Accounting 3603

Transcript Accounting 3603

HAPTER 6 Control and Accounting Information Systems ةيبساحملا تامولعملا مظنو ةباقرلا

1 of 314

INTRODUCTION

• Questions to be addressed in this chapter: – What are the basic internal control concepts, and why are computer control and security important?

– What is the difference between the COBIT, COSO, and ERM control frameworks?

– What are the major elements in the internal environment of a company?

– What are the four types of control objectives that companies need to set?

– What events affect uncertainty, and how can they be identified?

– How is the Enterprise Risk Management model used to assess and respond to risk?

– What control activities are commonly used in companies?

– How do organizations communicate information and monitor control processes?

2 of 314

INTRODUCTION

•

Why AIS Threats Are Increasing

؟ةدايز يف ةيبساحملا تامولعملا مظن تاديدهت اذامل – Control risks have increased in the last few years because: • There are computers and servers everywhere, and information is available to an unprecedented number of workers.

• Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.

• Wide area networks are giving customers and suppliers access to each other ’s systems and data, making confidentiality a major concern.

3 of 314

INTRODUCTION

• Historically, many organizations have not adequately protected their data due to one or more of the following reasons: – Computer control problems are often underestimated and downplayed.

– Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet based system are not always fully understood.

– Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.

– Productivity and cost pressures may motivate management to forego time-consuming control measures.

4 of 314

INTRODUCTION

• Some vocabulary terms for this chapter:

– A

threat

is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.

– The

exposure

impact

of the threat is the potential dollar loss that would occur if the threat becomes a reality.

– The

likelihood

threat will occur.

is the probability that the

5 of 314

INTRODUCTION

•

Control and Security are Important

– Companies are now recognizing the problems and taking positive steps to achieve better control, including: • Devoting full-time staff to security and control concerns.

• Educating employees about control measures.

• Establishing and enforcing formal information security policies.

• Making controls a part of the applications development process.

• Moving sensitive data to more secure environments.

6 of 314

INTRODUCTION

• To use IT in achieving control objectives, accountants must: – Understand how to protect systems from threats.

– Have a good understanding of IT and its capabilities and risks.

• • Achieving adequate security and control over the information resources of an organization should be a top management priority.

Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because: – Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.

– Segregation of duties must be achieved differently in an AIS.

– Computers provide opportunities for enhancement of some internal controls

7 of 314

INTRODUCTION

• One of the primary objectives of an AIS is to control a business organization.

– Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.

• • • Management expects accountants to be control consultants by: – Taking a proactive approach to eliminating system threats; and – Detecting, correcting, and recovering from threats when they do occur.

It is much easier to build controls into a system during the initial stage than to add them after the fact.

Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

8 of 314

OVERVIEW OF CONTROL CONCEPTS

• In today’s dynamic business environment, companies must react quickly to changing conditions and markets, including steps to: – Hire creative and innovative employees.

– Give these employees power and flexibility to: • Satisfy changing customer demands; • Pursue new opportunities to add value to the organization; and • Implement process improvements.

• At the same time, the company needs control systems so they are not exposed to excessive risks or behaviors that could harm their reputation for honesty and integrity.

9 of 314

OVERVIEW OF CONTROL CONCEPTS

• •

Internal control

is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: –

Assets (including data) are safeguarded.

This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.

10 of 314

OVERVIEW OF CONTROL CONCEPTS

•

Internal control

: عبات – Assets (including data) are safeguarded.

– Records are maintained in sufficient detail to accurately and fairly reflect company assets. – Accurate and reliable information is provided.

– There is reasonable assurance that financial reports are prepared in accordance with GAAP.

–

Operational efficiency is promoted and improved.

•

This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors ’ authorizations.

11 of 314

OVERVIEW OF CONTROL CONCEPTS

•

Internal control

. عبات

– Adherence to prescribed managerial policies is encouraged.

–

The organization complies with applicable laws and regulations

12 of 314

OVERVIEW OF CONTROL CONCEPTS

• Internal control is a employees.

process

because: – It permeates نم ذفني وا قرتخي an organization’s operating activities.

– It is an integral part of basic management activities.

• Internal control provides

reasonable

assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

, rather than absolute, • Internal control systems have inherent limitations, including: – They are susceptible to errors and poor decisions.

– They can be overridden by management or by collusion of two or more • Internal control objectives are often at odds with each other.

– EXAMPLE: Controls to safeguard assets may also reduce operational efficiency

13 of 314

OVERVIEW OF CONTROL CONCEPTS

• Internal controls perform three important functions:

–

Preventive controls

•

Deter عنمي problems before they arise.

•

Detective controls : Discover problems quickly when they do arise.

14 of 314

OVERVIEW OF CONTROL CONCEPTS

Corrective controls

•

Remedy problems that have occurred by:

– – –

Identifying the cause; Correcting the resulting errors; and Modifying the system to prevent future problems of this sort.

- General controls

• • •

Those designed to make sure an organization ’s control environment is stable and well managed.

They apply to all sizes and types of systems.

Examples: Security management controls .

15 of 314

OVERVIEW OF CONTROL CONCEPTS

• Internal controls are often classified as:

–

Application controls

• •

Prevent, detect, and correct transaction errors and fraud.

Are concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

• An effective system of internal controls should exist in all organizations to: – Help them achieve their missions and goals – Minimize surprises

16 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• In 1977, Congress passed the an AICPA pronouncement.

Foreign Corrupt Practices Act

, and to the surprise of the profession, this act incorporated language from • The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.

• A significant effect was to require that corporations maintain good systems of internal accounting control.

– Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.

– The resulting internal control improvements weren’t sufficient.

17 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.

– The impact on financial markets was substantial, and Congress responded with passage of the

Sarbanes-Oxley Act of 2002

(aka,

SOX

). • Applies to publicly held companies and their auditors • The intent of SOX is to: – Prevent financial statement fraud – Make financial reports more transparent – Protect investors – Strengthen internal controls in publicly-held companies – Punish executives who perpetrate fraud • SOX has had a material impact on the way boards of directors, management, and accountants operate.

18 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• Important aspects of SOX include: –

Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.

• • • •

Has five members, three of whom cannot be CPAs.

Charges fees to firms to fund the PCAOB.

Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports.

Currently recognizes FASB statements as being generally accepted.

19 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• • • • Important aspects of SOX include: –

New rules for auditors They must report specific information to the company ’s audit committee, such as:

–

Critical accounting policies and practices

– –

Alternative GAAP treatments Auditor-management disagreements Audit partners must be rotated periodically.

Auditors cannot perform certain non-audit services, such as:

–

Bookkeeping

– – – –

Information systems design and implementation Internal audit outsourcing services Management functions Human resource services © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart

20 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• • –

New rules for auditors : عبات Permissible non-audit services must be approved by the board of directors and disclosed to investors.

Cannot audit a company if a member of top management was employed by the auditor and worked on the company ’s audit in the past 12 months.

–

New rules for audit committees:

• • •

Members must be on the company ’s board of directors and must otherwise be independent of the company.

One member must be a financial expert.

The committee hires, compensates, and oversees the auditors, and the auditors report directly to the committee.

21 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

•

New rules for management

•

The CEO and CFO must certify that:

–

The financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.

–

Management is responsible for internal controls.

– –

The auditors were advised of any material internal control weaknesses or fraud.

Any significant changes to controls after management ’s evaluation were disclosed and corrected.

22 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

- New internal control requirements

• • •

New internal control requirements:

–

Section 404 of SOX requires companies to issue a report accompanying the financial statements that:

• •

States management is responsible for establishing and maintaining an adequate internal control structure and procedures.

Contains management ’s assessment of the company’s internal controls.

•

Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.

