Controlling Information Systems:

Slides:



Advertisements
Similar presentations
Bodnar/Hopwood AIS 7th Ed1 Chapter 5 u TRANSACTION PROCESSING AND INTERNAL CONTROL PROCESS.
Advertisements

Chapter 10 Accounting Information Systems and Internal Controls
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems
Control and Accounting Information Systems
Auditing Computer-Based Information Systems
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
The Islamic University of Gaza
Accounting Information Systems 7e
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
6-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 6 Internal Control Evaluation: Assessing Control Risk.
Controlling Information Systems: Introduction to Internal Control.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Internal Control Pertemuan Matakuliah: F0204 / Sistem Akuntansi Tahun: 2007.
IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESS FL Jones and DV Rama.
The University of California Strengthening Business Practices: The Language of Our Control Environment Dan Sampson Assistant Vice President Financial Services.
Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.
Information Systems Controls for System Reliability -Information Security-
INTERNAL CONTROL OVER FINANCIAL REPORTING
Control environment and control activities. Day II Session III and IV.
INTRODUCTION TO PUBLIC FINANCE MANAGEMENT Module 3.2 -Internal Control & Audit.
Chapter 4 Internal Controls McGraw-Hill/Irwin
© Copyright 2012 Pearson Education. All Rights Reserved. Chapter 10 Fraud & Internal Control ACCOUNTING INFORMATION SYSTEMS The Crossroads of Accounting.
Internal Auditing and Outsourcing
Accounting Information Systems 8e
Chapter 4 Internal Controls McGraw-Hill/Irwin
Control and Accounting Information Systems
Fall 2003 Auditing Update for Auditing and Assurance Services: An Integrated Approach.
Chapter 7 Controlling Information Systems:
An Educational Computer Based Training Program CBTCBT.
Chapter 8 Introduction to Internal Control Systems
Chapter 3 Internal Controls.
Presented to President’s Cabinet. INTERNAL CONTROLS are the integration of the activities, plans, attitudes, policies and efforts of the people of an.
Chapter 07 Internal Control McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.
Introduction to Internal Control Systems
INTERNAL CONTROL OVER FINANCIAL REPORTING
Implementation Issues of Sarbanes-Oxley CASE Presentation September 23, 2004 By Denise Farnan.
Chapter Three IT Risks and Controls.
Chapter 5 Internal Control over Financial Reporting
Internal Control in a Financial Statement Audit
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 4 – 1 Transaction Processing and the Internal Control.
Internal Control in a Financial Statement Audit
1 Chapter Three IT Risks and Controls. 2 The Risk Management Process Identify IT Risks Assess IT Risks Identify IT Controls Document IT Controls Monitor.
Learning Objectives LO5 Illustrate how business risk analysis is used to assess the risk of material misstatement at the financial statement level and.
1 Today’s Presentation Sarbanes Oxley and Financial Reporting An NSTAR Perspective.
Risk Management. IT Controls Risk management process Risk management process IT controls IT controls IT Governance Frameworks IT Governance Frameworks.
PENGANTAR PERANCANGAN SISTEM AKUNTANSI Pertemuan 01 Matakuliah: F0642 / Perancangan Sistem Akuntansi Tahun: 2009.
[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.1 Internal.
McGraw-Hill/Irwin © 2003 The McGraw-Hill Companies, Inc., All Rights Reserved. 6-1 Chapter 6 CHAPTER 6 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT.
Chapter 9: Introduction to Internal Control Systems
A Guide for Management. Overview Benefits of entity-level controls Nature of entity-level controls Types of entity-level controls, control objectives,
IS 630 : Accounting Information Systems Auditing Computer-based Information Systems Lecture 10.
McGraw-Hill/Irwin © The McGraw-Hill Companies 2010 Auditing Internal Control over Financial Reporting Chapter Seven.
Copyright © 2007 Pearson Education Canada 9-1 Chapter 9: Internal Controls and Control Risk.
Chapter 3-Auditing Computer-based Information Systems.
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder Section 404 Audits of Internal Control and Control Risk Chapter 10.
Deck 5 Accounting Information Systems Romney and Steinbart Linda Batch February 2012.
INTERNAL CONTROLS A STUDY TO THE REQUIREMENT OF INTERNAL CONTROL SYSTEMS.
Lecture 5 Control and AIS Copyright © 2012 Pearson Education 7-1.
Governance, risk and ethics. 2 Section A: Governance and responsibility Section B: Internal control and review Section C: Identifying and assessing risk.
McGraw-Hill/Irwin © The McGraw-Hill Companies 2010 Internal Control in a Financial Statement Audit Chapter Six.
Chapter 6 Internal Control in a Financial Statement Audit McGraw-Hill/IrwinCopyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
SUNY Maritime Internal Control Program. New York State Internal Control Act of 1987 Establish and maintain guidelines for a system of internal controls.
Chapter 4 Internal Controls McGraw-Hill/Irwin
Internal control objectives
Defining Internal Control
Fraud & Internal Control
Fraud & Internal Control
Fraud & Internal Control
Unit 11 October 22, 2017.
Presentation transcript:

