Ais Romney 2006 Slides 06 Control And Ais

HAPTER 6 Control and Accounting Information Systems

INTRODUCTION
Questions to be addressed in this chapter:
What are the basic internal control concepts, and why are computer control and security important?
What is the difference between the COBIT, COSO, and ERM control frameworks?
What are the major elements in the internal environment of a company?
What are the four types of control objectives that companies need to set?
What events affect uncertainty, and how can they be identified?
How is the Enterprise Risk Management model used to assess and respond to risk?
What control activities are commonly used in companies?
How do organizations communicate information and monitor control processes?

INTRODUCTION
Why AIS Threats Are Increasing
Control risks have increased in the last few years because:
There are computers and servers everywhere, and information is available to an unprecedented number of workers.
Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.

INTRODUCTION
Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
Computer control problems are often underestimated and downplayed.
Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
Productivity and cost pressures may motivate management to forego time-consuming control measures.

INTRODUCTION
Some vocabulary terms for this chapter:
A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
The likelihood is the probability that the threat will occur.

INTRODUCTION
Control and Security are Important
Companies are now recognizing the problems and taking positive steps to achieve better control, including:
Devoting full-time staff to security and control concerns.
Educating employees about control measures.
Establishing and enforcing formal information security policies.
Making controls a part of the applications development process.
Moving sensitive data to more secure environments.

INTRODUCTION
To use IT in achieving control objectives, accountants must:
Understand how to protect systems from threats.
Have a good understanding of IT and its capabilities and risks.
Achieving adequate security and control over the information resources of an organization should be a top management priority.

INTRODUCTION
Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.
Segregation of duties must be achieved differently in an AIS.
Computers provide opportunities for enhancement of some internal controls.

INTRODUCTION
One of the primary objectives of an AIS is to control a business organization.
Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.
Management expects accountants to be control consultants by:
Taking a proactive approach to eliminating system threats; and
Detecting, correcting, and recovering from threats when they do occur.

INTRODUCTION
It is much easier to build controls into a system during the initial stage than to add them after the fact.
Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

OVERVIEW OF CONTROL CONCEPTS
In today’s dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
Hire creative and innovative employees.
Give these employees power and flexibility to:
Satisfy changing customer demands;
Pursue new opportunities to add value to the organization; and
Implement process improvements.
At the same time, the company needs control systems so they are not exposed to excessive risks or behaviors that could harm their reputation for honesty and integrity.

Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
Assets (including data) are safeguarded.
This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.

Records are maintained in sufficient detail to accurately and fairly reflect company assets.

Accurate and reliable information is provided.

There is reasonable assurance that financial reports are prepared in accordance with GAAP.

Operational efficiency is promoted and improved.
This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors’ authorizations.

Adherence to prescribed managerial policies is encouraged.

Adherence to prescribed managerial policies is encouraged.
The organization complies with applicable laws and regulations .

Internal control is a process because:
It permeates an organization’s operating activities.
It is an integral part of basic management activities.
Internal control provides reasonable , rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

Internal control systems have inherent limitations, including:
They are susceptible to errors and poor decisions.
They can be overridden by management or by collusion of two or more employees.
Internal control objectives are often at odds with each other.
EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

Internal controls perform three important functions:
Preventive controls
Deter problems before they arise.

Preventive controls
Detective controls
Discover problems quickly when they do arise.

Preventive controls
Detective controls
Corrective controls
Remedy problems that have occurred by:
Identifying the cause;
Correcting the resulting errors; and
Modifying the system to prevent future problems of this sort.

Internal controls are often classified as:
General controls
Those designed to make sure an organization’s control environment is stable and well managed.
They apply to all sizes and types of systems.
Examples: Security management controls.

Internal controls are often classified as:
General controls
Application controls
Prevent, detect, and correct transaction errors and fraud.
Are concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

An effective system of internal controls should exist in all organizations to:
Help them achieve their missions and goals
Minimize surprises

SOX AND THE FOREIGN CORRUPT PRACTICES ACT
In 1977, Congress passed the Foreign Corrupt Practices Act , and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.
The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.
A significant effect was to require that corporations maintain good systems of internal accounting control.
Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.
The resulting internal control improvements weren’t sufficient.

In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.
The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka, SOX ).
Applies to publicly held companies and their auditors

The intent of SOX is to:
Prevent financial statement fraud
Make financial reports more transparent
Protect investors
Strengthen internal controls in publicly-held companies
Punish executives who perpetrate fraud
SOX has had a material impact on the way boards of directors, management, and accountants operate.

Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
Has five members, three of whom cannot be CPAs.
Charges fees to firms to fund the PCAOB.
Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports.
Currently recognizes FASB statements as being generally accepted.

