Internal controls
An organization implements internal controls to minimize risks. Internal controls involve implementing procedures and policies so the organization’s objectives can be achieved. (Designed well and operating well.)
Errors
unintentional mistakes
Irregularities
Intentional and deliberate problems.
The quality of an organization’s internal control affects not only the reliability of its financial information but also the ability of the organization to make good decisions and remain in business.
Why internal control is important.
COSO
Committee of Sponsoring Organizations of the Treadway Commission. Sponsored by 5 organizations: AAA (American Accounting Association), AICPA (American Institute of Certified Public Accountants), FEI (Financial Executives International), the Institute of Internal Auditors (IIA), and the IMA (Institute of Management Accountants).
1. Control environment, 2. Risk assessment, 3. Existing control activities, 4. Information and communication, 5. Monitoring activities
5 Components of Internal Control:
Control Environment
The organization’s attitude toward internal control.
Risk Assessment
The process of thinking about what can go wrong.
Existing Control Activities
Help reduce the risks.
Information and communication
Ensure that everyone understands the policies and procedures relating to internal controls.
Monitoring activities
The continuing assessment of internal controls.
entity-level controls
The control environment, risk assessment, information and communication, and monitoring are referred to as… because they apply to the entire organization.
control activities
Transaction cycle controls are known as … since they apply to the specific cycle.
1. Governance and Culture; 2. Strategy and Objective-Setting; 3. Performance; 4. Review and Revision; 5. Information, Communication, and Reporting.
5 Components of COSO frameworks
tone at the top
An organization requires proper governance oversight by the board as well as an adequate control environment to be established by management. Together the board and management establish attitudes and create standards of conducting business.
ethical values, the board of directors, management’s style and philosophy, the organizational structure, the assignment of authority, and the commitment to ensuring employee competence.
What is the control environment influenced by?
Managerial integrity requires a commitment to doing the right thing. When people in the organization know that ethical standards will be enforced, the likelihood that employees will engage in improper or illegal activities is lower.
What is management’s responsibility?
1. Estimating the potential loss or exposure from the problem. 2. The probability or likelihood of occurrence.
2 parts to the assessment of risk
Expected Loss
Expected loss = Exposure × Probability of occurrence.
Risk
The possibility that an event will occur and negatively affect the organization’s ability to achieve its goals.
Consequences of inadequately controlled risks
critical information is unavailable; bad decisions made on faulty data; resources are lost, wasted, or abused; management spends unnecessary time dealing with problems; public credibility is tarnished; employee and management turnover increases; litigation against the company occurs; investors and creditors become unwilling to provide financing; the company files for bankruptcy.
1. Avoid the risk, 2. Accept the risk, 3. Mitigate the risk, 4. Share the risk
4 ways of responding to risk
Sharing the risk
requires the organization to use different options that reduce its exposure to a risk that results from engaging in a business activity. This can be done by buying insurance, hedging, or outsourcing.
Inherent Risk
“Risk that is faced prior to taking action.”
Residual Risk
Risk that remains after management takes action to respond to the risks, threats, and counteractions.
Control activities
used in addition to the control environment to achieve objectives at the accounting application level. “Reconciling the bank account”, “Comparing the physical inventory to the system inventory records”, “Completeness check in a web form to ensure that all required fields are completed before a customer clicks the submit button”, “Credit checking a new customer before approving a sales order”, “Approving a journal voucher”.
Management must document control activities + findings of its review
The documentation should include both entity-level and activity-level controls. Entity-level control is important because it is intended to reduce risk across the entire organization; it affects the entire accounting system. In addition, management must document the findings of its review, whether any control deficiencies were noted, and if so, what corrective action was taken. It should include policy and procedure manuals, flowcharts, job descriptions, and internal control questionnaires.
Collusion
A company could assign one person to oversee another or to maintain records on someone else’s activities only to find out later that the two employees worked together to defeat the system.