SOX also requires that the auditor attests to and reports on management ’s internal control assessment.

23 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• After the passage of SOX, the SEC further mandated that: – Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.

– The report must contain a statement identifying the framework used.

– Management must disclose any and all material internal control weaknesses.

– Management cannot conclude that the company has effective internal control if there are any material weaknesses.

24 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• Levers of Control

– Many people feel there is a basic conflict between creativity and controls.

– Robert Simons has espoused four levers of controls to help companies reconcile this conflict: •

A concise belief system

• • • •

Communicates company core values to employees and inspires them to live by them.

Draws attention to how the organization creates value.

Helps employees understand management ’s intended direction.

Must be broad enough to appeal to all levels.

25 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• • • •

Levers of Control

– Robert Simons has espoused four levers of controls to help companies reconcile this conflict: • A concise belief system •

A boundary system Helps employees act ethically by setting limits beyond which they must not pass.

Does not create rules and standard operating procedures that can stifle creativity.

Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as:

– – –

Meeting minimum standards of performance Shunning off-limits activities Avoiding actions that could damage the company ’s reputation.

26 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• Levers of Control

• • A concise belief system • A boundary system

A diagnostic control system

• • • •

Ensures efficient and effective achievement of important controls.

This system measures company progress by comparing actual to planned performance.

Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.

Provides feedback to enable management to adjust and fine tune.

27 of 314

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• • • •

An interactive control system

Helps top-level managers with high-level activities that demand frequent and regular attention. Examples:

– –

Developing company strategy.

Setting company objectives.

– –

Understanding and assessing threats and risks.

Monitoring changes in competitive conditions and emerging technologies.

–

Developing responses and action plans to proactively deal with these high-level issues.

Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.

Data from this system are best interpreted and discussed in face-to face meetings.

28 of 314

CONTROL FRAMEWORKS

• A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: – The COBIT framework – The COSO internal control framework – COSO’s Enterprise Risk Management framework (ERM)

29 of 314

CONTROL FRAMEWORKS

•

COBIT Framework

– Also know as the

Control Objectives for Information and Related Technology

framework.

– Developed by the Information Systems Audit and Control Foundation (ISACF).

– A framework of generally applicable information systems security and control practices for IT control.

• The COBIT framework allows: – Management to benchmark سايقم security and control practices of IT environments.

– Users of IT services to be assured that adequate security and control exists.

– Auditors to substantiate their opinions on internal control and advise on IT security and control matters

30 of 314

CONTROL FRAMEWORKS

• The framework addresses the issue of control from three vantage points or dimensions: –

Business objectives

• •

To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.” The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:

–

Effectiveness (relevant, pertinent فقوملا كلذل مئلام , and timely)

– – –

Efficiency Confidentiality Integrity

– – –

31 of 314

CONTROL FRAMEWORKS

• • The framework addresses the issue of control from three vantage points or dimensions: – Business objectives –

IT resources Includes: People, Application systems, Technology, Facilities, Data

• –

IT processes Broken into four domains

–

Planning and organization

– – –

32 of 314

CONTROL FRAMEWORKS

• COBIT consolidates standards from 36 different sources into a single framework.

• It is having a big impact on the IS profession.

– Helps managers to learn how to balance risk and control investment in an IS environment.

– Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.

– Guides auditors as they substantiate their opinions and provide advice to management on internal controls.

33 of 314

CONTROL FRAMEWORKS

• COSO ’s Internal Control Framework

– The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of: • The American Accounting Association • The AICPA • The Institute of Internal Auditors • The Institute of Management Accountants • The Financial Executives Institute

34 of 314

CONTROL FRAMEWORKS

• In 1992, COSO issued the

Internal Control Integrated Framework

: – Defines internal controls.

– Provides guidance for evaluating and enhancing internal control systems.

– Widely accepted as the authority on internal controls.

– Incorporated into policies, rules, and regulations used to control business activities.

35 of 314

CONTROL FRAMEWORKS

• COSO’s internal control model has five crucial components: - Control environment • •

The core of any business is its people.

Their integrity, ethical values, and competence make up the foundation on which everything else rests.

•

- Control activities Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.

36 of 314

CONTROL FRAMEWORKS

Risk assessment • •

The organization must be aware of and deal with the risks it faces.

It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.

Information and communication

• •

Information and communications systems surround the control activities.

They enable the organization ’s people to capture and exchange information needed to conduct, manage, and control its operations .

37 of 314

CONTROL FRAMEWORKS

• Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.

• Result: Enterprise Risk Manage Integrated Framework (ERM) – An enhanced corporate governance document.

– Expands on elements of preceding framework.

– Provides a focus on the broader subject of enterprise risk management.

• Intent of ERM is to achieve all goals of the internal control framework and help the organization: – Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.

– Achieve its financial and performance targets.

– Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.

– Avoid adverse publicity and damage to the entity’s reputation.

38 of 314

CONTROL FRAMEWORKS

• ERM defines risk management as: – A process effected by an entity’s board of directors, management, and other personnel – Applied in strategy setting and across the enterprise – To identify potential events that may affect the entity – And manage risk to be within its risk appetite – In order to provide reasonable assurance of the achievement of entity objectives.

• Basic principles behind ERM: – Companies are formed to create value for owners.

– Management must decide how much uncertainty they will accept.

– Uncertainty can result in: •

Risk: The possibility that something will happen to: Adversely affect the ability to create value; or Erode existing value.

39 of 314

CONTROL FRAMEWORKS

• – Uncertainty can result in: • • Risk

Opportunity The possibility that something will happen to positively affect the ability to create or preserve value.

– The framework should help management manage uncertainty and its associated risk to build and preserve value.

– To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.

40 of 314

CONTROL FRAMEWORKS

• COSO developed a model to illustrate the elements of ERM.

41 of 314

CONTROL -FRAMEWORKS

• • Columns at the top represent the four types of

objectives

that management must meet to achieve company goals.

– Strategic objectives

Strategic objectives are high-level goals that are aligned with and support the company ’s mission.

•

- Operations objectives Operations objectives deal with effectiveness and efficiency of company operations, such as:

– –

42 of 314

CONTROL FRAMEWORKS

• • Reporting objectives

Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.

Improve decision-making and monitor company activities and performance more efficiently.

–

Compliance objectives

•

Compliance objectives help the company comply with applicable laws and regulations.

–

External parties often set the compliance rules.

–

Companies in the same industry often have similar concerns in this area.

43 of 314

CONTROL FRAMEWORKS

• ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.

• However, strategic and operations objectives are sometimes at the mercy of external events that the company can ’t control.

• Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.

44 of 314

CONTROL FRAMEWORKS

• Columns on the right represent the company ’s units:

– Entire company – Division – Business unit – Subsidiary

45 of 314

CONTROL FRAMEWORKS

• • • • The horizontal rows are eight related risk and control components, including: –

Internal environment The tone or culture of the company.

Provides discipline and structure and is the foundation for all other components.

Essentially the same as control environment in the COSO internal control framework.

46 of 314

CONTROL FRAMEWORKS

• • • •

Objective setting Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company ’s mission and are consistent with the company ’s tolerance for risk.

Strategic objectives are set first as a foundation for the other three.

The objectives provide guidance to companies as they identify risk-creating events and assess and respond to those risks .

47 of 314

CONTROL FRAMEWORKS

• • •

Event identification Requires management to identify events that may affect the company ’s ability to implement its strategy and achieve its objectives.

Management must then determine whether these events represent:

–

Risks (negative-impact events requiring assessment and response); or

–

Opportunities (positive impact events that influence strategy and objective setting processes).

48 of 314

CONTROL FRAMEWORKS

• • •

Risk assessment Identified risks are assessed to determine how to manage them and how they affect the company ’s ability to achieve its objectives.

