Accounting Information Systems: Fourteenth Edition, Global Edition


Accounting Information Systems

Fourteenth Edition, Global Edition

Chapter 7
Control and Accounting
Information Systems

Copyright © 2018 Pearson Education, Ltd. All Rights Reserved


Learning Objectives (1 of 2)
• Explain basic control concepts and why computer control
and security are important.
• Compare and contrast the COBIT, COSO, and ERM
control frameworks.
• Describe the major elements in the internal environment of
a company.
• Describe the control objectives that companies need to set
and how to identify events that affect organizational
uncertainty.

Copyright © 2018 Pearson Education, Ltd. Chapter 7: Control and Accounting Information Systems Slide 1 - 2
Learning Objectives (2 of 2)
• Explain how to assess and respond to risk using the
Enterprise Risk Management model.
• Describe control activities commonly used in companies.
• Describe how to communicate information and monitor
control processes in organizations.

Why Is Control Needed?
• Any potential adverse occurrence or unwanted event that
could be injurious to either the accounting information
system or the organization is referred to as a threat or an
event.
• The potential dollar loss should a particular threat become
a reality is referred to as the exposure or impact of the
threat.
• The probability that the threat will happen is the likelihood
associated with the threat.

A Primary Objective of an AIS
• Is to control the organization so that it can achieve its objectives
• Management expects accountants to:
– Take a proactive approach to eliminating system threats.
– Detect, correct, and recover from threats when they occur.

Internal Controls
• Processes implemented to provide assurance that the
following objectives are achieved:
– Safeguard assets
– Maintain sufficient records
– Provide accurate and reliable information
– Prepare financial reports according to established criteria
– Promote and improve operational efficiency
– Encourage adherence with management policies
– Comply with laws and regulations

Functions of Internal Controls
• Preventive controls
– Deter problems from occurring

• Detective controls
– Discover problems that are not prevented

• Corrective controls
– Identify and correct problems that have occurred, and recover from them

Foreign Corrupt Practices Act (FCPA) and Sarbanes–Oxley Act (SOX)
• FCPA is legislation passed in 1977 to
– Prevent companies from bribing foreign officials to obtain business
– Require all publicly owned corporations to maintain a system of internal accounting controls
• SOX is legislation passed in 2002 that applies to publicly held companies and their auditors, intended to
– Prevent financial statement fraud
– Make financial reports transparent
– Protect investors
– Strengthen internal controls
– Punish executives who perpetrate fraud

Control Frameworks
• COBIT
– Framework for IT control
• COSO
– Framework for enterprise internal controls (control-based
approach)
• COSO-ERM
– Expands COSO framework taking a risk-based approach

COBIT Framework
• Current framework version is COBIT5
• Based on the following principles:
– Meeting stakeholder needs
– Covering the enterprise end-to-end
– Applying a single, integrated framework
– Enabling a holistic approach
– Separating governance from management

COBIT5 Separates Governance from Management

Components of COSO Frameworks
COSO:
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COSO-ERM:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring

Internal Environment
• Management’s philosophy, operating style, and risk
appetite
• Commitment to integrity, ethical values, and competence
• Internal control oversight by Board of Directors
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards

Objective Setting
• Strategic objectives
– High-level goals
• Operations objectives
– Effectiveness and efficiency of operations
• Reporting objectives
– Improve decision making and monitor performance
• Compliance objectives
– Compliance with applicable laws and regulations

Event Identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?

Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
– Probability that the event will occur
• Impact
– Estimate potential loss if event occurs
Types of risk
• Inherent
– Risk that exists before plans are made to control it
• Residual
– Risk that remains after controls have been put in place

Risk Response
• Reduce
– Implement effective internal control
• Accept
– Do nothing; accept the likelihood and impact of the risk
• Share
– Buy insurance, outsource, or hedge
• Avoid
– Do not engage in the activity
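The Risk Assessment and Risk Response slides above can be worked through numerically: expected loss is likelihood multiplied by impact, inherent risk is that figure before a control, and residual risk is the figure after it. The following Python is an added example, not code from the textbook; the cost-benefit decision rule in `recommend`, the risk-appetite threshold, and the payroll figures are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # probability the event occurs in the period, 0..1
    impact: float      # exposure: dollar loss if the event occurs

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_likelihood: float  # likelihood remaining once the control is in place
    residual_impact: float      # impact remaining once the control is in place

def expected_loss(likelihood: float, impact: float) -> float:
    """Expected loss = likelihood x impact, the slide's two risk perspectives."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood must be a probability, got {likelihood}")
    if impact < 0:
        raise ValueError("impact is a loss and cannot be negative")
    return likelihood * impact

def assess(threat: Threat, control: Control) -> dict:
    """Inherent risk: expected loss before the control; residual: after it."""
    inherent = expected_loss(threat.likelihood, threat.impact)
    residual = expected_loss(control.residual_likelihood, control.residual_impact)
    return {"inherent": inherent, "residual": residual,
            "benefit": inherent - residual,  # reduction in expected loss
            "net_benefit": inherent - residual - control.annual_cost}

def recommend(threat: Threat, control: Control, risk_appetite: float) -> str:
    """Map the assessment onto the slide's four responses. Assumed decision
    rule (not from the slide): accept if inherent expected loss is already
    within appetite; reduce if the control pays for itself and brings residual
    risk within appetite; otherwise share or avoid, which needs judgment."""
    a = assess(threat, control)
    if a["inherent"] <= risk_appetite:
        return "accept"
    if a["net_benefit"] > 0 and a["residual"] <= risk_appetite:
        return "reduce"
    return "share or avoid"

# Constructed sample (not real figures): a payroll threat and a candidate control.
PAYROLL_FRAUD = Threat("unauthorized payroll master-file change", 0.10, 250_000)
APPROVAL_WORKFLOW = Control("two-person approval of master-file changes",
                            annual_cost=8_000, residual_likelihood=0.01,
                            residual_impact=250_000)
```

With these figures the inherent expected loss is 25,000, the residual is 2,500, and the control's net benefit is 14,500, so against a 5,000 appetite the recommended response is "reduce".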

Control Activities
• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance

Segregation of Accounting Duties

Segregation of Systems Duties
• Segregation of systems duties divides authority and responsibility between the following systems functions:
– System administration
– Network management
– Security management
– Change management
– Users
– Systems analysts
– Programmers
– Computer operators
– Information system librarian
– Data control
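A practical way to verify the segregation described on this slide is to review access assignments and flag any one person who holds more than one of the ten listed systems functions. This Python check is an added example, not code from the textbook; the access-review records are constructed, and role names outside the slide's list are reported separately rather than silently ignored.

```python
from collections import defaultdict

# The ten systems functions the slide says should be held by different people.
SYSTEMS_FUNCTIONS = {
    "system administration", "network management", "security management",
    "change management", "users", "systems analysts", "programmers",
    "computer operators", "information system librarian", "data control",
}

def functions_by_person(assignments):
    """assignments: iterable of (person, function) pairs, e.g. an access-review export.
    Returns ({person: set of recognised functions}, set of unrecognised role names)."""
    held = defaultdict(set)
    unknown = set()
    for person, function in assignments:
        name = function.strip().lower()
        if name in SYSTEMS_FUNCTIONS:
            held[person].add(name)
        else:
            unknown.add(function)  # needs mapping to a slide function, or is out of scope
    return held, unknown

def sod_violations(assignments):
    """{person: sorted functions} for anyone holding two or more systems functions."""
    held, _ = functions_by_person(assignments)
    return {person: sorted(funcs) for person, funcs in held.items() if len(funcs) > 1}

# Constructed sample access-review export (not real data).
ASSIGNMENTS = [
    ("alice", "Programmers"),
    ("alice", "Computer operators"),    # developer who can also run production jobs
    ("bob", "Security management"),
    ("bob", "System administration"),  # administrator who also owns security policy
    ("carol", "Data control"),
    ("dave", "Information system librarian"),
    ("erin", "Helpdesk"),              # not one of the slide's functions
]
```

The check only detects a single person holding combined duties; it cannot detect collusion between two people, which is why the Monitoring slide pairs segregation with independent checks and supervision.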

Monitoring
• Perform internal control evaluations (e.g., internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal, network
security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline
Key Terms (1 of 3)
• Threat/Event
• Exposure/impact
• Likelihood/risk
• Internal controls
• Preventive controls
• Detective controls
• Corrective controls
• General controls
• Application controls
• Belief system
• Boundary system
• Diagnostic control system
• Interactive control system
• Foreign Corrupt Practices Act (FCPA)
• Sarbanes-Oxley Act (SOX)
• Public Company Accounting Oversight Board (PCAOB)
• Control Objectives for Information and Related Technology (COBIT)
• Committee of Sponsoring Organizations (COSO)
• Internal control-integrated framework (IC)
• Enterprise Risk Management Integrated Framework (ERM)
• Internal environment

Key Terms (2 of 3)
• Risk appetite
• Audit committee
• Policy and procedures manual
• Background check
• Strategic objectives
• Operations objectives
• Reporting objectives
• Compliance objectives
• Event
• Inherent risk
• Residual risk
• Expected loss
• Control activities
• Authorization
• Digital signature
• Specific authorization
• General authorization
• Segregation of accounting duties
• Collusion
• Segregation of systems duties
• Systems administrator
• Network manager
• Security management
• Change management
• Users
• Systems analysts
• Programmers
• Computer operators
• Information system library
Key Terms (3 of 3)
• Data control group
• Steering committee
• Strategic master plan
• Project development plan
• Project milestones
• Data processing schedule
• System performance measurements
• Throughput
• Utilization
• Response time
• Postimplementation review
• Systems integrator
• Analytical review
• Audit trail
• Computer security officer (CSO)
• Chief compliance officer (CCO)
• Forensic investigators
• Computer forensics specialists
• Neural networks
• Fraud hotline