Management Override
A ‘perfectly’ good system can be ignored by someone in authority by simply telling an employee to suspend or disregard a procedure for some supposedly ‘good’ reason or by just deciding to override the control themselves.
Fraud
When there is intent to deceive for personal gain. Accountants must be aware of two potential types of fraud: 1. Misappropriation of assets and 2. Financial statement fraud.
Misappropriation of assets
Related to theft of an organization’s assets, such as cash or inventory. Ex: Theft of inventory.
Embezzlement
Bookkeepers writing checks to themselves for fictitious business expenses; also a misappropriation of assets.
Financial Statement Fraud
is where management misrepresents the financial statements.
1. Pressure (the motive to commit the fraud), 2. Opportunity (the availability to commit the fraud), 3. Rationalization (reasoning to commit the fraud).
3 components for fraud to occur:
Fraud Triangle
Requires all three elements, pressure, opportunity, and rationalization, to commit fraud.
Segregation of Accounting Duties
Used to minimize errors and fraud; different individuals should be responsible for each of the three major activities of a transaction: approval, recordkeeping, and custody.
Approval function (Revenue Cycle)
receiving orders for sales and granting credit
Recordkeeping function (Revenue Cycle)
Billing customers and recording sales, maintaining inventory records, maintaining general ledger accounting records, and maintaining detailed accounts receivable records
Custody function (Revenue Cycle)
Shipping goods and processing cash receipts
Approval function (Expenditure Cycle)
purchase orders and vendor payments.
Recordkeeping function (Expenditure Cycle)
record vendor invoice, maintain inventory records, maintain general ledger accounting records, and maintain detailed accounts payable records.
Custody function (Expenditure Cycle)
receiving goods and processing cash payments.
1. Ongoing evaluations, 2. Separate evaluation, 3. Combination
3 ways that monitoring can be done:
Unintentional threat
E.g., clicking a malicious link that downloads files or deletes them by mistake; power outages as well.
Intentional threat
security threats to the IT system, such as outsiders (or inside employees) hacking into the system and gaining access to unauthorized files.
SEC
is concerned about keeping investors informed about cybersecurity and providing guidance for publicly held companies by discussing threats and disclosing material events impacted by cybersecurity. Has the right to issue an enforcement action against a company for failure to protect customer data.
8-K report
These disclosures are important because investors need to be aware of the risk and probability of a cybersecurity risk affecting costs.
PCAOB
Regulates auditors and has given guidance that auditors need to consider cybersecurity risks as it relates to the financial reporting risk of the companies they audit.
COBIT
created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). Has governance objectives and management objectives.
Evaluate, Direct, and Monitor
This governance objective is focused on evaluating strategy with executive management and monitoring strategy performance.
Align, Plan, and Organize
This management objective addresses the need for a technology strategic plan and organization of the IT function.
Build, Acquire, and Implement
This management objective deals with the need for sound practices in acquiring and implementing new hardware and software.
Deliver, Service, and Support
This management objective addresses the need for a clear definition of the IT services provided and the availability of training and help.
Monitor, Evaluate, and Assess
This management objective is the process for making sure that the IT governance and control practices established are working properly.
National Institute of Standards and Technology (NIST)
a specific cybersecurity framework for organizations. The framework is organized around five functions: identify, protect, detect, respond, and recover.
Identify
addresses understanding and assessing cybersecurity risk
Protect
involves implementing controls to mitigate the risks
Detect
the ability to discover events on a timely basis.
Respond
centered around actions to take once an event is detected.
Recover
addresses getting back to normal operating capabilities after an event occurs.
Application Controls
Controls concerned with processing transactions that are specific to the software application. Ex: Processing, cash receipts, and cash disbursements.
General IT controls
Entity-wide IT risks that affect the entire computer system. Ex: Input, processing, and output.
Input Controls
Application control that relates to data input to ensure accuracy, validity, and completeness of the data. Ex: Validity Check, Consistency Check, Check Digit, Limit Check, Completeness Check, and Field Check.
Validity Check
Input control that ensures an account number exists.
