Ais Romney 2006 Slides 06 Control and Ais Part 1 091101082444 Phpapp01


8/13/2019 Ais Romney 2006 Slides 06 Control and Ais Part 1 091101082444 Phpapp01

1/73

2006 Prentice Hall Business Publishing  Accounting Information Systems, 10/e  Romney/Steinbart  1 of 314

CHAPTER 6

Control and Accounting Information Systems

INTRODUCTION

Questions to be addressed in this chapter:

- What are the basic internal control concepts, and why are computer control and security important?
- What is the difference between the COBIT, COSO, and ERM control frameworks?
- What are the major elements in the internal environment of a company?
- What are the four types of control objectives that companies need to set?
- What events affect uncertainty, and how can they be identified?
- How is the Enterprise Risk Management model used to assess and respond to risk?
- What control activities are commonly used in companies?
- How do organizations communicate information and monitor control processes?

INTRODUCTION

Why AIS Threats Are Increasing

Control risks have increased in the last few years because:

- There are computers and servers everywhere, and information is available to an unprecedented number of workers.
- Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
- Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.

INTRODUCTION

Historically, many organizations have not adequately protected their data due to one or more of the following reasons:

- Computer control problems are often underestimated and downplayed.
- Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
- Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
- Productivity and cost pressures may motivate management to forego time-consuming control measures.

INTRODUCTION

Some vocabulary terms for this chapter:

- A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
- The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
- The likelihood is the probability that the threat will occur.

INTRODUCTION

Control and Security Are Important

Companies are now recognizing the problems and taking positive steps to achieve better control, including:

- Devoting full-time staff to security and control concerns.
- Educating employees about control measures.
- Establishing and enforcing formal information security policies.
- Making controls a part of the applications development process.
- Moving sensitive data to more secure environments.

INTRODUCTION

To use IT in achieving control objectives, accountants must:

- Understand how to protect systems from threats.
- Have a good understanding of IT and its capabilities and risks.

Achieving adequate security and control over the information resources of an organization should be a top management priority.

INTRODUCTION

Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:

- Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.
- Segregation of duties must be achieved differently in an AIS.
- Computers provide opportunities for enhancement of some internal controls.

INTRODUCTION

One of the primary objectives of an AIS is to control a business organization.

Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.

Management expects accountants to be control consultants by:

- Taking a proactive approach to eliminating system threats; and
- Detecting, correcting, and recovering from threats when they do occur.

INTRODUCTION

It is much easier to build controls into a system during the initial stage than to add them after the fact.

Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

OVERVIEW OF CONTROL CONCEPTS

In today's dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:

- Hire creative and innovative employees.
- Give these employees power and flexibility to:
  - Satisfy changing customer demands;
  - Pursue new opportunities to add value to the organization; and
  - Implement process improvements.

At the same time, the company needs control systems so they are not exposed to excessive risks or behaviors that could harm their reputation for honesty and integrity.

OVERVIEW OF CONTROL CONCEPTS

Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:

- Assets (including data) are safeguarded. This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
- Records are maintained in sufficient detail to accurately and fairly reflect company assets.
- Accurate and reliable information is provided.
- There is reasonable assurance that financial reports are prepared in accordance with GAAP.
- Operational efficiency is promoted and improved. This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors' authorizations.
- Adherence to prescribed managerial policies is encouraged.
- The organization complies with applicable laws and regulations.

OVERVIEW OF CONTROL CONCEPTS

Internal control is a process because:

- It permeates an organization's operating activities.
- It is an integral part of basic management activities.

Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

OVERVIEW OF CONTROL CONCEPTS

Internal control systems have inherent limitations, including:

- They are susceptible to errors and poor decisions.
- They can be overridden by management or by collusion of two or more employees.
- Internal control objectives are often at odds with each other. EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

OVERVIEW OF CONTROL CONCEPTS

Internal controls perform three important functions:

- Preventive controls: Deter problems before they arise.
- Detective controls: Discover problems quickly when they do arise.
- Corrective controls: Remedy problems that have occurred by:
  - Identifying the cause;
  - Correcting the resulting errors; and
  - Modifying the system to prevent future problems of this sort.

OVERVIEW OF CONTROL CONCEPTS

Internal controls are often classified as:

- General controls
  - Those designed to make sure an organization's control environment is stable and well managed.
  - They apply to all sizes and types of systems.
  - Examples: Security management controls.
- Application controls
  - Prevent, detect, and correct transaction errors and fraud.
  - Are concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
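The three control functions (preventive, detective, corrective) and the application-control attributes (accuracy, completeness, validity, authorization) can be shown working together over a batch of transactions. The following is an added example written for this page, not code from the textbook or from any named accounting system; the record layout, the user roles, the approval limits, the sample batch and the batch control total are all constructed assumptions. Preventive checks run before posting (including a segregation-of-duties check that the preparer is not also the approver), a detective check reconciles the posted total against an independently prepared control total, and a corrective step names the cause and remediation for each rejected record.

```python
"""Preventive, detective and corrective application controls over a
constructed batch of expenditure transactions.

Added example for this page (not textbook code). The record layout,
the roles, the approval limits and the sample batch are assumptions.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional

# Assumed authorization limits per role: an approver may only authorize
# expenditures up to this amount (preventive control: authorization).
APPROVAL_LIMITS = {
    "clerk": Decimal("0"),
    "manager": Decimal("5000"),
    "controller": Decimal("50000"),
}
# Assumed user-to-role mapping.
ROLES = {"alice": "clerk", "bob": "manager", "carol": "controller"}


@dataclass
class Txn:
    txn_id: str
    vendor: str
    amount: Decimal
    prepared_by: str
    approved_by: str


@dataclass
class ControlResult:
    accepted: List[Txn] = field(default_factory=list)
    rejected: Dict[str, str] = field(default_factory=dict)  # txn_id -> reason
    exceptions: List[str] = field(default_factory=list)    # detective findings


def preventive_checks(txn: Txn) -> Optional[str]:
    """Completeness, validity and authorization checks applied before a
    transaction is posted. Returns a rejection reason, or None if it passes."""
    if not txn.txn_id or not txn.vendor:                 # completeness
        return "missing field"
    if txn.amount <= 0:                                   # validity
        return "non-positive amount"
    if txn.prepared_by not in ROLES or txn.approved_by not in ROLES:
        return "unknown user"                             # validity
    if txn.approved_by == txn.prepared_by:                # segregation of duties
        return "preparer cannot approve own transaction"
    if txn.amount > APPROVAL_LIMITS[ROLES[txn.approved_by]]:  # authorization
        return "amount exceeds approver's limit"
    return None


def process_batch(batch: List[Txn], batch_control_total: Decimal) -> ControlResult:
    """Apply preventive controls per record, then a detective control
    (batch total reconciliation) over what was actually posted."""
    result = ControlResult()
    seen = set()
    for txn in batch:
        if txn.txn_id in seen:                            # duplicate entry
            result.rejected[txn.txn_id] = "duplicate transaction id"
            continue
        seen.add(txn.txn_id)
        reason = preventive_checks(txn)
        if reason:
            result.rejected[txn.txn_id] = reason
        else:
            result.accepted.append(txn)
    # Detective control: the posted total must equal the control total
    # computed independently when the batch was prepared.
    posted_total = sum((t.amount for t in result.accepted), Decimal("0"))
    if posted_total != batch_control_total:
        result.exceptions.append(
            f"batch total mismatch: posted {posted_total}, "
            f"control total {batch_control_total}")
    return result


def corrective_actions(result: ControlResult) -> List[str]:
    """Corrective control: for each rejection, identify the cause and the
    remediation so the batch can be corrected and re-run."""
    actions = []
    for txn_id, reason in result.rejected.items():
        if reason == "amount exceeds approver's limit":
            actions.append(f"{txn_id}: route to an approver with a higher limit")
        elif reason == "preparer cannot approve own transaction":
            actions.append(f"{txn_id}: obtain approval from a second person")
        else:
            actions.append(f"{txn_id}: correct the record ({reason}) and re-enter")
    return actions


# Constructed sample batch: four records, two of which violate a control.
SAMPLE_BATCH = [
    Txn("T001", "Acme Supplies", Decimal("1200.00"), "alice", "bob"),   # passes
    Txn("T002", "Acme Supplies", Decimal("7500.00"), "alice", "bob"),   # over bob's limit
    Txn("T003", "Globex", Decimal("300.00"), "bob", "bob"),             # preparer == approver
    Txn("T004", "Globex", Decimal("25000.00"), "alice", "carol"),       # passes
]
SAMPLE_CONTROL_TOTAL = Decimal("34000.00")  # sum of all four as entered

if __name__ == "__main__":
    res = process_batch(SAMPLE_BATCH, SAMPLE_CONTROL_TOTAL)
    print("accepted:", [t.txn_id for t in res.accepted])
    print("rejected:", res.rejected)
    print("exceptions:", res.exceptions)
    print("corrective actions:", corrective_actions(res))
```

Run as written, the two rejected records make the posted total (26200.00) differ from the control total, so the detective control raises an exception even though each rejection was already caught individually; that redundancy is deliberate, since the batch reconciliation would also catch records lost or altered between entry and posting, which no per-record check can see.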

OVERVIEW OF CONTROL CONCEPTS

An effective system of internal controls should exist in all organizations to:

- Help them achieve their missions and goals
- Minimize surprises

CONTROL FRAMEWORKS

A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:

- The COBIT framework
- The COSO internal control framework
- COSO's Enterprise Risk Management framework (ERM)

CONTROL FRAMEWORKS

COBIT Framework

- Also known as the Control Objectives for Information and Related Technology framework.
- Developed by the Information Systems Audit and Control Foundation (ISACF).
- A framework of generally applicable information systems security and control practices for IT control.

CONTROL FRAMEWORKS

The COBIT framework allows:

- Management to benchmark security and control practices of IT environments.
- Users of IT services to be assured that adequate security and control exists.
- Auditors to substantiate their opinions on internal control and advise on IT security and control matters.

CONTROL FRAMEWORKS

The framework addresses the issue of control from three vantage points or dimensions:

- Business objectives
  - To satisfy business objectives, information must conform to certain criteria referred to as business requirements for information.
  - The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
    - Effectiveness (relevant, pertinent, and timely)
    - Efficiency
    - Confidentiality
    - Integrity
    - Availability
    - Compliance with legal requirements
    - Reliability
- IT resources. Includes:
  - People
  - Application systems
  - Technology
  - Facilities
  - Data
- IT processes. Broken into four domains:
  - Planning and organization
  - Acquisition and implementation
  - Delivery and support
  - Monitoring

CONTROL FRAMEWORKS

COBIT consolidates standards from 36 different sources into a single framework.

It is having a big impact on the IS profession:

- Helps managers to learn how to balance risk and control investment in an IS environment.
- Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.
- Guides auditors as they substantiate their opinions and provide advice to management on internal controls.


CONTROL FRAMEWORKS

COSO's Internal Control Framework

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:

- The American Accounting Association
- The AICPA
- The Institute of Internal Auditors
- The Institute of Management Accountants
- The Financial Executives Institute

CONTROL FRAMEWORKS

In 1992, COSO issued the Internal Control Integrated Framework:

- Defines internal controls.
- Provides guidance for evaluating and enhancing internal control systems.
- Widely accepted as the authority on internal controls.
- Incorporated into policies, rules, and regulations used to control business activities.

CONTROL FRAMEWORKS

COSO's internal control model has five crucial components:

- Control environment
  - The core of any business is its people.
  - Their integrity, ethical values, and competence make up the foundation on which everything else rests.
- Control activities
  - Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.
- Risk assessment
- Information and communication
  - Information and communications systems surround the control activities.
  - They enable the organization's people to capture and exchange information needed to conduct, manage, and control its operations.
- Monitoring
  - The entire process must be monitored and modified as necessary.

CONTROL FRAMEWORKS

Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.

Result: Enterprise Risk Management Integrated Framework (ERM)

- An enhanced corporate governance document.
- Expands on elements of the preceding framework.
- Provides a focus on the broader subject of enterprise risk management.

CONTROL FRAMEWORKS

The intent of ERM is to achieve all goals of the internal control framework and help the organization:

- Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.
- Achieve its financial and performance targets.
- Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.
- Avoid adverse publicity and damage to the entity's reputation.

CONTROL FRAMEWORKS

ERM defines risk management as:

- A process effected by an entity's board of directors, management, and other personnel
- Applied in strategy setting and across the enterprise
- To identify potential events that may affect the entity
- And manage risk to be within its risk appetite
- In order to provide reasonable assurance of the achievement of entity objectives.

CONTROL FRAMEWORKS

Basic principles behind ERM:

- Companies are formed to create value for owners.
- Management must decide how much uncertainty they will accept.
- Uncertainty can result in:
  - Risk: The possibility that something will happen to adversely affect the ability to create value, or erode existing value.
  - Opportunity: The possibility that something will happen to positively affect the ability to create or preserve value.

CONTROL FRAMEWORKS

The framework should help management manage uncertainty and its associated risk to build and preserve value.

To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.

CONTROL FRAMEWORKS

COSO developed a model to illustrate the elements of ERM.

CONTROL FRAMEWORKS

Columns at the top represent the four types of objectives that management must meet to achieve company goals:

- Strategic objectives
  - Strategic objectives are high-level goals that are aligned with and support the company's mission.
- Operations objectives
  - Operations objectives deal with effectiveness and efficiency of company operations, such as:
    - Performance and profitability goals
    - Safeguarding assets
- Reporting objectives
  - Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
  - Improve decision-making and monitor company activities and performance more efficiently.
- Compliance objectives
  - Compliance objectives help the company comply with applicable laws and regulations.
  - External parties often set the compliance rules.
  - Companies in the same industry often have similar concerns in this area.

CONTROL FRAMEWORKS

ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.

However, strategic and operations objectives are sometimes at the mercy of external events that the company can't control.

Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.


    CONTROL FRAMEWORKS

    Columns on the right represent the company's units:

    Entire company

    Division

    Business unit

    Subsidiary


    CONTROL FRAMEWORKS

    The horizontal rows are eight related risk and control components,
    including:

    Internal environment

    The tone or culture of the company. Provides discipline and
    structure and is the foundation for all other components.

    Essentially the same as control environment in the COSO internal
    control framework.


    Objective setting

    Ensures that management implements a process to formulate strategic,
    operations, reporting, and compliance objectives that support the
    company's mission and are consistent with the company's tolerance for
    risk.

    Strategic objectives are set first as a foundation for the other
    three.

    The objectives provide guidance to companies as they identify
    risk-creating events and assess and respond to those risks.


    Event identification

    Requires management to identify events that may affect the company's
    ability to implement its strategy and achieve its objectives.

    Management must then determine whether these events represent:

    Risks (negative-impact events requiring assessment and response); or

    Opportunities (positive-impact events that influence strategy and
    objective-setting processes).

    Risk assessment

    Identified risks are assessed to determine how to manage them and how
    they affect the company's ability to achieve its objectives.

    Qualitative and quantitative methods are used to assess risks
    individually and by category in terms of:

    Likelihood

    Positive and negative impact

    Effect on other organizational units

    Risks are analyzed on an inherent and a residual basis.

    Corresponds to the risk assessment element in COSO's internal control
    framework.

    Risk response

    Management aligns identified risks with the company's tolerance for
    risk by choosing to:

    Avoid

    Reduce

    Share

    Accept

    Management takes an entity-wide or portfolio view of risks in
    assessing the likelihood of the risks, their potential impact, and
    the costs and benefits of alternate responses.
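The risk assessment and risk response steps above can be worked quantitatively. The following is an added Python example, not code from the Romney/Steinbart slides; the Risk and Response classes, the payroll risk figures and the four response options are constructed for illustration. It scores each response on an inherent versus residual basis, picks the one with the highest net benefit, and sums residual exposure across a plan for the portfolio view.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One identified risk, assessed on an inherent basis."""
    name: str
    likelihood: float  # annual probability the event occurs (0..1)
    impact: float      # loss if it occurs, in constructed currency units

    def expected_loss(self) -> float:
        return self.likelihood * self.impact  # inherent expected loss

@dataclass(frozen=True)
class Response:
    """A risk response of kind avoid, reduce, share or accept."""
    kind: str
    annual_cost: float              # control cost, premium, lost business
    likelihood_factor: float = 1.0  # residual likelihood multiplier
    impact_factor: float = 1.0      # residual impact multiplier

def residual_loss(risk, resp):
    """Expected loss that remains after the response (residual basis)."""
    if resp.kind == "avoid":
        return 0.0  # activity discontinued, exposure removed
    return risk.likelihood * resp.likelihood_factor * risk.impact * resp.impact_factor

def net_benefit(risk, resp):
    """Reduction in expected loss minus the response's own cost."""
    return risk.expected_loss() - residual_loss(risk, resp) - resp.annual_cost

def best_response(risk, options):
    """Response with the highest net benefit (first one wins ties)."""
    return max(options, key=lambda r: net_benefit(risk, r))

def portfolio_residual(plan):
    """Entity-wide (portfolio) residual exposure for (risk, response) pairs."""
    return sum(residual_loss(r, p) for r, p in plan)

# Constructed sample: one hypothetical risk and four candidate responses.
PAYROLL_FRAUD = Risk("unauthorized payroll change", likelihood=0.10, impact=500_000)
OPTIONS = [
    Response("accept", annual_cost=0),
    Response("reduce", annual_cost=20_000, likelihood_factor=0.2),  # approval control
    Response("share", annual_cost=15_000, impact_factor=0.5),       # insurance
    Response("avoid", annual_cost=60_000),                          # drop the activity
]

if __name__ == "__main__":
    print("best response:", best_response(PAYROLL_FRAUD, OPTIONS).kind)  # reduce
```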


    Control activities

    To implement management's risk responses, control policies and
    procedures are established and implemented throughout the various
    levels and functions of the organization.

    Corresponds to the control activities element in the COSO internal
    control framework.


    Information and communication

    Monitoring

    ERM processes must be monitored on an ongoing basis and modified as
    needed.

    Accomplished with ongoing management activities and separate
    evaluations.

    Deficiencies are reported to management.

    Has a corresponding module in the COSO internal control framework.


    CONTROL FRAMEWORKS

    The ERM model is three-dimensional. This means that each of the
    eight risk and control elements is applied to the four objectives in
    the entire company and/or one of its subunits.


    CONTROL FRAMEWORKS

    ERM Framework Vs. the Internal Control Framework

    The internal control framework has been widely adopted as the
    principal way to evaluate internal controls as required by SOX.
    However, there are issues with it.

    It has too narrow a focus.

    Examining controls without first examining purposes and risks of
    business processes provides little context for evaluating the
    results. Makes it difficult to know:

    Which control systems are most important.

    Whether they adequately deal with risk.

    Whether important control systems are missing.


    Focusing on controls first has an inherent bias toward past problems
    and concerns. May contribute to systems with many controls to protect
    against risks that are no longer important.


    CONTROL FRAMEWORKS

    These issues led to COSO's development of the ERM framework.

    Takes a risk-based, rather than controls-based, approach to the
    organization.

    Oriented toward future and constant change.

    Incorporates rather than replaces COSO's internal control framework
    and contains three additional elements:

    Setting objectives.

    Identifying positive and negative events that may affect the
    company's ability to implement strategy and achieve objectives.

    Developing a response to assessed risk.


    CONTROL FRAMEWORKS

    Controls are flexible and relevant because they are linked to current
    organizational objectives.

    ERM also recognizes more options than simply controlling risk, which
    include accepting it, avoiding it, diversifying it, sharing it, or
    transferring it.


    CONTROL FRAMEWORKS

    Over time, ERM will probably become the most widely adopted risk and
    control model.

    Consequently, its eight components are the topic of the remainder of
    the chapter.