Ais Romney 2006 Slides 06 Control And Ais Part 1
Transcript

  • 1. CHAPTER 6 Control and Accounting Information Systems
  • 2. INTRODUCTION
    • Questions to be addressed in this chapter:
      • What are the basic internal control concepts, and why are computer control and security important?
      • What is the difference between the COBIT, COSO, and ERM control frameworks?
      • What are the major elements in the internal environment of a company?
      • What are the four types of control objectives that companies need to set?
      • What events affect uncertainty, and how can they be identified?
      • How is the Enterprise Risk Management model used to assess and respond to risk?
      • What control activities are commonly used in companies?
      • How do organizations communicate information and monitor control processes?
  • 3. INTRODUCTION
    • Why AIS Threats Are Increasing
      • Control risks have increased in the last few years because:
        • There are computers and servers everywhere, and information is available to an unprecedented number of workers.
        • Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
        • Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.
  • 4. INTRODUCTION
    • Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
      • Computer control problems are often underestimated and downplayed.
      • Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
      • Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
      • Productivity and cost pressures may motivate management to forgo time-consuming control measures.
  • 5. INTRODUCTION
    • Some vocabulary terms for this chapter:
      • A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
      • The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
      • The likelihood is the probability that the threat will occur.
  • 6. INTRODUCTION
    • Control and Security are Important
      • Companies are now recognizing the problems and taking positive steps to achieve better control, including:
        • Devoting full-time staff to security and control concerns.
        • Educating employees about control measures.
        • Establishing and enforcing formal information security policies.
        • Making controls a part of the applications development process.
        • Moving sensitive data to more secure environments.
  • 7. INTRODUCTION
    • To use IT in achieving control objectives, accountants must:
      • Understand how to protect systems from threats.
      • Have a good understanding of IT and its capabilities and risks.
    • Achieving adequate security and control over the information resources of an organization should be a top management priority.
  • 8. INTRODUCTION
    • Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
      • Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.
      • Segregation of duties must be achieved differently in an AIS.
      • Computers provide opportunities for enhancement of some internal controls.
  • 9. INTRODUCTION
    • One of the primary objectives of an AIS is to control a business organization.
      • Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.
    • Management expects accountants to be control consultants by:
      • Taking a proactive approach to eliminating system threats; and
      • Detecting, correcting, and recovering from threats when they do occur.
  • 10. INTRODUCTION
    • It is much easier to build controls into a system during the initial stage than to add them after the fact.
    • Consequently, accountants and control experts should be members of the teams that develop or modify information systems.
  • 11. OVERVIEW OF CONTROL CONCEPTS
    • In today’s dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
      • Hire creative and innovative employees.
      • Give these employees power and flexibility to:
        • Satisfy changing customer demands;
        • Pursue new opportunities to add value to the organization; and
        • Implement process improvements.
    • At the same time, the company needs control systems so it is not exposed to excessive risks or behaviors that could harm its reputation for honesty and integrity.
  • 12–18. OVERVIEW OF CONTROL CONCEPTS
    • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
      • Assets (including data) are safeguarded.
        • This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
      • Records are maintained in sufficient detail to accurately and fairly reflect company assets.
      • Accurate and reliable information is provided.
      • There is reasonable assurance that financial reports are prepared in accordance with GAAP.
      • Operational efficiency is promoted and improved.
        • This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors’ authorizations.
      • Adherence to prescribed managerial policies is encouraged.
      • The organization complies with applicable laws and regulations.
  • 19. OVERVIEW OF CONTROL CONCEPTS
    • Internal control is a process because:
      • It permeates an organization’s operating activities.
      • It is an integral part of basic management activities.
    • Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.
  • 20. OVERVIEW OF CONTROL CONCEPTS
    • Internal control systems have inherent limitations, including:
      • They are susceptible to errors and poor decisions.
      • They can be overridden by management or by collusion of two or more employees.
    • Internal control objectives are often at odds with each other.
      • EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.
  • 21–23. OVERVIEW OF CONTROL CONCEPTS
    • Internal controls perform three important functions:
      • Preventive controls deter problems before they arise.
      • Detective controls discover problems quickly when they do arise.
      • Corrective controls remedy problems that have occurred by:
        • Identifying the cause;
        • Correcting the resulting errors; and
        • Modifying the system to prevent future problems of this sort.
  • 24–25. OVERVIEW OF CONTROL CONCEPTS
    • Internal controls are often classified as:
      • General controls
        • Those designed to make sure an organization’s control environment is stable and well managed.
        • They apply to all sizes and types of systems.
        • Examples: Security management controls.
      • Application controls
        • Prevent, detect, and correct transaction errors and fraud.
        • Are concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
  • 26. OVERVIEW OF CONTROL CONCEPTS
    • An effective system of internal controls should exist in all organizations to:
      • Help them achieve their missions and goals
      • Minimize surprises
  • 27. CONTROL FRAMEWORKS
    • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
      • The COBIT framework
      • The COSO internal control framework
      • COSO’s Enterprise Risk Management framework (ERM)
  • 29. CONTROL FRAMEWORKS
    • COBIT Framework
      • Also known as the Control Objectives for Information and Related Technology framework.
      • Developed by the Information Systems Audit and Control Foundation (ISACF).
      • A framework of generally applicable information systems security and control practices for IT control.
  • 30. CONTROL FRAMEWORKS
    • The COBIT framework allows:
      • Management to benchmark security and control practices of IT environments.
      • Users of IT services to be assured that adequate security and control exists.
      • Auditors to substantiate their opinions on internal control and advise on IT security and control matters.
  • 31–33. CONTROL FRAMEWORKS
    • The framework addresses the issue of control from three vantage points or dimensions:
      • Business objectives
        • To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.”
        • The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
          • Effectiveness (relevant, pertinent, and timely)
          • Efficiency
          • Confidentiality
          • Integrity
          • Availability
          • Compliance with legal requirements
          • Reliability
      • IT resources, which include:
        • People
        • Application systems
        • Technology
        • Facilities
        • Data
      • IT processes, broken into four domains:
        • Planning and organization
        • Acquisition and implementation
        • Delivery and support
        • Monitoring
  • 34. CONTROL FRAMEWORKS
    • COBIT consolidates standards from 36 different sources into a single framework.
    • It is having a big impact on the IS profession.
      • Helps managers to learn how to balance risk and control investment in an IS environment.
      • Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.
      • Guides auditors as they substantiate their opinions and provide advice to management on internal controls.
  • 36. CONTROL FRAMEWORKS
    • COSO’s Internal Control Framework
      • The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
        • The American Accounting Association
        • The AICPA
        • The Institute of Internal Auditors
        • The Institute of Management Accountants
        • The Financial Executives Institute
  • 37. CONTROL FRAMEWORKS
    • In 1992, COSO issued the Internal Control Integrated Framework:
      • Defines internal controls.
      • Provides guidance for evaluating and enhancing internal control systems.
      • Widely accepted as the authority on internal controls.
      • Incorporated into policies, rules, and regulations used to control business activities.
  • 38–42. CONTROL FRAMEWORKS
    • COSO’s internal control model has five crucial components:
      • Control environment
        • The core of any business is its people.
        • Their integrity, ethical values, and competence make up the foundation on which everything else rests.
      • Control activities
        • Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.
      • Risk assessment
        • The organization must be aware of and deal with the risks it faces.
        • It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
      • Information and communication
        • Information and communications systems surround the control activities.
        • They enable the organization’s people to capture and exchange information needed to conduct, manage, and control its operations.
      • Monitoring
        • The entire process must be monitored and modified as necessary.
  • 44. CONTROL FRAMEWORKS
    • Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.
    • Result: Enterprise Risk Management Integrated Framework (ERM)
      • An enhanced corporate governance document.
      • Expands on elements of preceding framework.
      • Provides a focus on the broader subject of enterprise risk management.
  • 45. CONTROL FRAMEWORKS
    • Intent of ERM is to achieve all goals of the internal control framework and help the organization:
      • Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.
      • Achieve its financial and performance targets.
      • Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.
      • Avoid adverse publicity and damage to the entity’s reputation.
  • 46. CONTROL FRAMEWORKS
    • ERM defines risk management as:
      • A process effected by an entity’s board of directors, management, and other personnel
      • Applied in strategy setting and across the enterprise
      • To identify potential events that may affect the entity
      • And manage risk to be within its risk appetite
      • In order to provide reasonable assurance of the achievement of entity objectives.
  • 47–48. CONTROL FRAMEWORKS
    • Basic principles behind ERM:
      • Companies are formed to create value for owners.
      • Management must decide how much uncertainty they will accept.
      • Uncertainty can result in:
        • Risk: the possibility that something will happen to adversely affect the ability to create value, or to erode existing value.
        • Opportunity: the possibility that something will happen to positively affect the ability to create or preserve value.
  • 49. CONTROL FRAMEWORKS
    • The framework should help management manage uncertainty and its associated risk to build and preserve value.
    • To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.
  • 50. CONTROL FRAMEWORKS
    • COSO developed a model to illustrate the elements of ERM.
  • 51–54. CONTROL FRAMEWORKS
    • Columns at the top represent the four types of objectives that management must meet to achieve company goals.
      • Strategic objectives are high-level goals that are aligned with and support the company’s mission.
      • Operations objectives deal with effectiveness and efficiency of company operations, such as:
        • Performance and profitability goals
        • Safeguarding assets
      • Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
        • They improve decision-making and help monitor company activities and performance more efficiently.
      • Compliance objectives help the company comply with applicable laws and regulations.
        • External parties often set the compliance rules.
        • Companies in the same industry often have similar concerns in this area.
  • 55. CONTROL FRAMEWORKS
    • ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.
    • However, strategic and operations objectives are sometimes at the mercy of external events that the company can’t control.
    • Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.
  • 56–59. CONTROL FRAMEWORKS
    • Columns on the right represent the company’s units:
      • Entire company
      • Division
      • Business unit
      • Subsidiary
  • 60–67. CONTROL FRAMEWORKS
    • The horizontal rows are eight related risk and control components, including:
      • Internal environment
        • The tone or culture of the company.
        • Provides discipline and structure and is the foundation for all other components.
        • Essentially the same as control environment in the COSO internal control framework.
      • Objective setting
        • Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company’s mission and are consistent with the company’s tolerance for risk.
        • Strategic objectives are set first as a foundation for the other three.
        • The objectives provide guidance to companies as they identify risk-creating events and assess and respond to those risks.
      • Event identification
        • Requires management to identify events that may affect the company’s ability to implement its strategy and achieve its objectives.
        • Management must then determine whether these events represent:
          • Risks (negative-impact events requiring assessment and response); or
          • Opportunities (positive-impact events that influence strategy and objective-setting processes).
      • Risk assessment
        • Identified risks are assessed to determine how to manage them and how they affect the company’s ability to achieve its objectives.
        • Qualitative and quantitative methods are used to assess risks individually and by category in terms of:
          • Likelihood
          • Positive and negative impact
          • Effect on other organizational units
        • Risks are analyzed on an inherent and a residual basis.
        • Corresponds to the risk assessment element in COSO’s internal control framework.
      • Risk response
        • Management aligns identified risks with the company’s tolerance for risk by choosing to:
          • Avoid
          • Reduce
          • Share
          • Accept
        • Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and the costs and benefits of alternate responses.
      • Control activities
        • To implement management’s risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization.
        • Corresponds to the control activities element in the COSO internal control framework.
      • Information and communication
        • Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.
        • Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.
        • Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.
        • Has a corresponding element in the COSO internal control framework.
      • Monitoring
        • ERM processes must be monitored on an ongoing basis and modified as needed.
        • Accomplished with ongoing management activities and separate evaluations.
        • Deficiencies are reported to management.
        • Has a corresponding element in the COSO internal control framework.
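The risk assessment and risk response components above can be applied to a concrete register. The Python below is an added example, not code from the slides or the textbook: it computes expected loss from the chapter's exposure and likelihood terms on an inherent and a residual basis, picks among avoid, reduce, share and accept against a risk appetite by comparing cost and benefit, and takes the portfolio view across the register. The response factors, costs, appetite figures and sample threats are constructed assumptions.

```python
"""Added example (not from the Romney slides): a small ERM-style risk register.
Chapter vocabulary: a threat's exposure is the potential dollar loss if it
occurs and its likelihood is the probability that it occurs, so expected
loss = exposure * likelihood.  Risk is assessed on an inherent basis (before
any response) and a residual basis (after the chosen response).  Response
effects, costs and appetite figures below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

RESPONSES = ("avoid", "reduce", "share", "accept")  # the four ERM responses


@dataclass(frozen=True)
class Response:
    kind: str                 # one of RESPONSES
    exposure_factor: float    # fraction of exposure retained after the response
    likelihood_factor: float  # fraction of likelihood retained after the response
    annual_cost: float        # cost of implementing the response

    def __post_init__(self) -> None:
        if self.kind not in RESPONSES:
            raise ValueError(f"unknown response kind: {self.kind!r}")
        if not (0.0 <= self.exposure_factor <= 1.0 and 0.0 <= self.likelihood_factor <= 1.0):
            raise ValueError("retention factors must lie in [0, 1]")


ACCEPT = Response("accept", 1.0, 1.0, 0.0)  # keep the risk as is, at no cost


@dataclass(frozen=True)
class Risk:
    threat: str
    exposure: float     # potential dollar loss
    likelihood: float   # probability in [0, 1]

    def inherent_expected_loss(self) -> float:
        """Expected loss before any response (inherent basis)."""
        return self.exposure * self.likelihood

    def residual_expected_loss(self, response: Response) -> float:
        """Expected loss after the response (residual basis)."""
        return (self.exposure * response.exposure_factor
                * self.likelihood * response.likelihood_factor)


def choose_response(risk: Risk, candidates: list, appetite: float) -> Optional[Response]:
    """Pick the cheapest response (residual loss + annual cost) that brings
    residual expected loss within appetite; None means no candidate does and
    the risk must be escalated to management."""
    within = [c for c in candidates if risk.residual_expected_loss(c) <= appetite]
    if not within:
        return None
    return min(within, key=lambda c: risk.residual_expected_loss(c) + c.annual_cost)


def assess_register(register: list, appetite: float, entity_appetite: float) -> dict:
    """Portfolio view: choose a response per risk, then total the residual loss
    and compare it with the entity-wide appetite."""
    chosen, escalate, total_residual = {}, [], 0.0
    for risk, candidates in register:
        response = choose_response(risk, candidates, appetite)
        if response is None:
            escalate.append(risk.threat)
            total_residual += risk.inherent_expected_loss()  # still unmitigated
        else:
            chosen[risk.threat] = response.kind
            total_residual += risk.residual_expected_loss(response)
    return {
        "chosen": chosen,
        "escalate": escalate,
        "total_residual": total_residual,
        "within_entity_appetite": total_residual <= entity_appetite,
    }


def sample_register() -> list:
    """Constructed sample data: threats echo the chapter, figures are invented."""
    return [
        (Risk("Unauthorized modification of data files", 500_000, 0.10),
         [ACCEPT,
          Response("reduce", 1.0, 0.2, 8_000),    # access controls cut likelihood
          Response("share", 0.1, 1.0, 12_000),    # insurance covers 90% of the loss
          Response("avoid", 0.0, 0.0, 40_000)]),  # withdraw the exposed service
        (Risk("Clerical error in batch data entry", 20_000, 0.50),
         [ACCEPT, Response("reduce", 1.0, 0.1, 3_000)]),   # input validation
        (Risk("Collusion overriding segregation of duties", 2_000_000, 0.02),
         [ACCEPT, Response("reduce", 1.0, 0.5, 25_000)]),  # rotation and review
    ]


if __name__ == "__main__":
    result = assess_register(sample_register(), appetite=15_000, entity_appetite=30_000)
    print(result)
```

Note that for the first threat the cheapest acceptable response (share) is not the one with the lowest residual loss (avoid), and the third threat cannot be brought within appetite by any listed response, so it is escalated rather than silently accepted.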
  • 68. CONTROL FRAMEWORKS
    • The ERM model is three-dimensional.
    • This means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.
  • 69. CONTROL FRAMEWORKS
    • ERM Framework Vs. the Internal Control Framework
      • The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
        • It has too narrow of a focus.
    • Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.
    • Makes it difficult to know:
      • Which control systems are most important.
      • Whether they adequately deal with risk.
      • Whether important control systems are missing.
  • 69–70. CONTROL FRAMEWORKS
    • ERM Framework Vs. the Internal Control Framework
      • The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
        • It has too narrow a focus.
          • Examining controls without first examining the purposes and risks of business processes provides little context for evaluating the results.
          • This makes it difficult to know:
            • Which control systems are most important.
            • Whether they adequately deal with risk.
            • Whether important control systems are missing.
        • Focusing on controls first has an inherent bias toward past problems and concerns.
          • This may contribute to systems with many controls to protect against risks that are no longer important.
  • 71. CONTROL FRAMEWORKS
    • These issues led to COSO’s development of the ERM framework.
      • Takes a risk-based, rather than controls-based, approach to the organization.
      • Oriented toward future and constant change.
      • Incorporates rather than replaces COSO’s internal control framework and contains three additional elements:
        • Setting objectives.
        • Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives.
        • Developing a response to assessed risk.
  • 72. CONTROL FRAMEWORKS
    • Controls are flexible and relevant because they are linked to current organizational objectives.
    • ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.
  • 73. CONTROL FRAMEWORKS
    • Over time, ERM will probably become the most widely adopted risk and control model.
    • Consequently, its eight components are the topic of the remainder of the chapter.