New rules for auditors
They must report specific information to the company’s audit committee, such as:
Critical accounting policies and practices
Alternative GAAP treatments
Auditor-management disagreements
Audit partners must be rotated periodically.

Auditors cannot perform certain non-audit services, such as:
Bookkeeping
Information systems design and implementation
Internal audit outsourcing services
Management functions
Human resource services

Permissible non-audit services must be approved by the board of directors and disclosed to investors.
Cannot audit a company if a member of top management was employed by the auditor and worked on the company’s audit in the past 12 months.

New rules for audit committees
Members must be on the company’s board of directors and must otherwise be independent of the company.
One member must be a financial expert.
The committee hires, compensates, and oversees the auditors, and the auditors report directly to the committee.

New rules for management
The CEO and CFO must certify that:
The financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
Management is responsible for internal controls.
The auditors were advised of any material internal control weaknesses or fraud.
Any significant changes to controls after management’s evaluation were disclosed and corrected.

If management willfully and knowingly violates the certification, they can be:
Imprisoned up to 20 years.
Fined up to $5 million.
Management and directors cannot receive loans that would not be available to people outside the company.
They must disclose on a rapid and current basis material changes to their financial condition.

New internal control requirements
New internal control requirements:
Section 404 of SOX requires companies to issue a report accompanying the financial statements that:
States management is responsible for establishing and maintaining an adequate internal control structure and procedures.
Contains management’s assessment of the company’s internal controls.
Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.

New internal control requirements
SOX also requires that the auditor attests to and reports on management’s internal control assessment.
Each audit report must describe the scope of the auditor’s internal control tests.

After the passage of SOX, the SEC further mandated that:
Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
The report must contain a statement identifying the framework used.
Management must disclose any and all material internal control weaknesses.
Management cannot conclude that the company has effective internal control if there are any material weaknesses.

Levers of Control
Many people feel there is a basic conflict between creativity and controls.
Robert Simons has espoused four levers of controls to help companies reconcile this conflict:
A concise belief system
Communicates company core values to employees and inspires them to live by them.
Draws attention to how the organization creates value.
Helps employees understand management’s intended direction.
Must be broad enough to appeal to all levels.

Levers of Control
A boundary system
Helps employees act ethically by setting limits beyond which they must not pass.
Does not create rules and standard operating procedures that can stifle creativity.
Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as:
Meeting minimum standards of performance
Shunning off-limits activities
Avoiding actions that could damage the company’s reputation.

Levers of Control
A boundary system
A diagnostic control system
Ensures efficient and effective achievement of important controls.
This system measures company progress by comparing actual to planned performance.
Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.
Provides feedback to enable management to adjust and fine-tune.

Levers of Control
A boundary system
A diagnostic control system
An interactive control system
Helps top-level managers with high-level activities that demand frequent and regular attention. Examples:
Developing company strategy.
Setting company objectives.
Understanding and assessing threats and risks.
Monitoring changes in competitive conditions and emerging technologies.
Developing responses and action plans to proactively deal with these high-level issues.
Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.
Data from this system are best interpreted and discussed in face-to-face meetings.

CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework
The COSO internal control framework
COSO’s Enterprise Risk Management framework (ERM)

CONTROL FRAMEWORKS
COBIT Framework
Also know as the Control Objectives for Information and Related Technology framework.
Developed by the Information Systems Audit and Control Foundation (ISACF).
A framework of generally applicable information systems security and control practices for IT control.

CONTROL FRAMEWORKS
The COBIT framework allows:
Management to benchmark security and control practices of IT environments.
Users of IT services to be assured that adequate security and control exists.
Auditors to substantiate their opinions on internal control and advise on IT security and control matters.

CONTROL FRAMEWORKS
The framework addresses the issue of control from three vantage points or dimensions:
Business objectives
To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.”
The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
Effectiveness (relevant, pertinent, and timely)
Efficiency
Confidentiality
Integrity
Availability
Compliance with legal requirements
Reliability

CONTROL FRAMEWORKS
Business objectives
IT resources
Includes:
People
Application systems
Technology
Facilities
Data

CONTROL FRAMEWORKS
Business objectives
IT resources
IT processes
Broken into four domains
Planning and organization
Acquisition and implementation
Delivery and support
Monitoring

CONTROL FRAMEWORKS
COBIT consolidates standards from 36 different sources into a single framework.
It is having a big impact on the IS profession.
Helps managers to learn how to balance risk and control investment in an IS environment.
Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.
Guides auditors as they substantiate their opinions and provide advice to management on internal controls.