Qualitative and quantitative methods are used to assess risks individually and by category in terms of:

– – –

49 of 314

CONTROL FRAMEWORKS

•

Risk response

• •

Management aligns identified risks with the company ’s tolerance for risk by choosing to:

– –

Avoid Reduce

– –

Share Accept Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and costs-benefits of alternate responses.

50 of 314

CONTROL FRAMEWORKS

• • •

Control activities To implement management risk responses, control Corresponds to the control activities element in the COSO internal control framework.

’s policies and procedures are established and implemented throughout the various levels and functions of the organization.

51 of 314

CONTROL FRAMEWORKS

• • • • –

Information and communication Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.

Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.

Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.

Has a corresponding element in the COSO internal control framework.

52 of 314

CONTROL FRAMEWORKS

•

Monitoring

• • • •

ERM processes must be monitored on an ongoing basis and modified as needed.

Accomplished with ongoing management activities and separate evaluations.

Deficiencies are reported to management.

Corresponding module in COSO internal control framework.

53 of 314

CONTROL FRAMEWORKS

• The ERM model is three-dimensional.

• Means that each of the eight risk and control elements are applied to the four objectives in the entire company and/or one of its subunits.

54 of 314

CONTROL FRAMEWORKS

•

ERM Framework Vs. the Internal Control Framework

– The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.

•

It has too narrow of a focus.

• •

Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.

Makes it difficult to know:

– – –

Which control systems are most important.

Whether they adequately deal with risk.

Whether important control systems are missing.

55 of 314

CONTROL FRAMEWORKS

• • It has too narrow of a focus.

Focusing on controls first has an inherent bias toward past problems and concerns.

•

May contribute to systems with many controls to protect against risks that are no longer important.

56 of 314

CONTROL FRAMEWORKS

• Over time, ERM will probably become the most widely adopted risk and control model.

• Consequently, its eight components are the topic of the remainder of the chapter.

57 of 314

INTERNAL ENVIRONMENT

• The most critical component of the ERM and the internal control framework.

• Is the foundation on which the other seven components rest.

• Influences how organizations: – Establish strategies and objectives – Structure business activities – Identify, access, and respond to risk • A deficient internal control environment often results in risk management and control breakdowns.

58 of 314

INTERNAL ENVIRONMENT

• Internal environment consists of the following: – Management’s philosophy, operating style, and risk appetite – The board of directors – Commitment to integrity, ethical values, and competence – Organizational structure – Methods of assigning authority and responsibility – Human resource standards – External influences

59 of 314

INTERNAL ENVIRONMENT

•

Management ’s Philosophy, Operating Style, and Risk Appetite

– An organization’s management has shared beliefs and attitudes about risk.

– That philosophy affects everything the organization does, long and short-term, and affects their communications.

– Companies also have a objectives.

risk appetite

it is not enough to give lip service.

, which is the amount of risk a company is willing to accept to achieve its goals and – That appetite needs to be in alignment with company strategy.

– The more responsible management’s philosophy and operating style, the more likely employees will behave responsibly.

– This philosophy must be clearly communicated to all employees; – Management must back up words with actions; if they show little concern for internal controls, then neither will employees

60 of 314

INTERNAL ENVIRONMENT

– This component can be assessed by asking questions such as: • Does management take undue business risks or assess potential risks and rewards before acting?

• Does management attempt to manipulate performance measures such as net income?

• Does management pressure employees to achieve results regardless of methods or do they demand ethical behavior?

61 of 314

INTERNAL ENVIRONMENT

•

The Board of Directors

– An active and involved board of directors plays an important role in internal control.

– They should: • Oversee management • Scrutinize management’s plans, performance, and activities • Approve company strategy • Review financial results • Annually review the company’s security policy • Interact with internal and external auditors • Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders.

• At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.

62 of 314

INTERNAL ENVIRONMENT

• Public companies must have an

audit committee

, composed entirely of independent, outside directors. – The audit committee oversees: • The company’s internal control structure; • Its financial reporting process; • Its compliance with laws, regulations, and standards.

– Works with the corporation’s external and internal auditors.

• Hires, compensates, and oversees the auditors.

• Auditors report all critical accounting policies and practices to the audit committee.

– Provides an independent review of management’s actions.

63 of 314

INTERNAL ENVIRONMENT

• •

Commitment to Integrity, Ethical Values, and Competence

– Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence.

• Ethical standards of behavior make for good business.

• Tone at the top is everything.

• Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.

Companies can endorse integrity as a basic operating principle by actively teaching and requiring it.

– Management should: • Make it clear that honest reports are more important than favorable ones.

– Management should avoid: • Unrealistic expectations, incentives or temptations.

• Attitude of earnings or revenue at any price.

• Overly aggressive sales practices.

• Unfair or unethical negotiation practices.

• Implied kickback offers.

• Excessive bonuses.

• Bonus plans with upper and lower cutoffs

64 of 314

INTERNAL ENVIRONMENT

• Management should not assume that employees would always act honestly.

– Consistently reward and encourage honesty.

– Give verbal labels to honest and dishonest acts.

– The combination of these two will produce more consistent moral behavior.

65 of 314

INTERNAL ENVIRONMENT

• • • SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees: – Should be written at a fifth-grade level.

– Should be reviewed annually with employees and signed.

– This approach helps employees keep themselves out of trouble.

– Helps the company if they need to take legal action against the employee.

Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.

– Reports of dishonest acts should be thoroughly investigated.

– Those found guilty should be dismissed.

– Prosecution should be undertaken when possible, so that other employees are clear about consequences.

Companies must make a commitment to competence.

– Begins with having competent employees.

– Varies with each job but is a function of knowledge, experience, training, and skills.

66 of 314

INTERNAL ENVIRONMENT

• The levers of control, particularly beliefs and boundaries systems, can be used to create the kind of commitment to integrity an organization wants.

– Requires more than lip service and signing forms.

– Must be

systems

in which top management actively participates in order to: • Demonstrate the importance of the system.

• Create buy-in and a team spirit.

67 of 314

INTERNAL ENVIRONMENT

• Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.

– Reports of dishonest acts should be thoroughly investigated.

– Those found guilty should be dismissed.

– Prosecution should be undertaken when possible, so that other employees are clear about consequences.

• Companies must make a commitment to competence.

– Begins with having competent employees.

– Varies with each job but is a function of knowledge, experience, training, and skills.

68 of 314

INTERNAL ENVIRONMENT

Organizational structure

– Methods of assigning authority and responsibility – Human resource standards – External influences

69 of 314

INTERNAL ENVIRONMENT

•

Organizational Structure

– A company’s organizational structure defines its lines of authority, responsibility, and reporting.

• Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.

• Important aspects or organizational structure: – Degree of centralization or decentralization.

– Assignment of responsibility for specific tasks.

– Direct-reporting relationships or matrix structure – Organization by industry, product, geographic location, marketing network – How the responsibility allocation affects management’s information needs – Organization of accounting and IS functions – Size and nature of company activities

70 of 314

INTERNAL ENVIRONMENT

• Statistically fraud occurs more frequently in organizations with complex structures

– The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or – The structure may be intentionally complex to facilitate the fraud.

71 of 314

INTERNAL ENVIRONMENT

Methods of assigning authority and responsibility

– Human resource standards – External influences

72 of 314

INTERNAL ENVIRONMENT

•

Methods of Assigning Authority and Responsibility

– Management should make sure: • Employees understand the entity’s objectives • Authority and responsibility for business objectives is assigned to specific departments and individuals – Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.

– Management: • Must be sure to identify who is responsible for the IS security policy.

• Should monitor results so decisions can be reviewed and, if necessary, overruled.

