
CHAPTER 6

Control and Accounting Information Systems

© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 1 of 314
INTRODUCTION
• Questions to be addressed in this chapter:
– What are the basic internal control concepts, and why are
computer control and security important?
– What is the difference between the COBIT, COSO, and ERM
control frameworks?
– What are the major elements in the internal environment of a
company?
– What are the four types of control objectives that companies
need to set?
– What events affect uncertainty, and how can they be identified?
– How is the Enterprise Risk Management model used to assess
and respond to risk?
– What control activities are commonly used in companies?
– How do organizations communicate information and monitor
control processes?

• Why AIS Threats Are Increasing
– Control risks have increased in the last few years because:
• There are computers and servers everywhere, and
information is available to an unprecedented number of
workers.
• Distributed computer networks make data available to many
users, and these networks are harder to control than
centralized mainframe systems.
• Wide area networks are giving customers and suppliers
access to each other’s systems and data, making
confidentiality a major concern.

• Historically, many organizations have not adequately
protected their data due to one or more of the following
reasons:
– Computer control problems are often underestimated and
downplayed.
– Control implications of moving from centralized, host-based
computer systems to those of a networked system or Internet-
based system are not always fully understood.
– Companies have not realized that data is a strategic resource
and that data security must be a strategic requirement.
– Productivity and cost pressures may motivate management to
forego time-consuming control measures.

• Some vocabulary terms for this chapter:
– A threat is any potential adverse occurrence or
unwanted event that could injure the AIS or the
organization.
– The exposure or impact of the threat is the
potential dollar loss that would occur if the
threat becomes a reality.
– The likelihood is the probability that the threat
will occur.

• Control and Security are Important
– Companies are now recognizing the problems and
taking positive steps to achieve better control,
including:
• Devoting full-time staff to security and control concerns.
• Educating employees about control measures.
• Establishing and enforcing formal information security
policies.
• Making controls a part of the applications development
process.
• Moving sensitive data to more secure environments.

• To use IT in achieving control objectives, accountants must:
– Understand how to protect systems from threats.
– Have a good understanding of IT and its
capabilities and risks.
• Achieving adequate security and control over
the information resources of an organization
should be a top management priority.

• Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
– Computer processing may reduce clerical errors but
increase risks of unauthorized access or modification
of data files.
– Segregation of duties must be achieved differently in
an AIS.
– Computers provide opportunities for enhancement of
some internal controls.

• One of the primary objectives of an AIS is to control a business organization.
– Accountants must help by designing effective control
systems and auditing or reviewing control systems
already in place to ensure their effectiveness.
• Management expects accountants to be control
consultants by:
– Taking a proactive approach to eliminating system
threats; and
– Detecting, correcting, and recovering from threats
when they do occur.

• It is much easier to build controls into a system during the initial stage than to add them after the fact.
• Consequently, accountants and control
experts should be members of the teams
that develop or modify information
systems.

OVERVIEW OF CONTROL CONCEPTS

• In today’s dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
– Hire creative and innovative employees.
– Give these employees power and flexibility to:
• Satisfy changing customer demands;
• Pursue new opportunities to add value to the organization;
and
• Implement process improvements.
• At the same time, the company needs control systems so it is not exposed to excessive risks or behaviors that could harm its reputation for honesty and integrity.

• Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
– Assets (including data) are safeguarded.
• This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
– Records are maintained in sufficient detail to accurately and fairly reflect company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are prepared in accordance with GAAP.
– Operational efficiency is promoted and improved.
• This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors’ authorizations.
– Adherence to prescribed managerial policies is encouraged.
– The organization complies with applicable laws and regulations.

• Internal control is a process because:
– It permeates an organization’s operating activities.
– It is an integral part of basic management activities.
• Internal control provides reasonable, rather than
absolute, assurance, because complete
assurance is difficult or impossible to achieve
and prohibitively expensive.

• Internal control systems have inherent limitations, including:
– They are susceptible to errors and poor decisions.
– They can be overridden by management or by
collusion of two or more employees.
• Internal control objectives are often at odds with
each other.
– EXAMPLE: Controls to safeguard assets may also
reduce operational efficiency.

• Internal controls perform three important functions:
– Preventive controls
• Deter problems before they arise.
– Detective controls
• Discover problems quickly when they do arise.
– Corrective controls
• Remedy problems that have occurred by:
– Identifying the cause;
– Correcting the resulting errors; and
– Modifying the system to prevent future problems of this sort.

• Internal controls are often classified as:
– General controls
• Those designed to make sure an organization’s control environment is stable and well managed.
• They apply to all sizes and types of systems.
• Examples: Security management controls.
– Application controls
• Prevent, detect, and correct transaction errors and fraud.
• Are concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

• An effective system of internal controls should exist in all organizations to:
– Help them achieve their missions and goals
– Minimize surprises

CONTROL FRAMEWORKS

• A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
– The COBIT framework
– The COSO internal control framework
– COSO’s Enterprise Risk Management framework (ERM)

• COBIT Framework
– Also known as the Control Objectives for Information and Related Technology framework.
– Developed by the Information Systems Audit and Control Foundation (ISACF).
– A framework of generally applicable information systems security and control practices for IT control.

• The COBIT framework allows:
– Management to benchmark security and
control practices of IT environments.
– Users of IT services to be assured that
adequate security and control exists.
– Auditors to substantiate their opinions on
internal control and advise on IT security and
control matters.

• The framework addresses the issue of control from three vantage points or dimensions:
– Business objectives
• To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.”
• The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
– Effectiveness (relevant, pertinent, and timely)
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance with legal requirements
– Reliability
– IT resources
• Includes:
• People
• Application systems
• Technology
• Facilities
• Data
– IT processes
• Broken into four domains:
– Planning and organization
– Acquisition and implementation
– Delivery and support
– Monitoring
• COBIT consolidates standards from 36 different sources into a single framework.
• It is having a big impact on the IS profession.
– Helps managers to learn how to balance risk and
control investment in an IS environment.
– Provides users with greater assurance that security
and IT controls provided by internal and third parties
are adequate.
– Guides auditors as they substantiate their opinions
and provide advice to management on internal
controls.

• COSO’s Internal Control Framework
– The Committee of Sponsoring Organizations
(COSO) is a private sector group consisting
of:
• The American Accounting Association
• The AICPA
• The Institute of Internal Auditors
• The Institute of Management Accountants
• The Financial Executives Institute

• In 1992, COSO issued the Internal Control Integrated Framework:
– Defines internal controls.
– Provides guidance for evaluating and
enhancing internal control systems.
– Widely accepted as the authority on internal
controls.
– Incorporated into policies, rules, and
regulations used to control business activities.

• COSO’s internal control model has five crucial components:
– Control environment
• The core of any business is its people.
• Their integrity, ethical values, and competence make up the foundation on which everything else rests.
– Control activities
• Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.
– Risk assessment
• The organization must be aware of and deal with the risks it faces.
• It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
– Information and communication
• Information and communications systems surround the control activities.
• They enable the organization’s people to capture and exchange information needed to conduct, manage, and control its operations.
– Monitoring
• The entire process must be monitored and modified as necessary.

• Nine years after COSO issued the preceding
framework, it began investigating how to
effectively identify, assess, and manage risk so
organizations could improve the risk
management process.
• Result: Enterprise Risk Management Integrated Framework (ERM)
– An enhanced corporate governance document.
– Expands on elements of preceding framework.
– Provides a focus on the broader subject of enterprise
risk management.

• Intent of ERM is to achieve all goals of the
internal control framework and help the
organization:
– Provide reasonable assurance that company
objectives and goals are achieved and problems and
surprises are minimized.
– Achieve its financial and performance targets.
– Assess risks continuously and identify steps to take
and resources to allocate to overcome or mitigate
risk.
– Avoid adverse publicity and damage to the entity’s
reputation.

• ERM defines risk management as:
– A process effected by an entity’s board of
directors, management, and other personnel
– Applied in strategy setting and across the
enterprise
– To identify potential events that may affect the
entity
– And manage risk to be within its risk appetite
– In order to provide reasonable assurance of
the achievement of entity objectives.

• Basic principles behind ERM:
– Companies are formed to create value for owners.
– Management must decide how much uncertainty they will accept.
– Uncertainty can result in:
• Risk
• The possibility that something will happen to:
– Adversely affect the ability to create value; or
– Erode existing value.
• Opportunity
• The possibility that something will happen to positively affect the ability to create or preserve value.
– The framework should help management manage uncertainty and its associated risk to build and preserve value.
– To maximize value, a company must balance
its growth and return objectives and risks with
efficient and effective use of company
resources.

• COSO developed a model to illustrate the elements of ERM.

• Columns at the top represent the four types of objectives that management must meet to achieve company goals.
– Strategic objectives
• Strategic objectives are high-level goals that are aligned with and support the company’s mission.
– Operations objectives
• Operations objectives deal with effectiveness and efficiency of company operations, such as:
– Performance and profitability goals
– Safeguarding assets
– Reporting objectives
• Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
• Improve decision-making and monitor company activities and performance more efficiently.
– Compliance objectives
• Compliance objectives help the company comply with applicable laws and regulations.
– External parties often set the compliance rules.
– Companies in the same industry often have similar concerns in this area.
• ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.
• However, strategic and operations objectives are sometimes at the mercy of external events that the company can’t control.
• Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.

• Columns on the right represent the company’s units:
– Entire company
– Division
– Business unit
– Subsidiary

• The horizontal rows are eight related risk and control components, including:
– Internal environment
• The tone or culture of the company.
• Provides discipline and structure and is the foundation for all other components.
• Essentially the same as control environment in the COSO internal control framework.
– Objective setting
• Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company’s mission and are consistent with the company’s tolerance for risk.
• Strategic objectives are set first as a foundation for the other three.
• The objectives provide guidance to companies as they identify risk-creating events and assess and respond to those risks.
– Event identification
• Requires management to identify events that may affect the company’s ability to implement its strategy and achieve its objectives.
• Management must then determine whether these events represent:
– Risks (negative-impact events requiring assessment and response); or
– Opportunities (positive-impact events that influence strategy and objective-setting processes).
– Risk assessment
• Identified risks are assessed to determine how to manage them and how they affect the company’s ability to achieve its objectives.
• Qualitative and quantitative methods are used to assess risks individually and by category in terms of:
– Likelihood
– Positive and negative impact
– Effect on other organizational units
• Risks are analyzed on an inherent and a residual basis.
• Corresponds to the risk assessment element in COSO’s internal control framework.
– Risk response
• Management aligns identified risks with the company’s tolerance for risk by choosing to:
– Avoid
– Reduce
– Share
– Accept
• Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and the costs and benefits of alternate responses.
– Control activities
• To implement management’s risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization.
• Corresponds to the control activities element in the COSO internal control framework.
– Information and communication
• Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.
• Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.
• Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.
• Has a corresponding element in the COSO internal control framework.
– Monitoring
• ERM processes must be monitored on an ongoing basis and modified as needed.
• Accomplished with ongoing management activities and separate evaluations.
• Deficiencies are reported to management.
• Corresponding module in the COSO internal control framework.
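A quantitative sketch of the risk assessment and risk response components described above (likelihood times impact, inherent versus residual basis, cost and benefit of alternate responses, and the portfolio view). This is an added example, not from the textbook: the risk register, dollar figures and probabilities are constructed, and the company's risk tolerance is modelled as the largest residual expected annual loss management will accept for a single risk, which is an assumption.

```python
"""Quantitative risk assessment and risk response selection in ERM terms.

Added illustration (not from the textbook). Every figure in the register below
is constructed; the 'tolerance' is modelled as the largest residual expected
annual loss management will accept for one risk (an assumption).
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    kind: str            # one of "avoid", "reduce", "share", "accept"
    annual_cost: float   # cost of carrying out the response, per year
    likelihood: float    # residual likelihood once the response is in place
    impact: float        # residual exposure (dollar loss) once the response is in place


@dataclass
class Risk:
    name: str
    likelihood: float    # inherent probability the threat occurs within a year
    impact: float        # inherent exposure: dollar loss if the threat occurs
    responses: list[Response] = field(default_factory=list)

    def inherent_expected_loss(self) -> float:
        """Inherent basis: likelihood x impact with no response in place."""
        return self.likelihood * self.impact


def residual_expected_loss(response: Response) -> float:
    """Residual basis: likelihood x impact after the response is applied."""
    return response.likelihood * response.impact


def net_benefit(risk: Risk, response: Response) -> float:
    """Expected loss avoided by the response, net of what the response costs."""
    return risk.inherent_expected_loss() - residual_expected_loss(response) - response.annual_cost


def choose_response(risk: Risk, tolerance: float) -> Response:
    """Select the response with the highest net benefit among those that bring
    the residual expected loss within tolerance. Accepting the risk as-is is
    always a candidate (zero cost, inherent likelihood and impact). If nothing
    gets within tolerance, fall back to the option that comes closest."""
    accept = Response("accept", 0.0, risk.likelihood, risk.impact)
    candidates = [accept] + list(risk.responses)
    within = [c for c in candidates if residual_expected_loss(c) <= tolerance]
    if not within:
        return min(candidates, key=residual_expected_loss)
    return max(within, key=lambda c: net_benefit(risk, c))


def portfolio_view(register: list[Risk], tolerance: float) -> tuple[float, dict[str, str]]:
    """Entity-wide view: chosen response per risk plus total residual expected loss."""
    chosen = {r.name: choose_response(r, tolerance) for r in register}
    total = sum(residual_expected_loss(c) for c in chosen.values())
    return total, {name: c.kind for name, c in chosen.items()}


# Constructed risk register (hypothetical figures, not from the textbook).
PAYROLL_RISK = Risk(
    name="Unauthorized modification of payroll data files",
    likelihood=0.20, impact=200_000.0,
    responses=[
        Response("reduce", 12_000.0, 0.05, 200_000.0),  # access controls and change logging
        Response("share", 15_000.0, 0.20, 50_000.0),    # insurance covers most of the loss
        Response("avoid", 30_000.0, 0.0, 0.0),          # outsource payroll processing entirely
    ],
)
OUTAGE_RISK = Risk(
    name="Data center power outage",
    likelihood=0.10, impact=100_000.0,
    responses=[
        Response("reduce", 8_000.0, 0.02, 100_000.0),   # UPS and generator maintenance
        Response("share", 4_000.0, 0.10, 30_000.0),     # business interruption insurance
    ],
)
REGISTER = [PAYROLL_RISK, OUTAGE_RISK]


if __name__ == "__main__":
    tolerance = 12_000.0
    for risk in REGISTER:
        chosen = choose_response(risk, tolerance)
        print(f"{risk.name}: inherent EL ${risk.inherent_expected_loss():,.0f} "
              f"-> {chosen.kind}, residual EL ${residual_expected_loss(chosen):,.0f}, "
              f"net benefit ${net_benefit(risk, chosen):,.0f}")
    total, picks = portfolio_view(REGISTER, tolerance)
    print(f"Portfolio residual expected loss: ${total:,.0f}; responses: {picks}")
```

With the constructed figures the payroll risk is best reduced (net benefit 18,000 against 15,000 for sharing and 10,000 for avoiding), and tightening the tolerance to 5,000 flips the choice to avoidance because only that option stays within appetite.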
• The ERM model is three-dimensional.
• Means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.
• ERM Framework Vs. the Internal Control Framework
– The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
• It has too narrow of a focus.
• Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.
• Makes it difficult to know:
– Which control systems are most important.
– Whether they adequately deal with risk.
– Whether important control systems are missing.
• Focusing on controls first has an inherent bias toward past problems and concerns.
• May contribute to systems with many controls to protect against risks that are no longer important.

• These issues led to COSO’s development of the
ERM framework.
– Takes a risk-based, rather than controls-based,
approach to the organization.
– Oriented toward future and constant change.
– Incorporates rather than replaces COSO’s internal
control framework and contains three additional
elements:
• Setting objectives.
• Identifying positive and negative events that may affect the
company’s ability to implement strategy and achieve
objectives.
• Developing a response to assessed risk.

– Controls are flexible and relevant because they are linked to current organizational objectives.
– ERM also recognizes more options than
simply controlling risk, which include
accepting it, avoiding it, diversifying it, sharing
it, or transferring it.

• Over time, ERM will probably become the most widely adopted risk and control model.
• Consequently, its eight components are
the topic of the remainder of the chapter.
