Handy Chapter 10: Control and Accounting Information Systems PDF
UiTM
Summary
This document discusses threats to accounting information systems (AIS) and the need for control in business organizations. It covers the importance of control and security in managing information technology (IT) and computer-based accounting information systems, including preventive, detective, and corrective controls. It also explores control frameworks, the Sarbanes-Oxley Act and other relevant acts.
Full Transcript
HANDY CHAPTER 10: CONTROL AND ACCOUNTING INFORMATION SYSTEMS

Any potential adverse occurrence that could be injurious to either the accounting information system or the organization is referred to as a threat. The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat. The probability that the threat will happen is the likelihood associated with the threat.

Why Accounting Information Systems Threats Are Increasing

- The increase in the number of information systems means that information is available to an increasing number of workers.
- Distributed (decentralized) computer networks are harder to control than centralized mainframe systems.
- Wide area networks are giving customers and suppliers access to one another’s systems and data, making confidentiality a major concern.

Some of the reasons why organizations do not adequately protect their data are:

- Computer control problems have been underestimated and downplayed.
- The control implications of moving from centralized, host-based computer systems to a networked or Internet-based system have not been fully understood.
- Many companies have not realized that data is a resource and must be protected.
- Productivity and cost pressures have motivated management to forgo time-consuming control measures.

Why Control and Security Are Important

As an accountant you must have a good understanding of information technology (IT) and its capabilities and risks. Although internal control objectives remain the same regardless of the data processing method, a computer-based AIS requires different internal control policies and procedures.

One of the primary objectives of an accounting information system is to provide control in a business organization. One of management’s basic functions is to ensure that enterprise objectives are achieved. Thus, management’s decisions pertaining to controls are crucial to the firm’s success in meeting its objectives.
Management expects accountants to:

1. Take a proactive approach to eliminating system threats.
2. Detect, correct, and recover from threats when they occur.

Overview of Control Concepts

Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:

1. Safeguarding assets, including preventing or detecting, on a timely basis, the unauthorized acquisition, use, or disposition of material company assets.
2. Maintaining records in sufficient detail to accurately and fairly reflect company assets.
3. Providing accurate and reliable information.
4. Preparing financial reports in accordance with established criteria.
5. Promoting and improving operational efficiency, including making sure company receipts and expenditures are made in accordance with management and directors’ authorizations.
6. Encouraging adherence to prescribed managerial policies.
7. Complying with applicable laws and regulations.

Function of Internal Control

Preventive controls deter problems before they arise: they anticipate the problem. Detective controls discover problems as soon as they arise: what we normally call in auditing “following the problem.” Corrective controls identify and correct problems that have been discovered and recover from resulting errors. They include procedures taken to identify the cause of a problem, correct resulting errors or difficulties, and modify the system so that future problems are minimized or eliminated.

Application controls prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.
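The three control types are easiest to tell apart when each is a separate check on one posting path. The following is an added example, not code from the chapter or the textbook: a small journal-posting routine in which an authorization check is the preventive control, a debits-equal-credits check (the double-entry rule) is the detective control, and an automatic reversing entry is the corrective control. The approver list, the Entry and Ledger types and the sample entries are constructed for illustration.

```python
"""Preventive, detective and corrective controls on a tiny journal-posting path.

Added example; not the textbook's code. Every name and all sample
transactions are constructed for illustration."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Entry:
    """One journal entry: a list of (account, debit, credit) lines."""
    entry_id: str
    authorized_by: str | None      # None means no authorization was recorded
    lines: list[tuple[str, float, float]]


@dataclass
class Ledger:
    posted: dict[str, Entry] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)


# Constructed general authorization: roles allowed to approve entries (assumption).
APPROVERS = {"controller", "cfo"}


def preventive_authorization(entry: Entry) -> bool:
    """Preventive control: refuse to post anything that lacks a valid
    authorization, so the problem never enters the ledger."""
    return entry.authorized_by in APPROVERS


def detective_balance_check(entry: Entry) -> float:
    """Detective control: double-entry bookkeeping requires debits to equal
    credits. Returns the imbalance (0.0 when the entry balances)."""
    debits = sum(d for _, d, _ in entry.lines)
    credits = sum(c for _, _, c in entry.lines)
    return round(debits - credits, 2)


def corrective_reversal(entry: Entry) -> Entry:
    """Corrective control: build a reversing entry that undoes a posted entry
    found to be wrong, keeping the original record for the audit trail."""
    reversed_lines = [(acct, cr, dr) for acct, dr, cr in entry.lines]
    return Entry(entry_id=entry.entry_id + "-REV",
                 authorized_by=entry.authorized_by,
                 lines=reversed_lines)


def post(ledger: Ledger, entry: Entry) -> str:
    """Apply the three control types in order; return what happened."""
    if not preventive_authorization(entry):
        ledger.log.append(f"{entry.entry_id}: rejected, no valid authorization")
        return "rejected"
    ledger.posted[entry.entry_id] = entry
    imbalance = detective_balance_check(entry)
    if imbalance != 0.0:
        ledger.log.append(f"{entry.entry_id}: detected imbalance of {imbalance}")
        rev = corrective_reversal(entry)
        ledger.posted[rev.entry_id] = rev
        ledger.log.append(f"{rev.entry_id}: posted reversing entry")
        return "reversed"
    ledger.log.append(f"{entry.entry_id}: posted")
    return "posted"


def demo() -> Ledger:
    """Run three constructed entries: one clean, one unauthorized, one unbalanced."""
    ledger = Ledger()
    post(ledger, Entry("JE-1", "controller", [("Cash", 500.0, 0.0), ("Sales", 0.0, 500.0)]))
    post(ledger, Entry("JE-2", None, [("Cash", 100.0, 0.0), ("Sales", 0.0, 100.0)]))
    post(ledger, Entry("JE-3", "cfo", [("Cash", 250.0, 0.0), ("Sales", 0.0, 205.0)]))
    return ledger


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

The order matters: the preventive check runs before anything touches the ledger, the detective check runs on what was posted, and the corrective step leaves both the bad entry and its reversal visible rather than silently deleting the record.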
The Foreign Corrupt Practices and Sarbanes-Oxley Acts

The Foreign Corrupt Practices Act (1977)

The primary purpose of this Act was to prevent the bribery of foreign officials in order to obtain business. The chapter notes examples of FCPA violations that resulted in fines in the billions.

The Sarbanes-Oxley Act of 2002 (SOX)

SOX applies to publicly held companies and their auditors and was intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and punish executives who perpetrate fraud.

General controls are designed to make sure an organization’s control environment is stable and well managed. Some of the more important general controls are:

- Information systems management controls.
- Security management controls.
- Information technology infrastructure controls.
- Software acquisition, development, and maintenance controls.

Control Frameworks

COBIT Framework

The Information Systems Audit and Control Foundation (ISACF) developed the Control Objectives for Information and related Technology (COBIT) framework. COBIT is a framework of generally applicable information systems security and control practices for information technology control.

The COBIT framework addresses the issue of control from five key principles:

A. Meeting stakeholder needs. Helps users to customize business processes and procedures to create an information system that adds value to its stakeholders.
B. Covering the enterprise end-to-end. The focus is not just on the IT operation; it integrates all IT functions and processes into companywide functions and processes.
C. Applying a single, integrated framework. COBIT can be aligned at a high level with other standards and frameworks.
D. Enabling a holistic approach. Applies a holistic approach that results in effective governance and management of all IT functions in the company.
E. Separating governance from management. Distinguishes between governance (direct, evaluate, and monitor) and management (plan, build, run, and monitor).

The objective of governance is to create value by optimizing the use of organizational resources to produce desired benefits in a manner that effectively addresses risk.

Responsibility of the Board:

i) Evaluate stakeholder needs to identify objectives.
ii) Provide management with direction by prioritizing objectives.
iii) Monitor management’s performance.

Responsibility of Management:

i) Planning, building, running, and monitoring the activities and processes used by the organization to pursue the objectives established by the board of directors.

Governance and management of IT is an ongoing process requiring monitoring, communication, and feedback. Figure 10-2 on page 328 provides a COBIT process reference model using five governance processes to Evaluate, Direct, and Monitor (EDM01–EDM05) and 32 management processes. The management processes are broken down into the following four domains:

1. Align, plan, and organize (APO).
2. Build, acquire, and implement (BAI).
3. Deliver, service, and support (DSS).
4. Monitor, evaluate, and assess (MEA).

COSO Framework

The Committee of Sponsoring Organizations (COSO) is a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute. In 1992, COSO issued the Internal Control—Integrated Framework, which defines internal controls and provides guidance for evaluating and enhancing internal control systems. COSO was updated in 2013 to align with technological advancements.

COSO’s internal control model has five crucial components:

1. Control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. Monitoring.
The Control Environment

The control environment is the most important component of the ERM and internal control frameworks. An internal environment consists of items such as the following:

(1) Management’s philosophy, operating style, and risk appetite.
(2) The board of directors.
(3) Commitment to integrity, ethical values, and competence.
(4) Organizational structure.
(5) Methods of assigning authority and responsibility.
(6) Human resource standards.

Management’s Philosophy, Operating Style, and Risk Appetite

The more responsible management’s philosophy and operating style and the more clearly they are communicated, the more likely employees will behave responsibly. Companies have a risk appetite, which is the amount of risk a company is willing to accept in order to achieve its goals and objectives.

Management’s philosophy, operating style, and risk appetite can be assessed by answering questions such as these:

- Does management take undue business risks to achieve its objectives, or does it assess potential risks and rewards prior to acting?
- Does management attempt to manipulate such performance measures as net income so that its performance can be seen in a more favorable light?
- Does management pressure employees to achieve results regardless of the methods, or does it demand ethical behavior? In other words, does management believe the ends justify the means?

The Board of Directors

The Sarbanes-Oxley Act requires all public companies to have an audit committee composed entirely of outside (nonemployee), independent directors. The audit committee is responsible for overseeing the corporation’s internal control structure, its financial reporting process, and its compliance with related laws, regulations, and standards.

Commitment to Integrity, Ethical Values, and Competence

It is important to create an organizational culture that stresses integrity and commitment to both ethical values and competence.

- Companies endorse integrity as a basic operating principle by actively teaching and requiring it.
- Management should consistently reward and encourage honesty and give verbal labels to honest and dishonest behavior.
- Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors.
- Companies should require employees to report any dishonest, illegal, or unethical acts and discipline employees who knowingly fail to report violations.

Organizational Structure

Important aspects of organizational structure include:

1. Centralization or decentralization of authority.
2. Assignment of responsibility for specific tasks.
3. Whether there is a direct reporting relationship (e.g., functional organizational structure or divisional organizational structure) or more of a matrix structure. A matrix organizational structure is a design that utilizes functional and divisional chains of command simultaneously in the same part of the organization.
4. Organization by industry, product line, geographical location, or by a particular distribution or marketing network.
5. The way responsibility allocation affects management’s information requirements.
6. The organization of the accounting and information system functions.
7. The size and nature of company activities.

Methods of Assigning Authority and Responsibility

Authority and responsibility are assigned through formal job descriptions; employee training; operating plans, schedules, and budgets; a formal company code of conduct; and a written policy and procedures manual.

Human Resource Standards

The following policies and procedures are important:

1. Hiring. To obtain the most qualified and ethical employees, hiring should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well potential employees meet written job requirements.
2. A thorough background check includes verifying educational and work experience, talking to references, checking for a criminal record, and checking credit records.
3. Compensating. It is important to pay employees a fair and competitive wage. Poorly paid employees are likely to feel resentment and make up the difference in their wages by stealing money, property, or both.
4. Training. Training programs should familiarize new employees with their responsibilities; expected levels of performance and behavior; and the company’s policies and procedures, history, culture, and operating style. Training on fraud and ethics should cover fraud awareness, ethical considerations, and punishment for fraud and unethical behavior.
5. Evaluating and promoting. Employees should be given periodic performance appraisals that help them to understand their strengths and weaknesses. Promotion should be based on performance and how well qualified employees are for the next position.
6. Discharging. A company should take care when firing employees. To prevent sabotage or copying of confidential data before they leave, dismissed employees should be removed from sensitive jobs immediately and denied access to the information system.
7. Managing disgruntled employees. Some employees who commit fraud are seeking revenge for a perceived wrong done to them. Hence, companies should have procedures for identifying disgruntled employees and either helping them resolve their feelings or removing them from jobs where they might be able to harm the organization or perpetrate a fraud.
8. Vacations and rotation of duties. Many fraud schemes, such as lapping and kiting, require the ongoing attention of the perpetrator. Many of these employee frauds are discovered when the perpetrator is suddenly forced, by illness or accident, to take time off.
9. Confidentiality agreements and fidelity bond insurance. All employees, suppliers, and contractors should be required to sign and abide by a nondisclosure or confidentiality agreement. Fidelity bond insurance coverage of key employees protects companies against losses arising from deliberate acts of fraud by bonded employees.

Prosecute and incarcerate hackers and fraud perpetrators. Most fraud cases and hacker attacks go unreported and are not prosecuted for several reasons:

- Companies are reluctant to report computer crimes and intrusions—a recent study showed only 36% reporting intrusions—because a highly visible fraud is a public relations disaster.
- Law enforcement officials and the courts are so busy with violent crimes that they have little time for computer crimes in which no physical harm occurs.
- Fraud is difficult, costly, and time-consuming to investigate and prosecute.
- Many law enforcement officials, lawyers, and judges lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.
- When fraud cases are prosecuted and a conviction is obtained, the sentences received are often light.

Risk Assessment and Risk Response

Estimate Likelihood and Impact

Some events pose a greater risk because the probability of their occurrence is higher. For example, a company is more likely to be the victim of a fraud than of an earthquake, and employees are more likely to make unintentional errors than they are to commit fraud.

The risks that exist before management takes any steps to control the likelihood or impact of a risk are called inherent risks. The risk that remains after management implements internal controls, or some other response to risk, is residual risk.

The ERM model indicates that there are four ways to respond to risk:

1. Reduce. The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.
2. Accept. Accept the likelihood and impact of the risk by not acting to prevent or mitigate it.
3. Share. Share some of the risk or transfer it to someone else, for example by buying insurance, outsourcing an activity, or entering into hedging transactions.
4. Avoid. Risk is avoided by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.

Control Activities

The fourth component of COSO’s IC model is control activities, which are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and the risk responses are carried out. Generally, control procedures fall into one of the following categories:

1. Proper authorization of transactions and activities

Management establishes policies for employees to follow and then empowers employees to perform accordingly. This empowerment, called authorization, is an important part of an organization’s control procedures. Authorizations are often documented by signing, initialing, or entering an authorization code on a transaction document or record. Computer systems are now capable of recording a digital signature, a means of signing a document with a piece of data that cannot be forged.

Employees who process transactions should verify the presence of the appropriate authorization(s). Certain activities or transactions may be of such consequence that management grants specific authorization for them to occur. In contrast, management can authorize employees to handle routine transactions without special approval, a procedure known as general authorization.

2. Segregation (separation) of duties [Figure 10-4 on page 339]

- Authorization—approving transactions and decisions.
- Recording—preparing source documents; entering data into online systems; maintaining journals, ledgers, files, or databases; preparing reconciliations; and preparing performance reports.
- Custody—handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization’s bank account.

If two of these three functions are the responsibility of a single person, then problems can arise. Collusion is when two or more people are working together to override the preventive aspect of the internal control system.
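Likelihood, impact, inherent and residual risk, and the four responses can be worked through on a small risk register. The code below is an added example, not from the chapter: expected loss is likelihood multiplied by impact (the chapter's exposure), residual risk is that figure after the chosen response is applied, and the register entries, probabilities, dollar amounts and control-effectiveness fractions are all constructed assumptions.

```python
"""Risk assessment and risk response worked through on a constructed register.

Added example, not the textbook's. Likelihoods are annual probabilities,
impacts are dollar exposures, and the 'effect' figures are assumptions
about how much a response changes the risk."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float      # probability the threat occurs in a year (0..1)
    impact: float          # exposure: dollar loss if it does
    response: str          # one of: reduce, accept, share, avoid
    # reduce: fraction by which controls cut both likelihood and impact.
    # share: fraction of the impact transferred to someone else (insurer, outsourcer).
    effect: float = 0.0


def expected_loss(likelihood: float, impact: float) -> float:
    """Exposure weighted by how likely it is: likelihood x impact."""
    return likelihood * impact


def inherent_risk(r: Risk) -> float:
    """Risk before management does anything about it."""
    return expected_loss(r.likelihood, r.impact)


def residual_risk(r: Risk) -> float:
    """Risk remaining after the chosen response is applied."""
    if r.response == "accept":
        return inherent_risk(r)                      # nothing done, nothing changes
    if r.response == "avoid":
        return 0.0                                   # the risky activity is not undertaken
    if r.response == "reduce":
        return expected_loss(r.likelihood * (1 - r.effect), r.impact * (1 - r.effect))
    if r.response == "share":
        return expected_loss(r.likelihood, r.impact * (1 - r.effect))
    raise ValueError(f"unknown response: {r.response}")


def rank_register(register: list[Risk]) -> list[tuple[str, float, float]]:
    """Return (name, inherent, residual) rows sorted by inherent risk, highest first."""
    rows = [(r.name, round(inherent_risk(r), 2), round(residual_risk(r), 2)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register mirroring the chapter's comparison: fraud and errors are
# far more likely than an earthquake even though the earthquake costs more.
REGISTER = [
    Risk("employee fraud", likelihood=0.30, impact=200_000, response="reduce", effect=0.6),
    Risk("unintentional data-entry errors", likelihood=0.90, impact=20_000, response="reduce", effect=0.8),
    Risk("earthquake", likelihood=0.01, impact=5_000_000, response="share", effect=0.9),
    Risk("new product line failure", likelihood=0.40, impact=140_000, response="avoid"),
    Risk("minor office theft", likelihood=0.50, impact=2_000, response="accept"),
]

if __name__ == "__main__":
    for name, inherent, residual in rank_register(REGISTER):
        print(f"{name:35s} inherent={inherent:>12,.2f} residual={residual:>12,.2f}")
```

Ranking by inherent risk shows why the chapter orders fraud and errors above the earthquake: a large impact with a small likelihood can still carry less expected loss than a modest, frequent one. Comparing the residual column against the company's risk appetite is what tells management whether the chosen response is adequate.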
3. Segregation of systems duties [Figure 10-5 on page 340]

- Authorization. This is authorization at a systems level: giving rights to individuals to perform their job functions within the system. It is also the approval of changes to programming, or even of new programming or systems.
- Data Entry. Responsible for entering or capturing data for all business transactions, accounts, and relations.
- Programming. Programmers determine information needs and design systems to meet those needs.
- Operations. Responsible for running the system. Assure that data is properly processed and stored, and that needed output is produced.
- Data Storage. Responsible for physical storage and custody of databases, files, and programs. Also responsible for maintaining backup copies.
- Users. Individually responsible for logical access and proper use. Must safeguard the dataset and output for which they are responsible.
- Data Control. The data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.
- Database Administrators. Described in Chapter 4. Coordinate, control, and manage the database.
- Management. These are the administrators of the AIS. These teams might include:
  - Systems administration. Systems administrators are responsible for ensuring that the different parts of an information system operate smoothly and efficiently.
  - Network management. Network managers ensure that all applicable devices are linked to the organization’s internal and external networks and that the networks operate continuously and properly.
  - Security management. Security management ensures that all aspects of the system are secure and protected from all internal and external threats.
  - Change management. These individuals manage all changes to an organization’s information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.

Project Development and Acquisition Controls

1. Strategic master plan. To align an organization’s information system with its business strategies, a multiyear strategic master plan is developed and updated yearly.
2. Project controls. A project development plan shows how a project will be completed, including the modules or tasks to be performed and who will perform them, the dates they should be completed, and project costs. Project milestones are significant points when progress is reviewed and actual and estimated completion times are compared. A performance evaluation of project team members should be prepared as each project is completed.
3. Data processing schedule. To maximize the use of scarce computer resources, all data processing tasks should be organized according to a data processing schedule.
4. Steering committee. A steering committee should be formed to guide and oversee systems development and acquisition.
5. System performance measurements. For a system to be evaluated properly, it must be assessed using system performance measurements. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is being productively used), and response time (how long it takes the system to respond).
6. Post-implementation review. After a development project is completed, a post-implementation review should be performed to determine if the anticipated benefits were achieved.

To simplify and improve systems development, some companies hire a systems integrator, a vendor who uses common standards and manages a cooperative systems development effort involving its own development personnel and those of the client and other vendors. Companies that use systems integrators should:

- Develop clear specifications.
- Monitor the systems integration project.

Change Management Controls

Change management is the process of making sure changes do not negatively affect systems reliability, security, confidentiality, integrity, and availability.

Design and Use of Documents and Records

The proper design and use of electronic and paper documents and records help ensure the accurate and complete recording of all relevant transaction data.

Safeguarding Assets, Records, and Data

In addition to safeguarding cash and physical assets, such as inventory and equipment, a company needs to protect its information. Many people mistakenly believe that the greatest risks companies face are from outsiders. Companies also face significant risks from customers and vendors that have access to company data. New technologies such as blockchain can assist in safeguarding data from change, but they may also introduce risks to privacy.

Some of the computer-based controls that can be put into place to safeguard assets include:

1. Create and enforce appropriate policies and procedures.
2. Maintain accurate records of all assets.
3. Restrict access to assets.
4. Protect records and documents.

Independent Checks on Performance

1. Top-level reviews. Management at all levels should monitor company results and periodically compare actual company performance to (a) budgets, targets, and forecasts; (b) prior period performance; and (c) the performance of competitors.
2. Analytical reviews. An analytical review is an examination of the relationship between different sets of data.
3. Reconciliation of two independently maintained sets of records.
4. Comparison of actual quantities with recorded amounts.
5. Double-entry accounting: debits must equal credits.
6. Independent review. After one person processes a transaction, a second person sometimes reviews the work of the first.

Information and Communication

Accounting information systems have five primary objectives:

1. Identify and record all valid transactions.
2. Properly classify transactions.
3. Record transactions at their proper monetary value.
4. Record transactions in the proper accounting period.
5. Properly present transactions and related disclosures in the financial statements.

Monitoring

- Perform ERM evaluations.
- Implement effective supervision.
- Use responsibility accounting.
- Monitor system activities.

There are software packages available to review computer and network security measures, detect illegal entry into systems, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements. Software is also available to monitor and combat viruses, spyware, spam, and pop-up ads, and to prevent browsers from being hijacked.

To help, one way would be to have written policies that employees agree to in writing which indicate:

- The technology employees use on the job belongs to the company.
- E-mails received on company computers are not private and can be read by supervisory personnel.
- Employees should not use technology in any way to contribute to a hostile work environment.

Perhaps some of you have also seen this happen; many government activities and offices have taken the computer games off their computers.

Track Purchased Software

The Business Software Alliance (BSA) is very aggressive in tracking down and finding companies who violate software license agreements. Companies should periodically conduct software audits.
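The segregation-of-duties rules above (no one person holding two of authorization, recording and custody; systems duties such as programming and operations kept apart) can be checked mechanically against a role assignment list. The following is an added example, not the textbook's: the accounting rule is applied exactly as the chapter states it, while the set of incompatible systems-duty pairs and the sample department are assumptions made for illustration.

```python
"""Segregation-of-duties review over a role assignment table.

Added example, not from the textbook. The accounting rule (no one person
holds two of authorization, recording, custody) is the chapter's; the
systems-duty conflict pairs and the sample assignments are constructed."""

from __future__ import annotations

from itertools import combinations

# Accounting duties: any two of the three in one person's hands is a conflict.
ACCOUNTING_DUTIES = {"authorization", "recording", "custody"}

# Systems duties that should not be combined (assumed pairs illustrating the
# chapter's point that, for example, programmers should not also run production).
SYSTEMS_CONFLICTS = {
    frozenset({"programming", "operations"}),
    frozenset({"programming", "data_control"}),
    frozenset({"systems_authorization", "programming"}),
    frozenset({"data_entry", "data_control"}),
}


def accounting_conflicts(duties: set[str]) -> list[tuple[str, str]]:
    """Every conflicting pair of accounting duties held by one person."""
    held = sorted(duties & ACCOUNTING_DUTIES)
    return list(combinations(held, 2))


def systems_conflicts(duties: set[str]) -> list[tuple[str, str]]:
    """Every assumed-incompatible pair of systems duties held by one person."""
    pairs = [tuple(sorted(pair)) for pair in SYSTEMS_CONFLICTS if pair <= duties]
    return sorted(pairs)


def review_assignments(assignments: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Map each user holding at least one incompatible combination to the pairs found."""
    findings = {}
    for user, duties in assignments.items():
        pairs = accounting_conflicts(duties) + systems_conflicts(duties)
        if pairs:
            findings[user] = pairs
    return findings


# Constructed sample: a small finance and IT department.
ASSIGNMENTS = {
    "alice": {"authorization"},
    "bob": {"recording", "custody"},                      # records and handles cash: conflict
    "carol": {"recording"},
    "dave": {"programming", "operations"},                # writes and runs code: conflict
    "erin": {"operations", "data_storage"},
    "frank": {"authorization", "recording", "custody"},   # holds all three
}

if __name__ == "__main__":
    for user, pairs in review_assignments(ASSIGNMENTS).items():
        print(user, "->", ", ".join(f"{a}+{b}" for a, b in pairs))
```

A check like this only catches duties that are formally assigned; collusion between two people who each hold one compatible duty, which the chapter names as the way to defeat this preventive control, does not show up here and is why the independent checks and monitoring that follow are still needed.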
Conduct Periodic Audits

One way to monitor risk and detect fraud and errors is to conduct periodic external and internal audits, as well as special network security audits. Internal audits involve reviewing the reliability and integrity of financial and operating information and providing an appraisal of internal control effectiveness. Internal audits can detect excess overtime, underused assets, obsolete inventory, padded travel expense reimbursements, excessively loose budgets and quotas, poorly justified capital expenditures, and production bottlenecks.

All system transactions and activities should be recorded in a log that indicates who accessed what data, when, and from which online device. In monitoring employees’ computers at work or at home, companies must be careful to ensure that they do not violate the employee’s privacy.

Computer forensics is discovering, extracting, safeguarding, and documenting computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.

Install Fraud Detection Software

People who commit fraud tend to follow certain patterns and leave behind clues, such as things that do not make sense. Software has been developed to uncover these fraud symptoms. Other companies have neural networks (programs that mimic the brain and have learning capabilities), which are quite accurate in identifying suspected fraud.

Employ a Computer Security Officer and Computer Consultants

A computer security officer (CSO) is in charge of AIS security and should be independent of the information system function and report to the COO or CEO. The overwhelming number of new tasks related to SOX and other forms of compliance has led many larger companies to delegate all compliance issues to a chief compliance officer (CCO).

Implement a Fraud Hotline

The Sarbanes-Oxley Act mandates that companies set up mechanisms for employees to report abuses such as fraud. Fraud hotlines provide a means for employees to anonymously report fraud.

Engage Forensic Specialists

Forensic accountants specialize in fraud detection and investigation. Forensic accounting is now one of the fastest-growing areas of accounting due to the Sarbanes-Oxley Act, new accounting rules such as SAS No. 99, and boards of directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process. Most forensic accountants are CPAs, and many have received specialized training with the FBI, the IRS, or other law enforcement agencies.

COSO – ERM

Enterprise Risk Management—Integrated with Strategy and Performance expands on the elements of the internal control integrated framework and provides an all-encompassing focus on the broader subject of enterprise risk management. The basic principles behind enterprise risk management are:

- Companies are formed to create value for their owners.
- Company management must decide how much uncertainty it will accept as it creates value.
- Uncertainty results in risk, which is the possibility that something will occur to adversely affect the company’s ability to create value or to erode existing value.
- Uncertainty can also result in an opportunity, which is the possibility that something will occur to positively affect the company’s ability to create or preserve value.

The Enterprise Risk Management—Integrated Framework helps management to manage uncertainty, and its associated risk and opportunity, so they can build and preserve value.
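A log of who accessed what data, when, and from which device (the monitoring requirement stated above) is only useful if someone reviews it for the things that do not make sense that the fraud detection passage describes. The code below is an added example, not from the chapter: it parses a constructed access log and flags three symptoms (access to data outside the user's entitlement, access from a device not registered to the user, and access outside business hours). The log format, entitlement table, device registry and business-hours window are all assumptions.

```python
"""Reviewing an access log that records who accessed what, when, and from which device.

Added example, not the textbook's. The log lines, entitlement table, device
registry and business-hours window are constructed for illustration."""

from __future__ import annotations

from datetime import datetime

# Constructed log, one record per line: timestamp, then key=value fields.
LOG = """\
2024-03-04T09:12:00 user=alice data=general_ledger device=WS-ALICE action=read
2024-03-04T09:40:00 user=bob data=accounts_receivable device=WS-BOB action=update
2024-03-04T02:13:00 user=bob data=payroll device=WS-BOB action=read
2024-03-04T14:05:00 user=carol data=payroll device=LAPTOP-UNKNOWN action=export
2024-03-04T15:30:00 user=alice data=general_ledger device=WS-ALICE action=update
"""

# Which datasets each user is authorized to touch (assumed entitlements).
ENTITLEMENTS = {
    "alice": {"general_ledger"},
    "bob": {"accounts_receivable"},
    "carol": {"payroll"},
}
# Devices registered to each user (assumed registry).
DEVICES = {"alice": {"WS-ALICE"}, "bob": {"WS-BOB"}, "carol": {"WS-CAROL"}}
# Hours treated as normal working time (assumed: 08:00 to 18:59).
BUSINESS_HOURS = range(8, 19)


def parse_log(text: str) -> list[dict[str, str]]:
    """Turn each non-empty log line into a dict of its fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for f in fields:
            key, value = f.split("=", 1)
            rec[key] = value
        records.append(rec)
    return records


def review(records: list[dict[str, str]]) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) for every record that does not make sense."""
    findings = []
    for rec in records:
        user = rec["user"]
        when = datetime.fromisoformat(rec["ts"])
        if rec["data"] not in ENTITLEMENTS.get(user, set()):
            findings.append((rec["ts"], user, f"not entitled to {rec['data']}"))
        if rec["device"] not in DEVICES.get(user, set()):
            findings.append((rec["ts"], user, f"unregistered device {rec['device']}"))
        if when.hour not in BUSINESS_HOURS:
            findings.append((rec["ts"], user, "outside business hours"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in review(parse_log(LOG)):
        print(ts, user, reason)
```

Each finding is a symptom to investigate, not a conclusion: an unregistered device may be a new laptop and an off-hours read may be a legitimate close, which is why the review output should feed the audit and forensic processes the chapter describes rather than trigger action on its own.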