73 of 314

INTERNAL ENVIRONMENT

• Authority and responsibility are assigned through: – Formal job descriptions – Employee training – Operating plans, schedules, and budgets – Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest – Written policies and procedures manuals (a good job reference and job training tool) which covers: • Proper business practices • Knowledge and experience needed by key personnel • Resources provided to carry out duties • Policies and procedures for handling particular transactions • The organization’s chart of accounts • Sample copies of forms and documents

74 of 314

INTERNAL ENVIRONMENT

•

Human Resources Standards

– Employees are both the company’s greatest control strength and the greatest control weakness.

– Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.

– Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization ’s vulnerability.

75 of 314

INTERNAL ENVIRONMENT

• The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging – Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds

76 of 314

INTERNAL ENVIRONMENT

• Hiring – Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.

– Employees should undergo a formal, in-depth employment interview.

– Resumes, reference letters, and thorough

background checks

are critical.

Background checks can involve: – Verifying education and experience – Talking with references – Checking for criminal records, credit issues, and other publicly available data.

– Note that you must have the employee’s or candidate’s written permission to conduct a background check, but that permission does not need to have an expiration date.

– Background checks are important because recent studies show that about 50% of resumes have been falsified or embellished .

77 of 314

INTERNAL ENVIRONMENT

• • Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions.

– Some get phony degrees ةفيزم هداهش – Others actually hack (or hire someone to hack) into the systems of universities to create or alter transcripts and other academic data.

employee should be exempted from background checks. Anyone from the custodian to the company president is capable of committing fraud, sabotage, etc

78 of 314

INTERNAL ENVIRONMENT

• Compensating – Employees should be paid a fair and competitive wage.

– Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud.

– Appropriate incentives can motivate and reinforce outstanding performance.

• Policies on Training – Training programs should familiarize new employees with: • Their responsibilities.

• Expected performance and behavior.

• Company policies, procedures, history, culture, and operating style.

– Training needs to be ongoing, not just one-time.

– Companies who shortchange training are more likely to experience security breaches

79 of 314

INTERNAL ENVIRONMENT

– Many believe employee training and education are the most important elements of fraud prevention and security programs.

– Fraud is less likely to occur when employees believe security is everyone ’s business.

– An ideal corporate culture exists when: • Employees are proud of their company and protective of its assets.

• They believe fraud hurts everyone and that they therefore have a responsibility to report it.

- These cultures do not just happen. They must be created, taught, and practiced, and the following training should be provided: – Fraud awareness • Employees should be aware of fraud’s prevalence and dangers, why people do it, and how to deter and detect it.

– Ethical considerations • The company should promote ethical standards in its practice and its literature.

• Acceptable and unacceptable behavior should be defined and labeled, leaving as little gray area as possible.

80 of 314

INTERNAL ENVIRONMENT

– Punishment for fraud and unethical behavior.

• Employees should know the consequences (e.g., reprimand بينأت, dismissal لزع وا درط , prosecution ةاضاقم) of bad behavior.

• Should be disseminated as a consequence rather than a threat.

• EXAMPLE: “Using a computer to steal or commit fraud is a federal crime, and anyone doing so faces immediate dismissal and/or prosecution.

” • The company should display notices of program and data ownership and advise employees of the penalties of misuse.

81 of 314

INTERNAL ENVIRONMENT

• Training can take place through:

– Informal discussions – Formal meetings – Periodic memos – Written guidelines – Codes of ethics – Circulating reports of unethical behavior and its consequences – Promoting security and fraud training programs

82 of 314

INTERNAL ENVIRONMENT

• Evaluating and promoting

– Do periodic performance appraisals to help employees understand their strengths and weaknesses.

– Base promotions on performance and qualifications.

83 of 314

INTERNAL ENVIRONMENT

• The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting –

Discharging

– Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds

84 of 314

INTERNAL ENVIRONMENT

• Discharging

– Fired employees are disgruntled employees.

– Disgruntled employees are more likely to commit a sabotage or fraud against the company.

– Employees who are terminated (whether voluntary or involuntary) should be removed from sensitive jobs immediately and denied access to information systems.

85 of 314

INTERNAL ENVIRONMENT

• The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging –

Managing disgruntled employees

– Vacations and rotation of duties – Confidentiality insurance and fidelity bonds

86 of 314

INTERNAL ENVIRONMENT

• Managing disgruntled employees – Disgruntled employees may be isolated and/or unhappy, but are much likelier fraud candidates than satisfied employees.

– The organization can try to reduce the employee’s pressures through grievance channels and counseling.

• Difficult to do because many employees feel that seeking counseling will stigmatize مسو them in their jobs.

– Disgruntled employees should not be allowed to continue in jobs where they could harm the organization.

87 of 314

INTERNAL ENVIRONMENT

88 of 314

INTERNAL ENVIRONMENT

• Vacations and rotation of duties – Some fraud schemes, such as lapping and kiting, cannot continue without the constant attention of the perpetrator.

– Mandatory vacations or rotation of duties can prevent these frauds or lead to early detection.

– These measures will only be effective if

someone else

is doing the job while the usual employee is elsewhere.

• Confidentiality agreements and fidelity bond insurance – Employees, suppliers, and contractors should be required to sign and abide by nondisclosure or confidentiality agreements.

– Key employees should have fidelity bond insurance coverage to protect the company against losses from fraudulent acts by those employees.

89 of 314

INTERNAL ENVIRONMENT

90 of 314

INTERNAL ENVIRONMENT

• External influences

– External influences that affect the control environment include requirements imposed by: • FASB • PCAOB • SEC • Insurance commissions • Regulatory agencies for banks, utilities, etc.

91 of 314

OBJECTIVE SETTING

• Objective setting is the second ERM component.

• It must precede many of the other six components.

• For example, you must set objectives before you can define events that affect your ability to achieve objectives

92 of 314

OBJECTIVE SETTING

• Top management, with board approval, must articulate why the company exists and what it hopes to achieve.

– Often referred to as the corporate vision or mission.

• Uses the mission statement as a base from which to set corporate objectives.

• The objectives: – Need to be easy to understand and measure.

– Should be prioritized.

– Should be aligned with the company’s risk appetite.

93 of 314

OBJECTIVE SETTING

• Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub units.

• For each set of objectives:

– Critical success factors (what has to go right) must be defined.

– Performance measures should be established to determine whether the objectives are met.

94 of 314

OBJECTIVE SETTING

• Objective-setting process proceeds as follows: – First, set strategic objectives, the high-level goals that support the company ’s mission and create value for shareholders.

– To meet these objectives, identify alternative ways of accomplishing them.

– For each alternative, identify and assess risks and implications.

– Formulate a corporate strategy.

– Then set operations, compliance, and reporting objectives.

95 of 314

OBJECTIVE SETTING

• As a rule of thumb:

– The mission and strategic objectives are stable.

– The strategy and other objectives are more dynamic: • Must be adapted to changing conditions.

• Must be realigned with strategic objectives.

96 of 314

OBJECTIVE SETTING

• Operations objectives:

– Are a product of management preferences, judgments, and style – Vary significantly among entities: • One may adopt technology; another waits until the bugs are worked out.

– Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures.

– Give clear direction for resource allocation—a key success factor.

97 of 314

OBJECTIVE SETTING

• Compliance and reporting objectives:

– Many are imposed by external entities, e.g.: • Reports to IRS or to EPA • Financial reports that comply with GAAP – A company’s reputation can be impacted significantly (for better or worse) by the quality of its compliance.

98 of 314

EVENT IDENTIFICATION

• Events are: – Incidents or occurrences that emanate from internal or external sources – That affect implementation of strategy or achievement of objectives.

– Impact can be positive, negative, or both.

