Control and Accounting Information Systems - PowerPoint PPT Presentation

Slides: 99
Provided by: drfred
Transcript and Presenter's Notes

1
Control and Accounting Information Systems
Chapter 7
  • UAA ACCT 316 Accounting
    Information Systems
  • Dr. Fred Barbee

2
Introduction to Internal Control
3
Internal Control . . .
  • Can an information system operate without
    internal controls?
  • Perhaps.
  • Will the organization attain its objectives?
  • Perhaps.

4
Why Internal Control?
5
Why Controls . . .
  • To Ensure system goals are achieved
  • To Lessen the risk of unwanted outcomes

6
Controls . . .
  • What are the goals that internal control is
    designed to achieve?
  • What are the typical business risks that the
    organization should try to avoid?

7
What are the goals that internal control is
designed to help achieve?
  • Question

8
Internal Control Goals
  • The National Commission on Fraudulent Financial
    Reporting
  • Appointed
  • The Committee of Sponsoring Organizations (COSO)
  • To study internal control

9
Internal Control Goals
  • COSO entity objectives . . .
  • Operations - relating to effective and efficient
    use of an entity's resources.
  • Financial Reporting - relating to preparation of
    reliable financial reports.
  • Compliance - relating to the entity's compliance
    with applicable laws and regulations.

10
What are the typical business risks that an
organization should try to avoid?
  • Question

11
What is Risk?
  • The dictionary defines risk as . . .

Hazard; peril; exposure to loss or injury.
  • What is an exposure?

12
Exposure . . .
  • . . . the potential financial effect of an event
    multiplied by its probability of occurrence.

Exposure = Potential Financial Effect of an Event × Probability of Occurrence

13
Risk Analysis
[Diagram: Threat, Exposure, Risk, Expected Loss]
14
Risk Analysis
[Diagram: Internal Controls, Threat, Exposure, Risk, Expected Loss]
15
Controls . . .
  • An exposure consists of the potential financial
    effect of an event multiplied by its probability
    of occurrence.

Exposure = Potential Financial Effect of an Event × Probability of Occurrence
250,000 = 5,000,000 × 5%

16
Direct Material Variances
  • An example of a control system in accounting

17
Common Business Exposures
18
Common Business Exposures
Business Exposures
19
Common Business Exposures
Business Exposures
20
What are the legal responsibilities of management?
  • Or, what are we supposed to do?

21
The SEC . . .
  • The establishment and maintenance of a system of
    internal controls is an important management
    obligation.

22
The SEC . . .
  • A fundamental aspect of management's stewardship
    responsibility is to provide shareholders with
    reasonable assurance that the business is
    adequately controlled.

23
The SEC . . .
  • Additionally, management has a responsibility to
    furnish shareholders and potential investors with
    reliable financial information on a timely basis.

24
Legal Responsibilities
  • Management is legally responsible
  • for establishing and maintaining an adequate
    system of internal control.

25
The SEC . . .
  • An adequate system of internal control is
    necessary to management's discharge of these
    obligations.

26
OK, so what if management doesn't do this? What
then?
27
Enter . . . The Foreign Corrupt Practices Act
28
FCPA Legal Requirement
  • Make and keep
  • books,
  • records, and
  • accounts
  • that, in reasonable detail, accurately and
    fairly reflect the transactions of the registrant
    and the disposition of its assets.

29
FCPA Legal Requirement
  • Design and maintain
  • a system of internal accounting controls
  • sufficient to provide reasonable assurances
  • that certain specified objectives are met.

30
The Internal Control Structure . . .
What is Internal Control?
31
Standards of Field Work
  • The Field Work standards are so named because
    they pertain primarily to the conduct of the
    audit at the client's place of business,
    that is, in the field.

32
Second Standard of Field Work
  • A sufficient understanding of the internal
    control structure is to be obtained to plan
    the audit and to determine the nature, timing,
    and extent of tests to be performed.

33
Defining Internal Control
Reviewing the Literature
34
1949 Committee on Auditing Procedure
  • A system of internal control should be designed
    to achieve objectives that are both
  • operational and
  • accounting in nature.

