Copyright 2015 Pearson Education, Inc.

Control and Accounting Information

Systems

Chapter 7
7-1

Copyright 2015 Pearson Education, Inc.
Learning Objectives
Explain basic control concepts and why computer control and security are important.

Compare and contrast the COBIT, COSO, and ERM control frameworks.

Describe the major elements in the internal environment of a company.

Describe the four types of control objectives that companies need to set.

Describe the events that affect uncertainty and the techniques used to identify them.

Explain how to assess and respond to risk using the Enterprise Risk Management model.

Describe control activities commonly used in companies.

Describe how to communicate information and monitor control processes in organizations.

7-2
Copyright 2015 Pearson Education, Inc.
Why Is Control Needed?
Any potential adverse occurrence or unwanted event
that could be injurious to either the accounting
information system or the organization is referred to
as a threat or an event.

The potential dollar loss should a particular threat
become a reality is referred to as the exposure or
impact of the threat.

The probability that the threat will happen is the
likelihood associated with the threat

7-3
Copyright 2015 Pearson Education, Inc.
A Primary Objective of an AIS
Is to control the organization so the organization
can achieve its objectives

Management expects accountants to:
Take a proactive approach to eliminating system
threats.
Detect, correct, and recover from threats when
they occur.

7-4
Copyright 2015 Pearson Education, Inc.
Internal Controls
Processes implemented to provide assurance
that the following objectives are achieved:
Safeguard assets
Maintain sufficient records
Provide accurate and reliable information
Prepare financial reports according to established
criteria
Promote and improve operational efficiency
Encourage adherence with management policies
Comply with laws and regulations
7-5
Copyright 2015 Pearson Education, Inc.
Functions of Internal Controls
Preventive controls
Deter problems from occurring
Detective controls
Discover problems that are not prevented
Corrective controls
Identify and correct problems; correct and recover
from the problems
7-6
Copyright 2015 Pearson Education, Inc.
Control Frameworks
COBIT
Framework for IT control
COSO
Framework for enterprise internal controls
(control-based approach)
COSO-ERM
Expands COSO framework taking a risk-based
approach
7-7
Copyright 2015 Pearson Education, Inc.
COBIT Framework
Current framework version is COBIT5
Based on the following principles:
Meeting stakeholder needs
Covering the enterprise end-to-end
Applying a single, integrated framework
Enabling a holistic approach
Separating governance from management
7-8
Copyright 2015 Pearson Education, Inc.
COBIT5 Separates Governance from
Management
7-9
Copyright 2015 Pearson Education, Inc.
Components of COSO Frameworks
COSO COSO-ERM
Control (internal)
environment
Risk assessment
Control activities
Information and
communication
Monitoring
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and
communication
Monitoring
7-10
Copyright 2015 Pearson Education, Inc.
Internal Environment
Managements philosophy, operating style, and
risk appetite
Commitment to integrity, ethical values, and
competence
Internal control oversight by Board of Directors
Organizing structure
Methods of assigning authority and
responsibility
Human resource standards
7-11
Copyright 2015 Pearson Education, Inc.
Objective Setting
Strategic objectives
High-level goals
Operations objectives
Effectiveness and efficiency of operations
Reporting objectives
Improve decision making and monitor
performance
Compliance objectives
Compliance with applicable laws and regulations
7-12
Copyright 2015 Pearson Education, Inc.
Event Identification
Identifying incidents both external and internal to
the organization that could affect the achievement
of the organizations objectives
Key Management Questions:
What could go wrong?
How can it go wrong?
What is the potential harm?
What can be done about it?
7-13
Copyright 2015 Pearson Education, Inc.
Risk Assessment
Risk is assessed from two perspectives:
Likelihood
Probability that the event will occur
Impact
Estimate potential loss if event occurs

Types of risk
Inherent
Risk that exists before plans are made to control it
Residual
Risk that is left over after you control it
7-14
Copyright 2015 Pearson Education, Inc.
Risk Response
Reduce
Implement effective internal control
Accept
Do nothing, accept likelihood and impact of risk
Share
Buy insurance, outsource, or hedge
Avoid
Do not engage in the activity
7-15
Copyright 2015 Pearson Education, Inc.
Control Activities
Proper authorization of transactions and
activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance
7-16
Copyright 2015 Pearson Education, Inc.
Segregation of Duties
7-17
Copyright 2015 Pearson Education, Inc.
Monitoring
Perform internal control evaluations (e.g., internal
audit)
Implement effective supervision
Use responsibility accounting systems (e.g.,
budgets)
Monitor system activities
Track purchased software and mobile devices
Conduct periodic audits (e.g., external, internal,
network security)
Employ computer security officer
Engage forensic specialists
Install fraud detection software
Implement fraud hotline
7-18
Copyright 2015 Pearson Education, Inc.
Key Terms
Threat or Event
Exposure or impact
Likelihood
Internal controls
Preventive controls
Detective controls
Corrective controls
General controls
Application controls
Belief system
Boundary system
Diagnostic control system
Interactive control system
Audit committee
Foreign Corrupt Practices Act
(FCPA)
Sarbanes-Oxley Act (SOX)
Public Company Accounting
Oversight Board (PCAOB)
Control Objectives for
Information and Related
Technology (COBIT)
Committee of Sponsoring
Organizations (COSO)
Internal control-integrated
framework (IC)
Enterprise Risk Management
Integrated Framework (ERM)
Internal environment

7-19
Copyright 2015 Pearson Education, Inc.
Key Terms (continued)
Risk appetite
Policy and procedures manual
Background check
Strategic objectives
Operations objectives
Reporting objectives
Compliance objectives
Event
Inherent risk
Residual risk
Expected loss
Control activities
Authorization
Digital signature
Specific authorization
General authorization
Segregation of accounting
duties
Collusion
Segregation of systems duties
Systems administrator
Network manager
Security management
Change management
Users
Systems analysts
Programmers
Computer operators
Information system library
7-20
Copyright 2015 Pearson Education, Inc.
Key Terms (continued)
Data control group
Steering committee
Strategic master plan
Project development plan
Project milestones
Data processing schedule
System performance
measurements
Throughput
Utilization
Response time


Postimplementation review
Systems integrator
Analytical review
Audit trail
Computer security officer
(CSO)
Chief compliance officer (CCO)
Forensic investigators
Computer forensics specialists
Neural networks
Fraud hotline
7-21