CONTROL FRAMEWORKS
The COBIT framework

CONTROL FRAMEWORKS
COSO’s Internal Control Framework
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
The American Accounting Association
The AICPA
The Institute of Internal Auditors
The Institute of Management Accountants
The Financial Executives Institute

CONTROL FRAMEWORKS
In 1992, COSO issued the Internal Control Integrated Framework :
Defines internal controls.
Provides guidance for evaluating and enhancing internal control systems.
Widely accepted as the authority on internal controls.
Incorporated into policies, rules, and regulations used to control business activities.

CONTROL FRAMEWORKS
COSO’s internal control model has five crucial components:
Control environment
The core of any business is its people.
Their integrity, ethical values, and competence make up the foundation on which everything else rests.

CONTROL FRAMEWORKS
Control environment
Control activities
Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.

CONTROL FRAMEWORKS
Control environment
Control activities
Risk assessment
The organization must be aware of and deal with the risks it faces.
It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.

CONTROL FRAMEWORKS
Control environment
Control activities
Risk assessment
Information and communication
Information and communications systems surround the control activities.
They enable the organization’s people to capture and exchange information needed to conduct, manage, and control its operations.

CONTROL FRAMEWORKS
Control environment
Control activities
Risk assessment
Monitoring
The entire process must be monitored and modified as necessary.

CONTROL FRAMEWORKS
The COBIT framework

CONTROL FRAMEWORKS
Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.
Result: Enterprise Risk Manage Integrated Framework (ERM)
An enhanced corporate governance document.
Expands on elements of preceding framework.
Provides a focus on the broader subject of enterprise risk management.

CONTROL FRAMEWORKS
Intent of ERM is to achieve all goals of the internal control framework and help the organization:
Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.
Achieve its financial and performance targets.
Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.
Avoid adverse publicity and damage to the entity’s reputation.

CONTROL FRAMEWORKS
ERM defines risk management as:
A process effected by an entity’s board of directors, management, and other personnel
Applied in strategy setting and across the enterprise
To identify potential events that may affect the entity
And manage risk to be within its risk appetite
In order to provide reasonable assurance of the achievement of entity objectives.

CONTROL FRAMEWORKS
Basic principles behind ERM:
Companies are formed to create value for owners.
Management must decide how much uncertainty they will accept.
Uncertainty can result in:
Risk
The possibility that something will happen to:
Adversely affect the ability to create value; or
Erode existing value.

CONTROL FRAMEWORKS
Basic principles behind ERM:
Companies are formed to create value for owners.
Management must decide how much uncertainty they will accept.
Uncertainty can result in:
Risk
Opportunity
The possibility that something will happen to positively affect the ability to create or preserve value.

CONTROL FRAMEWORKS
The framework should help management manage uncertainty and its associated risk to build and preserve value.
To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.

CONTROL FRAMEWORKS
COSO developed a model to illustrate the elements of ERM.

CONTROL FRAMEWORKS
Columns at the top represent the four types of objectives that management must meet to achieve company goals.
Strategic objectives
Strategic objectives are high-level goals that are aligned with and support the company’s mission.

CONTROL FRAMEWORKS
Operations objectives
Operations objectives deal with effectiveness and efficiency of company operations, such as:
Performance and profitability goals
Safeguarding assets

CONTROL FRAMEWORKS
Reporting objectives
Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
Improve decision-making and monitor company activities and performance more efficiently.

CONTROL FRAMEWORKS
Reporting objectives
Compliance objectives
Compliance objectives help the company comply with applicable laws and regulations.
External parties often set the compliance rules.
Companies in the same industry often have similar concerns in this area.

CONTROL FRAMEWORKS
ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.
However, strategic and operations objectives are sometimes at the mercy of external events that the company can’t control.
Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.

CONTROL FRAMEWORKS
Columns on the right represent the company’s units:
Entire company

CONTROL FRAMEWORKS
Entire company
Division

CONTROL FRAMEWORKS
Entire company
Division
Business unit

CONTROL FRAMEWORKS
Entire company
Division
Business unit
Subsidiary

CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
The tone or culture of the company.
Provides discipline and structure and is the foundation for all other components.
Essentially the same as control environment in the COSO internal control framework.

CONTROL FRAMEWORKS
Objective setting
Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company’s mission and are consistent with the company’s tolerance for risk.
Strategic objectives are set first as a foundation for the other three.
The objectives provide guidance to companies as they identify risk-creating events and assess and respond to those risks.

CONTROL FRAMEWORKS
Objective setting
Event identification
Requires management to identify events that may affect the company’s ability to implement its strategy and achieve its objectives.
Management must then determine whether these events represent:
Risks (negative-impact events requiring assessment and response); or
Opportunities (positive-impact events that influence strategy and objective-setting processes).

