Study Notes on Control and Accounting Information System
Control and Accounting Information System
Topic Learning Outcomes
At the end of this topic, you should be able to:
- Explain basic control concepts and why computer control and security are important.
- Compare and contrast the COBIT, COSO, and ERM control frameworks.
- Describe the major elements in the internal environment of a company.
- Describe the four types of control objectives that companies need to set.
- Describe the events that affect uncertainty and the techniques used to identify them.
- Explain how to assess and respond to risk using the Enterprise Risk Management model.
- Describe control activities commonly used in companies.
- Describe how to communicate information and monitor control processes in organizations.
Why Is Control Needed?
Control mechanisms are necessary to protect organizations from threats and adverse occurrences, which may be detrimental to either the accounting information system or the organization as a whole. Key concepts include:
- Threat/Event: A potential occurrence that could cause harm.
- Exposure/Impact: The anticipated dollar loss if a threat materializes.
- Likelihood: The probability of a threat occurring.
- Data Protection: Ensuring data safety from unauthorized access or breaches.
A Primary Objective of an AIS
The primary objective of Accounting Information Systems (AIS) is to control the organization, allowing it to achieve its overarching goals and objectives. Management expects accountants to:
- Take a proactive approach to eliminating system threats.
- Detect, correct, and recover from threats as they occur.
Internal Controls
Internal controls refer to the processes instituted to ensure the achievement of specific objectives, which are:
- Safeguard assets: Prevent unauthorized acquisition or usage.
- Maintain accurate records: Report company assets accurately and fairly.
- Provide reliable information: Ensure preparation of financial reports according to established criteria such as International Financial Reporting Standards (IFRS) or Generally Accepted Accounting Principles (GAAP).
- Promote operational efficiency: Drive improvements in organizational processes.
- Adhere to laws and regulations: Ensure compliance with relevant laws and regulations.
Functions of Internal Controls
Internal controls serve to identify, prevent, and correct issues in operations. They can be classified into three categories:
- Preventive Controls: Designed to deter problems before they occur. Examples include:
- Hiring qualified personnel
- Segregating employee duties
- Controlling physical access to assets and information
- Detective Controls: Discover problems that were not prevented. Examples include:
- Duplicate checking of calculations
- Preparation of bank reconciliations
- Monthly trial balance reviews
- Corrective Controls: Identify and rectify problems. Examples include:
- Maintaining backup copies of files
- Correcting data entry errors
- Resubmitting transactions for processing.
Control Frameworks
Several frameworks guide internal controls:
- COBIT (Control Objectives for Information Technologies): Developed by ISACA, it focuses on IT control, security, governance, and risk management. It provides a comprehensive framework for establishing and maintaining effective IT controls.
- COSO (Committee of Sponsoring Organizations of the Treadway Commission): An internal control framework that approaches organizational controls from a control-based perspective. This framework is meant to help organizations design, implement, and assess internal controls to achieve operational objectives.
- COSO-ERM (Enterprise Risk Management): An extension of COSO that adopts a risk-based approach towards organizational control and risk management.
Current COBIT Framework
The current version of COBIT is based on key principles:
- Meeting Stakeholder Needs: Understanding and delivering on stakeholder expectations.
- Covering the Enterprise End-to-End: Ensuring comprehensive governance across all functions.
- Single, Integrated Framework: Utilizing a cohesive approach to governance and management.
- Holistic Approach: Effectively overseeing all IT functions.
- Separating Governance from Management: Establishing clear distinctions to enhance accountability.
Components of COSO Frameworks
The components of the COSO and COSO-ERM frameworks are:
- COSO Components:
- Control (Internal) Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
- COSO-ERM Components:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring
Effective Enterprise Risk Management (ERM)
ERM ensures that:
- Monitoring, and Information and Communication, are effective.
- Control Activities adhere to proper standards.
- Risk Response strategies are in place.
- Risk Assessment processes identify underlying threats.
- Event Identification is systematic in recognizing potential risks.
- Objective Setting aligns risk management with broader organizational goals.
Internal Environment
The internal environment comprises several factors influencing an organization’s control framework:
- Management Philosophy: Shared beliefs, risk appetite, and operating style.
- Commitment to Integrity and Ethical Values: Integrity is cultivated from the top, impacting all levels of the organization.
- Internal Control Oversight: The Board of Directors serves as an independent review board over management; this oversight role is emphasized in contexts such as the Sarbanes-Oxley Act (SOX).
- Organizational Structure: Whether centralized or decentralized, and how size/nature influences operations.
- Authority & Responsibility Assignment: Clarity in holding individuals accountable for goals.
- Human Resource Standards: Recruitment practices that include checks for experience and backgrounds.
Objective Setting
Organizations must outline several categories of objectives:
- Strategic Objectives: High-level overarching goals of the organization.
- Operations Objectives: Effectiveness and efficiency regarding operational processes.
- Reporting Objectives: Monitoring and improving decision-making capabilities.
- Compliance Objectives: Ensuring adherence to applicable laws and regulations.
Event Identification
Organizations must identify potential internal and external incidents impacting their objectives. Key management questions include:
- What could go wrong? (E.g., insufficient supply of cacao beans)
- How can it go wrong? (E.g., due to adverse weather conditions or civil unrest)
- What is the potential harm? (E.g., increased costs due to limited supply)
- What can be done about it? (E.g., implementing hedges to mitigate risks)
ERM - Risk Assessment
The risk assessment process involves:
- Identifying Risk: Ascertain the likelihood of risk and its potential impacts.
- Inherent Risk: Risk existing before control measures are implemented.
- Residual Risk: Risk remaining after control measures are enacted.
ERM - Risk Response
Responses to identified risks can include:
- Reduce: Minimizing the likelihood and impact through controls.
- Accept: Taking no action and tolerating the risk.
- Share: Transferring risk to another party (e.g., via insurance).
- Avoid: Eliminating engagement in risk-inducing activities (e.g., divesting divisions).
ERM - Control Activities
Control activities are the policies and procedures assuring control objectives are met. Examples include:
- Authorization of Transactions: Procedures requiring signatures or approval codes.
- Segregation of Duties: Dividing responsibilities among employees.
- Project Development Controls: Oversight during project initiation and execution.
- Change Management Controls: Regulations governing system or process alterations.
- Document Design and Use: Ensuring records serve their intended purpose effectively.
- Asset Safeguarding: Protecting physical and digital assets from loss.
- Independent Performance Checks: Regular assessments of operational performance.
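The first two control activities in the list above, authorization of transactions and segregation of duties, can be expressed as rules and applied twice: once as a preventive control at the moment a transaction is entered, and again as a detective control over a log of transactions that were already posted. The following Python is an added worked example, not code from the notes; the approval limit, the role assignments and the five sample transactions are all constructed for illustration.

```python
"""Authorization and segregation-of-duties checks over a transaction log."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed policy values for this example (not taken from the notes).
APPROVAL_LIMIT = 1000.00  # amounts at or above this need an approver's sign-off

# Constructed role assignments: only holders of "approver" may sign off.
ROLES: Dict[str, Set[str]] = {
    "alice": {"clerk"},
    "bob": {"clerk", "approver"},
    "carol": {"approver"},
}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float
    recorded_by: str                   # employee who entered the transaction
    approved_by: Optional[str] = None  # employee who signed it off, if anyone


class ControlViolation(Exception):
    """Raised when the preventive control refuses a transaction."""


def violations(txn: Transaction, roles=ROLES, limit=APPROVAL_LIMIT) -> List[str]:
    """Return every control rule the transaction breaks (empty list if none)."""
    found = []
    if txn.amount <= 0:
        found.append("invalid amount")
    if txn.approved_by is not None:
        # Segregation of duties: recording and approving must be different people.
        if txn.approved_by == txn.recorded_by:
            found.append("segregation of duties: recorder approved own transaction")
        # Authorization: the approver must actually hold the approver role.
        if "approver" not in roles.get(txn.approved_by, set()):
            found.append("authorization: approver lacks the approver role")
    elif txn.amount >= limit:
        found.append("authorization: amount at or above limit has no approval")
    return found


def enforce(txn: Transaction, ledger: List[Transaction]) -> None:
    """Preventive control: reject a transaction that breaks a rule before it is posted."""
    problems = violations(txn)
    if problems:
        raise ControlViolation(f"{txn.txn_id}: " + "; ".join(problems))
    ledger.append(txn)


def try_post(txn: Transaction, ledger: List[Transaction]) -> bool:
    """Post if allowed; return True when accepted, False when refused."""
    try:
        enforce(txn, ledger)
        return True
    except ControlViolation:
        return False


def audit(ledger: List[Transaction]) -> Dict[str, List[str]]:
    """Detective control: re-run the same rules over an already-posted log."""
    report = {}
    for txn in ledger:
        problems = violations(txn)
        if problems:
            report[txn.txn_id] = problems
    return report


# Constructed sample log: T3, T4 and T5 each break a rule; T1 and T2 are clean.
SAMPLE_LOG = [
    Transaction("T1", 250.00, "alice"),
    Transaction("T2", 4200.00, "alice", approved_by="carol"),
    Transaction("T3", 1500.00, "bob", approved_by="bob"),
    Transaction("T4", 2000.00, "alice"),
    Transaction("T5", 800.00, "carol", approved_by="alice"),
]

if __name__ == "__main__":
    for txn_id, problems in audit(SAMPLE_LOG).items():
        print(txn_id, "->", "; ".join(problems))
```

The same `violations` function serves both purposes: `enforce` calls it before a transaction reaches the ledger, and `audit` calls it over the stored log, so a record that slipped past the preventive check (for example one posted through a path that bypassed `enforce`) is still flagged on the next review.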
Control Evaluation and Management Decisions
To identify controls effectively, an organization should:
- Identify events or threats confronting the company.
- Estimate the likelihood (probability) of each threat occurring.
- Estimate the potential impact or loss from each threat.
- Identify controls to guard against each threat.
- Estimate the costs and benefits from implementing controls.
- Determine if it is cost-beneficial to protect the system from a threat (Yes/No).
- If Yes, implement controls.
- If No, consider whether to avoid, share, or accept the risk.
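The procedure above, together with the inherent-versus-residual distinction from the risk assessment section and the response options from the risk response section, can be carried through as a single calculation: expected annual loss is likelihood multiplied by impact; the inherent figure is computed before the control and the residual figure after it; the control's benefit is the loss it avoids, and it is cost-beneficial when that benefit exceeds its annual cost. The Python below is an added worked example, not part of the notes; the threat names, probabilities, dollar amounts and control costs are constructed for illustration.

```python
"""Cost/benefit evaluation of a control using expected annual loss."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # probability of occurring in a year (0..1)
    impact: float      # dollar loss if it occurs (the exposure)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_likelihood: float  # likelihood remaining with the control in place
    residual_impact: float      # impact remaining with the control in place


def expected_loss(likelihood: float, impact: float) -> float:
    """Expected annual loss = likelihood x impact."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    if impact < 0:
        raise ValueError("impact cannot be negative")
    return likelihood * impact


def evaluate(threat: Threat, control: Control) -> Dict[str, object]:
    """Carry the control-evaluation steps through for one threat/control pair."""
    inherent = expected_loss(threat.likelihood, threat.impact)            # before the control
    residual = expected_loss(control.residual_likelihood, control.residual_impact)  # after it
    if residual > inherent:
        raise ValueError("a control should not increase expected loss")
    benefit = inherent - residual            # loss the control avoids each year
    net_benefit = benefit - control.annual_cost
    cost_beneficial = net_benefit > 0
    return {
        "threat": threat.name,
        "control": control.name,
        "inherent_expected_loss": round(inherent, 2),
        "residual_expected_loss": round(residual, 2),
        "benefit": round(benefit, 2),
        "control_cost": round(control.annual_cost, 2),
        "net_benefit": round(net_benefit, 2),
        "cost_beneficial": cost_beneficial,
        # The "No" branch of the procedure: avoid, share or accept instead.
        "decision": ("implement the control" if cost_beneficial
                     else "not cost-beneficial: consider avoid, share or accept"),
    }


def evaluate_all(pairs: List[Tuple[Threat, Control]]) -> List[Dict[str, object]]:
    """Evaluate every threat/control pair in turn."""
    return [evaluate(t, c) for t, c in pairs]


# Constructed sample figures (not from the notes).
SAMPLE_PAIRS = [
    (Threat("Cash register skimming", 0.30, 20_000.0),
     Control("Daily independent cash count", 1_500.0, 0.05, 20_000.0)),
    (Threat("Warehouse fire", 0.01, 500_000.0),
     Control("Sprinkler system", 8_000.0, 0.01, 100_000.0)),
]

if __name__ == "__main__":
    for r in evaluate_all(SAMPLE_PAIRS):
        print(f"{r['threat']:<24} inherent={r['inherent_expected_loss']:>9,.2f} "
              f"residual={r['residual_expected_loss']:>9,.2f} "
              f"net={r['net_benefit']:>9,.2f} -> {r['decision']}")
```

On the constructed figures the cash count reduces expected loss from 6,000 to 1,000 for a cost of 1,500, so it is implemented; the sprinkler reduces expected loss by 4,000 but costs 8,000, so the fire risk falls into the avoid, share or accept branch (sharing it through insurance is the option the notes give as the example).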
Quick Review Questions
- Why Is Control Needed?
- What are the primary objectives of AIS?
- What are corrective controls?
Question and Answer Session (Q&A)
Any Questions?
Case Study - Class Task
Fresh Brew Cafe - A small family-owned coffee shop located in Penang, Malaysia, facing issues such as declining profit margins, stock shortages, and cash register discrepancies.
Required Tasks
a. If you were hired as an accountant by Fresh Brew Café, what are the first three actions you would take to improve the internal control framework?
b. Design a framework for Fresh Brew Café integrating COBIT principles and enterprise risk management to minimize operational risks.
Information System Control for System Reliability
Next, we will cover the concepts related to ensuring system reliability within information systems and controls applied therein.