35
Defining Internal Control
  • The 1958 definition was the first to
    differentiate between
  • accounting controls and
  • administrative controls,
  • A distinction that is very important to
    independent auditors.

36
  • In 1963, chapter 5 of Statement on Auditing
    Procedure No. 33 attempted to clarify the
    distinction between administrative and accounting
    controls, stating that the independent auditor is
    primarily concerned with the latter when applying
    generally accepted auditing standards.

37
  • After 1963, there continued to be confusion
    concerning the scope of the auditor's
    responsibility as it related to safeguarding of
    assets and the reliability of financial
    statements.

38
So . . . What is Internal Control?
39
Cohen Commission Report
  • Published annual reports should contain a report
    in which corporate management discloses the
    condition of the company's internal control
    system.

40
Internal Control
Some Recent Additions
41
Internal Control . . .
  • Information Systems Audit and Control Foundation
  • Control Objectives for Information and
    Related Technology (COBIT)

42
COBIT
Audience: Management, Users, IS Auditors
Focus: Information Technology
Responsibility: Management
Size: 187 pages, 4 documents
43
Internal Control Viewed as
  • A set of processes including policies,
    procedures, practices, and organizational
    structure.

www.isaca.org/bkr_cbt3.htm
44
Internal Control Objectives
  • Effective and efficient operations
  • Confidentiality
  • Integrity and availability of information
  • Reliable financial reporting
  • Compliance with laws and regulations

45
Internal Control . . .
  • Institute of Internal Auditors Research
    Foundations
  • Systems Auditability and Control (SAC)

46
Systems Auditability and Control
Audience: Internal Auditors
Focus: Information Technology
Responsibility: Management
Size: 1,193 pages in 12 modules
47
Internal Control Viewed as . . .
  • Set of processes, subsystems, and people.

www.theiia.org
48
Internal Control Objectives
  • Effective and efficient operations
  • Reliable financial reporting
  • Compliance with laws and regulations

49
Internal Control . . .
  • The Committee of Sponsoring Organizations of the
    Treadway Commission
  • Internal Control - Integrated Framework

50
COSO
Audience: Management
Focus: Overall Entity
Responsibility: Management
Size: 353 pages in 4 volumes
51
COSO
  • Internal control viewed as a process.

www.coso.org
52
COSO
  • Internal control objectives
  • Effective and efficient operations
  • Reliable financial reporting
  • Compliance with laws and regulations

53
Internal Control . . .
  • American Institute of Certified Public
    Accountants
  • Consideration of the Internal Control
    Structure in a Financial Statement Audit
    (SAS 55)

54
SAS 55 / SAS 78
Audience: External Auditors
Focus: Financial Statement
Responsibility: Management
Size: 63 pages in 2 documents
55
SAS 55/78
  • Internal control viewed as a process.

www.aicpa.org
56
SAS 55/78
  • Internal control objectives
  • Effective and efficient operations
  • Reliable financial reporting
  • Compliance with laws and regulations

57
National Commission on Fraudulent Financial
Reporting
The Treadway Commission
58
Treadway Commission
  • Emphasized the importance of internal control.
    Specifically . . .
  • The control environment
  • Codes of conduct
  • Audit committees and
  • The internal audit function

59
Treadway Commission
  • The commission reaffirmed the Cohen Commission's
    call for management reports on the effectiveness
    of its internal controls.

60
COSO Report . . .
  • COSO's final report, Internal Control -
    Integrated Framework, was issued in September
    1992
  • 4 volumes
  • 453 pages
  • Thousands of hours of work

61
COSO Report . . .
  • Provides a common definition of internal control
    to meet the needs of diverse users.
  • Provides a framework against which entities can
    assess and improve their internal control systems.

62
Internal Control . . .
The COSO Definition
63
COSO
  • Internal control is a process, effected by an
    entity's board of directors, management, and
    other personnel,

64
COSO
  • designed to provide reasonable assurance
    regarding the achievement of objectives in the
    following categories

65
COSO
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations.

66
COSO
  • Key Concepts
  • Internal control is a process. It is a means to
    an end, not an end in itself.
  • Internal control is effected by people. It's not
    merely policy manuals and forms, but people at
    every level of an organization.