– Events can range from obvious to obscure.

– Effects can range from inconsequential to highly significant.

99 of 314

EVENT IDENTIFICATION

• By their nature, events represent uncertainty:

– Will they occur?

– If so, when?

– And what will the impact be?

– Will they trigger another event?

– Will they happen individually or concurrently?

100 of 314

EVENT IDENTIFICATION

• Management must do its best to anticipate all possible events —positive or negative—that might affect the company: – Try to determine which are most and least likely.

– Understand the interrelationships of events.

• COSO identified many internal and external factors that could influence events and affect a company ’s ability to implement strategy and achieve objectives.

101 of 314

EVENT IDENTIFICATION

• • • • • • • • • • • Some of these factors include: – External factors: •

Economic factors Availability of capital; lower or higher costs of capital Lower barriers to entry, resulting in new competition Price movements up or down Ability to issue credit and possibility of default Concentration of competitors, customers, or vendors Presence or absence of liquidity Movements in the financial markets or currency fluctuations Rising or lowering unemployment rates Mergers or acquisitions Potential regulatory, contractual, or criminal legal liability © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart

102 of 314

EVENT IDENTIFICATION

• • • • • Some of these factors include: – External factors: • Natural environment

Natural disasters such as fires, floods, or earthquakes Emissions and waste Energy restrictions or shortages Restrictions limiting development

•

Political factors

• • • •

Election of government officials with new agendas New laws and regulations Public policy, including higher or lower taxes Regulation affecting the company ’s ability to compete © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart

103 of 314

EVENT IDENTIFICATION

• • • • • • • Some of these factors include: – External factors: • Social factors

Changing demographics, social mores, family structures, and work/life priorities Consumer behavior that changes demand for products and services or creates new buying opportunities Corporate citizenship Privacy Terrorism Human resource issues causing production shortages or stoppages

•

Technological factors

• • • •

New e-business technologies that lower infrastructure costs or increase demand for IT-based services Emerging technology Increased or decreased availability of data Interruptions or down time caused by external parties © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart

104 of 314

EVENT IDENTIFICATION

• Some of these factors include: – Internal factors: • Infrastructure • • •

Inadequate access or poor allocation of capital Availability and capability of company assets Complexity of systems

•

Personnel

• • • •

Employee skills and capability Employees acting dishonestly or unethically Workplace accidents, health or safety concerns Strikes or expiration of labor agreements © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart

105 of 314

EVENT IDENTIFICATION

• • • • • • • • • • • Some of these factors include: – Internal factors: • Process

Process modification without proper change management procedures Poorly designed processes Process execution errors Suppliers cannot deliver quality goods on time

•

Technology Insufficient capacity to handle peak IT usages Security breaches Data or system unavailability from internal factors Inadequate data integrity Poor systems selection/development Inadequately maintained systems © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart

106 of 314

EVENT IDENTIFICATION

• Companies usually use two or more of the following techniques together to identify events: – Use comprehensive lists of potential events •

Often produced by special software that can tailor lists to an industry, activity, or process.

• – Perform an internal analysis

An internal committee analyzes events, contacting appropriate insiders and outsiders for input.

–

Monitor leading events and trigger points

•

Appropriate transactions, activities, and events are monitored and compared to predefined criteria to determine when action is needed.

107 of 314

EVENT IDENTIFICATION

• • Companies usually use two or more of the following techniques together to identify events: – Conduct workshops and interviews

Employee knowledge and expertise is gathered in structured discussions or individual interviews.

– Perform data mining and analysis •

Examine data on prior events to identify trends and causes that help identify possible events.

• –

Analyze processes Analyze internal and external factors that affect inputs, processes, and outputs to identify events that might help or hinder the process.

108 of 314

RISK ASSESSMENT AND RISK RESPONSE

• • The fourth and fifth components of COSO ’s ERM model are risk assessment and risk response.

• COSO indicates there are two types of risk: – Inherent risk

The risk that exists before management takes any steps to control the likelihood or impact of a risk.

–

Residual risk

•

The risk that remains after management implements internal controls or some other form of response to risk.

109 of 314

RISK ASSESSMENT AND RISK RESPONSE

• • Companies should: – Assess inherent risk – Develop a response – Then assess residual risk The ERM model indicates four ways to respond to risk: – Reduce it •

The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.

• –

Accept it Don ’t act to prevent or mitigate ففخيوا فطلي it.

110 of 314

RISK ASSESSMENT AND RISK RESPONSE

• Companies should: – Assess inherent risk مزلاملاوا لصأتملا رطخلا – Develop a response – Then assess residual risk • The ERM model indicates four ways to respond to risk: – Reduce it – Accept it –

111 of 314

RISK ASSESSMENT AND RISK RESPONSE

• The ERM model indicates four ways to respond to risk: – Reduce it – Accept it – Share it •

Transfer some of it to others via activities such as insurance, outsourcing, or hedging.

• • –

Avoid it Don ’t engage in the activity that produces it.

May require:

–

Sale of a division

– –

112 of 314

RISK ASSESSMENT AND RISK RESPONSE

• Accountants:

– Help management design effective controls to reduce inherent risk – Evaluate internal control systems to ensure they are operating effectively – Assess and reduce inherent risk using the risk assessment and response strategy

113 of 314

RISK ASSESSMENT AND RISK RESPONSE Identify the events or threats that confront the company

• •

Event Identification

– The first step in risk assessment and response strategy is event identification, which we have already discussed.

Estimate Likelihood and Impact

– Some events pose more risk because they are more probable than others.

– Some events pose more risk because their dollar impact would be more significant.

– Likelihood and impact must be considered together: – If either increases, the materiality of the event and the need to protect against it rises.

Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Is it cost beneficial to protect system

Avoid, share, or accept risk

Yes

114 of 314

• •

RISK ASSESSMENT AND RISK RESPONSE Identify Controls

– Management must identify one or more controls that will protect the company from each event.

– In evaluating benefits of each control procedure, consider effectiveness and timing.

All other factors equal: – A preventive control is better than a detective one.

– However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.

– Consequently, the three complement each other, and a good internal control system should have all three.

– Similarly, a company should use all four levers of control.

Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls guard against threat to Estimate costs and benefits from instituting controls Is it cost beneficial to protect system

Avoid, share, or accept risk

Yes

115 of 314

• • •

RISK ASSESSMENT AND RISK RESPONSE Estimate Costs and Benefits

– It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.

– Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.

The benefits of an internal control procedure must exceed its costs.

Benefits can be hard to quantify, but include: – Increased sales and productivity – Reduced losses – Better integration with customers and suppliers – Increased customer loyalty – Competitive advantages – Lower insurance premiums

Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Is it cost beneficial to protect system

Avoid, share, or accept risk

Yes

116 of 314

• • •

RISK ASSESSMENT AND RISK RESPONSE

Costs are usually easier to measure than benefits.

Primary cost is personnel, including: – Time to perform control procedures – Costs of hiring additional employees to effectively segregate duties – Costs of programming controls into a system Other costs of a poor control system include: – Lost sales – Lower productivity – Drop in stock price if security problems arise – Shareholder or regulator lawsuits – Fines and penalties imposed by governmental agencies

Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Is it cost beneficial to protect system

Avoid, share, or accept risk

Yes

117 of 314

RISK ASSESSMENT AND RISK RESPONSE Identify the events or threats that confront the company

• The expected loss related to a risk is measured as: – Expected loss = impact x likelihood • The value of a control procedure is the difference between: – Expected loss with control procedure – Expected loss without it

Avoid, share, or accept risk

Yes

118 of 314

RISK ASSESSMENT AND RISK RESPONSE Identify the events or threats that confront the company

•

Determine Cost-Benefit Effectiveness

– After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the change?

