Deck 5 Accounting Information Systems Romney and Steinbart Linda Batch February 2012

Contents Learning Objectives – Continue with Database design exercise – Start / Stop / Continue exercise – Chapter 7 Course material

Chapter 7 – Control and Accounting Info. Systems Definitions – Threat or event– a potential adverse occurrence – Exposure or impact – the potential dollar loss from a threat – Likelihood – the probability that it will occur – Intentional acts These are the words and criteria that are used when assessing whether controls are required.

Chapter 7 – Control Concepts Internal Control – Is the process implemented within your organization to provide reasonable assurance the following control objectives are achieved: Safeguard assets Maintain records with sufficient detail to support assets Provide accurate and reliable information Prepare financial reports in accordance with established criteria Promote and improve operating efficiency Encourage adherence to prescribed managerial policies Comply with applicable laws and regulations

Chapter 7 – Internal Controls Internal controls perform three functions – Preventive controls deter problems before they arise Segregating employee duties Controlling physical access to assets – Detective controls discover problems that were not prevented Preparing bank reconciliations Preparing monthly trial balances Duplicate checking of calculations – Corrective controls correct and recover from the resulting errors Maintaining backup copies of files Correcting data entry errors

Chapter 5 – Review – Fraud Triangle - Pressure General Controls make an organization’s control environment stable and well managed Security IT infrastructure Software acquisition Development Maintenance Application controls make sure transactions are processed correctly Accuracy Completeness Validity Authorization of the data captured, entered, processed, stored, and transmitted to other systems and reported. Internal controls are often segregated into two categories – General Controls – Application Controls

Chapter 7 – Large Control Breaches Enron - $62 billion in assets WorldCom - > $100 billion in assets Xerox Tyco Many more unfortunately In response to frauds – Sarbanes Oxley Act (SOX) was passed – Public company accounting oversight board (PCAOSB) – New rules for auditors – New roles for audit committees – New rules for management – New internal control requirements

Chapter 7 – Control Frameworks Three frameworks will be discussed that are used to develop internal control systems – COBIT – Information and Systems Audit and Control Association developed it for control objectives for Information and related technology – COSO – Committee of Sponsoring Organizations developed an Internal Control – Integrated Framework (IC) – COSO – Enterprise Risk Management – Integrated Framework (ERM)

Chapter 7 – Control Frameworks COBIT addresses control from three vantage points – Business Objectives To satisfy business objectives, information must conform to seven categories of criteria – IT Resources Including people, application systems, technology, facilities, and data – IT Processes Broken into four domains; planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation

Chapter 7 – Control Frameworks COSO’s Internal Control Framework – Control Environment – the core of any business is its people – Control Activities – control policies and procedures – Risk Assessment – identify, analyze, and manage risks – Information and Communication – systems capture and exchange the information needed to conduct, manage, and control the organizations operations – Monitoring- the entire process must be monitored and evolve as conditions warrant. Limitations of this framework – Examines controls without looking at the purpose and risks of business processes and does not provide context to determine which control process are most important, whether they address the risks, and if controls are missing.

Chapter 7 – Control Frameworks COSO’s ERM Framework – Takes a risk based approach rather than a controls based approach – It adds three additional elements to COSO’s IC Framework Setting objectives Identifying events that may affect the company Developing a response to assessed risk – Controls become flexible and relevant because they are linked to business objectives – ERM model also recognizes that in addition to being controlled, risk can be accepted, avoided, diversified, shared or transferred Example of a transferred risk?

Chapter 7 – ERM – Internal Environment Internal Environment A weak or deficient internal environment often results in a breakdown in risk management and control. Objective Setting Management sets objectives at the corporate level and these are cascaded down through other subunits Strategic Operational Reporting Compliance Event Identification Management sets objectives at the corporate level and these are cascaded down through other subunits Strategic Operational Reporting Compliance

Chapter 7 – Control Frameworks – Malware Any software that can be used to do harm. Spread through file sharing (72%), shared access to files (42%), attachments (25%), remote access vulnerabilities (24%)