67
COSO
  • Key Concepts
  • Internal control can be expected to provide only
    reasonable assurance, not absolute assurance, to
    an entity's management and board.
  • Internal control is geared to the achievement of
    objectives in one or more overlapping categories.

68
COSO
  • It consists of several interrelated components,
    with
  • integrity,
  • ethical values
  • competence, and
  • the control environment,
  • serving as the foundation for the other
    components.

69
COSO
  • COSO's Components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

70
COSO Integrated Framework
71
Control Environment
  • Commitment to integrity and ethical values
  • Management's philosophy and operating style
  • Organizational structure
  • The audit committee of the board of directors.

72
Control Environment
  • Methods of assigning authority and
    responsibility.
  • Human resources policies and practices
  • External influences

73
COSO Integrated Framework
74
Risk Assessment
  • Identification of risks
  • Analysis of risks
  • Management of risks

75
Typical Sources of Risk
  • Clerical and Operational employees
  • Computer programmers
  • Managers and Accountants
  • Former Employees
  • Customers and Suppliers

76
Typical Sources of Risk
  • Competitors
  • Outside persons
  • Acts of Nature

77
Types of Risks
  • Unintentional Errors
  • Deliberate Errors (Fraud)
  • Unintentional Losses of Assets
  • Thefts of Assets
  • Breaches of Security
  • Acts of violence and Natural Disasters

78
Factors That Increase Risk Exposure
  • Frequency
  • Vulnerability
  • Size of the potential loss

79
Problem Conditions Affecting Risk Exposures
  • Collusion
  • Computer Crime
  • Lack of Enforcement

80
COSO Integrated Framework
81
Control Activities
  • Proper authorization of transactions and
    activities

82
Control Activities
  • Proper authorization of transactions and
    activities
  • Segregation of duties

83
Segregation of Duties
Authorization
Recording
Custody
Must Be Separate
84
Control Activities
  • Proper authorization of transactions and
    activities
  • Segregation of duties
  • Design and use of adequate documents and records

85
Control Activities
  • Proper authorization of transactions and
    activities
  • Segregation of duties
  • Design and use of adequate documents and records
  • Adequate safeguards of assets and records

86
Control Activities
  • Proper authorization of transactions and
    activities
  • Segregation of duties
  • Design and use of adequate documents and records
  • Adequate safeguards of assets and records
  • Independent checks on performance.

87
COSO Integrated Framework
88
Information and Communication
  • Identify, assemble, analyze, classify, record and
    report transactions
  • Maintain accountability for assets and
    liabilities
  • Open and well-defined lines of communication

89
COSO Integrated Framework
90
Monitoring
  • Effective supervision
  • Responsibility accounting
  • Internal auditing

91
COSO Integrated Framework
[Diagram: Objectives (Financial Reporting, Compliance, Operations) and Components]
92
Internal Control . . .
  • Classifications

93
Preventive, Detective, and Corrective Controls
[Diagram: Input, Process, Output, Sensor, Benchmark, Detective and Corrective Controls, Corrective Controls]
94
Control Classifications
  • By Objectives: Administrative, Accounting
  • By Settings: General, Application, Input, Processing, Output
  • By Risk Aversion: Corrective, Preventive, Detective
  • By System Architectures: Manual Systems, Computer Based Systems, Batch Processing, Online Processing, Data Base

95
Internal Control . . .
  • Some Common Grounds

96
Some Common Ground
  • A system of internal control is not an end in
    itself.
  • It is, rather, a means to an end.
  • Internal control is a system
  • Clearly defined goals
  • Interrelated components acting in concert to
    achieve those goals.

97
Some Common Ground
  • Establishing a viable internal control system is
    management's responsibility.
  • The strength of any internal control system is
    largely a function of the people who operate it.

98
Some Common Ground
  • Internal control cannot be expected to provide
    100% assurance that the organization will reach
    its objectives.
  • Internal control is not free; it has a cost
    associated with it.