• In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation.

– If an event threatens an organization ’s existence, it may be worthwhile to institute controls even if costs exceed expected benefits.

– The additional cost can be viewed as a catastrophic loss insurance premium.

Yes No

119 of 314

RISK ASSESSMENT AND RISK RESPONSE

• • • • • • •

Let ’s go through an example:

– Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.

– A catastrophic theft could result in losses of $800,000.

– Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.

– Companies with motion detectors only have about a .5% probability of catastrophic theft.

– The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.

– Should Hobby Hole install the motion detectors ?

Expected Loss without control procedure = $800,000 x .12 = $96,000.

Expected loss with control procedure = $800,000 x .005 = $4,000.

Estimated value of control procedure = $96,000 - $4,000 = $92,000.

Estimated cost of control procedure = $43,000 (given).

Benefits exceed costs by $92,000 - $43,000 = $49,000 .

In this case, Hobby Hole should probably install the motion detectors .

120 of 314

RISK ASSESSMENT AND RISK RESPONSE Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring

•

Implement the Control or Avoid, Share, or Accept the Risk

– When controls are cost effective, they should be implemented so risk can be reduced.

Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Is it cost beneficia l to protect system

Yes No

121 of 314

RISK ASSESSMENT AND RISK RESPONSE Identify the events or threats that confront the company

• Risks that are not reduced must be accepted, shared, or avoided.

– If the risk is within the company ’s risk tolerance, they will typically accept the risk.

– A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.

– An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.

Yes No

122 of 314

CONTROL ACTIVITIES

• • The sixth component of COSO’s ERM model.

Control activities

policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out.

are

123 of 314

CONTROL ACTIVITIES

• It is management’s responsibility to develop a secure and adequately controlled system.

– Controls are much more effective when built in on the front end.

– Consequently, systems analysts, designers, and end users should be involved in designing adequate computer-based control systems.

• Management must also establish a set of procedures to ensure control compliance and enforcement.

– Usually the purview of the information security officer and the operations staff.

124 of 314

CONTROL ACTIVITIES

• • It is critical that controls be in place during the year-end holiday season. A disproportionate amount of computer fraud and security break-ins occur during this time because: – More people are on vacation and fewer around to mind the store.

– Students are not tied up with school.

– Counterculture hackers may be lonely .

Generally, control procedures fall into one of the following categories: – Proper authorization of transactions and activities – Segregation of duties – Project development and acquisition controls – Change management controls – Design and use of documents and records – Safeguard assets, records, and data – Independent checks on performance

125 of 314

CONTROL ACTIVITIES

• Generally, control procedures fall into one of the following categories: –

Proper authorization of transactions and activities

– Segregation of duties – Project development and acquisition controls – Change management controls – Design and use of documents and records – Safeguard assets, records, and data – Independent checks on performance

126 of 314

CONTROL ACTIVITIES

•

Proper Authorization of Transactions and Activities

– Management lacks the time and resources to supervise each employee activity and decision.

– Consequently, they establish policies and empower employees to perform activities within policy.

– This empowerment is called

authorization

and is an important part of an organization ’s control procedures.

• Authorizations are often documented by signing initializing, or entering an authorization code.

• Computer systems can record

digital signatures

as a means of signing a document.

• Employees who process transactions should verify the presence of the appropriate authorizations.

• Auditors review transactions for proper authorization, as their absence indicates a possible control problem.

127 of 314

CONTROL ACTIVITIES

• Typically at least two levels of authorization: – General authorization • Management authorizes employees to handle routine transactions without special approval.

– Special authorization • For activities or transactions that are of significant consequences, management review and approval is required.

• Might apply to sales, capital expenditures, or write-offs over a particular dollar limit.

• Management should have written policies for both types of authorization and for all types of transactions.

128 of 314

CONTROL ACTIVITIES

• Generally, control procedures fall into one of the following categories:

– Proper authorization of transactions and activities –

Segregation of duties تابجاولا وا تامهملا لصف

– Project development and acquisition controls – Change management controls – Design and use of documents and records – Safeguard assets, records, and data – Independent checks on performance

129 of 314

CONTROL ACTIVITIES

• Segregation of Duties

– Good internal control requires that no single employee be given too much responsibility over business transactions or processes.

– An employee should not be in a position to commit

and

conceal fraud or unintentional errors.

– Segregation of duties is discussed in two sections: • Segregation of accounting duties • Segregation of duties within the systems function

130 of 314

CONTROL ACTIVITIES

•

Segregation of Accounting Duties

– Effective segregation of accounting duties is achieved when the following functions are separated: • • •

Authorization

—approving transactions and decisions.

Recording

—Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.

Custody

ةياعرلا

—Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization ’s bank account.

– If any two of the preceding functions are the responsibility of one person, then problems can arise.

131 of 314

CONTROL ACTIVITIES

• • • •

CUSTODIAL FUNCTIONS Handling cash Handling inventories, tools, or fixed assets Writing checks Receiving checks in mail

• • • •

RECORDING FUNCTIONS Preparing source documents Maintaining journals, ledgers, or other files Preparing reconciliations Preparing performance reports

• •

EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft.

AUTHORIZATION FUNCTIONS SOLUTION: The

pink fence

•

132 of 314

• • • •

CUSTODIAL FUNCTIONS Handling cash Handling inventories, tools, or fixed assets Writing checks Receiving checks in mail

•

EXAMPLE OF PROBLEM: A person who has custody of

• •

authorize fictitious transactions and then steal the payments.

• • •

Preparing performance reports

•

133 of 314

•

EXAMPLE OF PROBLEM: A person who can authorize a

•

transactions can authorize and record fictitious RECORDING FUNCTIONS

•

Handling cash

•

Handling inventories, tools,

•

or fixed assets Writing checks

•

Receiving checks in mail

fence

(segregation of recording and authorization) prevents employees from falsifying records to cover up inaccurate or false transactions that were inappropriately authorized.

• • • •

AUTHORIZATION FUNCTIONS

•

Authorization of transactions Preparing source documents Maintaining journals, ledgers, or other files Preparing reconciliations Preparing performance reports © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart

134 of 314

CONTROL ACTIVITIES

• In a system that incorporates an effective separation of duties, it should be difficult for any single employee to commit embezzlement سلاتخا successfully.

• But when two or more people

collude

then segregation of duties becomes

ؤطاوت

, impotent and controls are overridden.

135 of 314

CONTROL ACTIVITIES

• • Employees can collude with other employees or with customers or vendors.

The most frequent form of employee/vendor collusions ؤطاوت include: – Billing at inflated prices – Performing substandard work and receiving full payment – Payment for non-performance – Duplicate billings – Improperly funneling more work to or purchasing more goods from a colluding company • The most frequent form of employee/customer collusions include: – Unauthorized loans or insurance payments – Receipt of assets or services at unauthorized discount prices – Forgiveness of amounts owed – Unauthorized extension of due dates

136 of 314

CONTROL ACTIVITIES

•

Segregation of Duties

– Good internal control requires that no single employee be given too much responsibility over business transactions or processes.

– An employee should not be in a position to commit

and

conceal fraud or unintentional errors.

– Segregation of duties is discussed in two sections: • • Segregation of accounting duties

137 of 314

CONTROL ACTIVITIES

•

Segregation of Duties Within the Systems Function

– In a highly integrated information system, procedures once performed by separate individuals are combined.

– Therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud.

– To combat this threat, organizations must implement effective segregation of duties within the IS function.

• Authority and responsibility must be divided clearly among the following functions: –

138 of 314

CONTROL ACTIVITIES

• Authority and responsibility must be divided clearly among the following functions: – Systems administration •

Responsible for ensuring that the different parts of an information system operate smoothly and efficiently .

