
Report on Control and Accounting Information Systems

AIS 4203
Accounting & Information Systems

Submitted To
Md. Asiqur Rahman
Assistant Professor
Dept. of Accounting and Information Systems
University of Barishal

Submitted by
Abdul Ahad
17 AIS 004
Dept. of Accounting and Information Systems
University of Barishal

Date of Submission: 05/05/2021

Table of Contents

Sl No   Topic's Name                                            Page No
01      Introduction                                            3
02      Internal Control                                        3
03      The Foreign Corrupt Practices and Sarbanes-Oxley Acts   5
04      COBIT Framework                                         6-7
05      COSO's Internal Control Framework                       8
06      COSO's Enterprise Risk Management Framework             9-13

Introduction
Society relies increasingly on accounting information systems, and those systems have become
increasingly complex to meet the growing demand for information. As system complexity and dependence
on systems grow, companies face a greater risk of those systems being compromised. In most years, more
than 60% of organizations experience a major failure in controlling the security and integrity of their
computer systems. Reasons for these failures include the following:

 Information is available to an unprecedented number of workers.
 Information on distributed computer networks is hard to control.
 Customers and suppliers have access to each other's systems and data.

Organizations have not adequately protected data for several reasons:

 Some companies view the loss of crucial information as a distant, unlikely threat.
 The control implications of moving from centralized computer systems to Internet-based systems
are not fully understood.
 Many companies do not realize that information is a strategic resource and that protecting it must
be a strategic requirement.
 Productivity and cost pressures motivate management to forgo time-consuming control measures.

Internal Control
Internal control is the process implemented by the board of directors, management, and those under their
direction to provide reasonable assurance that the following control objectives are achieved:

 Safeguard assets—prevent or detect their unauthorized acquisition, use, or disposition.
 Maintain records in sufficient detail to report company assets accurately and fairly.
 Provide accurate and reliable information.
 Prepare financial reports in accordance with established criteria.
 Promote and improve operational efficiency.
 Encourage adherence to prescribed managerial policies.
 Comply with applicable laws and regulations.

Internal control is a process that permeates an organization's activities and provides reasonable, rather
than absolute, assurance. Internal control systems are susceptible to errors, poor decisions, and
management override, and internal control objectives are often at odds with each other; e.g., controls to
safeguard assets may also reduce operational efficiency.
Internal controls perform three important functions:
1. Preventive controls deter problems before they arise.
2. Detective controls discover problems that are not prevented.
3. Corrective controls identify and correct problems, and correct and recover from the resulting
errors.

Internal controls are often segregated into two categories:

1. General controls make sure an organization’s control environment is stable and well managed.
2. Application controls prevent, detect, and correct transaction errors and fraud in application
programs.

Robert Simons, a Harvard business professor, has espoused four levers of control to help management
reconcile the conflict between creativity and controls.
1. Belief system - System that describes how a company creates value, helps employees understand
management’s vision, communicates company core values, and inspires employees to live by
those values.
2. Boundary system - System that helps employees act ethically by setting boundaries on employee
behavior.
3. Diagnostic control system - System that measures, monitors, and compares actual company
progress to budgets and performance goals.
4. Interactive control system - System that helps managers to focus subordinates’ attention on key
strategic issues and to be more involved in their decisions.

The Foreign Corrupt Practices and Sarbanes - Oxley Acts
The Foreign Corrupt Practices Act (FCPA) was passed in 1977 to prevent companies from bribing foreign
officials to obtain business; it also requires all publicly owned corporations to maintain a system of
internal accounting controls. In the late 1990s and early 2000s, a series of multi-million-dollar
accounting frauds at Enron, WorldCom, Xerox, Tyco, Global Crossing, Adelphia, and other companies made
headlines. Congress responded by passing the Sarbanes-Oxley Act of 2002 (SOX). SOX applies to publicly
held companies and their auditors and was designed to prevent financial statement fraud, make financial
reports more transparent, protect investors, strengthen internal controls, and punish executives who
perpetrate fraud.
Important aspects of SOX include:
1. Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the
auditing profession.
2. New rules for auditors, audit committees, and management.
3. New roles for audit committees.
4. New internal control requirements, including the Section 404 requirement that companies issue a
report accompanying the financial statements stating management's responsibility for
establishing and maintaining an adequate internal control system.

The SEC mandated that management must:

1. Base its evaluation on a recognized control framework. The most likely framework is the one
formulated by the Committee of Sponsoring Organizations (COSO).
2. Disclose all material internal control weaknesses.
3. Conclude that the company does not have effective internal controls over financial reporting if
there are material weaknesses.

COBIT Framework
COBIT (Control Objectives for Information and Related Technology) is a security and control framework
that allows (1) management to benchmark the security and control practices of IT environments, (2) users
of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate
their internal control opinions and advise on IT security and control matters.
COBIT 5 is based on the following five key principles of IT governance and management. These
principles help organizations build an effective governance and management framework that protects
stakeholders’ investments and produces the best possible information system.
1. The first principle is meeting stakeholders' needs. This principle is about identifying the key
stakeholders and their needs, and how value is created for the enterprise by addressing those needs
through the cascading of goals.
2. The second principle is covering the enterprise end-to-end. This principle is about covering all the
functions and processes wherever information is processed in the enterprise.
3. The third principle is applying a single integrated framework. This principle is about having a
single and integrated framework that consists of the various established frameworks and
standards required for the governance and management of enterprise IT.
4. The fourth principle is enabling a holistic approach. This principle is about using a set of enablers
for an all-inclusive or holistic approach to support the governance and management of enterprise
IT.
5. The fifth principle is separating governance from management. This principle is about
differentiating between the governance and management roles, activities and responsibilities.

