Copyright © 2021 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Chapter 13
Accounting
Information Systems
&
Internal Controls
Learning Objectives
LO 13-1 Explain essential control concepts and why a
code of ethics and internal controls are
important.
LO 13-2 Explain the objectives and components of the
COSO internal control framework and the COSO
enterprise risk management framework.
LO 13-3 Describe the overall COBIT framework and its
implications for IT governance.
LO 13-4 Describe other governance frameworks related
to information systems management and
security.
WHY a Code of Ethics?
• Ethical behavior prompted by a code of ethics can be considered a form of INTERNAL CONTROL.
• Employees with different cultural backgrounds are likely to have different values; a shared code of ethics gives a group one standard of ethical behavior to work from.
• Many professional associations have developed codes of ethics to assist professionals in selecting among decisions that are not clearly right or wrong: AICPA, ISACA, IIA, IMA, …
LO# 1
Ethics, Sarbanes Oxley Act 2002, and Corporate Governance
Professional associations with codes of ethics:
• AICPA: American Institute of Certified Public Accountants
• ISACA: Information Systems Audit and Control Association
• IIA: Institute of Internal Auditors
• IMA: Institute of Management Accountants
LO# 1
Sarbanes Oxley Act of 2002
• SOX (Section 404) requires public companies registered with the SEC and their auditors to annually assess and report on the design and operating effectiveness of internal control over financial reporting.
• Established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms.
• PCAOB Auditing Standard No. 5 (AS 5; reorganized as AS 2201 in 2015) directs auditors to use a risk-based, top-down approach to identify the key controls:
– start at the financial statement level, focus first on entity-level controls, then work down to the significant accounts, disclosures, and assertions that those controls must address.
LO# 1
Corporate Governance
• A set of processes and policies in managing an
organization with sound ethics, internal and
external control mechanisms to safeguard the
interests of its stakeholders.
• Promotes accountability, fairness, and
transparency in the organization’s relationship
with its stakeholders.
LO# 1
Overview of Control Concepts
• Processes implemented to provide assurance that the
following objectives are achieved:
– Safeguard assets
– Maintain sufficient records
– Provide accurate and reliable information
– Prepare financial reports according to established criteria
– Promote and improve operational efficiency
– Encourage adherence with management policies
– Comply with laws and regulations
• According to SOX, the establishment and maintenance of
internal controls is a management responsibility.
LO# 2
Overview of Control Concepts
Three main functions of internal control:
• Preventive controls deter problems from
occurring (Authorization)
• Detective controls discover problems that are
not prevented (Bank reconciliations and
monthly trial balances)
• Corrective controls correct and recover from
the problems that have been identified
(Backup files to recover corrupted data)
LO# 2
Overview of Control Concepts
• Computerized environment:
• General controls pertain to enterprise-wide
issues (controls over accessing the network,
developing and maintaining applications, etc.)
• Application controls are specific to a
subsystem or an application to ensure the
validity, completeness and accuracy of the
transactions.
LO# 2
Commonly Used Internal Control
Frameworks
• The SEC requires management to evaluate internal
controls based on a recognized control framework
• COSO Internal Control framework
– COSO-Committee of Sponsoring Organizations
• AAA, AICPA, FEI, IIA, and IMA
– One of the most widely accepted authorities on internal control, providing a baseline for evaluating, reporting on, and improving internal control
LO# 2
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Sponsoring organizations:
• AAA: American Accounting Association
• AICPA: American Institute of Certified Public Accountants
• FEI: Financial Executives International
• IIA: Institute of Internal Auditors
• IMA: Institute of Management Accountants
LO# 2
Control Frameworks
• COSO Internal Control Framework: widely accepted; for evaluating, reporting on, and improving internal control
• COSO ERM Framework: expands the COSO framework, taking a risk-based approach
• COBIT (Control Objectives for Information & related Technology): for the governance and management of enterprise IT
• ITIL (Information Technology Infrastructure Library): for IT service management
• ISO 27000 series (International Organization for Standardization): addresses information security issues
LO# 2
COSO Internal Control Framework
(COSO 2013)
1. Internal control is a process consisting of ongoing tasks and
activities. It is a means to an end, not an end in itself.
2. Internal control is effected by people. It is not merely about
policy manuals, systems and forms. Rather, it is about
people at every level of a firm, whose actions determine whether controls work.
3. Internal control can provide reasonable assurance, not
absolute assurance, to an entity’s management and board.
4. Internal control is geared toward the achievement of
objectives in one or more separate but overlapping
categories.
5. Internal control is adaptable to the entity structure.
LO# 2
COSO Internal Control Framework
(COSO 2013)
Internal control is geared toward THREE CATEGORIES OF OBJECTIVES:
• Operations: effectiveness and efficiency of a firm's operations
• Reporting: reliability of reporting
• Compliance: adherence to applicable laws and regulations
LO# 2
COSO Internal Control Framework
(COSO 2013)
FIVE COMPONENTS: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities
LO# 2
Control Environment
• Management’s philosophy, operating style
• Commitment to integrity, ethical values, and
competence
• Internal control oversight by Board of Directors
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
LO# 2
Risk Assessment
• Identifying and analyzing a firm’s risks from
external and internal environments.
• Allows a firm to understand the extent to which
potential events might affect corporate
objectives.
• Risk is assessed from two perspectives:
– Likelihood: the probability that the event will occur
– Impact: the estimated potential loss if the event occurs
LO# 2
Control Activities
• A firm must establish control policies,
procedures, and practices that ensure the
firm’s objectives are achieved and risk
mitigation strategies are carried out.
• Occur throughout a firm at all levels and in all
functions.
10-18
LO# 2
Copyright © 2021 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Information and Communication
• Supports all other control components by communicating effectively:
– to ensure information flows within the firm: down, across, and up
– to interact with external parties (customers, suppliers, regulators, shareholders) and inform them about related policy positions
LO# 2
Monitoring Activities
• The design and effectiveness of internal controls should be monitored by management on an ongoing basis.
• Findings should be evaluated and deficiencies must be communicated in a timely manner.
• Necessary modifications should be made to improve the business process and the internal control system.
LO# 2
COSO 2013
Control Components & Principles
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
LO# 2
COSO Enterprise Risk Management—Integrated Framework
ERM:
• identifies potential events that may affect the firm
• manages risk to be within the firm's risk appetite
• provides reasonable assurance regarding the achievement of the firm's objectives
• expands the COSO Internal Control framework to provide a broader view on risk management to maximize firm value
LO# 2
COSO Enterprise Risk Management—Integrated Framework
Objectives
• Strategic: high-level goals, aligned with and supporting the firm's mission and vision
• Operations: effectiveness and efficiency of operations
• Reporting: reliability of internal and external reporting
• Compliance: compliance with applicable laws and regulations
LO# 2
COSO and COSO Enterprise Risk Management Framework
COSO Internal Control components:
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COSO-ERM components:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
LO# 2
Objective Setting
• Objectives are set at the strategic level, establishing a basis for the operations, reporting and compliance objectives.
• Objectives support and align with the firm's mission and are consistent with its risk appetite.
LO# 2
Event Identification
• Identifying events, both external and internal to the organization, that could affect the achievement of the organization's objectives
• Must distinguish between risks and opportunities
• Opportunities are channeled back to the strategy or objective-setting processes; identified risks are forwarded to the next stage (risk assessment)
• Key Management Questions:
– What could go wrong?
– How can it go wrong?
– What is the potential harm?
– What can be done about it?
LO# 2
Risk Assessment
• Given AS 5 (now AS 2201), risk assessment is also the first step in developing an audit plan to meet the mandate of SOX Section 404.
• Types of risk
– Inherent risk: the risk that exists before any plans are made to address it
– Control risk: the risk that errors or irregularities in the underlying transactions will not be prevented, detected, or corrected by the internal control system
– Residual risk: the risk that is left over after controls have been applied; in the audit risk model it is treated as the product of inherent risk and control risk
LO# 2
Risk Response
Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances, its risk appetite, and the cost versus benefit of potential risk responses:
(1) Reduce risks: implement effective internal control
(2) Share risks: buy insurance, outsource, or hedge
(3) Avoid risks: do not engage in the activity
(4) Accept risks: do nothing; accept the likelihood and impact of the risk
LO# 2
Risk Response
Likelihood/impact matrix (rows: likelihood; columns: impact):
                        Low impact    High impact
High frequency/likelihood   Reduce        Avoid
Low frequency/likelihood    Accept        Share
LO# 2
Risk Assessment and Response to Selecting Control Activities
1. Identify the risks
2. Estimate the likelihood of each risk occurring
3. Estimate the impact, or potential loss, from each risk
4. Identify controls to mitigate the risk
5. Estimate the costs and benefits from instituting controls
6. Is it cost beneficial to protect the firm from the risk?
– Yes: reduce the risk by implementing the control
– No: avoid, share, or accept the risk
LO# 2
Risk Assessment
• Cost and benefit analysis is important in determining whether to implement an internal control.
Internal control benefits > costs: IMPLEMENT
• Expected benefit of an internal control
= Impact × Decreased likelihood
= estimated impact of a risk × the decrease in its likelihood if the control is implemented
LO# 2
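The assessment-and-response procedure above, worked through in code. This is an added example, not code from the textbook: it computes the expected benefit of a candidate control with the slide's formula (impact × decreased likelihood), implements the control when that benefit exceeds its cost, and otherwise reads avoid, share or accept off the likelihood/impact matrix. The risk register, the control costs and the high/low thresholds are all constructed for illustration.

```python
"""Risk assessment and response: the slides' procedure as code.

Added example, not textbook code. All figures and thresholds are constructed.
"""
from dataclasses import dataclass

# Boundaries between "high" and "low" in the 2x2 matrix. These are an
# assumption of the example; a firm derives them from its own risk appetite.
HIGH_LIKELIHOOD = 0.20   # annual probability at or above which likelihood is "high"
HIGH_IMPACT = 100_000.0  # loss at or above which impact is "high"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float           # probability the event occurs within a year
    impact: float               # estimated loss if the event occurs
    control: str                # candidate control to reduce the risk
    control_cost: float         # annual cost of operating the control
    residual_likelihood: float  # likelihood if the control is in place


def expected_loss(likelihood: float, impact: float) -> float:
    """Annualised expected loss: likelihood x impact."""
    return likelihood * impact


def expected_benefit(r: Risk) -> float:
    """Expected benefit of the control = impact x decreased likelihood (slide formula)."""
    return r.impact * (r.likelihood - r.residual_likelihood)


def fallback_response(likelihood: float, impact: float) -> str:
    """Response when the control is not cost beneficial, read off the matrix:
    high likelihood + high impact -> avoid; low likelihood + high impact -> share;
    everything else -> accept. The matrix's "reduce" cell is the cost-beneficial
    case, which decide() handles before calling this."""
    high_l = likelihood >= HIGH_LIKELIHOOD
    high_i = impact >= HIGH_IMPACT
    if high_l and high_i:
        return "avoid"
    if high_i:
        return "share"
    return "accept"


def decide(r: Risk) -> dict:
    """Apply the flowchart to one risk and return the decision with its workings."""
    benefit = expected_benefit(r)
    cost_beneficial = benefit > r.control_cost
    response = "reduce" if cost_beneficial else fallback_response(r.likelihood, r.impact)
    return {
        "risk": r.name,
        "inherent_expected_loss": expected_loss(r.likelihood, r.impact),
        "residual_expected_loss": expected_loss(r.residual_likelihood, r.impact),
        "expected_benefit": benefit,
        "control_cost": r.control_cost,
        "cost_beneficial": cost_beneficial,
        "response": response,
        "action": r.control if cost_beneficial else response,
    }


def plan(risks: list) -> dict:
    """Run the assessment over a whole risk register, keyed by risk name."""
    return {r.name: decide(r) for r in risks}


# Constructed risk register for the example.
REGISTER = [
    Risk("duplicate vendor payments", 0.50, 20_000.0,
         "three-way match of PO, receipt and invoice", 3_000.0, 0.10),
    Risk("ransomware on the ERP server", 0.05, 500_000.0,
         "ERP server hardening and monthly patch cadence", 30_000.0, 0.02),
    Risk("unsupported legacy payroll platform", 0.30, 2_000_000.0,
         "custom extended-support contract", 800_000.0, 0.10),
    Risk("petty cash shortage", 0.01, 5_000.0,
         "weekly surprise cash counts", 500.0, 0.005),
]

if __name__ == "__main__":
    for name, d in plan(REGISTER).items():
        print(f"{name:40s} benefit={d['expected_benefit']:>12,.0f} "
              f"cost={d['control_cost']:>10,.0f} -> {d['response']}: {d['action']}")
```

Running the block prints one line per risk. The first risk is reduced (benefit 8,000 against a 3,000 cost), the ransomware risk is shared because the control's benefit (15,000) does not cover its cost and the impact is high, the legacy platform is avoided, and the petty cash shortage is accepted.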
Control Activities
Physical controls: mainly manual, but could involve the physical use of computing technology.
• proper authorization of transactions and activities
• segregation of duties
• project development and acquisition controls
• change management controls
• design and use of documents and records
• safeguarding assets, records, and data
• independent checks on performance
LO# 2
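Two of the controls just listed, segregation of duties and proper authorization, expressed as checks that can be run against an access export. This is an added example, not textbook code: the conflict pairs, roles, users, approval limits and transactions are constructed for illustration, and the names of the functions and roles are this example's own.

```python
"""Segregation of duties and authorization checks over an access list.

Added example, not textbook code. Conflict pairs, roles, users and limits
are constructed for illustration.
"""
from itertools import combinations

# Pairs of functions that one person must not hold together (constructed).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "post_journal"}),
    frozenset({"custody_cash", "reconcile_bank"}),
}

# Which functions each role grants (constructed).
ROLE_FUNCTIONS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "gl_accountant": {"enter_journal"},
    "controller": {"post_journal", "reconcile_bank", "approve_payment"},
    "cashier": {"custody_cash"},
}

# Approval limits per user for the approve_payment function (constructed).
APPROVAL_LIMITS = {"dave": 25_000.0, "erin": 250_000.0}

# Role assignments as exported from the ERP (constructed).
USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},   # can create a vendor and approve its payment
    "bob": {"gl_accountant"},
    "carol": {"cashier", "controller"},     # holds cash and reconciles the bank
    "dave": {"ap_manager"},
    "erin": {"controller"},
}


def user_functions(user_roles: dict, role_functions: dict) -> dict:
    """Flatten role assignments into the set of functions each user can perform."""
    return {user: set().union(*(role_functions.get(r, set()) for r in roles))
            for user, roles in user_roles.items()}


def sod_violations(user_roles: dict, role_functions=ROLE_FUNCTIONS,
                   conflicts=SOD_CONFLICTS) -> dict:
    """Detective control: every conflicting function pair a user holds, by user."""
    found = {}
    for user, funcs in user_functions(user_roles, role_functions).items():
        hits = [pair for pair in combinations(sorted(funcs), 2)
                if frozenset(pair) in conflicts]
        if hits:
            found[user] = hits
    return found


def authorize_payment(amount: float, preparer: str, approver: str,
                      user_roles: dict, limits=APPROVAL_LIMITS) -> tuple:
    """Preventive control: an approval is valid only if it is independent of the
    preparer, the approver holds the approval function, and the amount is within
    the approver's limit. Returns (approved, reason)."""
    funcs = user_functions(user_roles, ROLE_FUNCTIONS)
    if approver == preparer:
        return False, "self-approval is not allowed"
    if "approve_payment" not in funcs.get(approver, set()):
        return False, f"{approver} does not hold the approve_payment function"
    limit = limits.get(approver, 0.0)
    if amount > limit:
        return False, f"amount {amount:,.2f} exceeds {approver}'s limit {limit:,.2f}"
    return True, "approved"


if __name__ == "__main__":
    for user, pairs in sod_violations(USER_ROLES).items():
        print(f"SoD violation: {user} holds {pairs}")
    print(authorize_payment(30_000.0, "alice", "dave", USER_ROLES))
```

The SoD check is a detective control to run periodically over the full access export (and after every role change); the authorization check is a preventive control to apply at the moment a payment is released.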
Control Activities
IT controls: provide assurance for information and help to mitigate risks associated with the use of technology.
IT general controls (ITGC): enterprise-level controls over IT
• IT control environment
• Access controls
• Change management controls
• Project development and acquisition controls
• Computer operations controls
LO# 2
Control Activities
IT application controls
• Input controls: field checks, size checks, range checks, validity checks, completeness checks, reasonableness checks, check digit verification, closed-loop verification
• Processing controls: pre-numbered documents, sequence checks, batch totals (record counts, financial totals, hash totals), cross-footing balance tests, concurrent update controls
• Output controls: e.g., controlling the number of report copies printed and who receives them
LO# 2
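The input and processing controls listed above, applied to a small batch of sales invoices. This is an added example, not textbook code: it runs the record-level input controls (completeness, field, size, range, validity, reasonableness, check digit, and an in-record cross-foot) and the batch-level processing controls (sequence check on pre-numbered documents, record count, financial total and hash total against the control totals keyed with the batch). The chart of accounts, the limits, the batch and the control totals are constructed; the check digit scheme is Luhn mod-10, an assumption, since the slide names no particular scheme.

```python
"""Input and processing controls over a batch of sales invoices.

Added example, not textbook code. Master data, limits, the batch and the
control totals are constructed; Luhn mod-10 is an assumed check-digit scheme.
"""
import re

VALID_ACCOUNTS = {"4000", "4010", "4020"}   # revenue accounts (constructed)
MAX_QTY = 10_000                            # range check bound (assumption)
MAX_LINE_AMOUNT = 50_000.00                 # reasonableness bound (assumption)
REQUIRED = ("doc_no", "customer_id", "account", "qty", "unit_price", "amount")


def luhn_ok(number: str) -> bool:
    """Check-digit verification with the Luhn mod-10 algorithm."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: dict) -> list:
    """Input controls for one record; returns the list of control failures."""
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:                                                  # completeness check
        return [f"completeness: missing {', '.join(missing)}"]
    errors = []
    if not re.fullmatch(r"\d{6}", str(rec["doc_no"])):           # field + size check
        errors.append("field/size: doc_no must be exactly 6 digits")
    cid = str(rec["customer_id"])
    if not re.fullmatch(r"\d{8}", cid) or not luhn_ok(cid):       # check digit
        errors.append("check digit: customer_id fails mod-10 verification")
    if rec["account"] not in VALID_ACCOUNTS:                      # validity check
        errors.append(f"validity: account {rec['account']} not in chart of accounts")
    qty_ok = isinstance(rec["qty"], int) and 1 <= rec["qty"] <= MAX_QTY
    if not qty_ok:                                                # range check
        errors.append(f"range: qty must be an integer between 1 and {MAX_QTY}")
    if rec["amount"] > MAX_LINE_AMOUNT:                           # reasonableness check
        errors.append("reasonableness: amount exceeds single-invoice limit")
    if qty_ok and abs(rec["qty"] * rec["unit_price"] - rec["amount"]) > 0.005:
        errors.append("cross-foot: qty x unit_price does not equal amount")
    return errors


def check_batch(records: list, control_totals: dict) -> dict:
    """Processing controls over the batch plus per-record input control results."""
    report = {"record_errors": {}, "sequence_errors": []}
    for rec in records:
        errs = validate_record(rec)
        if errs:
            report["record_errors"][str(rec.get("doc_no", "?"))] = errs
    # Sequence check on pre-numbered documents: ascending with no gaps.
    numbers = [int(r["doc_no"]) for r in records if str(r.get("doc_no", "")).isdigit()]
    for prev, cur in zip(numbers, numbers[1:]):
        if cur != prev + 1:
            report["sequence_errors"].append(f"gap or disorder between {prev:06d} and {cur:06d}")
    # Batch totals: record count, financial total, hash total of document numbers.
    computed = {
        "record_count": len(records),
        "financial_total": round(sum(float(r.get("amount") or 0.0) for r in records), 2),
        "hash_total": sum(numbers),
    }
    report["computed_totals"] = computed
    report["total_mismatches"] = {k: (control_totals.get(k), v)
                                  for k, v in computed.items() if control_totals.get(k) != v}
    report["batch_ok"] = not (report["record_errors"] or report["sequence_errors"]
                              or report["total_mismatches"])
    return report


# Constructed batch: the third record has a bad check digit, an unknown account
# and an amount that does not cross-foot, and document 000103 is missing.
BATCH = [
    {"doc_no": "000101", "customer_id": "12345674", "account": "4000", "qty": 10, "unit_price": 25.00, "amount": 250.00},
    {"doc_no": "000102", "customer_id": "87654323", "account": "4010", "qty": 3, "unit_price": 100.00, "amount": 300.00},
    {"doc_no": "000104", "customer_id": "12345670", "account": "9999", "qty": 2, "unit_price": 40.00, "amount": 85.00},
]
# Control totals keyed with the batch (constructed); the financial total was
# mis-keyed as 630.00, which the batch total comparison surfaces.
CONTROL_TOTALS = {"record_count": 3, "financial_total": 630.00, "hash_total": 307}

if __name__ == "__main__":
    import json
    print(json.dumps(check_batch(BATCH, CONTROL_TOTALS), indent=2))
```

The point of running both layers is that they catch different things: the record-level checks reject a single bad invoice, the sequence check exposes a document that was lost or suppressed between entry and processing, and the batch totals catch a mis-keyed or altered amount even when every individual record passes its own edits.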
COBIT Framework
• COBIT (Control Objectives for Information and related
Technology) is a generally accepted framework for IT
governance and management.
• IT governance is a subset of corporate governance and
includes issues regarding IT management and security.
• IT governance is the responsibility of management, to
ensure that the firm’s IT sustains and extends its business
objectives.
• COBIT supports IT governance and management by
providing a framework to ensure that IT is aligned with the
business, IT enables the business and maximizes firm value,
IT resources are used responsibly, and IT risks are managed
appropriately.
LO# 3
COBIT Framework
• Provides a business focus to align business and IT objectives
• Defines the scope and ownership of IT process and control
• Is consistent with accepted IT good practices and standards
• Provides a common language with a set of terms and
definitions that are generally understandable by all
stakeholders
• Meets regulatory requirements by being consistent with
generally accepted corporate governance standards (e.g.,
COSO) and IT controls expected by regulators and auditors.
LO# 3
COBIT Framework
Key criteria of business requirements for information:
• Effectiveness – relevant and timely
• Efficiency – produced economically
• Confidentiality – protection of sensitive information
• Integrity – valid, accurate and complete
• Availability – available when needed
• Compliance – complying with the laws and regulations
• Reliability – reliable for daily decision making
LO# 3
COBIT Framework
• Current version is COBIT 2019 (published by ISACA in late 2018, superseding COBIT 5).
• COBIT 5 was based on the following five principles:
– Meeting stakeholder needs
– Covering the enterprise end-to-end
– Applying a single, integrated framework
– Enabling a holistic approach
– Separating governance from management
• COBIT 2019 restates these as six governance system principles: provide stakeholder value; holistic approach; dynamic governance system; governance distinct from management; tailored to enterprise needs; end-to-end governance system.
LO# 3
Information Technology
Infrastructure Library (ITIL)
• A de facto standard, developed by the UK government and widely adopted in Europe, for best practices in IT infrastructure management and service delivery.
• ITIL's value proposition centers on providing IT services with an understanding of the business objectives and priorities, and of the role that IT services play in achieving those objectives.
• ITIL (v3, 2011 edition) adopts a lifecycle approach to IT services and organizes IT service management into five high-level stages; ITIL 4 (2019) has since replaced the lifecycle with a service value system built around practices.
LO# 4
Information Technology Infrastructure Library (ITIL)
• Service Strategy (SS): the strategic planning of IT service management capabilities and the alignment of IT service and business strategies
• Service Design (SD): the design and development of IT services and service management processes
• Service Transition (ST): realizing the requirements of strategy and design, and maintaining capabilities for the ongoing delivery of a service
• Service Operation (SO): the effective and efficient delivery and support of services, with a benchmarked approach for event, incident, request fulfillment, problem, and access management
• Continual Service Improvement (CSI): ongoing improvement of the service and the measurement of the process performance required for the service
LO# 4
International Organization for
Standardization (ISO) 27000 Series
• The ISO 27000 series of standards is designed to address information security issues.
• The series, particularly ISO/IEC 27001 and ISO/IEC 27002, has become the most recognized and generally accepted information security framework and set of guidelines: 27001 states the certifiable requirements for an ISMS, and 27002 is the companion code of practice describing the controls. Both were revised in 2022.
• The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS) using a "process approach".
LO# 4
International Organization for Standardization (ISO) 27000 Series
Steps to Establishing an ISMS Following ISO 27001/27002 (figure)
LO# 4
ITIL vs. ISO 27001
• Nature: ISO 27001 is an international standard; ITIL is a best-practice IT framework.
• Content: ISO 27001 sets requirements for the establishment, implementation, maintenance and continual improvement of an Information Security Management System; ITIL is a set of practices for IT service management, with guidance on the provision of quality IT services and the processes and functions needed to support them.
• Scope: ISO 27001 is applicable to any type and size of organization; ITIL is applicable to every type of IT environment.
• Certification: ISO 27001 implementation and certification are optional, but an organization can be certified against it; ITIL implementation is not subject to organizational certification (ITIL certifications are held by individuals).
• Editions compared: ISO 27001:2013 and ITIL 2011 edition (both since superseded, by ISO/IEC 27001:2022 and ITIL 4).

A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
Scholarhat
 
How to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRMHow to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRM
Celine George
 

Recently uploaded (20)

Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
 
Types of Herbal Cosmetics its standardization.
Types of Herbal Cosmetics its standardization.Types of Herbal Cosmetics its standardization.
Types of Herbal Cosmetics its standardization.
 
How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17
 
How to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP ModuleHow to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP Module
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
 
Top five deadliest dog breeds in America
Top five deadliest dog breeds in AmericaTop five deadliest dog breeds in America
Top five deadliest dog breeds in America
 
Assessment and Planning in Educational technology.pptx
Assessment and Planning in Educational technology.pptxAssessment and Planning in Educational technology.pptx
Assessment and Planning in Educational technology.pptx
 
PIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf IslamabadPIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf Islamabad
 
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
 
How to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRMHow to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRM
 

Richardson_AIS3e_CH13_PowerPoint.pptx

  • 1. Copyright © 2021 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
     Chapter 13: Accounting Information Systems & Internal Controls
  • 2. Learning Objectives
     LO 13-1 Explain essential control concepts and why a code of ethics and internal controls are important.
     LO 13-2 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk management framework.
     LO 13-3 Describe the overall COBIT framework and its implications for IT governance.
     LO 13-4 Describe other governance frameworks related to information systems management and security.
  • 3. Ethics, Sarbanes Oxley Act 2002, and Corporate Governance: WHY a Code of Ethics? (LO# 1)
     • Ethical behavior prompted by a code of ethics can be considered a form of INTERNAL CONTROL.
     • Employees with different cultural backgrounds are likely to have different values → a code of ethics promotes ethical behavior within a group.
     • Many professional associations have developed codes of ethics to assist professionals in selecting among decisions that are not clearly right or wrong: AICPA, ISACA, IIA, IMA, …
  • 4. Ethics, Sarbanes Oxley Act 2002, and Corporate Governance (LO# 1)
     • AICPA – American Institute of Certified Public Accountants
     • ISACA – Information Systems Audit and Control Association
     • IIA – Institute of Internal Auditors
     • IMA – Institute of Management Accountants
  • 5. Sarbanes Oxley Act of 2002 (LO# 1)
     • SOX requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting.
     • Established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms.
     • PCAOB Auditing Standard No. 5 (AS 5) encourages auditors to use a risk-based, top-down approach to identify the key controls → analyze controls at the financial statement level and focus on entity-level controls.
  • 6. Corporate Governance (LO# 1)
     • A set of processes and policies for managing an organization with sound ethics and internal and external control mechanisms to safeguard the interests of its stakeholders.
     • Promotes accountability, fairness, and transparency in the organization's relationship with its stakeholders.
  • 7. Overview of Control Concepts (LO# 2)
     • Processes implemented to provide assurance that the following objectives are achieved:
        – Safeguard assets
        – Maintain sufficient records
        – Provide accurate and reliable information
        – Prepare financial reports according to established criteria
        – Promote and improve operational efficiency
        – Encourage adherence to management policies
        – Comply with laws and regulations
     • According to SOX, the establishment and maintenance of internal controls is a management responsibility.
  • 8. Overview of Control Concepts (LO# 2)
     Three main functions of internal control:
     • Preventive controls deter problems from occurring (e.g., authorization).
     • Detective controls discover problems that are not prevented (e.g., bank reconciliations and monthly trial balances).
     • Corrective controls correct and recover from problems that have been identified (e.g., backup files used to recover corrupted data).
  • 9. Overview of Control Concepts (LO# 2)
     Computerized environment:
     • General controls pertain to enterprise-wide issues (controls over accessing the network, developing and maintaining applications, etc.).
     • Application controls are specific to a subsystem or an application and ensure the validity, completeness and accuracy of transactions.
  • 10. Commonly Used Internal Control Frameworks (LO# 2)
     • The SEC requires management to evaluate internal controls based on a recognized control framework.
     • COSO Internal Control framework
        – COSO: Committee of Sponsoring Organizations (AAA, AICPA, FEI, IIA, and IMA)
        – One of the most widely accepted authorities on internal control, providing a baseline for evaluating, reporting, and improving internal control
  • 11. Committee of Sponsoring Organizations of the Treadway Commission (COSO) (LO# 2)
     • AAA – American Accounting Association
     • AICPA – American Institute of Certified Public Accountants
     • FEI – Financial Executives International
     • IIA – Institute of Internal Auditors
     • IMA – Institute of Management Accountants
  • 12. Control Frameworks (LO# 2)
     • COSO Internal Control Framework – widely accepted for evaluating, reporting, and improving internal control
     • COSO ERM Framework – expands the COSO framework, taking a risk-based approach
     • COBIT – Control Objectives for Information & related Technology; for the governance and management of enterprise IT
     • ITIL – Information Technology Infrastructure Library; for IT service management
     • ISO 27000 Series – International Organization for Standardization; addresses information security issues
  • 13. COSO Internal Control Framework (COSO 2013) (LO# 2)
     1. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
     2. Internal control is affected by people. It is not merely about policy manuals, systems and forms. Rather, it is about people at every level of a firm that impact internal control.
     3. Internal control can provide reasonable assurance, not absolute assurance, to an entity's management and board.
     4. Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories.
     5. Internal control is adaptable to the entity structure.
  • 14. COSO Internal Control Framework (COSO 2013) (LO# 2)
     An effective internal control system should address THREE OBJECTIVES:
     • effectiveness and efficiency of a firm's operations
     • reliability of reporting
     • adherence to applicable laws and regulations
  • 15. COSO Internal Control Framework (COSO 2013): FIVE COMPONENTS (LO# 2) [figure only; the components are covered on slides 16–20]
  • 16. Control Environment (LO# 2)
     • Management's philosophy and operating style
     • Commitment to integrity, ethical values, and competence
     • Internal control oversight by the Board of Directors
     • Organizational structure
     • Methods of assigning authority and responsibility
     • Human resource standards
  • 17. Risk Assessment (LO# 2)
     • Identifying and analyzing a firm's risks from the external and internal environments.
     • Allows a firm to understand the extent to which potential events might affect corporate objectives.
     • Risk is assessed from two perspectives:
        – Likelihood – the probability that the event will occur
        – Impact – the estimated potential loss if the event occurs
  • 18. Control Activities (LO# 2)
     • A firm must establish control policies, procedures, and practices that ensure the firm's objectives are achieved and risk mitigation strategies are carried out.
     • They occur throughout a firm at all levels and in all functions.
  • 19. Information and Communication (LO# 2)
     • Supports all other control components by communicating effectively
        – to ensure information flows within the firm: down, across, and up
        – to interact with external parties (customers, suppliers, regulators, shareholders) and inform them about related policy positions
  • 20. Monitoring Activities (LO# 2)
     • The design and effectiveness of internal controls should be monitored by management on an ongoing basis.
     • Findings should be evaluated and deficiencies must be communicated in a timely manner.
     • Necessary modifications should be made to improve the business process and the internal control system.
  • 21. COSO 2013 Control Components & Principles (LO# 2)
     Control Environment:
        1. Demonstrates commitment to integrity and ethical values
        2. Exercises oversight responsibility
        3. Establishes structure, authority, & responsibility
        4. Demonstrates commitment to competence
        5. Enforces accountability
     Risk Assessment:
        6. Specifies suitable objectives
        7. Identifies & analyzes risk
        8. Assesses fraud risk
        9. Identifies & analyzes significant change
     Control Activities:
        10. Selects & develops control activities
        11. Selects & develops general controls over technology
        12. Deploys through policies & procedures
     Information and Communication:
        13. Uses relevant information
        14. Communicates internally
        15. Communicates externally
     Monitoring Activities:
        16. Conducts ongoing and/or separate evaluations
        17. Evaluates & communicates deficiencies
  • 22. COSO Enterprise Risk Management—Integrated Framework (LO# 2)
     ERM:
     • identifies potential events that may affect the firm
     • manages risk to be within the firm's risk appetite
     • provides reasonable assurance regarding the achievement of the firm's objectives
     • expands the COSO Internal Control framework to provide a broader view on risk management to maximize firm value
  • 23. COSO Enterprise Risk Management—Integrated Framework (LO# 2) [figure only]
  • 24. COSO Enterprise Risk Management—Integrated Framework: Objectives (LO# 2)
     • Strategic — high-level goals, aligned with and supporting the firm's mission and vision
     • Operations — effectiveness and efficiency of operations
     • Reporting — reliability of internal and external reporting
     • Compliance — compliance with applicable laws and regulations
  • 25. COSO and COSO Enterprise Risk Management Framework (LO# 2)
     COSO: control (internal) environment; risk assessment; control activities; information and communication; monitoring
     COSO-ERM: internal environment; objective setting; event identification; risk assessment; risk response; control activities; information and communication; monitoring
  • 26. Objective Setting (LO# 2)
     • Objectives are set at the strategic level, establishing a basis for operations, reporting and compliance; they support and align with the firm's mission and are consistent with its risk appetite.
  • 27. Event Identification (LO# 2)
     • Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives
     • Must distinguish between risks and opportunities
     • Opportunities are channeled back to the strategy or objective-setting processes; identified risks are forwarded to the next stage
     • Key Management Questions:
        – What could go wrong?
        – How can it go wrong?
        – What is the potential harm?
        – What can be done about it?
  • 28. Risk Assessment (LO# 2)
     • Given AS 5, risk assessment is also a first step in developing an audit plan to meet the mandate of SOX Section 404.
     • Types of risk:
        – Inherent risk: exists already, before plans are made to address it
        – Control risk: the threat that errors or irregularities in the underlying transactions will not be prevented, detected and corrected by the internal control system
        – Residual risk: the product of inherent risk and control risk (the risk that is left over after controlling it)
  • 29. Risk Response (LO# 2)
     Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances, its risk appetite, and the cost versus benefit of potential risk responses:
     (1) Reduce risks: implement effective internal control
     (2) Share risks: buy insurance, outsource, or hedge
     (3) Avoid risks: do not engage in the activity
     (4) Accept risks: do nothing; accept the likelihood and impact of the risk
  • 30. Risk Response (LO# 2)
     Response matrix by likelihood and impact:
                                    Low impact   High impact
        High frequency/likelihood   Reduce       Avoid
        Low frequency/likelihood    Accept       Share
  • 31. Risk Assessment and Response to Selecting Control Activities (LO# 2)
     1. Identify the risks
     2. Estimate the likelihood of each risk occurring
     3. Estimate the impact, or potential loss, from each risk
     4. Identify controls to mitigate the risk
     5. Estimate the costs and benefits from instituting controls
     6. Is it cost beneficial to protect the firm from the risk?
        – Yes → reduce the risk by implementing the control
        – No → avoid, share, or accept the risk
  • 32. Risk Assessment (LO# 2)
     • Cost and benefit analysis is important in determining whether to implement an internal control. If internal control benefits > costs: IMPLEMENT.
     • Expected benefit of an internal control = Impact × Decreased Likelihood = estimated impact of a risk × the decrease in likelihood if the control is implemented
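The risk assessment and response steps on slides 28 to 32 (likelihood and impact, the expected benefit of a control, the cost-benefit test and the response matrix) carried through on a small risk register. This is an added example, not code from the textbook or from COSO; the register entries, the high/low cut-offs and the fallback rule for a frequent low-impact risk with no cost-beneficial control are constructed assumptions.

```python
"""Risk assessment, cost-benefit screening and risk response selection.

Added worked example for the risk assessment / risk response steps on the
slides (likelihood x impact, expected benefit of a control, the cost-benefit
test and the 2x2 response matrix). Not code from the textbook or from COSO;
the register entries, the high/low cut-offs and the fallback rule for a
non-cost-beneficial "reduce" are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # probability the event occurs in one year (0..1)
    impact: float       # estimated loss if the event occurs (currency units)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_likelihood: float   # likelihood remaining once the control operates


# Assumed cut-offs between the "high" and "low" cells of the response matrix.
HIGH_LIKELIHOOD = 0.20
HIGH_IMPACT = 100_000.0


def expected_loss(risk: Risk) -> float:
    """Exposure before any response: likelihood x impact (slide 17)."""
    return risk.likelihood * risk.impact


def expected_benefit(risk: Risk, control: Control) -> float:
    """Expected benefit of a control = impact x decreased likelihood (slide 32)."""
    decrease = risk.likelihood - control.residual_likelihood
    if decrease < 0:
        raise ValueError(f"{control.name} does not lower the likelihood of {risk.name}")
    return risk.impact * decrease


def is_cost_beneficial(risk: Risk, control: Control) -> bool:
    """Implement only when the expected benefit exceeds the control's cost."""
    return expected_benefit(risk, control) > control.annual_cost


def matrix_response(risk: Risk) -> str:
    """Slide 30 matrix: avoid high/high, reduce high/low, share low/high, accept low/low."""
    high_l = risk.likelihood >= HIGH_LIKELIHOOD
    high_i = risk.impact >= HIGH_IMPACT
    if high_l and high_i:
        return "avoid"
    if high_l:
        return "reduce"
    if high_i:
        return "share"
    return "accept"


def select_response(risk: Risk, control: Optional[Control]) -> str:
    """Slide 31 flow: reduce via a cost-beneficial control, otherwise avoid, share or accept."""
    if control is not None and is_cost_beneficial(risk, control):
        return "reduce"
    fallback = matrix_response(risk)
    # Assumption: a frequent, low-impact risk with no cost-beneficial control is accepted.
    return "accept" if fallback == "reduce" else fallback


def evaluate_register(register: List[Tuple[Risk, Optional[Control]]]) -> Dict[str, dict]:
    """Walk a (risk, control-or-None) register and record each decision."""
    out: Dict[str, dict] = {}
    for risk, control in register:
        out[risk.name] = {
            "expected_loss": expected_loss(risk),
            "expected_benefit": expected_benefit(risk, control) if control else 0.0,
            "control_cost": control.annual_cost if control else 0.0,
            "response": select_response(risk, control),
        }
    return out


# Constructed sample register; every figure is invented for illustration.
SAMPLE_REGISTER = [
    (Risk("unauthorized manual journal entry", 0.30, 50_000.0),
     Control("dual approval of manual journal entries", 8_000.0, 0.05)),
    (Risk("data centre fire", 0.02, 2_000_000.0),
     Control("fire suppression upgrade", 60_000.0, 0.005)),
    (Risk("credential phishing of finance staff", 0.50, 300_000.0),
     Control("multi-factor authentication", 20_000.0, 0.10)),
    (Risk("minor data-entry errors", 0.90, 500.0),
     Control("second keying of every record", 5_000.0, 0.20)),
]

if __name__ == "__main__":
    for name, row in evaluate_register(SAMPLE_REGISTER).items():
        print(f"{name:40s} benefit={row['expected_benefit']:>9,.0f} "
              f"cost={row['control_cost']:>8,.0f} -> {row['response']}")
```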
  • 33. Control Activities (LO# 2)
     Physical Controls: mainly manual, but could involve the physical use of computing technology.
     + proper authorization of transactions and activities
     + segregation of duties
     + project development and acquisition controls
     + change management controls
     + design and use of documents and records
     + safeguarding assets, records, and data
     + independent checks on performance
  • 34. Control Activities (LO# 2)
     IT controls: provide assurance for information and help to mitigate risks associated with the use of technology.
     IT general controls (ITGC): enterprise-level controls over IT
     + IT control environment
     + Access controls
     + Change management controls
     + Project development and acquisition controls
     + Computer operations controls
  • 35. Control Activities (LO# 2)
     IT application controls
     • Input controls: field checks, size checks, range checks, validity checks, completeness checks, reasonableness checks, check digit verification, closed-loop verification
     • Processing controls: pre-numbered documents, sequence checks, batch totals, cross-footing balance tests, concurrent update controls
     • Output controls: required number of copies printed
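The input and processing controls on slide 35 run over a constructed batch of invoice records. This is an added example, not the textbook's code; the record layout, the limits, the sample batch and the choice of a mod-10 (Luhn) check digit scheme are assumptions the slide does not make.

```python
"""Input and processing controls over a batch of sales-invoice records.

Added example of the IT application controls on the slide: field, size,
range, validity, completeness, reasonableness and check-digit input controls,
then sequence checks and batch totals as processing controls. Not code from
the textbook; layout, limits, sample batch and the Luhn scheme are assumptions.
"""
from typing import Dict, List

REQUIRED = ("doc_no", "customer_id", "qty", "unit_price", "amount")
DOC_NO_WIDTH = 6             # assumed width of the pre-numbered invoice numbers
QTY_MIN, QTY_MAX = 1, 1000   # assumed acceptable order quantity


def check_digit_ok(ident: str) -> bool:
    """Mod-10 (Luhn) check digit verification; the rightmost digit is the check digit."""
    if not ident.isdigit() or len(ident) < 2:
        return False
    total = 0
    for pos, ch in enumerate(reversed(ident)):
        d = int(ch)
        if pos % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _num(value) -> float:
    """Numeric value of a field, or 0.0 when it cannot be parsed."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return 0.0


def input_controls(rec: dict, customer_master: set) -> List[str]:
    """Apply the input controls to one record and return its control exceptions."""
    missing = [f for f in REQUIRED if not str(rec.get(f, "")).strip()]
    if missing:                               # completeness check: stop, nothing else is meaningful
        return ["completeness: missing " + ",".join(missing)]
    errs = []
    if not (rec["doc_no"].isdigit() and rec["qty"].isdigit()):
        errs.append("field: doc_no/qty must be numeric")                  # field check
    if len(rec["doc_no"]) != DOC_NO_WIDTH:
        errs.append(f"size: doc_no must be {DOC_NO_WIDTH} digits")       # size check
    if rec["qty"].isdigit() and not QTY_MIN <= int(rec["qty"]) <= QTY_MAX:
        errs.append(f"range: qty outside {QTY_MIN}..{QTY_MAX}")          # range check
    if not check_digit_ok(rec["customer_id"]):
        errs.append("check digit: customer_id fails mod-10")             # catches keying errors
    if rec["customer_id"] not in customer_master:
        errs.append("validity: customer_id not in master file")          # validity check
    try:                                                                  # reasonableness check
        if abs(float(rec["amount"]) - int(rec["qty"]) * float(rec["unit_price"])) > 0.005:
            errs.append("reasonableness: amount != qty x unit_price")
    except ValueError:
        errs.append("field: qty/unit_price/amount must be numeric")
    return errs


def processing_controls(records: List[dict], header: dict) -> List[str]:
    """Sequence check over pre-numbered documents and batch totals against the batch header."""
    errs = []
    nums = [int(r["doc_no"]) for r in records if str(r.get("doc_no", "")).isdigit()]
    for prev, cur in zip(nums, nums[1:]):
        if cur != prev + 1:                   # a gap or a duplicate in the sequence
            errs.append(f"sequence: break between {prev} and {cur}")
    count = len(records)
    financial = sum(_num(r.get("amount")) for r in records)
    hash_total = sum(int(_num(r.get("customer_id"))) for r in records)
    if count != header["record_count"]:
        errs.append(f"batch: record count {count} != {header['record_count']}")
    if abs(financial - header["financial_total"]) > 0.005:
        errs.append(f"batch: financial total {financial:.2f} != {header['financial_total']:.2f}")
    if hash_total != header["hash_total"]:
        errs.append(f"batch: hash total {hash_total} != {header['hash_total']}")
    return errs


def validate_batch(records: List[dict], customer_master: set, header: dict) -> Dict[str, object]:
    """Run input controls per record and processing controls over the batch."""
    return {
        "input": {r.get("doc_no", "?"): input_controls(r, customer_master) for r in records},
        "processing": processing_controls(records, header),
    }


# Constructed sample data. Both master customer IDs carry valid Luhn check digits.
CUSTOMER_MASTER = {"45395787", "10000420"}
SAMPLE_BATCH = [
    {"doc_no": "100201", "customer_id": "45395787", "qty": "10", "unit_price": "25.00", "amount": "250.00"},
    {"doc_no": "100202", "customer_id": "10000420", "qty": "3", "unit_price": "99.50", "amount": "298.50"},
    # customer keyed as 45395788 instead of 45395787, and an impossible quantity
    {"doc_no": "100203", "customer_id": "45395788", "qty": "5000", "unit_price": "1.00", "amount": "5000.00"},
    # document 100204 is missing from the batch, and 2 x 10.00 is not 25.00
    {"doc_no": "100205", "customer_id": "10000420", "qty": "2", "unit_price": "10.00", "amount": "25.00"},
]
# Batch header totals as computed from the source documents (constructed).
SAMPLE_HEADER = {"record_count": 4, "financial_total": 5568.50,
                 "hash_total": 45395787 + 10000420 + 45395787 + 10000420}

if __name__ == "__main__":
    for section, result in validate_batch(SAMPLE_BATCH, CUSTOMER_MASTER, SAMPLE_HEADER).items():
        print(section, result)
```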
  • 36. COBIT Framework (LO# 3)
     • COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for IT governance and management.
     • IT governance is a subset of corporate governance and includes issues regarding IT management and security.
     • IT governance is the responsibility of management, to ensure that the firm's IT sustains and extends its business objectives.
     • COBIT supports IT governance and management by providing a framework to ensure that IT is aligned with the business, IT enables the business and maximizes firm value, IT resources are used responsibly, and IT risks are managed appropriately.
  • 37. COBIT Framework (LO# 3)
     • Provides a business focus to align business and IT objectives
     • Defines the scope and ownership of IT processes and controls
     • Is consistent with accepted IT good practices and standards
     • Provides a common language with a set of terms and definitions that are generally understandable by all stakeholders
     • Meets regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and the IT controls expected by regulators and auditors
  • 38. COBIT Framework (LO# 3)
     Key criteria of business requirements for information:
     • Effectiveness – relevant and timely
     • Efficiency – produced economically
     • Confidentiality – protection of sensitive information
     • Integrity – valid, accurate and complete
     • Availability – available when needed
     • Compliance – complying with laws and regulations
     • Reliability – reliable for daily decision making
  • 39. COBIT Framework (LO# 3)
     • Current version is COBIT 2019
     • Based on the following principles:
        – Meeting stakeholder needs
        – Covering the enterprise end-to-end
        – Applying a single, integrated framework
        – Enabling a holistic approach
        – Separating governance from management
  • 40. Information Technology Infrastructure Library (ITIL) (LO# 4)
     • A de facto standard in Europe for best practices in IT infrastructure management and service delivery.
     • ITIL's value proposition centers on providing IT services with an understanding of the business objectives and priorities, and of the role that IT services have in achieving the objectives.
     • ITIL adopts a lifecycle approach to IT services, and organizes IT service management into five high-level categories.
  • 41. Information Technology Infrastructure Library (ITIL) (LO# 4)
     • Service Strategy (SS) – the strategic planning of IT service management capabilities and the alignment of IT service and business strategies
     • Service Design (SD) – the design and development of IT services and service management processes
     • Service Transition (ST) – realizing the requirements of strategy and design, and maintaining capabilities for the ongoing delivery of a service
     • Service Operation (SO) – the effective and efficient delivery and support of services, with a benchmarked approach for event, incident, request fulfillment, problem, and access management
     • Continual Service Improvement (CSI) – ongoing improvement of the service and the measurement of process performance required for the service
  • 42. Information Technology Infrastructure Library (ITIL) (LO# 4) [figure only]
  • 43. International Organization for Standardization (ISO) 27000 Series (LO# 4)
     • The ISO 27000 series of standards is designed to address information security issues.
     • The ISO 27000 series, particularly ISO 27001 and ISO 27002, has become the most recognized and generally accepted set of information security frameworks and guidelines.
     • The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS) using a “process approach”.
  • 44. International Organization for Standardization (ISO) 27000 Series: Steps to Establishing an ISMS Following ISO 27001/27002 (LO# 4) [figure only]
  • 45. ITIL vs. ISO 27001
     ISO 27001 | ITIL
     International standard | Best practice IT framework
     Requirements for the establishment, implementation, maintenance and continual improvement of an Information Security Management System | Set of practices for IT service management; guidance on the provision of quality IT services and the processes and functions needed to support them
     Applicable to any type and size of organization | Applicable to every type of IT environment
     Implementation and certification are optional | Implementation is not subject to certification
     ISO 27001:2013 | ITIL 2011 edition

Editor's Notes

  1. Objectives are set at the strategic level, establishing a basis for operations, reporting and compliance, and the chosen objectives shall support and align with the firm's mission and be consistent with its risk appetite. Based on the firm's mission and vision, management sets specific objectives before identifying potential events affecting their achievement. Management should have in place a process to set strategic, operations, reporting, and compliance objectives.