CONTROL FRAMEWORKS
Objective setting
Risk assessment
Identified risks are assessed to determine how to manage them and how they affect the company’s ability to achieve its objectives.
Qualitative and quantitative methods are used to assess risks individually and by category in terms of:
Likelihood
Positive and negative impact
Effect on other organizational units
Risks are analyzed on an inherent and a residual basis.
Corresponds to the risk assessment element in COSO’s internal control framework.

CONTROL FRAMEWORKS
Objective setting
Risk assessment
Risk response
Management aligns identified risks with the company’s tolerance for risk by choosing to:
Avoid
Reduce
Share
Accept
Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and costs-benefits of alternate responses.

CONTROL FRAMEWORKS
Objective setting
Risk assessment
Risk response
Control activities
To implement management’s risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization.
Corresponds to the control activities element in the COSO internal control framework.

CONTROL FRAMEWORKS
Objective setting
Risk assessment
Risk response
Control activities
Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.
Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.
Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.
Has a corresponding element in the COSO internal control framework.

CONTROL FRAMEWORKS
Objective setting
Risk assessment
Risk response
Control activities
Monitoring
ERM processes must be monitored on an ongoing basis and modified as needed.
Accomplished with ongoing management activities and separate evaluations.
Deficiencies are reported to management.
Corresponding module in COSO internal control framework.

CONTROL FRAMEWORKS
The ERM model is three-dimensional.
Means that each of the eight risk and control elements are applied to the four objectives in the entire company and/or one of its subunits.

CONTROL FRAMEWORKS
ERM Framework Vs. the Internal Control Framework
The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
It has too narrow of a focus.
Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.
Makes it difficult to know:
Which control systems are most important.
Whether they adequately deal with risk.
Whether important control systems are missing.

CONTROL FRAMEWORKS
ERM Framework Vs. the Internal Control Framework
The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
It has too narrow of a focus.
Focusing on controls first has an inherent bias toward past problems and concerns.
May contribute to systems with many controls to protect against risks that are no longer important.

CONTROL FRAMEWORKS
These issues led to COSO’s development of the ERM framework.
Takes a risk-based, rather than controls-based, approach to the organization.
Oriented toward future and constant change.
Incorporates rather than replaces COSO’s internal control framework and contains three additional elements:
Setting objectives.
Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives.
Developing a response to assessed risk.

CONTROL FRAMEWORKS
Controls are flexible and relevant because they are linked to current organizational objectives.
ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.

CONTROL FRAMEWORKS
Over time, ERM will probably become the most widely adopted risk and control model.
Consequently, its eight components are the topic of the remainder of the chapter.

INTERNAL ENVIRONMENT
The most critical component of the ERM and the internal control framework.
Is the foundation on which the other seven components rest.
Influences how organizations:
Establish strategies and objectives
Structure business activities
Identify, access, and respond to risk
A deficient internal control environment often results in risk management and control breakdowns.

Internal environment consists of the following:
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences

Management’s Philosophy, Operating Style, and Risk Appetite
An organization’s management has shared beliefs and attitudes about risk.
That philosophy affects everything the organization does, long- and short-term, and affects their communications.
Companies also have a risk appetite , which is the amount of risk a company is willing to accept to achieve its goals and objectives.
That appetite needs to be in alignment with company strategy.

The more responsible management’s philosophy and operating style, the more likely employees will behave responsibly.
This philosophy must be clearly communicated to all employees; it is not enough to give lip service.
Management must back up words with actions; if they show little concern for internal controls, then neither will employees.

This component can be assessed by asking questions such as:
Does management take undue business risks or assess potential risks and rewards before acting?
Does management attempt to manipulate performance measures such as net income?
Does management pressure employees to achieve results regardless of methods or do they demand ethical behavior?

External influences

The Board of Directors
An active and involved board of directors plays an important role in internal control.
They should:
Oversee management
Scrutinize management’s plans, performance, and activities
Approve company strategy
Review financial results
Annually review the company’s security policy
Interact with internal and external auditors

Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders.
At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.

Public companies must have an audit committee , composed entirely of independent, outside directors.
The audit committee oversees:
The company’s internal control structure;
Its financial reporting process;
Its compliance with laws, regulations, and standards.
Works with the corporation’s external and internal auditors.
Hires, compensates, and oversees the auditors.
Auditors report all critical accounting policies and practices to the audit committee.
Provides an independent review of management’s actions.

External influences

Commitment to Integrity, Ethical Values, and Competence
Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence.
Ethical standards of behavior make for good business.
Tone at the top is everything.
Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.