Controlling Information Systems: Introduction to Internal Control

Learning Objectives Summarize the eight elements of COSO’s Enterprise Risk Management—Integrated Framework. Understand that management employs internal control systems as part of organizational and IT governance initiatives. Describe how internal control systems assist organizations to achieve objectives and respond to risks. Describe fraud, computer fraud, and computer abuse. Enumerate control goals for operations and information processes. Describe the major categories of control plans.

Why do we need controls? (1) to provide reasonable assurance that the goals of each business process are being achieved (2) to mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts) (3) to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.

Organizational Governance Organizational Process to: Select Objectives Determine Processes necessary to Achieve Objectives Monitor Performance Includes Internal Control

Example: Objective Setting Mission, vision, purpose: e.g., to be the leading producer of household products in the regions in which we operate Strategic objectives e.g., to be in the top quartile of product sales for retailers of our products Strategy e.g., expand production of our top-five selling retail products to meet increased demand Related objectives, e.g., increase production of x by 15% hire 180 qualified new staff maintain product quality Source: Adapted from Enterprise Risk Management—Integrated Framework, Application Techniques, p. 20.

Enterprise Risk Management Structured Process for Creating Organization Objectives (i.e. Governance) Board of Director, Management Initiative Strategic Outlook Identify events that might effect organization Manage risk associated with these events

Components of Enterprise Risk Management Internal Environment Decisions formulated re: Integrity, ethical values, risk, risk appetite, oversight functions, organization design, authority and responsibilities set Objective Setting Establish Strategies without which potential events can not be identified Operating, Reporting and Compliance Objectives Event Identification Risk and Opportunities that can effect the Objectives Risk – Assessment and Response Opportunities – Feedback to Objective Setting Process

Components of Enterprise Risk Management Risk Assessment What is the impact of a risk on an Objective Likelihood – Probability that the risk will occur Impact - $ Effect of the risk occurring

Risk vs. Exposure Estimate the annual dollar loss that would occur (i.e., the impact) should a costly event, say a destructive fire, take place. For argument sake, say that the estimated loss is –$1,000,000. Estimate the annual probability that the event will occur (i.e., the likelihood). Suppose the estimate is 5 percent. Multiply item 1 by item 2 to get an initial expected gross risk (loss) of –$50,000 (–$1,000,000 × 0.05), which is the maximum amount or upper limit that should be paid for controls and the related risk reduction offered by such controls, in a given year. Next, we illustrate a recommendation plan using one corrective control, a fire insurance policy, and one preventive control, a sprinkler system. Assume that the company would pay $1,000 annually (cost of control) for a $20,000 fire insurance policy (reduced risk exposure due to control). The estimated monetary damage remains at $1 million and expected gross risk (loss) remains at –$50,000, because there is still a 5 percent chance that a fire could occur. But, the company’s residual expected risk exposure is now –$31,000 [–$50,000 + ($20,000 – $1,000)]. Our expected loss is reduced by the amount of the insurance policy (less the cost of the policy).

Risk vs. Exposure (Cont.) Next, you recommend that the company install a sprinkler system with a 5-year annualized cost (net present value) of $10,000 each year to install and maintain (cost of control). At this point you might be tempted to say that the company’s residual expected risk just increased to –$41,000 (–$31,000 – $10,000), but wait! The sprinkler system lowered the likelihood of a damaging fire from 5 to 2 percent. In conjunction with this lower probability, the insurance company agreed to increase its coverage to $30,000 while holding the annual premium constant at $1,000. Thus, the residual expected risk exposure is –$1,000, calculated as follows: Expected gross risk (–$20,000 or –$1,000,000 × 0.02) plus the insurance policy ($30,000) equals a gain of $10,000, but we must subtract the insurance premium ($1,000) and the sprinkler system ($10,000), leaving the residual expected risk at –$1,000.

