Accounting Information Systems Lecture Notes (PDF) - University of Amsterdam 1/8/2025
Document Details
University of Amsterdam
2025
Summary
These are lecture notes from the University of Amsterdam, covering accounting information systems and auditing. The notes cover topics like fraud, the COSO framework, internal control measures, and the importance of segregation of duties.
Full Transcript
1/8/2025 Accounting Information Systems, lecture 2, January 18, 2025

The program
- Fraud
- The COSO model
- The internal control toolbox
- Overview of the book, Ch 8-10

Fraud: some characteristics and views

The Enron scandal
https://www.youtube.com/watch?v=-w6duQhWuVk

March 7, 2002 - the SEC requests information from WorldCom: how could WorldCom make so much when AT&T is losing money?
WorldCom reduced the amount of money it held in reserve (to cover liabilities for the companies it had acquired) by $2.8 billion and moved this money into the revenue line of its financial statements. Additionally, WorldCom classified operating expenses as long-term capital investments. Hiding these expenses in this way gave them another $3.85 billion. In 2002 WorldCom filed for bankruptcy, becoming the largest bankruptcy filing in American history. The SEC accused the company of misrepresenting earnings to the tune of $11 billion.
(Photo caption: Scott Sullivan, who had been the telecom company's financial director, received far less than the 25 years given last month to Ebbers, his one-time boss. Bernard Ebbers, former CEO of WorldCom, enters Manhattan federal court, Tuesday. AP photo)

A BIG fraud: SocGen's rogue trader
A harsh sentence for Jérôme Kerviel
A bumpkin from Brittany, seduced by a corrupt banking system and the avarice of his bosses, or "a crook, a fraud and a terrorist"? These were the competing descriptions that a French court was asked to weigh in the case of Jérôme Kerviel, a rogue trader who almost laid low Société Générale, France's second-biggest bank. On October 5th the court ruled unequivocally that Mr Kerviel was guilty, sentencing him to five years in jail, the maximum sentence it could hand down (although it suspended two years of the term). Mr Kerviel, who has become something of a popular hero in France for outwitting fat-cat bankers, is appealing against the decision.
The court's order that Mr Kerviel repay the bank €4.9 billion ($7 billion), the amount that it lost in January 2008 unwinding his trades, also caused public consternation.

Fraud is BIG (UK figures)

Definition of fraud
- Intentional (so not an error)
- Misleading: altering information, presenting wrong information
- Objective: to obtain an illegitimate gain (mostly money)

Types of fraud
- Fraudulent statements: financial; non-financial
- Asset misappropriation: theft of cash; fraudulent disbursements; inventory and other assets
- Bribery and corruption: bribery; illegal gratuities; economic extortion; conflict of interest
- Other types: intellectual property theft; financial institution fraud; check and credit card fraud; insurance fraud; healthcare fraud; bankruptcy fraud; tax fraud; securities fraud; money laundering; consumer fraud; computer and Internet fraud

Who commits fraud and why
Opportunity is the opening or gateway that allows an individual to:
- commit the fraud
- conceal the fraud
- convert the proceeds
There are many opportunities that enable fraud. Some of the most common are:
- lack of internal controls
- failure to enforce controls (the most prevalent reason)
- excessive trust in key employees
- incompetent supervisory personnel
- inattention to details
- inadequate staff

The Grammar of Fraud Risk: 4 risk sources of fraud (figure)

The fraud triangle
Criminologist Donald Cressey interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle:
- Pressure
- Opportunity
- Rationalization

The fraud triangle (figure)

From triangle to diamond (figure)

The M.I.C.E. model (figure)

Dorminey: expansion of the triangle (figure)

Six famous red flags for fraud
- Living beyond one's means
- Financial difficulties
- Unusually close association with a vendor or customer
- Excessive control issues or unwillingness to share duties
- Recent divorce or family problems
- A general "wheeler-dealer" attitude involving shrewd or unscrupulous behavior

OK, but ICAIS is not only aimed at preventing or detecting fraud
- Intentional "mistakes": fraud
- Non-intentional: errors and incidents, such as human errors, errors caused by e.g. hardware/software problems, and internal or external events
ICAIS tries to prevent (if possible) or detect the events, or the consequences of the events, related to:
- the quality of information
- the assets of the organization (money, goods, information, ...)

Threats to information provision and AIS
Information does not automatically meet quality requirements!
Risk = the possibility of an event occurring that adversely affects the achievement of objectives.
Just as business risks threaten the achievement of business objectives, information risks threaten the achievement of the objectives of the AIS and of information provision in general (producing information that meets the quality criteria).
Threats to the AIS and quality of information:
- Natural and political disasters (floods, fire, war)
- Software errors and equipment malfunctions (bugs, failure of hardware components)
- Unintentional acts (human errors, laziness, incompetence)
- Intentional acts (crime, fraud, but also sabotage)
Information does not automatically meet quality requirements!

Control models as a solution?

COSO
Internal control = "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; compliance with applicable laws and regulations; safeguarding of assets."

History of the COSO framework (timeline 1975-1992; source: Protiviti Inc., 2004)
- Watergate investigations (mid 1970s): identified several US corporations that made illegal political contributions, including bribes to foreign government officials. Increased attention given to internal controls.
- Foreign Corrupt Practices Act of 1977: a Congressional committee held hearings in response to the Watergate investigation results. The FCPA was enacted and contained provisions pertaining to accounting and internal control. These provisions require corporate management to maintain adequate books and records, and to devise a system of internal accounting control.
- Cohen Commission Report (1978): a study of auditors' responsibilities by the AICPA that recommended that corporate management include a report with the financial statements that disclosed the condition of the company's system of internal control. The report was endorsed by the Financial Executives Institute (FEI).
- SEC (1979): the SEC proposed rules for mandatory management reports on an entity's internal accounting controls. The proposed rules called for an independent auditor report as well.
- Minahan Committee (1979): the AICPA formed a Special Advisory Committee on Internal Control, the "Minahan Committee", to provide guidance about establishing and evaluating internal control.
- Financial Executives Research Foundation (1980): the major contribution of a research study on internal control was the cataloging of internal control characteristics, conditions, practices and procedures.
- Treadway Commission Report (1987): the National Commission on Fraudulent Financial Reporting (the Treadway Commission) was created by the joint sponsorship of the AICPA, American Accounting Association, FEI, Institute of Internal Auditors, and the Institute of Management Accountants. Its primary objective was to identify the causal factors of fraudulent financial reporting and make recommendations to reduce its incidence. A number of recommendations addressed internal control. It called for the sponsoring organizations to work together to integrate internal control concepts and definitions.
- COSO Internal Control Integrated Framework (1992).

The COSO model
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring

COSO 2013 Framework: 5 components (figure)

COSO – Control Environment
The process consists of 5 elements: 1. Control Environment, 2. Risk Assessment, 3. Control Activities, 4. Information & Communication, 5. Monitoring.
- Management's philosophy, operating style, and risk appetite
- Commitment to integrity, ethical values, and competence
- Internal control oversight by the Board of Directors
- Organizing structure
- Methods of assigning authority and responsibility
- Human resource standards

Control environment / internal environment
Elements:
- Ethics, "tone at the top"
- Organisational structure
- Tasks, responsibilities
- Management philosophy, pressure to perform
- Commitment to competence
- Commitment to excellence
- Human resource policies

Risk assessment: risk matrix (probability high/low against impact high/low; figure)
Internal control:
- Know where you want to go
- Know where you're going
- Be able to intervene if necessary
- Do not take irresponsible risks
Risk assessment involves estimating the likelihood of a critical event occurring and the impact of the occurrence of that event. This does not mean avoiding all risks or trying to reduce them to 0! Risk assessment is focused on establishing such measures that the residual risk is reduced to an acceptable level (see Knechel et al., 2007).
For each identified risk, we must analyse:
- What is the impact and probability of the threat?
- Cost-benefit analysis of implementing controls for this specific risk
- Can other control measures compensate?
- Alternative ways of responding to the risk

How can management respond to these risks? Risk responses:
- Reduce: reduce the likelihood and impact of the risk by implementing an effective system of internal controls.
- Accept: do nothing; accept the likelihood and impact of the risk.
- Share: share the risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into a hedging transaction.
- Avoid: avoid the risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.
Controls should always be related to risks!

COSO – Control Activities
Controls are always coupled with risks!

Examples of control activities
- Top level reviews
- Controls in the IT system
- Internal control measures
- Segregation of duties
- Direct supervision
- And many more

COSO – Information & Communication
There are three principles that apply to the information and communication process:
- Obtain or generate relevant, high-quality information to support internal control.
- Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control.
- Communicate relevant internal control matters to external parties.

Information and communication
- Formal communication: paper, oral
- Available management information: quality, availability
- Management attention for information

Monitoring
How can management monitor the quality of their internal control system?
- Internal/external audits
- Information re. complaints and other signals
- Direct supervision
- Audit committee

COSO – Monitoring
Measures to monitor the correct working of the IC system:
- Perform internal control evaluations (e.g., internal audit)
- Implement effective supervision
- Use responsibility accounting systems (e.g., budgets)
- Monitor system activities
- Track purchased software and mobile devices
- Conduct periodic audits (e.g., external, internal, network security)
- Employ a computer security officer
- Engage forensic specialists
- Install fraud detection software
- Implement a fraud hotline

COSO Internal Control Integrated Framework: codification of the 17 principles embedded in the original Framework
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Holds individuals accountable
Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Effect of COSO elements on the fraud triangle (figure)
- Control environment
- Control activities, segregation of duties
- Management oversight
- Restricting authorization
The program
- Fraud
- The COSO model
- The internal control toolbox
- Overview of the book, Ch 8-10

Important part for this course: the internal control toolbox

Internal controls: functions of (organizational) internal controls
- Preventive controls: controls that deter problems before they arise. Preventing deviations from the norm, through organizational measures. Looking forward.
- Detective controls: controls designed to discover control problems that were not prevented. Detecting deviations, through checks and audits. Looking back.
- Corrective controls: controls that identify and correct problems, as well as correct and recover from the resulting errors. Correcting the errors detected through checks and audits. Looking back.

Some elements of the internal control toolbox
- Segregation of duties
- Value cycle
- Reconciliations
- IT controls
- Control documentation
- Definitions, restrictions of authority
- Change management
- Project development and acquisition control
- Independent checks on performance

Internal control: types of controls
We can classify controls into 3 different categories:
1. Generic: (risks and) controls applicable to every process and organization. Organizational: segregation of duties, reconciliations. IT: logical access controls (user names, passwords, 2FA).
2. Process-specific: control measures specifically for a certain transaction cycle, but present in most organisations. Organizational: 3-way match in the expenditure cycle. IT: closed-loop verification (entering the zip code and house number produces the street address).
3. Case-specific: control measures specific to a certain scenario / business case. Organizational: deposit system for valuable goods. IT: Cloudflare (for organizations sensitive to downtime / DDoS attacks).

Internal control measures: segregation of duties
Basic idea: "divide and conquer". I don't want anyone in my organization to have so much power that they can make and break my organization, so I break down processes into individual steps and make sure that successive steps are performed by separate people or departments.
Separating these functions prevents actors from being able to commit fraud. Because of their opposed interests, we can verify the correctness and completeness of data by comparing the same data point from 2 different sources (reconciliations, see further in this presentation), which prevents concealment of fraud.
Segregation of accounting duties between the following functions removes the possibility to commit AND conceal fraud:
1. Custody
2. Recording
3. Authorization
4. Checking
5. (Executing)

Segregation of duties: I do not want to give the "key to success" to only one person/department
- because of possible fraud
- because of possible mistakes
Therefore: "divide and conquer".

SoD and functions: what are these functions?
- Authorization: can commit the organization, or part of the organization, independently.
- Custody: safeguards goods, money or other values; should not surrender them unless told to do so by an authorized function.
- Recording: records data related to purchases, sales, cash receipts and cash disbursements in data collections.
- (Checking): checks the realization of plans against norms.
- (Execution): not directly visible in the value cycle.

Concluding: SoD
Every combined function that should be segregated is a risk:
- What is the impact and probability of the threat?
- Cost-benefit analysis
- Can other control measures compensate?
SoD does not prevent fraud when different actors collude!
Internal control measures: the value cycle (figure)
- Goods flow: Purchasing -> Stock -> Selling (supplier on the left, customer on the right)
- Accounting: Accounts Payable -> Accounting -> Accounts Receivable
- Money flow: Paying -> Cash -> Receiving
- Functions in the cycle: "recording", "custody", "authorisation"
The framework is an important tool for identifying the necessary segregation of duties.

Reconciliations
A reconciliation is a check on the relationship between two independent sources of information. If the relationship between these has been established, this provides (reasonable) certainty that both sources are correct. Only if both sources make the same mistake (which is quite unlikely) will an error go undetected.
2 types of reconciliations:
1. Reconciliation procedures to reconcile to control reports (e.g., the general ledger A/R account reconciled to the Accounts Receivable subsidiary ledger)
2. External data reconciliation (e.g., taking stock)
Examples of reconciliation procedures:
- Total purchases = total received goods
- Total sales = total disbursements from the warehouse
- Total decrease in A/R = total receipts of cash

SoD makes reconciliations possible (figure)
Purchasing: 10 purchased. Stock: 10 received. Accounts Payable: invoice for 10 booked. Each function reports the same event independently, so the figures can be compared.

Value cycle, segregation of duties and reconciliations: building triangles (figures)
- Authorization (Purchases): purchased 10 items. Custody (Goods): received 10 items. Recording: Purchases # = Received #?
- Authorization: approved invoice for 10 items * price. Recording (A/P): accounts payable increase @ 10 items * price. Purchases € = Increase A/P €?

Value cycle, segregation of duties and reconciliations: network of reconciliations (figure)
The framework is an important tool for reconciliations.

Reconciliations
Reconciliations between (at least) 2 "independent" information sources. If information is (correctly) reconciled it gives you information on correctness and completeness.
Most common example: the 3-way match.
And another: beginning inventory + purchases - sales = ending inventory.

Some elements of the internal control toolbox (continued): IT controls

Types of IT controls
Romney p. 324: IT controls are often segregated into two categories:
1. General controls make sure an organization's control environment is stable and well managed. Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls.
2. Application controls prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.
IT controls in both categories are still preventive, detective and corrective in nature!

AIS & IT – Systems reliability: Trust Services Framework
Systems reliability consists of 5 components:
1. Security
2. Confidentiality
3. Privacy
4. Processing integrity
5. Availability
So we have to design and implement IT controls for every component!

AIS & IT – Systems reliability: Security
Security = access to the system and data is controlled and restricted to legitimate users.
How?
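As an added worked example (this is not part of the lecture notes, and all transactions and names in it are constructed), the Python below implements the two mechanisms from the segregation-of-duties and reconciliation slides above: a check that no single person holds two of the incompatible duties (authorization, custody, recording, checking), and the 3-way match of purchase order (authorization), goods receipt (custody) and vendor invoice (recording), followed by the "Purchases € = increase in A/P €" ledger reconciliation. The sample data, the 0.005 price tolerance and the function names are assumptions made for the example.

```python
"""Added example: SoD conflict check and value-cycle reconciliations.
All data below is constructed for illustration (not from the lecture)."""
from collections import defaultdict
from itertools import combinations

# The four accounting duties the slides say must be separated. Any one
# person holding two of them can both commit and conceal a fraud.
DUTIES = ("authorization", "custody", "recording", "checking")


def sod_conflicts(assignments):
    """assignments: {user: set_of_duties} -> sorted list of (user, duty, duty).

    Limit stated on the slides: this catches one person holding two duties,
    not two people who collude; the reconciliations below help with that.
    """
    conflicts = []
    for user, duties in sorted(assignments.items()):
        held = sorted(d for d in duties if d in DUTIES)
        for a, b in combinations(held, 2):
            conflicts.append((user, a, b))
    return conflicts


def three_way_match(orders, receipts, invoices, tolerance=0.005):
    """Reconcile three independent sources per PO number: purchase order
    (authorization), goods receipt (custody) and vendor invoice (recording).
    Returns {po: [problem, ...]} for every PO that does not reconcile."""
    ordered = {o["po"]: o for o in orders}
    received = defaultdict(int)
    for r in receipts:
        received[r["po"]] += r["qty"]
    invoiced = defaultdict(lambda: [0, 0.0])  # [quantity, amount]
    for inv in invoices:
        invoiced[inv["po"]][0] += inv["qty"]
        invoiced[inv["po"]][1] += inv["qty"] * inv["unit_price"]

    exceptions = {}
    for po in sorted(set(ordered) | set(received) | set(invoiced)):
        order = ordered.get(po)
        if order is None:
            # goods or an invoice with no approved PO: nobody authorized it
            exceptions[po] = ["no approved purchase order"]
            continue
        problems = []
        if received[po] != order["qty"]:
            problems.append(f"received {received[po]} vs ordered {order['qty']}")
        inv_qty, inv_amount = invoiced[po]
        if inv_qty != received[po]:
            problems.append(f"invoiced {inv_qty} vs received {received[po]}")
        expected = inv_qty * order["unit_price"]  # invoice priced at PO price
        if inv_qty and abs(inv_amount - expected) > tolerance:
            problems.append(f"invoice amount {inv_amount:.2f} vs {expected:.2f} at PO price")
        if problems:
            exceptions[po] = problems
    return exceptions


def purchases_minus_ap_increase(invoices, ap_entries):
    """Ledger reconciliation from the slides: Purchases € = increase in A/P €.
    Returns A/P postings minus invoiced purchases; 0.0 means reconciled."""
    purchases = sum(inv["qty"] * inv["unit_price"] for inv in invoices)
    ap_increase = sum(e["amount"] for e in ap_entries)
    return round(ap_increase - purchases, 2)


# --- constructed sample data (assumed, not from the lecture) ---
ASSIGNMENTS = {
    "alice": {"authorization"},          # purchasing
    "bob": {"custody"},                  # warehouse
    "carol": {"recording", "custody"},   # conflict: books and holds the goods
    "dave": {"checking"},                # internal audit
}
ORDERS = [
    {"po": "PO1", "qty": 10, "unit_price": 5.00},
    {"po": "PO2", "qty": 4, "unit_price": 20.00},
    {"po": "PO3", "qty": 3, "unit_price": 12.50},
]
RECEIPTS = [
    {"po": "PO1", "qty": 10},
    {"po": "PO2", "qty": 4},
    {"po": "PO3", "qty": 2},   # short delivery
    {"po": "PO4", "qty": 6},   # goods received without any PO
]
INVOICES = [
    {"po": "PO1", "qty": 10, "unit_price": 5.00},
    {"po": "PO2", "qty": 4, "unit_price": 22.00},   # priced above the approved PO
    {"po": "PO3", "qty": 2, "unit_price": 12.50},
]
AP_ENTRIES = [
    {"po": "PO1", "amount": 50.00},
    {"po": "PO2", "amount": 88.00},
    {"po": "PO3", "amount": 25.00},
    {"po": None, "amount": 40.00},   # manual A/P posting with no invoice behind it
]

if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ASSIGNMENTS))
    for po, problems in three_way_match(ORDERS, RECEIPTS, INVOICES).items():
        print(po, "->", "; ".join(problems))
    print("A/P increase minus purchases:", purchases_minus_ap_increase(INVOICES, AP_ENTRIES))
```

Running it flags carol (custody plus recording), PO2 (invoice above the authorized price), PO3 (short delivery), PO4 (receipt with no authorization) and a 40.00 excess in A/P that no approved invoice explains. Note what the collusion caveat on the slides means here: if alice and bob agree on the same false quantity, the quantity reconciliation passes, and only the independent source (the invoice, or a physical stock count) can still expose it.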
Time-based model of security and defense in depth: based on an assessment of risks, implement a coherent set of preventive, detective and corrective controls (similar to internal control) across the 6 layers of cybersecurity.
Why? It is the foundation for system reliability and the foundation for segregation of accounting duties.

AIS & IT – Systems reliability: Confidentiality
Information designated as confidential is protected.

AIS & IT – Systems reliability: Confidentiality – actions
1. Identify and classify the information to protect: where is it located and who has access? Classify the value of the information to the organization.
2. Encryption: protect information in transit and in storage.
3. Access controls: Information Rights Management (IRM), digital watermarks.
4. Training.

AIS & IT – Systems reliability: Privacy
Personal information about trading partners, investors and employees is protected.

AIS & IT – Systems reliability: Privacy – actions and concerns
The actions to achieve confidentiality also apply to privacy. Additional concerns:
1. Spam: unsolicited e-mail that contains either advertising or offensive content.
2. Identity theft: assuming someone's identity, usually for financial gain.
3. Generally Accepted Privacy Principles (GAPP).

Overview of the book, Ch 8
- Page 250: threats to AIS
- Page 253: fraud, definition and characteristics
- Pages 254-255: misappropriation of assets and fraudulent financial reporting
- Pages 256-260: the fraud triangle
- Page 265: summary of ways to prevent and detect fraud and errors

Overview of the book, Ch 9
- Pages 303-305: summary of computer fraud and abuse techniques. You should have a general understanding of the methods and terms that are mentioned in this chapter.
Overview of the book, Ch 10
- Page 324: internal control objectives; preventive, detective and corrective controls
- Page 326: COBIT framework: only general knowledge required
- Page 328: COSO
- Page 329: COSO frameworks. Do not spend too much time on the difference between COSO IC and ERM: general understanding.
- Page 330: all elements of the COSO framework, starting with the control environment: study in detail.

Program for the tutorial: assignments
Please prepare answers to the questions of:
- Problem 10.7, page 354
- Problem 10.9, page 355
Please read Case 10.1, page 356.

Thank you for your attention!