CH6 Control and Accounting Information Systems

1
CH6 Control and Accounting Information Systems

• ????? ??? ??? ??? ???

2
COBIT Frameworks

• COSOs Enterprise Risk Management Model

3
The Internal Environment and Objective Setting

• ???? 697526011 ???

4
The Internal Environment
5
The Internal Environment

• Managements Philosophy, Operating Style, and
  Risk Appetite

6
The Internal Environment

• The Board of Directors
• SOX section 301
• Commitment to integrity, ethical values, and
  competence
• Organizational structure
• Centralization or decentralization of authority
• Assignment of responsibility for specific tasks
• Whether there is a direct reporting relationship
  or more of a matrix structure
• Organization by industry, product line,
  geographical location, or by a particular
  distribution or marketing network
• The way responsibility allocation affects
  managements information requirements

7
The Internal Environment

• The size and the nature of company activities
• Methods of assigning authority and responsibility
• Policy and procedures manual
• Human resource standards
• Hiring
• Compensating
• Training
• Fraud awareness
• Ethical considerations
• Punishment for fraud and unethical behavior
• Evaluating and Promoting
• Discharging

8
The Internal Environment

• Managing Disgruntled Employees
• Vacations and rotation of duties
• Confidentiality agreements and fidelity bond
  insurance
• Prosecute and incarcerate hackers and fraud
  perpetrators
• External influences
• FASB
• PCAOB
• SEC

9
Objective Setting
10
Event identification?Risk assessment and Risk
response

• ???? 697526007 ???

11
Event Identification

• COSO defines an event as an incident or
  occurrence emanating from internal or external
  sources that affects implementation of strategy
  or achievement of objectives. Events may have
  positive or negative impacts or both.

12
(No Transcript)
13
Techniques used to identify events

• Use comprehensive lists of potential events.
• Perform an internal analysis.
• Monitor leading events and trigger points.
• Conduct workshops and interviews.
• Perform data mining and analysis.
• Analyze business processes.

14
Risk Assessment

• Inherent riskthe risk that exists before
  management takes any steps to control the
  likelihood or impact of a risk.
• Residual riskthe risk that remains after
  management implements internal controls, or some
  other response to risk.
• DR AR / IR CR

15
Risk Response
Respond to Risk
16
Identify the events, or threats, that confront
the company

• Companies typically accept risk when it is within
  the companys risk tolerance range.
• A reduce or share response is used to bring
  residual risk into an acceptable risk tolerance
  range.
• An avoid response is typically only used when
  there is no way to cost-effectively bring risk
  into an acceptable risk tolerance range.

• Likelihood and impact must be considered
  together.
• Software tools have been developed to help
  automate the risk assessment and response
  process.

• A preventive control is superior to a detective
  one.
• Preventive, detective, and corrective controls
  complement each other, and a good internal
  control system should employ all three.

• The benefits of an internal control procedure
  must exceed its costs.
• Expected loss Impact Likelihood

Estimate the likelihood, or probability, of each
threat occurring
Estimate the impact, or potential loss, from each
threat
Identify controls to guard against each threat
Estimate the costs and benefits from instituting
controls
Avoid, share, or accept risk
Is it cost-beneficial to protect the system from
a threat?
No
YES
Reduce risk by implementing controls to guard
against the threat
17
Control activities

• ???? 697526001 ???

18
Control activities

• Control activities are policies, procedures, and
  rules that provide reasonable assurance
  managements control objectives are met and the
  risk responses are carried out.
• Controls are much more effective when placed in
  the system as it is built.

19
Control activities

• Control activities are in place during the
  end-of-the-year season.
• Extended employee vacations and fewer people to
  mind the store
• Student out of school with more time on their
  hands
• Counterculture hackers getting lonely this time
  of year and increasing their attacks on systems
• Focus 6-1

20
Control activities

• Proper authorization of transactions and
  activities
• Specific authorization
• General authorization
• Segregation of duties
• Segregation of accounting duties
• Authorization, recording, custody
• Segregation of systems duties
• Systems administration, network management,
  security management, change management, users,
  systems analysis, programming, computer
  operations, information system library, data
  control.

21
Control activities
22
Control activities

• Project development and acquisition controls
• Strategic master plan, project control, data
  processing schedule, steering committee, system
  performance measurements, post-implement review.
• Systems integrator
• Develop clear specifications, monitor the systems
  integration project.
• Change management control

23
Control activities

• Design and use of documents and records
• Safeguard assts, records, and data
• Create and enforce appropriate policies and
  procedures
• Maintain accurate records of all assets
• Restrict access to assets
• Protect records and documents

24
Information and Communication, Monitoring, and
Case

• ???? 697526021 ???

25
Information and Communication

• According to the AICPA, an AIS has five primary
  objectives
• Identify and record all valid transactions.
• Properly classify transactions.
• Record transactions at their proper monetary
  value.
• Record transactions in the proper accounting
  period.
• Properly present transactions and related
  disclosures in the financial statement.

26
Monitoring

• Use Responsibility Accounting
• Monitor System Activities
• Companies who monitor system activities need to
  make sure they do not violate employee privacy.
  One way to do that is to have written policies
  that employees agree to in writing and indicate
  the following
• The technology employees use on the job belongs
  to the company.
• E-mails received on company computers are not
  private and can be ready by supervisory
  personnel.
• Employees should not use technology in any way to
  contribute to a hostile work environment.

27
Monitoring

• Track Purchased Software and Mobile Devices
• Conduct Periodic Audit
• Employ a computer Security Officer, a Chief
  Compliance Officer, and Computer Consultants
• Engage Forensic Specialists

28
Monitoring

• Install Fraud Detection Software
• For example, ReliaStar Financial used a fraud
  detection package from IBM to detect the
  following
• Hundreds of thousands of dollars in fraudulent
  claim from a Los Angeles chiropractor.
• A Long Island doctor who submitted bills weekly
  for a rare and expensive procedure that is
  normally done only once or twice in a lifetime.
• A podiatrist who saw four patients and then
  billed ReliaStar for almost 500 separate
  procedures.
• Implement a Fraud Hotline

29
????

• ????

30
????

• ?Maria ???,???????
• Ed Yates????????????????,??Jason???????????????
• ???????????,????????????
• Maria???????????????????????????????Jason??,??????
  ??????????????

31
Thank You !