–

Network management

•

Ensures that all applicable devices are linked to the organization ’s internal and external networks and that the networks operate continuously and properly.

139 of 314

CONTROL ACTIVITIES

• Authority and responsibility must be divided clearly among the following functions: – Security management •

Ensures that all aspects of the system are secure and protected from internal and external threats.

–

Change management

•

Manages changes to the organization ’s information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.

140 of 314

CONTROL ACTIVITIES

• Authority and responsibility must be divided clearly among the following functions: – Users •

Record transactions, authorize data to be processed, and use system output.

– Systems analysts •

Help users determine their information needs and design systems to meet those needs.

–

Programming

•

Use design provided by the systems analysts to write the computer programs for the information system.

141 of 314

CONTROL ACTIVITIES

• Authority and responsibility must be divided clearly among the following functions: – Computer operations •

Maintains custody of corporate databases, files, and programs in a separate storage area.

– Information systems library • • • • • • •

Run the software on the company ’s computers.

Ensure that data are input properly, correctly processed, and needed output is produced.

–

Data control Ensures that source data have been properly approved.

Monitors the flow of work through the computer.

Reconciles input and output.

Maintains a record of input errors to ensure their correction and resubmission.

Distributes system output.

142 of 314

CONTROL ACTIVITIES

• It is important that different people perform the preceding functions.

– Allowing a person to do two or more jobs exposes the company to the possibility of fraud.

• In addition to adequate segregation of duties, organizations should ensure that the people who design, develop, implement, and operate the IS are qualified and well trained.

• The same holds true for systems security personnel.

143 of 314

CONTROL ACTIVITIES

• Generally, control procedures fall into one of the following categories: – Proper authorization of transactions and activities – Segregation of duties –

Project development and acquisition controls

– Change management controls – Design and use of documents and records – Safeguard assets, records, and data – Independent checks on performance

144 of 314

CONTROL ACTIVITIES

•

Project Development and Acquisition Controls

– It’s important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies.

• Should contain appropriate controls for: – Management review and approval – User involvement – Analysis – Design – Testing – Implementation – Conversion • Should make it possible for management to trace information inputs from source to disposition and vice versa (the audit trail).

145 of 314

CONTROL ACTIVITIES

• The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS: –

Strategic master plan

• • • •

A multi-year strategic plan should align the organization ’s information system with its business strategies and show the projects that must be completed to achieve long-range goals.

Should address hardware, software, personnel, and infrastructure requirements.

Each year, the board and top management should prepare and approve the plan and its supporting budget.

Should be evaluated several times a year to ensure the organization can acquire needed components and maintain existing ones.

146 of 314

CONTROL ACTIVITIES

• • • • • The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS: – Strategic master plan –

Project controls A project development plan shows how a project will be completed, including:

•

Modules or tasks to be performed

•

Who will perform them

• •

Anticipated completion dates Project costs Project milestones should be specified —points when progress is reviewed and actual completion times are compared to estimates Each project should be assigned to a manager and team who are responsible for its success or failure.

At project completion, a project evaluation of the team members should be performed.

147 of 314

CONTROL ACTIVITIES

• – Data processing schedule

Data processing tasks should be organized according to a schedule to maximize the use of scarce computer resources

– Steering committee •

A steering committee should guide and oversee systems development and acquisition.

–

System performance measurements

•

To be evaluated properly, a system should be assessed with measures such as:

– – –

Throughput (output per unit of time) Utilization (percent of time it is used productively) Response time (how long it takes to respond) © 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart

148 of 314

CONTROL ACTIVITIES

• • • The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS: – Strategic master plan – Project controls – Data processing schedule – Steering committee – System performance measurements –

Post-implementation review A review should be performed after a development project is completed to determine if the anticipated benefits were achieved.

Helps control project development activities and encourage accurate and objective initial cost and benefit estimates.

149 of 314

CONTROL ACTIVITIES

• When using systems integrators, companies should adhere to the same basic rules used for project management of internal projects. In addition, they should: –

Develop clear specifications

• •

Before third parties bid, provide clear specifications, including:

– – –

Exact descriptions and definitions of the system Explicit deadlines Precise acceptance criteria While it ’s expensive to develop these specifications, it will save money in the end.

150 of 314

CONTROL ACTIVITIES

• When using systems integrators, companies should adhere to the same basic rules used for project management of internal projects. In addition, they should: –

Monitor the systems integration project

•

A sponsors committee should monitor third-party development projects.

–

Established by the CIO and chaired by the project ’s internal champion.

–

Should include department managers from all units that will use the system.

–

Should establish formal procedures for measuring and reporting project status.

–

Best approach is to:

• • •

Divide project into manageable tasks.

Assign responsibility for each task.

Meet on a regular basis (at least monthly) to review progress and assess quality.

151 of 314

CONTROL ACTIVITIES

• Generally, control procedures fall into one of the following categories: – Proper authorization of transactions and activities – Segregation of duties – Project development and acquisition controls –

Change management controls

– Design and use of documents and records – Safeguard assets, records, and data – Independent checks on performance

152 of 314

CONTROL ACTIVITIES

•

Change Management Controls

– Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances.

– Change management is the process of making sure that the changes do not negatively affect: • Systems reliability • Security • Confidentiality • Integrity • Availability

153 of 314

CONTROL ACTIVITIES

•

Design and Use of Adequate Documents and Records

– Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data.

– Form and content should be kept as simple as possible to: • Promote efficient record keeping • Minimize recording errors • Facilitate review and verification – Documents that initiate a transaction should contain a space for authorization.

– Those used to transfer assets should have a space for the receiving party ’s signature .

154 of 314

CONTROL ACTIVITIES

• Documents should be sequentially pre-numbered: – To reduce likelihood that they would be used fraudulently.

– To help ensure that all valid transactions are recorded.

• A good audit trail facilitates: – Tracing individual transactions through the system.

– Correcting errors.

– Verifying system output.

•

Safeguard Assets, Records, and Data

– When people consider safeguarding assets, they most often think of cash and physical assets, such as inventory and equipment.

– Another company asset that needs to be protected is information .

155 of 314

CONTROL ACTIVITIES

• • • • • Many people mistakenly believe that the greatest risks companies face are from outsiders.

However, employees pose a much greater risk when it comes to loss of data because: – They know the system and its weaknesses better.

– They are better able to hide their illegal acts.

Insiders also create less-intentional threats to systems, including: – Accidentally deleting company data – Turning viruses loose – Trying to fix hardware or software without appropriate expertise (i.e., when in doubt, unplug it).

These actions can result in crashed networks, corrupt data, and hardware and software malfunctions.

Companies also face significant risks from customers and vendors that have access to company data.

156 of 314

CONTROL ACTIVITIES

• • • Many steps can be taken to safeguard both information and physical assets from theft, unauthorized use, and vandalism. In addition, it is important to: – Maintain accurate records of all assets • Periodically reconcile recorded amounts to physical counts.

• Restrict access to assets

Use restricted storage areas for inventories and equipment.

Use cash registers, safes, lockboxes, and safe deposit boxes to limit access to cash, securities, and paper assets.

•

Protect records and documents

• •

Use fireproof storage areas, locked filing cabinets, backup of files (including copies at off-site locations).

Limit access to blank checks and documents to authorized personnel.

157 of 314

CONTROL ACTIVITIES

• • • Generally, control procedures fall into one of the following categories: – Proper authorization of transactions and activities – Segregation of duties – Project development and acquisition controls – Change management controls – Design and use of documents and records – Safeguard assets, records, and data –

Independent checks on performance

Internal checks to ensure that transactions are processed accurately are an important control element.

