Download presentation
Published byAlvin Sherling Modified over 9 years ago
1
Chapter 10 Accounting Information Systems and Internal Controls
Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
2
Learning Objectives LO#1 Explain essential control concepts and why a code of ethics and internal controls are important. LO#2 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk management framework. LO#3 Describe the overall COBIT framework and its implications for IT governance. LO#4 Describe other governance frameworks related to information systems management and security.
3
Ethics, Sarbanes Oxley Act 2002 and Corporate Governance
LO# 1 Ethics, Sarbanes Oxley Act 2002 and Corporate Governance The Need for a Code of Ethics Ethical behavior prompted by a code of ethics can be considered a form of internal control. Employees with different culture backgrounds are likely to have different values Many professional associations have developed codes of ethics to assist professionals in selecting among decisions that are not clearly right or wrong.
4
LO# 1 Sarbanes Oxley Act 2002 SOX requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting. Established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms. PCAOB Auditing Standard No. 5 (AS 5) encourages auditors to use a risk-based, top-down approach to identify the key controls.
5
LO# 1 Corporate Governance A set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders. Promotes accountability, fairness, and transparency in the organization’s relationship with its stakeholders.
6
Overview of Control Concepts
LO# 1 Overview of Control Concepts Three main functions of internal control: Preventive controls deter problems before they arise. (Authorization) Detective controls find problems when they arise. (Bank reconciliations and monthly trial balances) Corrective controls fix problems that have been identified. (Backup files to recover corrupted data) Computerized environment: General controls pertain to enterprise-wide issues such as controls over accessing the network, developing and maintaining applications, documenting changes of programs, etc. Application controls are specific to a subsystem or an application to ensure the validity, completeness and accuracy of the transactions.
7
Commonly used Internal Control Frameworks
LO# 2 Commonly used Internal Control Frameworks The SEC requires management to evaluate internal controls based on a recognized control framework COSO Internal Control framework -COSO-Committee of Sponsoring Organizations of the Treadway Commission. -AAA, AICPA, FEI, IIA, and IMA -The COSO Internal Control framework is one of the most widely accepted authority on internal control, providing a baseline for evaluating, reporting, and improving internal control.
8
Commonly used Internal Control Frameworks
LO# 2 Commonly used Internal Control Frameworks COSO 2.0 COSO ERM framework: focuses on the strategic alignment of the firm’s mission with its risk appetite. Control Objectives for Information and related Technology (COBIT): a control framework for the governance and management of enterprise IT. Information Technology Infrastructure Library (ITIL): a set of concepts and practices for IT service management. International Organization for Standardization (ISO) Series: address information security issues.
9
COSO Internal Control Framework (COSO 2.0)
LO# 2 COSO Internal Control Framework (COSO 2.0) Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself. Internal control is affected by people. It is not merely about policy manuals, systems and forms. Rather, it is about people at every level of a firm that impact internal control. Internal control can provide reasonable assurance, not absolute assurance, to an entity’s management and board. Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories. Internal control is adaptable to the entity structure.
10
COSO Internal Control Framework (COSO 2.0)
LO# 2 COSO Internal Control Framework (COSO 2.0) Three categories of objectives: Operations Objectives – effectiveness and efficiency of a firm’s operations on financial performance goals and safeguarding assets Reporting Objectives – reliability of reporting, including internal and external financial and non-financial reporting Compliance Objectives – adherence to applicable laws and regulations
11
COSO 2.0 Five components of internal control: Control Environment
LO# 2 COSO 2.0 Five components of internal control: Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities
12
COSO Enterprise Risk Management—Integrated Framework
LO# 2 COSO Enterprise Risk Management—Integrated Framework
13
COSO Enterprise Risk Management—Integrated Framework
LO# 2 COSO Enterprise Risk Management—Integrated Framework Four categories of objectives: Strategic — high-level goals, aligned with and supporting the firm’s mission and vision Operations — effectiveness and efficiency of operations Reporting — reliability of internal and external reporting Compliance — compliance with applicable laws and regulations
14
COSO Enterprise Risk Management—Integrated Framework
LO# 2 COSO Enterprise Risk Management—Integrated Framework Eight components of internal control: Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information and Communication Monitoring
15
Risk Assessment and Risk Response
LO# 2 Risk Assessment and Risk Response Inherent risk : It exists already before management takes any actions to address it. Control risk : the threat that errors or irregularities in the underlying transactions will not be prevented, detected and corrected by the internal control system. Residual risk: the product of inherent risk and control risk (1) Reduce risks by designing effective business processes and implementing internal controls. (2) Share risks by outsourcing business processes, buying insurance, or entering into hedging transactions. (3) Avoid risks by not engaging in the activities that would produce the risk. (4) Accept risk by relying on natural offsets of the risk within a portfolio, or allowing the likelihood and impact of the risk.
16
Risk Assessment and Risk Response
LO# 2 Risk Assessment and Risk Response Cost and benefit analysis is important in determining whether to implement an internal control. The benefits of an internal control should exceed its costs. One way to measure the benefits of a control is using the estimated impact of a risk times the decreased likelihood if the control is implemented. Expected benefit of an internal control = Impact X Decreased Likelihood
17
LO# 2 Control Activities Physical Controls: mainly manual but could involve the physical use of computing technology. IT controls: processes that provide assurance for information and help to mitigate risks associated with the use of technology. -- IT general controls (ITGC) -- IT application controls
18
LO# 3 COBIT Framework COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for IT governance and management. Governance: firm objectives: evaluating stakeholder needs setting direction through decision making monitoring performance, compliance and progress Management: activities: planning, building, running and monitoring
19
LO# 3 COBIT Framework Provides a business focus to align business and IT objectives; Defines the scope and ownership of IT process and control; Is consistent with accepted IT good practices and standards; Provides a common language with a set of terms and definitions that are generally understandable by all stakeholders; and Meets regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and auditors.
20
Information Technology Infrastructure Library (ITIL)
A de facto standard in Europe for the best practices in IT infrastructure management and service delivery. ITIL’s value proposition centers on providing IT service with an understanding the business objectives and priorities, and the role that IT services has in achieving the objectives. ITIL adopts a lifecycle approach to IT services, and organizes IT service management into five high-level categories.
21
International Organization for Standardization (ISO) 27000 Series
The ISO series of standards are designed to address information security issues. ISO series, particularly ISO and ISO 27002, have become the most recognized and generally accepted sets of information security framework and guidelines. The main objective of the ISO series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS).
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.