
IM_CH06


CHAPTER 6

CONTROL AND ACCOUNTING INFORMATION SYSTEMS

INTRODUCTION

• Questions to be addressed in this chapter include:

–What are the basic internal control concepts, and why are computer control and security important?

–What is the difference between the COBIT, COSO, and ERM control frameworks?

–What are the major elements in the internal environment of a company?

–What are the four types of control objectives that companies need to set?

–What events affect uncertainty, and how can they be identified?

–How is the Enterprise Risk Management model used to assess and respond to risk?

–What control activities are commonly used in companies?

–How do organizations communicate information and monitor control processes?

• Why AIS Threats Are Increasing--Control risks have increased in the last few years because there is a proliferation of computers, servers, and users, and because distributed and wide-area networks make data widely available.

• Some vocabulary terms for this chapter:

– A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.

–The exposure or impact of the threat is the potential dollar loss that would occur if the threat became a reality.

–The likelihood is the probability that the threat will occur.

• Companies are now recognizing control risks and taking positive steps to achieve better control, including security staffs, education, enforcement, secure environments, and building control into the development process. Accountants must understand how to protect systems from threats and have a good understanding of IT and its capabilities and risks. Management must make security and control a top priority.

• Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different policies and procedures to achieve that control.

• In today’s dynamic business environment, companies must balance the need for innovation and creativity with the need for control systems to avoid excessive risks or harmful behaviors.

• Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: (1) assets (including data) are safeguarded; (2) records are maintained in sufficient detail to accurately and fairly reflect company assets; (3) accurate and reliable information is provided; (4) there is reasonable assurance that financial reports are prepared in accordance with GAAP; (5) operational efficiency is promoted and improved; (6) adherence to prescribed managerial policies is encouraged; and (7) the organization complies with applicable laws and regulations.

• Internal control is a process that permeates an organization’s activities and provides reasonable, rather than absolute, assurance. Internal control systems are susceptible to errors, poor decisions, and override; and internal control objectives are often at odds with each other, e.g., controls to safeguard assets may also reduce operational efficiency.

• Internal controls perform three important functions:

–Preventive controls deter problems before they arise.

–Detective controls discover problems quickly when they do arise.

–Corrective controls remedy problems by identifying cause, correcting errors, and modifying the system to prevent recurrences.

• Internal controls are often classified as:

–General controls to ensure the environment is stable and well-managed.

–Application controls to prevent, detect, and correct transaction errors and fraud.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• In 1977, Congress passed the Foreign Corrupt Practices Act. Its primary purpose was to prevent the bribery of foreign officials to obtain business. A significant effect was to require that corporations maintain good systems of internal accounting control.

• In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines. Congress responded with passage of the Sarbanes-Oxley Act of 2002 (SOX). SOX applies to publicly held companies and their auditors.

• Important aspects of SOX include: (1) creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession; (2) new rules for auditors, audit committees, and management; and (3) new internal control requirements, requiring that management attest to the adequacy of internal controls. The auditor must attest to and report on management’s assessment on internal controls.

• The SEC further mandated that management must base its evaluation of internal control on a recognized control framework. The most likely framework is the COSO model discussed later.

• Levers of Control--Many people feel there is a basic conflict between creativity and controls. Robert Simons has espoused four levers of controls to help companies reconcile this conflict:

– A concise belief system to communicate core values to employees.

– A boundary system to set limits.

– A diagnostic control system to ensure efficient and effective achievement of important controls.

–An interactive control system to help top-management with high-level activities that demand regular attention, such as strategic development.

CONTROL FRAMEWORKS

• A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: the COBIT framework; the COSO internal control framework; and COSO’s Enterprise Risk Management framework (ERM).

• The COBIT Framework, also known as the Control Objectives for Information and Related Technology framework, was developed by the Information Systems Audit and Control Foundation (ISACF) as a foundation for IT control. COBIT consolidates standards from 36 different sources into a single framework and is having a big impact on the IS profession.

• COSO’s Internal Control Framework was created by the Committee of Sponsoring Organizations (COSO), a private-sector group consisting of the AAA, the AICPA, the IIA, the IMA, and the FEI. In 1992, COSO issued the Internal Control Integrated Framework to define internal controls and provide guidance for evaluating and enhancing them. It was widely accepted as the authority on internal controls and was incorporated into policies, rules, and regulations used to control business activities. COSO’s internal control model has five crucial components: control environment; control activities; risk assessment; information and communication; and monitoring.

• Nine years later, COSO began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process. The result was the Enterprise Risk Management Integrated Framework (ERM). It is an enhanced corporate governance document that expands on elements of the preceding framework and focuses on the broader subject of enterprise risk management.

• The intent of ERM is to achieve all goals of the previous framework and help the organization:

–Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.

–Achieve its financial and performance targets.

–Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.

–Avoid adverse publicity and damage to the entity’s reputation.

• ERM defines risk management as a process effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, to identify potential events that may affect the entity and manage risk to be within its risk appetite in order to provide reasonable assurance of the achievement of entity objectives.

• The basic principles behind ERM are:

–Companies are formed to create value for owners, and management must decide how much uncertainty they will accept. Uncertainty can result in risk (the possibility that something negative will happen to value) and opportunity (the possibility that something positive will happen to value).

–The framework should help management manage uncertainty and its associated risk to build and preserve value.

–To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.

• COSO developed a graphical model to illustrate the elements of ERM. Columns at the top represent the four types of objectives that management must meet to achieve company goals.

–Strategic objectives—high-level goals aligned with mission.

–Operations objectives—deal with effectiveness and efficiency of company operations, such as profitability goals and safeguarding assets.

–Reporting objectives—to ensure accuracy, completeness and reliability of reports.

–Compliance objectives—with laws and regulations.

• Columns on the right represent the company’s units: entire company; division; business unit; or subsidiary.

• The horizontal rows are eight related risk and control components, including:

–Internal environment—the tone or culture of the company.

–Objective setting—ensures a process in place to set objectives consistent with the company’s risk tolerance.

–Event identification—requires management to identify potential events that pose risks and opportunities.

–Risk assessment—to determine their potential impact.

–Risk response—involves determining whether to avoid, reduce, share or accept each risk.

–Control activities—to implement management’s risk responses.

–Information and communication—to identify, capture, and communicate information about the ERM’s components.

–Monitoring—involves reporting and acting on deficiencies.

• Each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.

• ERM Framework Vs. the Internal Control Framework—COSO’s internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, it has too narrow a focus and has an inherent bias toward focusing on past problems and concerns. The ERM framework takes a risk-based, rather than controls-based, approach to the organization, oriented toward the future and constant change. It incorporates rather than replaces COSO’s internal control framework and contains three additional elements. Over time, ERM will probably become the most widely adopted risk and control model.

INTERNAL ENVIRONMENT

• The most critical component of the ERM and the internal control framework is the internal environment.

• Internal environment consists of the following components: (1) management’s philosophy, operating style, and risk appetite; (2) the board of directors; (3) commitment to integrity, ethical values, and competence; (4) organizational structure; (5) methods of assigning authority and responsibility; (6) human resource standards; and (7) external influences.

• Management’s Philosophy, Operating Style, and Risk Appetite--An organization’s management has shared beliefs and attitudes about risk. That philosophy affects everything the organization does, long- and short-term, and affects their communications. Companies also have a risk appetite, the amount of risk they are willing to accept to achieve their goals and objectives. That appetite needs to be aligned with company strategy. This philosophy must be clearly communicated to all employees and backed up with actions. This component can be assessed by asking whether management takes undue business risks, attempts to manipulate performance measures, or pressures employees to achieve results regardless of methods.

• The Board of Directors—The organization should have an active and involved board of directors that oversees management; scrutinizes their plans, performance, and activities; approves strategy; reviews financial results and security policies; and interacts with auditors. They should possess sufficient knowledge and independence.

• Public companies must have an audit committee, composed entirely of independent, outside directors. They oversee the internal control structure, the financial reporting process, and compliance with laws and regulations. They also hire and work with the auditors to provide an independent review of management actions.

• Commitment to Integrity, Ethical Values, and Competence--Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence. Management should reward and encourage honesty and give labels to honest and dishonest acts. Codes of conduct can help specify permissible and forbidden acts. Employees should be required to report violations. The levers of control can be helpful in creating a commitment to integrity.

• Organizational Structure--A company’s organizational structure defines its lines of authority, responsibility, and reporting. It provides the overall framework for planning, directing, executing, controlling, and monitoring its operations. In today’s business world, the hierarchical organizations with many layers of management are giving way to flatter organizations with self-directed work teams. These changes have a significant impact on the nature and type of controls needed.

• Methods of Assigning Authority and Responsibility--Management should make sure employees understand the entity’s objectives and that authority and responsibility for achieving those objectives is assigned to specific departments and individuals. Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable. Management must be sure to identify who is responsible for the IS security policy and should monitor results so decisions can be reviewed and, if necessary, overruled. Authority and responsibility are assigned through job descriptions; employee training; operating plans, schedules, and budgets; codes of conduct; and written policies and procedures manuals.

• Human Resources Standards--Employees are both the company’s greatest control strength and weakness. Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required. Policies on working conditions, incentives, and career advancement can encourage efficiency and loyalty. Policies with respect to the following issues are particularly important:

–Hiring—Should be based on the candidate’s match to the job requirements. Formal interviews should be conducted, and reference and background checks should be done.

–Compensating—Employees should be paid a fair wage.

–Training—Employees should have ongoing training related to their responsibilities, company policies and expectations, and fraud awareness. Employees should be made aware of consequences of bad behavior.

–Evaluating and promoting—Periodic performance appraisals help employees understand their strengths and weaknesses and should be an important basis for promotions.

–Discharging—Terminated employees should be removed from sensitive jobs immediately and denied system access.

–Managing disgruntled employees--Disgruntled employees are much likelier fraud candidates than satisfied employees. The organization can try to reduce the employee’s pressures through grievance channels and counseling.

–Vacations and rotation of duties--Some fraud schemes cannot continue without the constant attention of the perpetrator. Mandatory vacations or rotation of duties can prevent these frauds or lead to early detection.

–Confidentiality agreements and fidelity bond insurance--Employees, suppliers, and contractors should be required to sign and abide by nondisclosure or confidentiality agreements. Key employees should have fidelity bond insurance coverage to protect the company against losses from fraudulent acts.

–In addition to the preceding policies, the company should seek prosecution and incarceration of hackers and fraud perpetrators.

• External influences--External influences that affect the control environment include requirements imposed by FASB, the PCAOB, the SEC, insurance commissions, and regulatory agencies for banks, utilities, etc.

OBJECTIVE SETTING

• Objective setting is the second ERM component. It must precede many of the other six components, i.e., you must set objectives before you can define events that affect your ability to achieve objectives. Top management, with board approval, must articulate why the company exists and what it hopes to achieve (the corporate vision or mission). They use the mission statement as a base from which to set corporate objectives. The objectives need to be easy to understand and measure, prioritized, and aligned with the company’s risk appetite.

• Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub-units. For each set of objectives, critical success factors (what has to go right) must be defined and performance measures should be established.

• The objective-setting process goes as follows. First, set strategic objectives--the high-level goals that support the company’s mission and create value for shareholders. To meet these objectives, identify alternative ways of accomplishing them. For each alternative, identify and assess risks and implications. Formulate a corporate strategy, and then set operations, compliance, and reporting objectives.

EVENT IDENTIFICATION

• Events are incidents or occurrences that emanate from internal or external sources that affect implementation of strategy or achievement of objectives. Their impact can be positive, negative, or both. Events can range from obvious to obscure and from inconsequential to highly significant.

• Management must do its best to anticipate all possible events. COSO identified many internal and external factors that could influence events and affect a company’s ability to implement strategy and achieve objectives.

• External factors include economic factors, natural environment, political factors, social factors, and technological factors. Internal factors include infrastructure, personnel, process, and technology. Companies usually use two or more of the following techniques together to identify events: comprehensive lists of potential events; internal analysis; monitoring of leading events and trigger points; workshops and interviews; data mining and analysis; and process analysis.

RISK ASSESSMENT AND RISK RESPONSE

• COSO indicates there are two types of risk: Inherent risk is the risk that exists before management takes any control steps. Residual risk is the risk that still remains after control steps. Companies should assess inherent risk, develop a response, and then assess residual risk. The steps in risk assessment and response are:

–Identify the events or threats that confront the company.

–Estimate the likelihood of each event occurring.

–Estimate the potential loss from each threat.

–Identify controls to guard against the threat.

–Estimate costs and benefits of implementing such controls.

–If it’s cost beneficial, then reduce the risk by implementing controls; otherwise, avoid, share, or accept the risk.
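The six steps above, carried through on constructed numbers, as an added example that is not part of the instructor's manual. Expected annual loss is taken as likelihood times exposure (the chapter's vocabulary: threat, likelihood, exposure/impact), a control is modelled as a fractional cut to one or both, and the chapter's decision rule is applied: reduce the risk when a control is cost-beneficial, otherwise leave it to avoid, share, or accept. Threat names, dollar figures, and controls are all assumed sample data.

```python
"""Worked cost-benefit risk assessment in the chapter's terms.

All threats, dollar figures and controls below are constructed for
illustration; they are not data from the chapter.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    """A potential adverse event, with its likelihood and exposure (impact)."""
    name: str
    likelihood: float   # probability the threat occurs in one year, 0..1
    exposure: float     # potential dollar loss if the threat becomes real

    def expected_loss(self) -> float:
        # Expected annual loss = likelihood x exposure. With no control
        # applied this is the inherent risk.
        return self.likelihood * self.exposure


@dataclass(frozen=True)
class Control:
    """A candidate control: what it costs and how much it shrinks the risk."""
    name: str
    annual_cost: float
    likelihood_cut: float = 0.0  # fraction by which it lowers likelihood
    exposure_cut: float = 0.0    # fraction by which it lowers exposure


def residual_risk(threat: Threat, control: Control) -> float:
    """Expected loss that still remains after the control is applied."""
    return (threat.likelihood * (1.0 - control.likelihood_cut)
            * threat.exposure * (1.0 - control.exposure_cut))


def net_benefit(threat: Threat, control: Control) -> float:
    """Reduction in expected loss minus the control's annual cost."""
    return threat.expected_loss() - residual_risk(threat, control) - control.annual_cost


def risk_response(threat: Threat, controls: List[Control]) -> Tuple[str, Optional[str]]:
    """Apply the chapter's decision rule to one threat.

    Returns ("reduce", control_name) when some control is cost-beneficial
    (the one with the largest net benefit), otherwise ("avoid/share/accept",
    None): choosing among those three is a management judgement the rule
    does not encode.
    """
    best = max(controls, key=lambda c: net_benefit(threat, c), default=None)
    if best is not None and net_benefit(threat, best) > 0:
        return "reduce", best.name
    return "avoid/share/accept", None


# Constructed sample data (not from the chapter).
CUSTOMER_DATA = Threat("unauthorized disclosure of customer data", 0.10, 500_000.0)
PAYROLL_ERROR = Threat("data entry error in payroll", 0.50, 2_000.0)

ENCRYPT_DB = Control("encrypt customer database", 20_000.0, exposure_cut=0.80)
ACCESS_REVIEW = Control("quarterly access review", 45_000.0, likelihood_cut=0.50)
SECOND_REVIEW = Control("second-person review of payroll input", 5_000.0, likelihood_cut=0.90)


if __name__ == "__main__":
    for threat, options in ((CUSTOMER_DATA, [ENCRYPT_DB, ACCESS_REVIEW]),
                            (PAYROLL_ERROR, [SECOND_REVIEW])):
        print(f"{threat.name}: inherent expected loss ${threat.expected_loss():,.0f}")
        for c in options:
            print(f"  {c.name}: residual ${residual_risk(threat, c):,.0f}, "
                  f"net benefit ${net_benefit(threat, c):,.0f}")
        print("  response:", risk_response(threat, options))
```

With these numbers the database encryption pays for itself (net benefit $20,000) while the payroll review costs far more than the $900 of expected loss it removes, so that risk is left for management to avoid, share, or accept.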

CONTROL ACTIVITIES

• Control activities are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out. They generally fall into one of the following categories: (1) proper authorization of transactions and activities; (2) segregation of duties; (3) project development and acquisition controls; (4) change management controls; (5) design and use of documents and records; (6) safeguard assets, records, and data; and (7) independent checks on performance.

• Proper Authorization of Transactions and Activities--Management must establish policies and empower employees to perform activities within policy. This empowerment is called authorization. There are typically at least two levels of authorization. With general authorization, management authorizes employees to handle routine transactions without special approval. Special authorization is required for transactions that are of significant consequences; management review and approval is required.

• Segregation of Duties--Segregation of duties in the accounting function means that no one employee should have responsibility for more than one of the following with respect to related assets:

–Authorization—approving transactions and decisions.

–Recording—Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.

–Custody—Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization’s bank account.

• If two or more employees work together to override these controls, there is collusion.

• Within the systems function, procedures once performed by separate individuals are combined. Therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud. To combat this threat, organizations must implement effective segregation of duties within the IS function. Authority and responsibility must be divided clearly among the following functions: systems administration; network management; security management; change management; users; systems analysts; programming; computer operations; information systems library; and data control.
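A segregation-of-duties check that a control or IAM reviewer might run over a role assignment, added here as an example and not taken from the instructor's manual. It covers both rules above: the three accounting duties (authorization, recording, custody) applied per related asset, and the list of IS functions that must be kept separate. The employee names and their assignments are constructed sample data; the assignment tuple format is an assumption of this example.

```python
"""Segregation-of-duties conflict check over a constructed role assignment.

Employee names and assignments are constructed for illustration; the
(employee, scope, duty) record format is this example's own convention.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# The three accounting duties the chapter says one person must not combine
# for the same (related) asset: holding two lets them commit and conceal.
ACCOUNTING_DUTIES = {"authorization", "recording", "custody"}

# IS functions among which the chapter says authority must be divided.
IS_FUNCTIONS = {
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysts", "programming",
    "computer operations", "information systems library", "data control",
}

# One assignment record: (employee, scope, duty). For accounting duties the
# scope is the related asset (e.g. "cash"); for IS functions it is "IS".
Assignment = Tuple[str, str, str]


def accounting_conflicts(assignments: List[Assignment]) -> Dict[Tuple[str, str], Set[str]]:
    """Employees holding more than one of authorization/recording/custody
    over the same asset. Key: (employee, asset); value: the duties held."""
    held: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for emp, asset, duty in assignments:
        if duty in ACCOUNTING_DUTIES:
            held[(emp, asset)].add(duty)
    return {key: duties for key, duties in held.items() if len(duties) > 1}


def is_function_conflicts(assignments: List[Assignment]) -> Dict[str, Set[str]]:
    """Employees holding more than one of the IS functions that must be
    separated. Key: employee; value: the functions held."""
    held: Dict[str, Set[str]] = defaultdict(set)
    for emp, _scope, duty in assignments:
        if duty in IS_FUNCTIONS:
            held[emp].add(duty)
    return {emp: funcs for emp, funcs in held.items() if len(funcs) > 1}


# Constructed sample assignment (not from the chapter).
SAMPLE: List[Assignment] = [
    ("alice", "cash", "authorization"),
    ("alice", "cash", "custody"),            # conflict: approves and handles cash
    ("bob", "cash", "recording"),
    ("bob", "inventory", "custody"),         # different asset: no conflict
    ("carol", "IS", "programming"),
    ("carol", "IS", "computer operations"),  # conflict: can change and run code
    ("dave", "IS", "security management"),
]

# Note: this check only finds duties combined in one person. It cannot see
# collusion, where two or more employees work together to override the control.

if __name__ == "__main__":
    for (emp, asset), duties in accounting_conflicts(SAMPLE).items():
        print(f"accounting SoD conflict: {emp} holds {sorted(duties)} over {asset}")
    for emp, funcs in is_function_conflicts(SAMPLE).items():
        print(f"IS SoD conflict: {emp} holds {sorted(funcs)}")
```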

• Project Development and Acquisition Controls—Involves a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies. This approach should contain appropriate controls for management review and approval, user involvement, analysis, design, testing, implementation, and conversion. The following basic control principles should be applied to systems development: develop a strategic master plan; incorporate project controls; create a data processing schedule; utilize a steering committee; and use system performance measurements and post-implementation review.

• Change Management Controls--Change management is the process of making sure that system changes do not negatively affect systems reliability, security, confidentiality, integrity, or availability.

• Design and Use of Adequate Documents and Records--Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data. Form and content should be kept as simple as possible. Documents that initiate a transaction should contain a space for authorization. Those used to transfer assets should have a space for the receiving party’s signature. Documents should be sequentially pre-numbered and should provide an audit trail.

• Safeguard Assets, Records, and Data—Cash, inventory, information, and other assets all need to be protected. Insiders pose the greatest risk to information. It is important to maintain accurate records of all assets, periodically reconcile recorded amounts to physical counts, restrict access to assets, and protect records and documents.

• Independent Checks on Performance--Internal checks to ensure that transactions are processed accurately are an important control element. These checks should be performed by someone independent of the party responsible for the activities. They typically include: top-level reviews, analytical reviews, reconciliation of independently maintained sets of records, comparison of actual quantities with recorded amounts, double-entry accounting, and independent review.

INFORMATION AND COMMUNICATION

• Information and communication is the seventh component of COSO’s ERM model. The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization. So accountants must understand how transactions are initiated, data are captured in or converted to machine-readable form, computer files are accessed and updated, data are processed, and information is reported to internal and external parties. Accountants must also understand the accounting records and procedures, supporting documents, and specific financial statement accounts involved in processing and reporting transactions. The preceding items facilitate an audit trail, which allows transactions to be traced from origin to financial statements and vice versa.

MONITORING

• Monitoring is the eighth component of COSO’s ERM model. It can be accomplished with a series of ongoing events or by separate evaluations. Key methods of monitoring performance include: performing ERM evaluation, implementing effective supervision, using responsibility accounting, monitoring system activities, tracking purchased software, conducting periodic audits, employing a computer security officer and security consultants, engaging forensic specialists, installing fraud detection software, and implementing a fraud hotline.

SUMMARY OF MATERIAL COVERED

• Basic internal control concepts and why computer control and security are so important.

• Similarities and differences between the COBIT, COSO, and ERM control frameworks.

• Major elements in the internal control environment of a company and the four types of control objectives that companies need to set.

• Events that affect uncertainty and how these events can be identified.

• How the Enterprise Risk Management model is used to assess and respond to risk, as well as the control activities that are commonly used in companies.

• How organizations communicate information and monitor control processes.

TEACHING TIPS

• Students have difficulty assimilating the sheer volume of information with respect to internal control frameworks. However, the material is very important for Section 404 assessments of internal control as prescribed by Sarbanes-Oxley. Students won’t “own” this material until they apply it. In order to help students grasp the intuition behind the concepts, instructors should assign and review as many of the end-of-chapter problems as time allows.