Companies can endorse integrity as a basic operating principle by actively teaching and requiring it.
Management should:
Make it clear that honest reports are more important than favorable ones.
Management should avoid:
Unrealistic expectations, incentives or temptations.
Attitude of earnings or revenue at any price.
Overly aggressive sales practices.
Unfair or unethical negotiation practices.
Implied kickback offers.
Excessive bonuses.
Bonus plans with upper and lower cutoffs.

Management should not assume that employees would always act honestly.
Consistently reward and encourage honesty.
Give verbal labels to honest and dishonest acts.
The combination of these two will produce more consistent moral behavior.

Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct.
In particular, such a code would cover issues that are uncertain or unclear.
Dishonesty often appears when situations are gray and employees rationalize the most expedient action as opposed to making a right vs. wrong choice.

SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees:
Should be written at a fifth-grade level.
Should be reviewed annually with employees and signed.
This approach helps employees keep themselves out of trouble.
Helps the company if they need to take legal action against the employee.

Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
Reports of dishonest acts should be thoroughly investigated.
Those found guilty should be dismissed.
Prosecution should be undertaken when possible, so that other employees are clear about consequences.
Companies must make a commitment to competence.
Begins with having competent employees.
Varies with each job but is a function of knowledge, experience, training, and skills.

The levers of control, particularly beliefs and boundaries systems, can be used to create the kind of commitment to integrity an organization wants.
Requires more than lip service and signing forms.
Must be systems in which top management actively participates in order to:
Demonstrate the importance of the system.
Create buy-in and a team spirit.

Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
Reports of dishonest acts should be thoroughly investigated.
Those found guilty should be dismissed.
Prosecution should be undertaken when possible, so that other employees are clear about consequences.

Companies must make a commitment to competence.
Begins with having competent employees.
Varies with each job but is a function of knowledge, experience, training, and skills.

The levers of control, particularly beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants.
Requires more than lip service and signing forms.
Must be systems in which top management actively participates in order to:
Demonstrate the importance of the system.
Create buy-in and a team spirit.

External influences

Organizational Structure
A company’s organizational structure defines its lines of authority, responsibility, and reporting.
Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.

Important aspects or organizational structure:
Degree of centralization or decentralization.
Assignment of responsibility for specific tasks.
Direct-reporting relationships or matrix structure
Organization by industry, product, geographic location, marketing network
How the responsibility allocation affects management’s information needs
Organization of accounting and IS functions
Size and nature of company activities

Statistically fraud occurs more frequently in organizations with complex structures
The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or
The structure may be intentionally complex to facilitate the fraud.

In today’s business world, the hierarchical organizations with many layers of management are giving way to flatter organizations with self-directed work teams.
Team members are empowered to make decisions without multiple layers of approvals.
Emphasis is on continuous improvement rather than on regular evaluations.
These changes have a significant impact on the nature and type of controls needed.

External influences

Methods of Assigning Authority and Responsibility
Management should make sure:
Employees understand the entity’s objectives
Authority and responsibility for business objectives is assigned to specific departments and individuals
Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.
Management:
Must be sure to identify who is responsible for the IS security policy.
Should monitor results so decisions can be reviewed and, if necessary, overruled.

Authority and responsibility are assigned through:
Formal job descriptions
Employee training
Operating plans, schedules, and budgets
Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest
Written policies and procedures manuals (a good job reference and job training tool) which covers:
Proper business practices
Knowledge and experience needed by key personnel
Resources provided to carry out duties
Policies and procedures for handling particular transactions
The organization’s chart of accounts
Sample copies of forms and documents

External influences

Human Resources Standards
Employees are both the company’s greatest control strength and the greatest control weakness.
Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.
Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization’s vulnerability.

The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds

Hiring
Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.
Employees should undergo a formal, in-depth employment interview.
Resumes, reference letters, and thorough background checks are critical.

Background checks can involve:
Verifying education and experience
Talking with references
Checking for criminal records, credit issues, and other publicly available data.
Note that you must have the employee’s or candidate’s written permission to conduct a background check, but that permission does not need to have an expiration date.
Background checks are important because recent studies show that about 50% of resumes have been falsified or embellished.

Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions.
Some get phony degrees from online “diploma mills.”
A Pennsylvania district attorney recently filed suit against a Texas “university” for issuing an MBA to the DA’s 6-year-old black cat.
Others actually hack (or hire someone to hack) into the systems of universities to create or alter transcripts and other academic data.
No employee should be exempted from background checks. Anyone from the custodian to the company president is capable of committing fraud, sabotage, etc