These checks should be performed by someone independent of the party(ies) responsible for the activities

158 of 314

CONTROL ACTIVITIES

• • The following independent checks are typically used: – Top-level reviews

Management at all levels should monitor company results and periodically compare actual performance to:

– – –

Planned performance as shown in budgets, targets, and forecasts Prior-period performance The performance of competitors

• • –

Analytical reviews Examinations of relationships between different sets of data.

EXAMPLE: If credit sales increased significantly during the period and there were no changes in credit policy, then bad debt expense should probably have increased also.

159 of 314

CONTROL ACTIVITIES

• • • The following independent checks are typically used: – Reconciliation of independently maintained sets of records Check the accuracy and completeness of records by reconciling them with other records that should have the same balance.

EXAMPLES: – Bank reconciliations – Comparing accounts payable control account to sum of subsidiary accounts.

– Comparison of actual quantities with recorded amounts – Double-entry accounting:

ensure that debits equal credit

–

Independent review

•

After one person processes a transaction, another reviews their work.

160 of 314

INFORMATION AND COMMUNICATION

• The seventh component of COSO ’s ERM model.

• The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.

• So accountants must understand how: – Transactions are initiated – Data are captured in or converted to machine-readable form – Computer files are accessed and updated – Data are processed – Information is reported to internal and external parties

161 of 314

INFORMATION AND COMMUNICATION

• • • • • • Accountants must also understand the accounting records and procedures, supporting documents, and specific financial statement accounts involved in processing and reporting transactions.

The preceding items facilitate an audit trail which allows for transactions to be traced from origin to financial statements and vice versa.

According to the AICPA, an AIS has five primary objectives: – Identify and record all valid transactions.

– Properly classify transactions.

– Record transactions at their proper monetary value.

– Record transactions in the proper accounting period.

– Properly present transactions and related disclosures in the financial statements.

Accounting systems generally consist of several accounting subsystems, each designed to process transactions of a particular type.

Though they differ with respect to the type of transactions processed, all accounting subsystems follow the same sequence of procedures, referred to as

accounting cycles

The five major accounting cycles and their related control objectives and procedures are detailed in Chapters 10-14.

162 of 314

MONITORING

• The eighth component of COSO ’s ERM model.

• Monitoring can be accomplished with a series of ongoing events or by separate evaluations.

163 of 314

MONITORING

• Key methods of monitoring performance include: – Perform ERM evaluation – Implement effective supervision – Use responsibility accounting – Monitor system activities – Track purchased software – Conduct periodic audits – Employ a computer security officer and security consultants – Engage forensic specialists – Install fraud detection software – Implement a fraud hotline

164 of 314

MONITORING

• •

Perform ERM Evaluation

– Can measure ERM effectiveness through a formal evaluation or through a self-assessment process.

– A special group can be assembled to conduct the evaluation or it can be done by internal auditing.

Implement Effective Supervision

– Involves: • Training and assisting employees; • Monitoring their performance; • Correcting errors; and • Safeguarding assets by overseeing employees with access.

– Especially important in organizations that: • Can’t afford elaborate responsibility reporting; or • Are too small for segregation of duties.

165 of 314

MONITORING

• •

Use Responsibility Accounting

– Includes use of: • Budgets, quotas, schedules, standard costs, and quality standards; • Performance reports that compare actual with planned performance and highlight variances; • Procedures for investigating significant variances and taking timely actions to correct adverse conditions.

Monitor System Activities

– Risk analysis and management software packages are available to: • Review computer and network security measures; • Detect illegal entry into systems; • Test for weaknesses and vulnerabilities; • Report weaknesses found; and • Suggest improvements.

166 of 314

MONITORING

• •

Track Purchased Software

– The Business Software Alliance (BSA) aggressively tracks down and fines companies who violate software license agreements.

– To comply with copyrights, companies should periodically conduct software audits to ensure that.

• There are enough licenses for all users; • The company is not paying for more licenses than needed.

– Employees should be informed of the consequences of using unlicensed software.

Conduct Periodic Audits

– To monitor risk and detect fraud and errors, the company should have periodic: • External audits • Internal audits • Special network security audits – Auditors should test system controls and browse system usage files looking for suspicious activities (discussed in Chapter 9).

167 of 314

MONITORING

• Again, care should be exercised that employees ’ privacy rights are not violated.

• Therefore, inform employees that auditors will conduct random surveillance, which: – Avoids privacy violations – Creates a “perception of detection” that can deter crime and reduce errors.

• Internal auditing involves: – Reviewing the reliability and integrity of financial and operating information.

– Providing an appraisal of internal control effectiveness.

– Assessing employee compliance with management policies and procedures and applicable laws and regulations.

– Evaluating the efficiency and effectiveness of management.

168 of 314

MONITORING

• Internal audits can detect: – Excess overtime – Under-used assets – Obsolete inventory – Padded expense reimbursements – Excessively loose budgets and quotas – Poorly justified capital expenditures – Production bottlenecks • Internal auditing should be organizationally independent of the accounting and operating functions.

• The head should report to the audit committee of the board of directors rather than to the controller or CFO.

169 of 314

MONITORING

• •

Employ a Computer Security Officer and Computer Consultants

– The computer security officer (CSO) is in charge of AIS security • Should be independent of the IS function • Should report to the COO or CEO – Many companies also use outside computer consultants or in-house teams to test and evaluate their security procedures and computer systems.

Engage Forensic Specialists

– Forensic accountants specialize in fraud detection and investigation.

• Now one of the fastest growing areas of accounting due to: – SOX – SAS-99 – Boards of Directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process.

170 of 314

• • • • •

MONITORING

Most forensic accountants are CPAs and may have received special training with the FBI, CIA, or other law enforcement agencies.

– In particular demand are those with the necessary computer skills to ferret out and combat fraudsters who use sophisticated technology to perpetrate their crimes.

– The Association of Certified Fraud Examiners (ACFE) has created a professional certification program for fraud examiners.

Most forensic accountants are CPAs and may have received special training with the FBI, CIA, or other law enforcement agencies.

Management may also need to call on computer forensic specialists for help.

They assist in discovering, extracting, safeguarding, and documenting computer evidence so that its authenticity, accuracy, and integrity will not succumb to legal challenges.

Common incidents investigated by computer forensic experts include: – Improper internet usage – Fraud – Sabotage – Loss, theft, or corruption of data – Retrieving information from emails and databases that users thought they had erased – Determining who performed certain actions on a computer

171 of 314

MONITORING

•

Install Fraud Detection Software

– People who commit fraud tend to follow certain patterns and leave behind clues.

– Software has been developed to seek out these fraud symptoms.

– Some companies employ

neural networks

accurate in identifying suspected fraud.

(programs that mimic the brain and have learning capabilities) which are very – For example, if a husband and wife were each using the same credit card in two different stores at the same time, a neural network would probably flag at least one of the transactions immediately as suspicious.

– These networks and other recent advances in fraud detection software are significantly reducing the incidences of credit card fraud.

172 of 314

MONITORING

•

Implement a Fraud Hotline

– People who witness fraudulent behavior are often torn between conflicting feelings.

• They want to protect company assets and report fraud perpetrators.

• But they are uncomfortable in the whistleblower role and find it easier to remain silent.

– They are particularly reluctant to report if they know of others who have suffered repercussions from doing so.

173 of 314

MONITORING

• Outsourcing is available through a number of third parties and offers several benefits, including: – Increased confidence on the part of employee that his/her report is truly anonymous.

– 24/7 availability.

– Often have multilingual capabilities—an important plus for multinational organizations.

– The outsourcer may be able to do follow up with the employee if additional information is needed after the initial contact.

– The employee can be advised of the outcome of his report.

– Low cost.

174 of 314