Control and Accounting Information Systems Notes

Control and Accounting Information Systems

Movie Theater Example: Controls and Risks

  • Ticket System Purpose:
    • Prevents cashiers from stealing by controlling cash receipts.
    • Prevents cashiers from giving tickets to friends via prenumbered tickets.
  • Controls:
    • Reconciling cash register totals with tickets sold.
    • Reconciling tickets sold with tickets collected by the usher.
  • Remaining Risks:
    • Ticket-taker letting friends in without tickets.
    • Ticket-taker taking money and letting people in without tickets.
    • Cashier and ticket-taker colluding to sell admittances and split the proceeds.
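As an added worked example (not part of the notes), the two reconciliations above coded as a detective control and run over constructed end-of-shift figures. The optional independent headcount is an assumed extra control the notes do not mention; it is included to show which of the remaining risks the two reconciliations alone cannot see:

```python
from __future__ import annotations

import dataclasses
from dataclasses import dataclass
from typing import List, Optional

TOLERANCE = 0.01  # cash differences under one cent are rounding, not findings


@dataclass(frozen=True)
class ShiftRecord:
    """End-of-shift figures for one cashier and one ticket-taker (constructed sample data)."""
    first_ticket: int              # number of the first prenumbered ticket on the roll at opening
    next_ticket: int               # number of the next unsold ticket at closing
    ticket_price: float
    cash_counted: float            # cash in the register at closing, opening float removed
    stubs_collected: int           # stubs the ticket-taker handed to the manager
    headcount: Optional[int] = None  # independent count of people seated (assumed extra control)


def tickets_sold(rec: ShiftRecord) -> int:
    """Prenumbered tickets make the count independent of the cashier's own tally."""
    return rec.next_ticket - rec.first_ticket


def reconcile_shift(rec: ShiftRecord) -> List[str]:
    """Returns one finding per discrepancy. An empty list means the shift reconciles,
    which is not the same as saying nothing went wrong."""
    findings: List[str] = []
    sold = tickets_sold(rec)

    # 1. Cash register total versus tickets sold.
    expected_cash = sold * rec.ticket_price
    diff = round(rec.cash_counted - expected_cash, 2)
    if diff < -TOLERANCE:
        findings.append(f"cash short by {-diff:.2f}: {sold} tickets at {rec.ticket_price:.2f} "
                        f"should yield {expected_cash:.2f}, counted {rec.cash_counted:.2f}")
    elif diff > TOLERANCE:
        findings.append(f"cash over by {diff:.2f}: sales made without issuing a ticket")

    # 2. Tickets sold versus stubs collected by the ticket-taker.
    if rec.stubs_collected > sold:
        findings.append(f"{rec.stubs_collected - sold} more stubs collected than tickets sold: "
                        "tickets admitted that did not come from the cashier's roll")
    elif rec.stubs_collected < sold:
        findings.append(f"{sold - rec.stubs_collected} tickets sold but never collected: "
                        "review before treating them as no-shows")

    # 3. (Assumed extra control) people in seats versus stubs collected.
    if rec.headcount is not None and rec.headcount > rec.stubs_collected:
        findings.append(f"{rec.headcount - rec.stubs_collected} people seated without a stub: "
                        "ticket-taker admitted people without tickets")
    return findings


# Constructed scenarios, one per case the notes discuss.
HONEST = ShiftRecord(first_ticket=1000, next_ticket=1120, ticket_price=12.50,
                     cash_counted=1500.00, stubs_collected=120)
# Cashier pockets the price of four tickets: the roll still advanced, so cash is short.
SKIMMING_CASHIER = ShiftRecord(1000, 1120, 12.50, 1450.00, 120)
# Ticket-taker lets four friends in (or pockets their money) without tickets: the
# register and the roll are untouched, so the two reconciliations balance.
FRIENDS_ADMITTED = ShiftRecord(1000, 1120, 12.50, 1500.00, 120)
# Only an independent count of the audience exposes the four extra people.
FRIENDS_ADMITTED_COUNTED = dataclasses.replace(FRIENDS_ADMITTED, headcount=124)

if __name__ == "__main__":
    for name, rec in [("honest", HONEST), ("skimming cashier", SKIMMING_CASHIER),
                      ("friends admitted", FRIENDS_ADMITTED),
                      ("friends admitted, with headcount", FRIENDS_ADMITTED_COUNTED)]:
        print(f"{name}: {reconcile_shift(rec) or ['reconciles']}")
```

Collusion between cashier and ticket-taker produces the same record as the honest shift, which is why the notes list it as a remaining risk: a control that reconciles two parties' figures cannot detect those two parties agreeing on a false figure.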

Learning Objectives

  • Explain basic control concepts and the importance of computer control and security.
  • Compare and contrast COBIT, COSO, and ERM control frameworks.
  • Describe the major elements of a company's internal environment.
  • Describe control objectives and how to identify events affecting organizational uncertainty.
  • Explain how to assess and respond to risk using the Enterprise Risk Management model.
  • Describe commonly used control activities.
  • Describe how to communicate information and monitor control processes.

Why Control is Needed

  • Threat/Event: A potential adverse occurrence or unwanted event harmful to the AIS or the organization.
  • Exposure/Impact: Potential dollar loss if a threat becomes a reality.
  • Likelihood/Risk: Probability of a threat occurring.

Primary Objective of an AIS

  • Control the organization to achieve its objectives.
  • Management expects accountants to:
    • Proactively eliminate system threats.
    • Detect, correct, and recover from threats.

Internal Controls

  • Processes to provide assurance of achieving the following objectives:
    • Safeguard assets
    • Maintain sufficient records
    • Provide accurate and reliable information
    • Prepare financial reports according to established criteria
    • Promote and improve operational efficiency
    • Encourage adherence to management policies
    • Comply with laws and regulations

Functions of Internal Controls

  • Preventive Controls: Deter problems from occurring.
  • Detective Controls: Discover problems not prevented.
  • Corrective Controls: Identify and correct problems that have occurred, and recover from their effects.
  • Examples:
    • Comparing a bank statement to company records: Detective.
    • Assigning separate personnel for check writing and payment authorization: Preventive.
    • Root cause analysis of physical inventory discrepancy: Corrective.

Activity: Unauthorized Wireless Access Point

  • Scenario: Attackers break into a company's system via an unauthorized wireless access point.
  • Preventive Action: Policy forbidding unauthorized wireless access points.
  • Detective Action: Routine audits for unauthorized wireless access points.
  • Corrective Action: Sanction employees violating the policy.

Foreign Corrupt Practices Act (FCPA) and Sarbanes-Oxley Act (SOX)

  • FCPA (1977):
    • Prevents companies from bribing foreign officials.
    • Requires publicly owned corporations to maintain internal accounting controls.
  • SOX (2002):
    • Applies to publicly held companies and their auditors.
    • Aims to prevent financial statement fraud.
    • Makes financial reports transparent.
    • Protects investors.
    • Strengthens internal controls.
    • Punishes executives who perpetrate fraud.
    • Led to the creation of the Public Company Accounting Oversight Board (PCAOB), which enforces auditing, quality control, ethics, independence, and other auditing standards.
    • Example: Response to the Enron scandal.

Control Frameworks

  • COBIT (Control Objectives for Information and Related Technologies): Framework for IT control.
  • COSO (Committee of Sponsoring Organizations): Framework for enterprise internal controls (control-based approach).
  • COSO-ERM (COSO's Enterprise Risk Management): Expands COSO framework, taking a risk-based approach.

COBIT Framework

  • Current version: COBIT5
  • Based on the following principles:
    • Meeting stakeholder needs
    • Covering the enterprise end-to-end
    • Applying a single, integrated framework
    • Enabling a holistic approach
    • Separating governance from management

COBIT5: Governance vs. Management

  • 32 management processes organized under four domains:
    1. Align, Plan, and Organize
    2. Build, Acquire, and Implement
    3. Deliver, Service, and Support
    4. Monitor, Evaluate, and Assess

Components of COSO Frameworks

  • COSO:
    • Control (internal) environment
    • Risk assessment
    • Control activities
    • Information and communication
    • Monitoring
  • COSO-ERM:
    • Internal environment
    • Objective setting
    • Event identification
    • Risk assessment
    • Risk response
    • Control activities
    • Information and communication
    • Monitoring
  • Key Difference: COSO-ERM focuses on a risk-based approach, adding objective setting, event identification, and risk response components.

Internal Environment

  • Management’s philosophy, operating style, and risk appetite.
  • Commitment to integrity, ethical values, and competence.
  • Internal control oversight by the Board of Directors.
  • Organizational structure.
  • Methods of assigning authority and responsibility.
  • Human resource standards.
  • Examples:
    • Existence of a written code of conduct.
    • Good hiring practices, including background checks.

Objective Setting

  • Strategic Objectives: High-level goals.
  • Operations Objectives: Effectiveness and efficiency of operations.
  • Reporting Objectives: Improve decision making and monitor performance.
  • Compliance Objectives: Compliance with applicable laws and regulations.

Event Identification

  • Identifying incidents (external and internal) that could affect achieving organizational objectives.
  • Key Management Questions:
    • Example (Chocolate Manufacturer):
      • Objective: Increase revenues and profitability.
      • What could go wrong? Not enough cacao beans to meet demand.
      • How can it go wrong? Weather conditions limiting supply.
      • Potential harm? Increased cost, impacting customers.
      • What can be done? Hedge potential supply risk.

Risk Assessment

  • Assessed from two perspectives:
    • Likelihood: Probability of the event occurring.
    • Impact: Estimate of potential loss.
  • Types of Risk:
    • Inherent: Risk before implementing controls.
    • Residual: Risk remaining after implementing controls.

Risk Response

  • Reduce: Implement effective internal controls.
  • Accept: Do nothing; accept the likelihood and impact.
  • Share: Buy insurance, outsource, or hedge.
  • Avoid: Do not engage in the activity.
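As an added example (not from the notes), the risk-assessment and risk-response sections carried through in code: expected loss is likelihood times impact, inherent risk is assessed before any response and residual risk after it, and the four responses are chosen from those figures. The decision rule, the risk-appetite input and the dollar figures for the chocolate manufacturer are assumptions of this example:

```python
from dataclasses import dataclass
from typing import List


def expected_loss(likelihood: float, impact: float) -> float:
    """Risk assessed from the two perspectives in the notes: likelihood times impact."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return likelihood * impact


@dataclass(frozen=True)
class Response:
    """A candidate Reduce (internal control) or Share (insurance, hedge, outsourcing)
    response, with its cost and the residual likelihood/impact it leaves behind."""
    kind: str                  # "reduce" or "share", the notes' categories
    name: str
    annual_cost: float
    residual_likelihood: float
    residual_impact: float


@dataclass(frozen=True)
class Assessment:
    risk: str
    inherent_likelihood: float
    inherent_impact: float
    risk_appetite: float       # largest expected loss management will carry (assumed input)


def inherent_loss(a: Assessment) -> float:
    return expected_loss(a.inherent_likelihood, a.inherent_impact)


def residual_loss(r: Response) -> float:
    return expected_loss(r.residual_likelihood, r.residual_impact)


def net_benefit(a: Assessment, r: Response) -> float:
    """Reduction in expected loss minus what the response costs each year."""
    return (inherent_loss(a) - residual_loss(r)) - r.annual_cost


def recommend(a: Assessment, options: List[Response]) -> str:
    """Decision rule assumed for this example: take the response whose reduction in
    expected loss most exceeds its cost; if none pays for itself, accept the risk
    when its expected loss is within appetite, otherwise flag it for sharing or
    avoiding, which needs information (quotes, alternatives) the numbers lack."""
    paying = [r for r in options if net_benefit(a, r) > 0]
    if paying:
        best = max(paying, key=lambda r: net_benefit(a, r))
        return f"{best.kind}: {best.name}"
    if inherent_loss(a) <= a.risk_appetite:
        return "accept"
    return "share or avoid: expected loss exceeds appetite and no option pays for itself"


# Constructed figures for the notes' chocolate-manufacturer event (not from the notes).
CACAO_SHORTFALL = Assessment("cacao supply shortfall from bad weather", 0.20, 500_000.0, 25_000.0)
CACAO_OPTIONS = [
    Response("share", "hedge cacao purchases", 15_000.0, 0.20, 100_000.0),
    Response("reduce", "hold six weeks of safety stock", 40_000.0, 0.05, 200_000.0),
]
MINOR_RISK = Assessment("mislabelled sample bars", 0.10, 2_000.0, 25_000.0)

if __name__ == "__main__":
    for r in CACAO_OPTIONS:
        print(f"{r.name}: residual {residual_loss(r):,.0f}, net benefit {net_benefit(CACAO_SHORTFALL, r):,.0f}")
    print(recommend(CACAO_SHORTFALL, CACAO_OPTIONS))
    print(recommend(MINOR_RISK, []))
```

The hedge wins here even though safety stock leaves less residual risk, because the comparison is on net benefit, not on residual risk alone; a control that costs more than the loss it prevents is itself a loss.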

Control Activities

  • Proper authorization of transactions and activities.
  • Segregation of duties.
  • Project development and acquisition controls.
  • Change management controls.
  • Design and use of documents and records.
  • Safeguarding assets, records, and data.
  • Independent checks on performance.

Segregation of Accounting Duties

(Slide 23 illustrates this, but without details; needs more content to be useful.)

Segregation of Systems Duties

  • Divide authority and responsibility between system functions:
    • System administration
    • Network management
    • Security management
    • Change management
    • Users
    • Systems analysts
    • Programmers
    • Computer operators
    • Information system librarian
    • Data control
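As an added example (not from the notes), a segregation-of-duties check over the system functions listed above, in both the preventive form (run when a role is about to be granted) and the detective form (a periodic review of existing entitlements). The conflict pairs are an illustrative policy written for this example, not a list the notes give, and the entitlement snapshot is constructed:

```python
from typing import Dict, FrozenSet, List, Set

# Role names follow the functions listed in the notes. Each conflicting pair would let one
# person both make a change and control the check on that change (illustrative policy).
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"programmer", "computer_operator"}),              # write code and run it in production
    frozenset({"programmer", "information_system_librarian"}),   # change code and its reference copy
    frozenset({"programmer", "change_management"}),              # approve one's own changes
    frozenset({"programmer", "user"}),                           # build and use the same system
    frozenset({"security_management", "system_administrator"}),  # set the rules and hold the keys
}


def conflicts_in(roles: Set[str]) -> List[FrozenSet[str]]:
    """All conflicting pairs fully contained in one person's role set, in a stable order."""
    return [pair for pair in sorted(CONFLICTS, key=sorted) if pair <= roles]


def review_assignments(assignments: Dict[str, Set[str]]) -> Dict[str, List[FrozenSet[str]]]:
    """Detective control: periodic review of existing entitlements; one entry per person in breach."""
    return {person: conflicts_in(roles) for person, roles in assignments.items() if conflicts_in(roles)}


def blocking_conflicts(current_roles: Set[str], new_role: str) -> List[FrozenSet[str]]:
    """Preventive control run at provisioning time: a non-empty result means the grant
    would create a new conflict and should be refused or sent for a compensating review."""
    return [pair for pair in conflicts_in(current_roles | {new_role}) if new_role in pair]


# Constructed entitlement snapshot (sample data, not from the notes).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"programmer"},
    "bob": {"computer_operator"},
    "carol": {"programmer", "computer_operator"},             # develops and runs production jobs
    "dave": {"security_management", "system_administrator"},  # writes the policy and administers the systems
    "erin": {"user", "data_control"},
}

if __name__ == "__main__":
    for person, pairs in review_assignments(ASSIGNMENTS).items():
        print(person, [sorted(p) for p in pairs])
    print("grant operator to alice:",
          [sorted(p) for p in blocking_conflicts(ASSIGNMENTS["alice"], "computer_operator")])
```

The preventive check only reports conflicts that the new role would create, so a person already in breach is not blocked from unrelated grants; the detective review is what surfaces the existing breach. Neither check sees two people colluding across roles, which is the same limit the movie theater example notes for reconciliations.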

Monitoring

  • Perform internal control evaluations (e.g., internal audit).
  • Implement effective supervision.
  • Use responsibility accounting systems (e.g., budgets).
  • Monitor system activities.
  • Track purchased software and mobile devices.
  • Conduct periodic audits (e.g., external, internal, network security).
  • Employ a computer security officer.
  • Engage forensic specialists.
  • Install fraud detection software.
  • Implement a fraud hotline.

Key Terms

  • Threat/Event
  • Exposure/Impact
  • Likelihood/Risk
  • Internal Controls
  • Preventive Controls
  • Detective Controls
  • Corrective Controls
  • General Controls
  • Application Controls
  • Belief System
  • Boundary System
  • Diagnostic Control System
  • Interactive Control System
  • Foreign Corrupt Practices Act (FCPA)
  • Sarbanes-Oxley Act (SOX)
  • Public Company Accounting Oversight Board (PCAOB)
  • Control Objectives for Information and Related Technology (COBIT)
  • Committee of Sponsoring Organizations (COSO)
  • Internal Control-Integrated Framework (IC)
  • Enterprise Risk Management Integrated Framework (ERM)
  • Internal Environment
  • Risk Appetite
  • Audit Committee
  • Policy and Procedures Manual
  • Background Check
  • Strategic Objectives
  • Operations Objectives
  • Reporting Objectives
  • Compliance Objectives
  • Event
  • Inherent Risk
  • Residual Risk
  • Expected Loss
  • Control Activities
  • Authorization
  • Digital Signature
  • Specific Authorization
  • General Authorization
  • Segregation of Accounting Duties
  • Collusion
  • Segregation of Systems Duties
  • Systems Administrator
  • Network Manager
  • Security Management
  • Change Management
  • Users
  • Systems Analysts
  • Programmers
  • Computer Operators
  • Information System Library
  • Data Control Group
  • Steering Committee
  • Strategic Master Plan
  • Project Development Plan
  • Project Milestones
  • Data Processing Schedule
  • System Performance Measurements
  • Throughput
  • Utilization
  • Response Time
  • Post-implementation Review
  • Systems Integrator
  • Analytical Review
  • Audit Trail
  • Computer Security Officer (CSO)
  • Chief Compliance Officer (CCO)
  • Forensic Investigators
  • Computer Forensics Specialists
  • Neural Networks
  • Fraud Hotline