Components of Enterprise Risk Management Risk Response (4 Types) Avoid exposure Leave risky activity Reduce exposure Reduce likelihood or impact Fire extinguishers Share exposure Insurance Accept exposure Cost > Benefits of intervention Control Activities Procedures in place to make sure Risk Response are carried out

Components of Enterprise Risk Management Information and Communication Identify, Capture and Communicate So Decision Makers can carry out responsibilities Monitoring Evaluation of overall ERM process

Internal Control Definitions

Definition of Internal Control From SAS 78 (1995) - adopted COSO definition: INTERNAL CONTROL is a process-effected by a an entity’s board of directors, management, and other personnel-designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness & efficiency of operations Reliability of financial reporting Compliance with applicable laws & regulations.

Five Interrelated Components of Internal Control 1. Control environment- tone at the top, the foundation 2. Risk assessment - identification/analysis of risks 3. Control activities - policies and procedures 4. Information & communication - processing of info in a form and time frame that enables people to do their jobs 5. Monitoring - process that assess quality of internal control over time

COSO Report, SOA, and SAS 94 In the section addressing implementation of the Sarbanes Oxley Act section 404, the SEC used the COSO description of internal control. It went on to say that management must base its evaluation of the effectiveness of its internal control system on a framework such as COSO COSO report stresses internal control is a process A complementary perspective on internal control is found in Statement on Auditing Standards (SAS) 94, entitled “The Effect on Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit.” This standard guides auditors in understanding the impact of IT on internal control and assessing IT-related control risks Further, SAS 94 highlights how IT can be used to strengthen internal control, while at the same time emphasizing how IT can actually weaken some controls

Recent Internal Control Legislation Sarbanes-Oxley Act (SOA) of 2002 Created public company accounting oversight board Increased accountability for company officers and board of directors Increased white collar crime penalties Prohibits audit firms from providing design and implementation of financial information systems

Sarbanes-Oxley Act of 2002 (SOA) Section 302—CEOs and CFOs must certify quarterly and annual financial statements Section 404—Mandates the annual report filed with the SEC include an internal control report by management which: Document significant Processes Flow of transactions Identify Key Controls Test Key Controls Written Assessment ACG 5405

Outline of SOA 2002

Fraud and its Relationship to Control Fraud: deliberate act or untruth intended to obtain unfair or unlawful gain. Management charged with responsibility to prevent and/or disclose fraud Control systems enable management to do this job Management responsible to provide internal control system per the Foreign Corrupt Practices Act of 1977 Section 1102 of the Sarbanes-Oxley Act specifically addresses corporate fraud Instances of fraud undermine management’s ability to convince various authorities that it is upholding its stewardship responsibility

SAS 99 The accounting profession too has been proactive in dealing with corporate fraud, as it has launched an anti-fraud program. One of the manifestations of this initiative is Statement on Auditing Standards (SAS) Number 99, entitled Consideration of Fraud in a Financial Statement Audit. SAS 99 has the same title as its predecessor, SAS 82, but the new standard is much more encompassing than the old. For instance, SAS 99 emphasizes brainstorming fraud risks, increasing professional skepticism, using unpredictable audit test patterns, and detecting management override of internal controls.

E&Y Fraud Survey About 85 % of fraud committed by company insiders About 55% of perpetrators were management employees More fraud in less-developed countries Only about 20 % of fraud comes to the public knowledge About 40% of frauds are known to the public, 20% are kept confidential, and the other 40% are not yet discovered Best prevention is internal control, management reviews, and internal audits The #1 fraud worry to executives is asset misappropriation The #2 fraud worry to executives is computer crime Most organizations now have formal fraud prevention policies including codes of corporate governance and employee conduct Most useful fraud prevention techniques are internal controls, management reviews, and internal audits

