Control and Accounting Information Systems

Presentation transcript:

Control and Accounting Information Systems Chapter 7

Learning Objectives
- Explain basic control concepts and why computer control and security are important.
- Compare and contrast the COBIT, COSO, and ERM control frameworks.
- Describe the major elements in the internal environment of a company.
- Describe the four types of control objectives that companies need to set.
- Describe the events that affect uncertainty and the techniques used to identify them.
- Explain how to assess and respond to risk using the Enterprise Risk Management model.
- Describe control activities commonly used in companies.
- Describe how to communicate information and monitor control processes in organizations.

Why Is Control Needed?
Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event. The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat. The probability that the threat will happen is the likelihood associated with the threat. Many organizations carry real risk by not adequately protecting their data: even when they recognize the threat, they often underestimate both the impact and the likelihood that it will occur.

A Primary Objective of an AIS
Is to control the organization so that the organization can achieve its objectives. Management expects accountants to:
- Take a proactive approach to eliminating system threats.
- Detect, correct, and recover from threats when they occur.

Internal Controls
Processes implemented to provide assurance that the following objectives are achieved:
- Safeguard assets
- Maintain sufficient records
- Provide accurate and reliable information
- Prepare financial reports according to established criteria
- Promote and improve operational efficiency
- Encourage adherence with management policies
- Comply with laws and regulations
Good internal controls are necessary for an organization to achieve its goals.

Functions of Internal Controls
- Preventive controls: deter problems from occurring
- Detective controls: discover problems that are not prevented
- Corrective controls: identify and correct problems; correct and recover from the problems
In addition to the functions of internal controls, controls are segregated into two categories: general controls, which ensure that an organization's control environment is stable and well managed, and application controls, which prevent, detect, and correct transaction errors and fraud in application programs.

Two Categories of Internal Controls
- General controls: make sure an organization's control environment is stable and well managed. Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls.
- Application controls: prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, stored, transmitted to other systems, and reported.
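The three control functions and the application-control concerns (accuracy, completeness, validity, authorization) are easier to see in code than in a bullet list. The following is an added example, not from the slides or the textbook: it runs a constructed batch of sales transactions through a preventive input check, a detective batch-total check, and a corrective suspense list. The chart of accounts, the batch header layout, and the transaction fields are assumptions made for the example.

```python
"""Added example (not from the slides): preventive, detective and corrective
application controls applied to a constructed batch of sales transactions."""
from dataclasses import dataclass, field

# Hypothetical chart of accounts used by the validity check (assumption).
VALID_ACCOUNTS = {"4000-SALES", "4100-SERVICE"}


@dataclass
class BatchResult:
    posted: list = field(default_factory=list)      # transactions accepted
    rejected: list = field(default_factory=list)    # (txn, reason) pairs for correction
    exceptions: list = field(default_factory=list)  # batch-level findings


def preventive_check(txn):
    """Preventive control: reject bad input before it is posted.
    Returns None when the transaction passes, else the reason it fails."""
    for key in ("id", "account", "amount", "entered_by"):
        if key not in txn or txn[key] in (None, ""):
            return f"completeness: missing {key}"          # completeness check
    if not isinstance(txn["amount"], (int, float)):
        return "field check: amount is not numeric"      # field/format check
    if txn["amount"] <= 0:
        return "range check: amount must be positive"    # sign/range check
    if txn["account"] not in VALID_ACCOUNTS:
        return f"validity check: unknown account {txn['account']}"
    return None


def process_batch(header, transactions):
    """Run the three control functions over one batch.
    header: {'record_count': n, 'control_total': sum of amounts}, prepared
    when the batch was assembled (assumed layout)."""
    result = BatchResult()
    for txn in transactions:
        reason = preventive_check(txn)
        if reason is None:
            result.posted.append(txn)
        else:
            # Corrective control: route the item to a suspense/error list
            # with its reason so it can be corrected and re-entered.
            result.rejected.append((txn, reason))

    # Detective control: batch totals. What was presented is compared with
    # what the header claims; a mismatch means records were lost, duplicated
    # or altered in transit and is reported rather than silently accepted.
    presented_count = len(transactions)
    presented_total = sum(t["amount"] for t in transactions
                          if isinstance(t.get("amount"), (int, float)))
    if presented_count != header["record_count"]:
        result.exceptions.append(
            f"record count {presented_count} != header {header['record_count']}")
    if round(presented_total, 2) != round(header["control_total"], 2):
        result.exceptions.append(
            f"control total {presented_total:.2f} != header {header['control_total']:.2f}")
    return result


# Constructed sample batch: the header was prepared for 4 records totalling
# 1250.00, but one record is missing, so the detective control flags the batch.
SAMPLE_HEADER = {"record_count": 4, "control_total": 1250.00}
SAMPLE_TXNS = [
    {"id": "T1", "account": "4000-SALES", "amount": 500.00, "entered_by": "ajones"},
    {"id": "T2", "account": "4100-SERVICE", "amount": -50.00, "entered_by": "ajones"},
    {"id": "T3", "account": "9999-BOGUS", "amount": 300.00, "entered_by": "bsmith"},
]

if __name__ == "__main__":
    r = process_batch(SAMPLE_HEADER, SAMPLE_TXNS)
    print("posted:", [t["id"] for t in r.posted])
    print("rejected:", [(t["id"], why) for t, why in r.rejected])
    print("exceptions:", r.exceptions)
```

Note that the detective check totals everything that was presented, including the records the preventive check rejected: the batch total is meant to catch records lost or changed between preparation and processing, which is a different question from whether each record is individually valid.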

Control Frameworks
- COBIT: framework for IT control
- COSO: framework for enterprise internal controls (control-based approach)
- COSO-ERM: expands the COSO framework, taking a risk-based approach

COBIT Framework
The current framework version is COBIT5. The benefit of a standard framework for IT controls is that it allows:
- Management to benchmark their environments and compare them to other organizations
- Assurance that IT security and controls exist, because the framework is comprehensive
- Auditors to substantiate their internal control opinions
The COBIT framework has evolved over the years, and each time there are major changes to the framework it is numbered to its current version. The current version of COBIT for IT controls is COBIT5. The framework is based on five principles:
- Meeting stakeholders' needs means that enterprises exist to create value for their shareholders. Thus, the governance objective is value creation.
- Covering the enterprise end-to-end means that COBIT5 addresses governance and management of information and information-related technologies throughout the enterprise. It is not focused solely on the IT function, as information technology runs throughout the enterprise.
- Applying a single, integrated framework means that COBIT5 can align with other governance frameworks such as COSO and COSO-ERM.
- Enabling a holistic approach includes the following enablers: processes (a set of activities to achieve an overall IT-related goal); organizational structures (the key decision-making entities); culture, ethics, and behavior of individuals and the organization; principles and policies that guide day-to-day management; information; infrastructure, technology, and applications; and people, skills, and competencies.
- Separating governance from management.

COBIT Framework (cont.)
Based on the following principles:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single, integrated framework
- Enabling a holistic approach
- Separating governance from management

COBIT5 Separates Governance from Management
See page 219 for details.

Components of COSO Frameworks
COSO:
- Control (internal) environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
COSO-ERM:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
The major difference between COSO and COSO-ERM is that COSO-ERM's focus is on a risk-based approach, and the components are expanded for this approach (objective setting, event identification, and risk response are added). All of the other components are similar.

Internal Environment
- Management's philosophy, operating style, and risk appetite
- Commitment to integrity, ethical values, and competence
- Internal control oversight by the Board of Directors
- Organizing structure
- Methods of assigning authority and responsibility
- Human resource standards
The internal environment establishes the foundation for all other components of the internal control model. Assessing the internal environment involves observing the organizational behavior of management actions and evaluating policies and procedures. For example, is there a written code of conduct that explicitly describes honest and dishonest behaviors? Does the company exhibit good hiring practices by evaluating qualified applicants and conducting thorough background checks?

Objective Setting
- Strategic objectives: high-level goals
- Operations objectives: effectiveness and efficiency of operations
- Reporting objectives: improve decision making and monitor performance
- Compliance objectives: compliance with applicable laws and regulations
Objective setting is what the company hopes to achieve. This is broken down into four categories, beginning from a high level and moving to specific levels. Strategic objectives are high-level goals and may include considerations that involve the organizational direction relating to governance, business model, or strategy (e.g., grow market share). Operations objectives involve the operations, which we can think of as people, process, and technology. Examples of these types of objectives include internal controls, supply chain and distribution, and human resources. Reporting objectives ensure the accuracy and reliability of your reports. This would include objectives covering access to the systems and protecting the IT systems, in addition to ensuring adequate management review of the reports. Compliance objectives are focused on compliance with all applicable laws and regulations. Many industries have specific regulations (e.g., food manufacturing and financial services). In addition, there are local, state, and federal laws that organizations must comply with, meaning that there are environmental, legal, and contractual compliance considerations. It is also at the high level that an organization's risk appetite (how much risk is the organization willing to take?) and risk tolerance are formed. In other words, there are trade-offs with risk in organizations. Organizations need to think about how much risk they are willing to take for a certain level of return. Of course there are uncertainties; that is why thinking about risk is so important.

Event Identification
Identifying incidents both external and internal to the organization that could affect the achievement of the organization's objectives.
Key management questions:
- What could go wrong?
- How can it go wrong?
- What is the potential harm?
- What can be done about it?
Risk is two-sided:
- Opportunities (upside to uncertainty)
- Risk (downside to uncertainty)
For example, consider a chocolate manufacturer that relies on sourcing its cacao beans from certain regions in Africa to get the signature blend of chocolate flavor for its truffles. Its organizational objective is to increase revenues and profitability. What could go wrong? We may not get enough supply of cacao beans to meet our customer demand. How can it go wrong? It is possible that weather conditions produced a smaller crop, limiting the supply; or it is possible that a civil war broke out in the region and the crop was produced, but no one was there to get the product off the trees in time because of the war. What is the potential harm? The cost of our cacao beans will go up due to limited supply, and it will have an impact on our customers, as we may have to increase our prices. What can be done about it? If we buy cacao bean futures on the market, we may be able to hedge the risk to the supply of cacao required to meet our customer demand and achieve our organizational goals of increasing revenues and profitability.

Risk Assessment
Risk is assessed from two perspectives:
- Likelihood: probability that the event will occur
- Impact: estimate of the potential loss if the event occurs
Types of risk:
- Inherent: risk that exists before plans are made to control it
- Residual: risk that is left over after you control it
Risk assessment is perhaps the most difficult step for organizations, because once they identify what can go wrong, they need to think about the probability that it actually will happen and estimate the costs. This truly can be a daunting task with a lot of uncertainty! Many organizations will look at this task from a qualitative and a quantitative perspective, provided that they have enough data. From a qualitative perspective, management can simply assign high, medium, or low risk based upon their collective discussion. After assessing all the identified risks in this manner, a heat map can be generated to show which risks are high (usually a red color), medium (orange), or low (yellow). Quantitative analysis can use probabilistic techniques to model the cash flow or earnings impact of the risks identified.

Risk Response
- Reduce: implement effective internal control
- Accept: do nothing; accept the likelihood and impact of the risk
- Share: buy insurance, outsource, or use hedging transactions
- Avoid: do not engage in the activity
Management can respond to risk in four ways: reduce the amount of risk by implementing internal controls; do nothing and accept the likelihood and impact of the risk; share the risk by buying insurance, doing a joint venture, or hedging transactions (chocolate company example in the slide 7-13 notes); or avoid the risk entirely by selling off a division or not manufacturing that product line.
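The two preceding slides (risk assessment and risk response) describe a procedure: estimate likelihood and impact, combine them into an expected loss, rate each risk for a heat map, and then pick reduce, accept, share, or avoid. The following is an added example, not from the slides or the textbook, that carries that procedure through on a constructed risk register. The register's figures, the risk appetite, the heat-map bucket thresholds, and the decision rule for choosing a response (reduce only when the control costs less than the expected loss it removes and brings residual loss within appetite) are all assumptions made for the example; the slide itself gives no such rule.

```python
"""Added example (not from the slides): scoring a constructed risk register with
likelihood x impact, rating each risk for a heat map, and selecting one of the
four responses (reduce, accept, share, avoid)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    event: str
    likelihood: float                   # probability the event occurs in the period (0..1)
    impact: float                       # estimated dollar loss if it occurs
    control: Optional[str] = None       # candidate control for a "reduce" response
    control_cost: float = 0.0           # annual cost of that control
    residual_likelihood: float = 0.0    # likelihood with the control in place
    residual_impact: float = 0.0        # impact with the control in place
    share_option: Optional[str] = None  # insurance, outsourcing or hedge available


def expected_loss(likelihood, impact):
    """Expected loss combines the slide's two perspectives: likelihood x impact."""
    return likelihood * impact


def heat_map_rating(likelihood, impact, max_impact):
    """Qualitative heat-map rating. Likelihood and impact (scaled by the largest
    loss in the register) are each bucketed low/medium/high and the buckets are
    summed, so a frequent-but-trivial event does not land in the red zone.
    The bucket thresholds are an assumption for the example."""
    def bucket(x):
        return 0 if x < 0.25 else 1 if x < 0.5 else 2
    score = bucket(likelihood) + bucket(impact / max_impact)
    return "low" if score <= 1 else "medium" if score == 2 else "high"


def choose_response(risk, appetite, max_impact):
    """Select a response. Decision rule (assumed for the example, not stated on
    the slide): accept if inherent expected loss is within the risk appetite;
    reduce if a control brings residual loss within appetite and costs less
    than the loss it removes; share if a transfer option exists; else avoid."""
    inherent = expected_loss(risk.likelihood, risk.impact)
    residual = inherent
    response, detail = "avoid", "do not engage in the activity"
    if inherent <= appetite:
        response, detail = "accept", "within risk appetite"
    elif risk.control:
        residual = expected_loss(risk.residual_likelihood, risk.residual_impact)
        if residual <= appetite and inherent - residual > risk.control_cost:
            response, detail = "reduce", risk.control
        else:
            residual = inherent   # control not worth it: nothing is removed
    if response == "avoid" and risk.share_option:
        response, detail = "share", risk.share_option
    return {"event": risk.event, "inherent": inherent, "residual": residual,
            "rating": heat_map_rating(risk.likelihood, risk.impact, max_impact),
            "response": response, "detail": detail}


def assess_register(risks, appetite):
    """Score every risk and return the rows ordered by inherent expected loss."""
    max_impact = max(r.impact for r in risks)
    rows = [choose_response(r, appetite, max_impact) for r in risks]
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


# Constructed register (all figures invented for the example). The first entry
# is the slide's chocolate-maker scenario, where hedging with futures is the response.
REGISTER = [
    Risk("Cacao bean supply shortfall", 0.6, 400_000,
         share_option="hedge with cacao bean futures"),
    Risk("Unauthorized change to payroll rates", 0.2, 250_000,
         control="change management approval workflow", control_cost=15_000,
         residual_likelihood=0.02, residual_impact=250_000),
    Risk("Break-room coffee machine failure", 0.9, 500),
    Risk("Launching a product line without licences", 0.5, 2_000_000,
         control="legal review", control_cost=20_000,
         residual_likelihood=0.4, residual_impact=2_000_000),
]
RISK_APPETITE = 40_000   # maximum expected loss accepted per event (assumed)

if __name__ == "__main__":
    for row in assess_register(REGISTER, RISK_APPETITE):
        print(f"{row['event']:<45} {row['rating']:<7} "
              f"EL={row['inherent']:>10,.0f} -> {row['response']}: {row['detail']}")
```

The heat-map rating and the expected-loss figure are deliberately kept as two separate views: the payroll risk rates "low" on the map yet its expected loss exceeds the appetite, which is exactly the kind of item a qualitative-only assessment tends to miss.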

Control Activities
- Proper authorization of transactions and activities
- Segregation of duties
- Project development and acquisition controls
- Change management controls
- Design and use of documents and records
- Safeguarding assets, records, and data
- Independent checks on performance

Segregation of Duties
Good internal control requires that no single employee of a company have too much responsibility over transactions and business processes. Segregation of duties prevents an employee from committing and concealing fraud. The three functions that need to be segregated are:
- Custodial function, which handles cash and assets (inventory, fixed assets)
- Recording function, which involves preparing source documents, entering data into the system, maintaining journals or data files, and performing reconciliations of accounts
- Authorizing function, which involves approving transactions and decisions
In addition, from a systems perspective there is segregation of duties to divide authority and responsibility between the following systems functions:
- System administration
- Network management
- Security management
- Change management
- Users
- Systems analysts
- Programmers
- Computer operators
- Information system librarian
- Data control
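Segregation of duties is usually enforced in two places: preventively, when a role is granted, and detectively, by reviewing the transaction log for the same person recording and authorizing an item. The following is an added example, not from the slides or the textbook, that does both over constructed role assignments and a constructed log. The three accounting functions come from the slide; which pairs of systems functions are treated as incompatible (programmer with computer operator, programmer with user) is an assumption for the example, as are the user names and the transaction layout.

```python
"""Added example (not from the slides): preventive and detective checks of
segregation of duties over constructed role assignments and a constructed
transaction log."""
from itertools import combinations

# Pairs of duties one person must not hold. The three accounting functions
# (custody, recording, authorizing) are from the slide; the systems pairs are
# an assumption for this example.
INCOMPATIBLE_PAIRS = {
    frozenset({"custody", "recording"}),
    frozenset({"custody", "authorizing"}),
    frozenset({"recording", "authorizing"}),
    frozenset({"programmer", "computer_operator"}),
    frozenset({"programmer", "users"}),
}


def can_assign(assignments, user, new_role):
    """Preventive control: refuse a role grant that would create a conflict.
    assignments: {user: set of roles currently held}."""
    current = assignments.get(user, set())
    return not any(frozenset({new_role, r}) in INCOMPATIBLE_PAIRS for r in current)


def role_conflicts(assignments):
    """Detective control on the role matrix: return (user, role_a, role_b) for
    every user who already holds two incompatible roles."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in INCOMPATIBLE_PAIRS:
                findings.append((user, a, b))
    return findings


def self_approvals(transactions):
    """Detective control on the transaction log: the recording and authorizing
    functions are separate, so the person who entered a transaction must not
    also be the one who approved it. Returns the offending transaction ids."""
    return [t["id"] for t in transactions if t["entered_by"] == t["approved_by"]]


def sod_report(assignments, transactions):
    """Combine both detective checks into one review report."""
    return {"role_conflicts": role_conflicts(assignments),
            "self_approvals": self_approvals(transactions)}


# Constructed sample data (user names and roles invented for the example).
ROLE_ASSIGNMENTS = {
    "ajones": {"recording"},
    "bsmith": {"authorizing"},
    "cwhite": {"custody", "recording"},          # cashier who also posts receipts
    "dlee": {"programmer", "computer_operator"},  # developer running production
    "efox": {"security_management"},
}
TRANSACTIONS = [
    {"id": "P-101", "entered_by": "ajones", "approved_by": "bsmith"},
    {"id": "P-102", "entered_by": "ajones", "approved_by": "ajones"},  # self-approved
    {"id": "P-103", "entered_by": "cwhite", "approved_by": "bsmith"},
]

if __name__ == "__main__":
    print(sod_report(ROLE_ASSIGNMENTS, TRANSACTIONS))
    print("grant ajones authorizing?", can_assign(ROLE_ASSIGNMENTS, "ajones", "authorizing"))
    print("grant efox change_management?", can_assign(ROLE_ASSIGNMENTS, "efox", "change_management"))
```

The log check only catches a single person doing both halves; two people who collude (one of the slide's key terms) will pass it, which is why the slide lists independent checks on performance as a separate control activity rather than relying on segregation alone.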

Monitoring
- Perform internal control evaluations (e.g., internal audit)
- Implement effective supervision
- Use responsibility accounting systems (e.g., budgets)
- Monitor system activities
- Track purchased software and mobile devices
- Conduct periodic audits (e.g., external, internal, network security)
- Employ a computer security officer
- Engage forensic specialists
- Install fraud detection software
- Implement a fraud hotline

Key Terms
Threat or event; exposure or impact; likelihood; internal controls; preventive controls; detective controls; corrective controls; general controls; application controls; belief system; boundary system; diagnostic control system; interactive control system; audit committee; Foreign Corrupt Practices Act (FCPA); Sarbanes-Oxley Act (SOX); Public Company Accounting Oversight Board (PCAOB); Control Objectives for Information and Related Technology (COBIT); Committee of Sponsoring Organizations (COSO); Internal Control-Integrated Framework (IC); Enterprise Risk Management Integrated Framework (ERM); internal environment.

Key Terms (continued)
Risk appetite; policy and procedures manual; background check; strategic objectives; operations objectives; reporting objectives; compliance objectives; event; inherent risk; residual risk; expected loss; control activities; authorization; digital signature; specific authorization; general authorization; segregation of accounting duties; collusion; segregation of systems duties; systems administrator; network manager; security management; change management; users; systems analysts; programmers; computer operators; information system library.

Key Terms (continued)
Postimplementation review; data control group; systems integrator; analytical review; audit trail; computer security officer (CSO); chief compliance officer (CCO); forensic investigators; computer forensics specialists; neural networks; fraud hotline; steering committee; strategic master plan; project development plan; project milestones; data processing schedule; system performance measurements; throughput; utilization; response time.