BUSI2111: Information Systems in Accounting Part I - PowerPoint PPT Presentation


1
BUSI2111 Information Systems in Accounting
(Part I)
  • LEC04 Control and Auditing in Accounting
    Information Systems
  • M. Romney, P. Steinbart (2009), Accounting
    Information Systems, Prentice Hall,
  • Prepared by Ada Wong

2
INTRODUCTION
  • Questions to be addressed in this chapter
  • What are the basic internal control concepts, and
    why are computer control and security important?
  • Brief Introduction of COBIT framework

3
INTRODUCTION
  • Why AIS threats are increasing
  • Control risks have increased in the last few
    years because
  • There are computers and servers everywhere, and
    information is available to an unprecedented
    number of workers.
  • Distributed computer networks make data available
    to many users, and these networks are harder to
    control than centralized mainframe systems.
  • Wide area networks are giving customers and
    suppliers access to each other's systems and
    data, making confidentiality a major concern.

4
INTRODUCTION
  • Historically, many organizations have not
    adequately protected their data due to one or
    more of the following reasons
  • Computer control problems are often
    underestimated and downplayed.
  • Control implications of moving from centralized,
    host-based computer systems to those of a
    networked system or Internet-based system are not
    always fully understood.
  • Companies have not realized that data is a
    strategic resource and that data security must be
    a strategic requirement.
  • Productivity and cost pressures may motivate
    management to forego time-consuming control
    measures.

5
INTRODUCTION
  • Some vocabulary terms for this chapter
  • A threat is any potential adverse occurrence or
    unwanted event that could injure the AIS or the
    organization.
  • The exposure or impact of the threat is the
    potential dollar loss that would occur if the
    threat becomes a reality.
  • The likelihood is the probability that the threat
    will occur.

6
Developing a Control Structure
  • How much control should be built into a system?
  • It depends on
  • Importance of Data
  • Critical??
  • Conduct Cost and Benefit Analysis
  • Control is expensive to build and complicated to
    use
  • Risk Assessment
  • Determine the potential frequency of the
    occurrence of a problem and the potential damage
    if it were to occur

7
Risk Assessment Model
[Figure: quadrant chart with axes Probability and Impact, scale marks H and L. Quadrants: I Contain and Control; II Prevent and Protect; III Safely Ignore; IV Insurance or Backup Plan.]

8
INTRODUCTION
  • Control and security are important
  • Companies are now recognizing the problems and
    taking positive steps to achieve better control,
    including
  • Devoting full-time staff to security and control
    concerns.
  • Educating employees about control measures.
  • Establishing and enforcing formal information
    security policies.
  • Making controls a part of the applications
    development process.
  • Moving sensitive data to more secure
    environments.

9
INTRODUCTION
  • To use IT in achieving control objectives,
    accountants must
  • Understand how to protect systems from threats.
  • Have a good understanding of IT and its
    capabilities and risks.
  • Achieving adequate security and control over the
    information resources of an organization should
    be a top management priority.

10
INTRODUCTION
  • Control objectives are the same regardless of the
    data processing method, but a computer-based AIS
    requires different internal control policies and
    procedures because
  • Computer processing may reduce clerical errors
    but increase risks of unauthorized access or
    modification of data files.
  • Segregation of duties must be achieved
    differently in an AIS.
  • Computers provide opportunities for enhancement
    of some internal controls.

11
INTRODUCTION
  • One of the primary objectives of an AIS is to
    control a business organization.
  • Accountants must help by designing effective
    control systems and auditing or reviewing control
    systems already in place to ensure their
    effectiveness.

12
INTRODUCTION
  • It is much easier to build controls into a system
    during the initial stage than to add them after
    the fact.
  • Consequently, accountants and control experts
    should be members of the teams that develop or
    modify information systems.

13
OVERVIEW OF CONTROL CONCEPTS
  • Internal control is the process implemented by
    the board of directors, management, and those
    under their direction to provide reasonable
    assurance that the following control objectives
    are achieved
  • Assets (including data) are safeguarded.
  • Records are maintained in sufficient detail to
    accurately and fairly reflect company assets.
  • Accurate and reliable information is provided.
  • There is reasonable assurance that financial
    reports are prepared in accordance with GAAP.
  • Operational efficiency is promoted and improved.
  • Adherence to prescribed managerial policies is
    encouraged.
  • The organization complies with applicable laws
    and regulations.

14
OVERVIEW OF CONTROL CONCEPTS
  • Internal control is a process because
  • It permeates an organization's operating
    activities.
  • It is an integral part of basic management
    activities.
  • Internal control provides reasonable, rather than
    absolute, assurance, because complete assurance
    is difficult or impossible to achieve and
    prohibitively expensive.

15
OVERVIEW OF CONTROL CONCEPTS
  • Internal control systems have inherent
    limitations, including
  • They are susceptible to errors and poor
    decisions.
  • They can be overridden by management or by
    collusion of two or more employees.
  • Internal control objectives are often at odds
    with each other.
  • EXAMPLE: Controls to safeguard assets may also
    reduce operational efficiency.

16
OVERVIEW OF CONTROL CONCEPTS
  • Internal controls perform three important
    functions
  • Preventive controls
  • Deter problems before they arise.

17
OVERVIEW OF CONTROL CONCEPTS
  • Internal controls perform three important
    functions
  • Preventive controls
  • Detective controls
  • Discover problems quickly when they do arise.

18
OVERVIEW OF CONTROL CONCEPTS
  • Internal controls perform three important
    functions
  • Preventive controls
  • Detective controls
  • Corrective controls
  • Remedy problems that have occurred by
  • Identifying the cause
  • Correcting the resulting errors and
  • Modifying the system to prevent future problems
    of this sort.

19
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
  • In the late 1990s and early 2000s, a series of
    multi-million-dollar accounting frauds made
    headlines.
  • The impact on financial markets was substantial,
    and Congress responded with passage of the
    Sarbanes-Oxley Act of 2002 (aka, SOX).
  • Applies to publicly held companies and their
    auditors.

20
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
  • The intent of SOX is to
  • Prevent financial statement fraud
  • Make financial reports more transparent
  • Protect investors
  • Strengthen internal controls in publicly-held
    companies
  • Punish executives who perpetrate fraud
  • SOX has had a material impact on the way boards
    of directors, management, and accountants operate.

21
CONTROL FRAMEWORKS
  • A number of frameworks have been developed to
    help companies develop good internal control
    systems. Three of the most important are
  • The COBIT framework
  • The COSO internal control framework
  • COSO's Enterprise Risk Management framework (ERM)

22
CONTROL FRAMEWORKS
  • COBIT framework
  • Also known as the Control Objectives for
    Information and Related Technology framework.
  • Developed by the Information Systems Audit and
    Control Foundation (ISACF).
  • A framework of generally applicable information
    systems security and control practices for IT
    control.

23
CONTROL FRAMEWORKS
  • The COBIT framework allows
  • Management to benchmark security and control
    practices of IT environments.
  • Users of IT services to be assured that adequate
    security and control exists.
  • Auditors to substantiate their opinions on
    internal control and advise on IT security and
    control matters.

24
SUMMARY
  • In this chapter, you've learned about basic
    internal control concepts and why computer
    control and security are so important.
  • Brief Introduction of COBIT framework