AIS07 Computer-Based Information Systems Controls

Accounting Information Systems, 9th Edition
Marshall B. Romney
Paul John Steinbart

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart

Computer-Based Information Systems Controls

Chapter 7

Learning Objectives

1. Describe the threats to an AIS and discuss why these threats are growing.
2. Explain the basic concepts of control as applied to business organizations.
3. Describe the major elements in the control environment of a business organization.

Learning Objectives, continued

4. Describe control policies and procedures commonly used in business organizations.
5. Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.
6. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

Introduction

- Jason Scott has been hired as an internal auditor for Northwest Industries, a diversified forest products company.
- He is assigned to audit Springer's Lumber & Supply, Northwest's building materials outlet in Montana.

Introduction

His supervisor, Maria Pilier, has asked him to trace a sample of purchase transactions to verify that proper control procedures were followed. Jason becomes frustrated with this task. Why is Jason frustrated?

- The purchasing system is poorly documented.
- He keeps finding transactions that have not been processed as Ed Yates, the accounts payable manager, said they should be.

Introduction

Jason's frustrations, continued:

- Some vendor invoices have been paid without supporting documents.
- Purchase requisitions are missing for several items that had been authorized by Bill Springer, purchasing v.p.
- Prices charged for some items seem unusually high.
- Springer's is the largest supplier in the area and has a near monopoly.
- Management authority is concentrated in the company president, Joe Springer, and his sons Bill, the purchasing v.p., and Ted, the controller.
- Maria feels that Ted may have engaged in "creative accounting."

Introduction

Jason ponders the following issues:

- Should he describe the unusual transactions in his report?
- Is a violation of proper control procedures acceptable if it has been authorized by management?
- Regarding Jason's assignment, does he have a professional or ethical responsibility to get involved?

Introduction

- This chapter discusses the types of threats a company faces.
- It also presents the five interrelated components of the Committee of Sponsoring Organizations (COSO's) internal control model.

Learning Objective 1

Describe the threats to an AIS and discuss why these threats are growing.

Threats to Accounting Information Systems

What are examples of natural and political disasters?

- fire or excessive heat
- floods
- earthquakes
- high winds
- war

Threats to Accounting Information Systems

What are examples of software errors and equipment malfunctions?

- hardware failures
- power outages and fluctuations
- undetected data transmission errors

Threats to Accounting Information Systems

What are examples of unintentional acts?

- accidents caused by human carelessness
- innocent errors of omissions
- lost or misplaced data
- logic errors
- systems that do not meet company needs

Threats to Accounting Information Systems

What are examples of intentional acts?

- sabotage
- computer fraud
- embezzlement

Why are AIS Threats Increasing?

- Increasing numbers of client/server systems mean that information is available to an unprecedented number of workers.
- Because LANs and client/server systems distribute data to many users, they are harder to control than centralized mainframe systems.
- WANs are giving customers and suppliers access to each other's systems and data, making confidentiality a concern.

Learning Objective 2

Explain the basic concepts of control as applied to business organizations.

Overview of Control Concepts

What is the traditional definition of internal control?

Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.

Overview of Control Concepts

What is management control? Management control encompasses the following three features:

1. It is an integral part of management responsibilities.
2. It is designed to reduce errors, irregularities, and achieve organizational goals.
3. It is personnel-oriented and seeks to help employees attain company goals.

Internal Control Classifications

The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:

1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls

The Foreign Corrupt Practices Act

- In 1977, Congress incorporated language from an AICPA pronouncement into the Foreign Corrupt Practices Act.
- The primary purpose of the act was to prevent the bribery of foreign officials in order to obtain business.
- A significant effect of the act was to require corporations to maintain good systems of internal accounting control.

Committee of Sponsoring Organizations

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:

1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Institute of Internal Auditors
4. Institute of Management Accountants
5. Financial Executives Institute

Committee of Sponsoring Organizations

- In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems.
- The report has been widely accepted as the authority on internal controls.

Committee of Sponsoring Organizations

The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:

- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations

Committee of Sponsoring Organizations

COSO's internal control model has five crucial components:

1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

Information Systems Audit and Control Foundation

- The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).
- COBIT consolidates standards from 36 different sources into a single framework.
- The framework addresses the issue of control from three vantage points, or dimensions:

Information Systems Audit and Control Foundation

1. Information needs to conform to certain criteria that COBIT refers to as business requirements for information
2. IT resources: people, application systems, technology, facilities, and data
3. IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring

Learning Objective 3

Describe the major elements in the control environment of a business organization.

The Control Environment

The first component of COSO's internal control model is the control environment. The control environment consists of many factors, including the following:

1. Commitment to integrity and ethical values
2. Management's philosophy and operating style
3. Organizational structure

The Control Environment

4. The audit committee of the board of directors
5. Methods of assigning authority and responsibility
6. Human resources policies and practices
7. External influences

Learning Objective 4

Describe control policies and procedures commonly used in business organizations.

Control Activities

The second component of COSO's internal control model is control activities. Generally, control procedures fall into one of five categories:

1. Proper authorization of transactions and activities
2. Segregation of duties

Control Activities

3. Design and use of adequate documents and records
4. Adequate safeguards of assets and records
5. Independent checks on performance

Proper Authorization of Transactions and Activities

- Authorization is the empowerment management gives employees to perform activities and make decisions.
- Digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.
- Specific authorization is the granting of authorization by management for certain activities or transactions.

Segregation of Duties

- Good internal control demands that no single employee be given too much responsibility.
- An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.

Segregation of Duties

Recording Functions
- Preparing source documents
- Maintaining journals
- Preparing reconciliations
- Preparing performance reports

Custodial Functions
- Handling cash
- Handling assets
- Writing checks
- Receiving checks in mail

Authorization Functions
- Authorization of transactions

Segregation of Duties

If two of these three functions are the responsibility of a single person, problems can arise.

- Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
- Prevent authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.

Segregation of Duties

Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
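
The two-of-three rule from the segregation of duties slides can be checked mechanically against a duty roster. The following is an added example, not code from the textbook or the slides: the employee names and the roster are constructed, and the risk wording paraphrases the slides.

```python
from itertools import combinations

# Duty -> function, taken from the three lists on the slides above.
FUNCTION_OF = {
    "preparing source documents": "recording",
    "maintaining journals": "recording",
    "preparing reconciliations": "recording",
    "preparing performance reports": "recording",
    "handling cash": "custodial",
    "handling assets": "custodial",
    "writing checks": "custodial",
    "receiving checks in mail": "custodial",
    "authorization of transactions": "authorization",
}

# What each pairing makes possible (paraphrased from the slides).
RISK = {
    frozenset({"custodial", "recording"}):
        "can falsify records to conceal theft of assets entrusted to them",
    frozenset({"authorization", "custodial"}):
        "can authorize a fictitious or inaccurate transaction to conceal asset theft",
    frozenset({"authorization", "recording"}):
        "can falsify records to cover up an inappropriately authorized transaction",
}

# Constructed roster with hypothetical employees.
ROSTER = {
    "clerk_a": {"maintaining journals", "preparing reconciliations"},
    "cashier_b": {"handling cash", "maintaining journals"},
    "manager_c": {"authorization of transactions", "writing checks",
                  "preparing source documents"},
}


def sod_conflicts(assignments):
    """Map each employee holding two or more functions to the conflicting
    pairs and the risk each pair creates. Duties that cannot be classified
    raise ValueError so they are reviewed rather than silently ignored."""
    findings = {}
    for employee, duties in assignments.items():
        unknown = sorted(d for d in duties if d.lower() not in FUNCTION_OF)
        if unknown:
            raise ValueError(f"{employee}: unclassified duties {unknown}")
        functions = sorted({FUNCTION_OF[d.lower()] for d in duties})
        pairs = list(combinations(functions, 2))
        if pairs:
            findings[employee] = [(p, RISK[frozenset(p)]) for p in pairs]
    return findings


if __name__ == "__main__":
    for employee, conflicts in sod_conflicts(ROSTER).items():
        for pair, risk in conflicts:
            print(f"{employee}: {' + '.join(pair)} -> {risk}")
```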

Design and Use of Adequate Documents and Records

- The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
- Documents that initiate a transaction should contain a space for authorization.

Design and Use of Adequate Documents and Records

The following procedures safeguard assets from theft, unauthorized use, and vandalism:

- effectively supervising and segregating duties
- maintaining accurate records of assets, including information
- restricting physical access to cash and paper assets
- having restricted storage areas

Adequate Safeguards of Assets and Records

What can be used to safeguard assets?

- cash registers
- safes, lockboxes
- safety deposit boxes
- restricted and fireproof storage areas
- controlling the environment
- restricted access to computer rooms, computer files, and information

Independent Checks on Performance

Independent checks to ensure that transactions are processed accurately are another important control element.

Independent Checks on Performance

What are various types of independent checks?

- reconciliation of two independently maintained sets of records
- comparison of actual quantities with recorded amounts
- double-entry accounting
- batch totals

Independent Checks on Performance

Five batch totals are used in computer systems:

1. A financial total is the sum of a dollar field.
2. A hash total is the sum of a field that would usually not be added.

Independent Checks on Performance

3. A record count is the number of documents processed.
4. A line count is the number of lines of data entered.
5. A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
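
The five batch totals listed above, computed over a small batch and compared with control totals prepared at input, show which kind of processing error each total catches. This is an added example, not code from the textbook or the slides: the invoice batch, the worksheet and all function names are constructed for illustration.

```python
from decimal import Decimal as D

# Constructed sample batch (not from the slides): three vendor invoices.
BATCH = [
    {"invoice_no": 1001, "vendor_no": 417, "lines": [D("250.00"), D("99.50")]},
    {"invoice_no": 1002, "vendor_no": 388, "lines": [D("1200.00")]},
    {"invoice_no": 1003, "vendor_no": 417,
     "lines": [D("75.25"), D("10.00"), D("4.75")]},
]


def batch_totals(batch):
    """Compute the four additive batch totals for a list of documents."""
    return {
        # Financial total: sum of a dollar field.
        "financial_total": sum((a for doc in batch for a in doc["lines"]), D("0")),
        # Hash total: sum of a field that would usually not be added.
        "hash_total": sum(doc["vendor_no"] for doc in batch),
        # Record count: number of documents processed.
        "record_count": len(batch),
        # Line count: number of lines of data entered.
        "line_count": sum(len(doc["lines"]) for doc in batch),
    }


def mismatched_totals(control, recomputed):
    """Names of the totals that no longer agree with the control totals."""
    return sorted(k for k in control if control[k] != recomputed[k])


def drop_record(batch, invoice_no):
    """Copy of the batch with one document lost in processing."""
    return [doc for doc in batch if doc["invoice_no"] != invoice_no]


def rekey_vendor(batch, invoice_no, vendor_no):
    """Copy of the batch with one vendor number changed, amounts untouched."""
    return [dict(doc, vendor_no=vendor_no) if doc["invoice_no"] == invoice_no
            else doc for doc in batch]


def cross_foot(cells, row_totals, col_totals):
    """Cross-footing balance test on recorded totals.

    Returns (balanced, bad_rows, bad_cols): whether the grand total of the
    recorded row totals equals that of the recorded column totals, plus the
    indexes of recorded totals that disagree with the underlying cells."""
    balanced = sum(row_totals) == sum(col_totals)
    bad_rows = [i for i, row in enumerate(cells) if sum(row) != row_totals[i]]
    bad_cols = [j for j, col in enumerate(zip(*cells)) if sum(col) != col_totals[j]]
    return balanced, bad_rows, bad_cols


# Constructed worksheet: rows are departments, columns are expense categories.
CELLS = [[D("100"), D("50")], [D("200"), D("25")], [D("300"), D("75")]]
ROW_TOTALS = [D("150"), D("225"), D("375")]
COL_TOTALS = [D("600"), D("150")]

if __name__ == "__main__":
    control = batch_totals(BATCH)  # prepared when the batch is entered
    print(control)
    # A lost document disturbs every total.
    print(mismatched_totals(control, batch_totals(drop_record(BATCH, 1002))))
    # A re-keyed vendor number leaves the money intact; only the hash total moves.
    print(mismatched_totals(control, batch_totals(rekey_vendor(BATCH, 1003, 471))))
    print(cross_foot(CELLS, ROW_TOTALS, COL_TOTALS))
    # A transposed row total (225 keyed as 252) fails the balance test.
    print(cross_foot(CELLS, [D("150"), D("252"), D("375")], COL_TOTALS))
```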

Learning Objective 5

Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.

Risk Assessment

The third component of COSO's internal control model is risk assessment. Companies must identify the threats they face:

- strategic: doing the wrong thing
- financial: having financial resources lost, wasted, or stolen
- information: faulty or irrelevant information, or unreliable systems

Risk Assessment

Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:

1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmissions
4. Loss of data integrity

Risk Assessment

5. Incomplete transactions
6. System failures
7. Incompatible systems

Risk Assessment

Some threats pose a greater risk because the probability of their occurrence is more likely. For example:

- A company is more likely to be the victim of a computer fraud rather than a terrorist attack.

Risk and exposure must be considered together.

Learning Objective 6

Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

Estimate Cost and Benefits

- No internal control system can provide foolproof protection against all internal control threats.
- The cost of a foolproof system would be prohibitively high.
- One way to calculate benefits involves calculating expected loss.

Estimate Cost and Benefits

Expected loss = risk × exposure

The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.

Information and Communication

The fourth component of COSO's internal control model is information and communication.

Information and Communication

Accountants must understand the following:

1. How transactions are initiated
2. How data are captured in machine-readable form or converted from source documents
3. How computer files are accessed and updated
4. How data are processed to prepare information
5. How information is reported
6. How transactions are initiated

Information and Communication

- All of these items make it possible for the system to have an audit trail.
- An audit trail exists when individual company transactions can be traced through the system.

Monitoring Performance

The fifth component of COSO's internal control model is monitoring.

What are the key methods of monitoring performance?

- effective supervision
- responsibility accounting
- internal auditing

Case Conclusion

- One of the Springers held a significant ownership interest in each of these three companies.
- They also found evidence that several of Springer's employees were paid for more hours than documented by timekeeping, and that inventories were overstated.
- Northwest settled the case with the Springers.

End of Chapter 7