Consistency Check
“Input control that ensures that data entered into a field makes sense in relation to other data or in a situational context.” Ex: Someone manipulating a due date that has passed.
Check Digit
Input control that adds an extra digit to the end of an account number to ensure no transpositions or errors were made.
Limit Check
Input control that ensures pre-established limits are not exceeded. Ex: Total hours to be worked in a week, total accumulated depreciation, etc.
Completeness Check
“Input control that ensures that all required fields are filled in.”
Field Check
“Input control that ensures the characters entered in a field are of the proper type.” Ex: Wanted ten but wrote “1o”.
Processing Controls
Application controls used to ensure that all legitimate transactions have been accurately processed.
Prenumbered documents
Processing control in which source documents used in transaction processing (e.g., purchase orders) are sequentially prenumbered. Ex: Receiving reports and shipping notices.
Batch Totals
“Processing control that is a record count of a group of similar transactions.” Ex: A record count
Control Total
Batch total processing control where the total dollar amount of individual transactions processed equals the total on the report. If the total on the sheet is $56,090, then the processed control total generated by the computer should be $56,090.
Hash Total
Batch total processing control where a nonfinancial attribute is added up to ensure all transactions are processed accurately. Ex: General Ledger
Output Controls
Application control that ensures output is not lost, misdirected, or seen by unauthorized individuals. Ex: Variety of distribution checks and reasonableness tests.
Distribution Checks
“Output control to ensure that output is distributed only to authorized users.” Ex: Confidential data.
Reasonableness Tests
“Output control that ensures output has no obvious errors and is reasonable.” Ex: Payroll and expense reimbursements.
access security, change, and operational controls.
3 types of general IT controls
Access Controls
“Data access and protection security measures include domains and access control lists, passwords, lockout procedures, callback procedures, firewalls, virtual private networks, encryption, virus and other malware protection, phishing protection, and intrusion detection.”
Network Domain
Collection of network resources of the organization.
Access Control Lists (ACL)
A list of user accounts who have access to an organization’s network domain resources.
Domain
essentially a collection of network resources that certain users are allowed to access. To allow access to the domain, the system administrator creates a list of user accounts.
Contra Security Behavior
Behavior that defeats the purpose of a good security practice (e.g., posting a password on the computer monitor).
Lockout Procedure
Access control security measure that locks you out of the system after a certain number of failed attempts at a password.
Callback Procedure
Access control security measure that allows you to log in, but then shuts off the connection and calls you back at the authorized location. Useful in transferring large sums of money.
Firewalls
Used to filter data packets from the internet and drop data packets coming from unauthorized network servers.
Data Packets
Small amount of data sent over the network that includes the data itself, source, and destination.
Virtual Private Networks (VPNs)
Access control that provides a secure connection over the internet to access the organization’s files.
Encryption
Process of encoding information by using an algorithm to scramble the data so unauthorized individuals cannot read it.
Symmetric and Asymmetric
2 kinds of Encryption
Symmetric Encryption
Type of encryption that uses one encryption key to encrypt and decrypt the data.
Asymmetric Encryption
“Type of encryption that uses one public key to encrypt the data and one private key to decrypt the data.”
Malware
“Software that prevents malicious code from infecting your computer.”
Phishing Attacks
“Fraudulent act to obtain data through disguise (e.g., clicking on a link in an email that appears trustworthy, but it is not).”
Ransomware
“Malware that locks you out of the system and requires you to pay a ransom in order for your data to be unlocked.”
IDS (Intrusion Detection Software)
Software that monitors and analyzes the data on the network for suspicious activity and sends alerts of suspicious activity to the information security professionals.
Controls to minimize physical damage
a secure area, biometric identification, smoke detectors and fire retardants, file libraries, disaster recovery plans, and alternate processing facilities.
Biometric Controls
Security measure that can identify your unique physical characteristics (e.g., fingerprint).
Change Controls
General IT control (a management control) focused on preventing system failures caused by changes to program code or by data conversions.
Patch Management
Update to fix software bugs.