Gelinas and Dull Working Definition of IC: Key Points A system of internal control is not an end in itself. Rather, it is a means to an end—the end of attaining process objectives Internal control itself is a system. Therefore, like any system it must (1) have clearly defined goals and (2) consist of interrelated components that act in concert to achieve those goals. We can also say that internal control is a process Establishing a viable internal control system is management’s responsibility. The strength of any internal control system is largely a function of the people who operate it. Internal control cannot be expected to provide absolute, 100% assurance that the organization will reach its objectives. Rather, the operative phrase is that it should provide reasonable assurance Internal control is not free; controls should be built in and cost effective

Gelinas and Dull Working Definition of IC …a system of integrated elements - people, structure, processes, and procedures - acting in concert to provide reasonable assurance that an organization achieves business process goals. The design and operation of the internal control system is the responsibility of top management and therefore should:

(Text definition of IC cont.) Reflect management’s careful assessment of risks. Be based on management’s evaluation of costs versus benefits. Be built on management’s strong sense of business ethics and personal integrity.

Ethics and Controls COSO report stresses ethics as part of control environment (tone at the top) AICPA has built ethics issues into CPA exam The Institute of Management Accountants has a code of ethics which is also tested on both the CMA and CFM exams Internal Auditing has ethics articles Many corporations have developed Codes of Conduct

Business Process Control Goals Control Goals - ends to be obtained Control goals of operations processes Control goals of information processes See Table 7.1 Control Goals (page 230)

Control Goals of the Operations Process Ensure effectiveness of operations Process is achieving it’s objective Ensure efficient employment of resources Benefits > Cost Ensure security of resources Resources and Information

Control Goals of Operations Process Ensure effectiveness of operations A measure of success in meeting one or more operations process goals which reflect the criteria used to judge the effectiveness of various business processes Ex. Deposit cash receipts on the day received Ensure efficient employment of resources A measure of the productivity of the resources applied to achieve a set of goals Ex. What is the cost of people, computers, and other resources to deposit cash on the day received Ensure security of resources Protecting an organization’s resources from loss, destruction, disclosure, copying, sale, or other misuse Ex. Are cash and information resources available when required? Are they put to authorized use?

Control Goals of the Information Process For business event inputs, ensure Input validity Input completeness Input accuracy For master data, ensure Update completeness Update accuracy

Control Goals of Information Process Input validity Input data is approved and represents actual economic events and objects Ex. Are all cash receipts input into the process supported by valid/authorized customer payments Input completeness Requires that all valid events or objects be captured and entered into the system Ex. Are all valid customer payment captured on a customer remittance advice (RA) and entered into the process? Input Accuracy Requires that events be correctly captured and entered into the system (correctly) Ex. Is correct payment amount and customer number on the RA? Ex. Is the correct payment amount and customer number keyed into the system?

Control Goals of Information Process Master Update Information Processing Activity Merge new data (from Input’s) with existing Master data Update completeness Requires all events entered into the computer are reflected in their respective master data Ex. Are all input cash receipts recorded in the AR master data? Update accuracy Requires that data entered into a computer are reflected correctly in their respective master data Ex. Are all input cash receipts correctly recorded in the AR master data? Potential Problems Programming Errors Operational Errors What happens in Real-Time Processing Environments?

Master Updates

Control Goals Map

Lenox Company Systems Flowchart

Control Goals for the Lenox Cash Receipts Process Control Goals of the Lenox Cash Receipts Business Process Control goals of the operations process Control goals of the information process Ensure effectiveness of operations Ensure efficient employment of resources (e.g., people and computers) Ensure security of resources (e.g., checks and AR master data) For the remittance advice inputs, ensure: For the AR master data, ensure: A B IV IC IA UC UA Effectiveness goals include: A – Timely deposit of checks B – Comply with compensating balance agreements with the depository bank IV = Input validity IC = Input completeness IA = Input accuracy UC = Update completeness UA = Update accuracy

Business Process Control Plans Business Process Control Plans - reflect information processing policies and procedures that assist in accomplishing control goals The Control Environment The fact that the control environment appears at the top of the hierarchy illustrates that the control environment comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans. Pervasive control plans also relate to a multitude of goals and processes Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate. They are broad in scope and apply equally to all business processes, hence they pervade all systems. Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process the data.

Other Classifications of Control Plans Preventive Controls: Issue is prevented from occurring – cash receipts are immediately deposited to avoid loss Detective Controls: Issue is discovered – unauthorized disbursement is discovered during reconciliation Corrective Controls: issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data