The figure above is the COBIT 5 process reference model. The model identifies the five governance
processes (referred to as evaluate, direct and monitor, or EDM) and 32 management processes. The 32
management processes are broken down into the following four domains:
1. Align, plan, and organize (APO) - 13 processes
2. Build, acquire, and implement (BAI) - 10 processes
3. Deliver, service, and support (DSS) - 6 processes
4. Monitor, evaluate, and assess (MEA) - 3 processes

COSO’s Internal Control Framework
Committee of Sponsoring Organizations (COSO) is a private sector group consisting of the American
Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management
Accountants, and the Financial Executives Institute. In 1992, COSO issued Internal Control - Integrated
Framework (IC), a framework that defines internal control and provides guidance for evaluating and
enhancing internal control systems; the framework was updated in 2013. The five components of the updated
IC framework (control environment, risk assessment, control activities, information and communication,
and monitoring activities) and its 17 principles are summarized in the table below.

COSO's Enterprise Risk Management Framework
To improve the risk management process, COSO developed a second control framework called Enterprise
Risk Management - Integrated Framework (ERM). ERM improves the risk management process by expanding
COSO's Internal Control - Integrated Framework with three additional components: objective setting,
event identification, and risk response.
The basic principles behind ERM are as follows:
 Companies are formed to create value for their owners.
 Management must decide how much uncertainty it will accept as it creates value.
 Uncertainty results in risk, which is the possibility that something negatively affects the
company’s ability to create or preserve value.
 Uncertainty results in opportunity, which is the possibility that something positively affects the
company’s ability to create or preserve value.
 The ERM framework can manage uncertainty as well as create and preserve value.

The Enterprise Risk Management Framework versus the Internal Control Framework
The Enterprise Risk Management – Integrated Framework is a broader framework that incorporates the
internal control framework within it. In other words, one approach to risk is to develop controls to
mitigate the risks. The frameworks are compatible and are based on the same conceptual foundation.

Internal Environment
The internal environment is the company culture and the foundation for all other ERM components. It
influences how organizations establish strategies and objectives; structure business activities; and
identify, assess, and respond to risk.
An internal environment consists of the following:
1. Risk Management Philosophy: This is the set of shared attitudes and beliefs that characterize how
the enterprise considers risk in everything it does. It is more than the kind of message published in
a code of conduct; it is the attitude that guides managers and others at all levels when they respond
to a high-risk proposal. Different enterprises may respond to similar situations differently based on
their business philosophy, but each should develop a consistent philosophy and attitude toward
accepting risky ventures.

2. Risk Appetite: A concept unfamiliar to many managers, risk appetite is the amount of risk an
enterprise is willing to accept in pursuit of its objectives. It can be expressed in quantitative or
qualitative terms, but all levels of management should have a general understanding of the concept
and of the enterprise's overall risk appetite. The term itself is often not used, but it represents
an overall philosophy.
3. Board of Directors’ Attitudes: The board of directors has a very important role in overseeing
and guiding an enterprise’s risk environment. The independent, outside directors in particular
should closely review management actions, ask appropriate questions, and serve as a check and
balance control for the enterprise.
4. Integrity and Ethical Values: This important ERM internal environment element requires much
more than a published code of conduct and includes strong integrity and standards of behavior for
members of the enterprise. There should be a strong corporate culture here that guides the
enterprise at all levels in helping to make risk-based decisions.
5. Commitment to Competence: Competence refers to the knowledge and skills necessary to
perform assigned tasks. Management decides how these critical assigned tasks will be
accomplished through developing appropriate strategies and assigning the proper people to
perform these often-strategic tasks.
6. Organizational Structure: While every enterprise will develop an enterprise structure that meets
its current needs and often satisfies its heritage, that same enterprise structure should have clear
lines of authority and responsibility along with appropriate lines of reporting. A poorly
constructed enterprise structure makes it difficult to plan, execute, control, and monitor activities.
7. Assignment of Authority and Responsibility: The assignment of authority refers to the extent or
degree to which authority and responsibility are assigned or delegated in an enterprise. The trend in
many enterprises today is to push matters such as levels of approval authority down the enterprise
structure, giving front-line employees greater authorization and approval authority.
8. Human Resource Standards: An enterprise's practices regarding employee hiring, training,
compensating, promoting, disciplining, and all other actions send messages to all members of the
enterprise regarding what is favored, tolerated, or forbidden. When management winks at or ignores
some "gray area" activities rather than taking a strong stand, that message is often quickly
communicated to others throughout the enterprise. A strong set of standards is needed that is both
communicated to all stakeholders and enforced.

Objective Setting
Objective setting is the second ERM component. Management determines what the company hopes to
achieve, often referred to as the corporate vision or mission. Management sets objectives at the corporate
level and then subdivides them into more specific objectives for company subunits. The company
determines what must go right to achieve the objectives and establishes performance measures to
determine whether they are met.
Different types of objectives are
1. Strategic objectives
2. Operations objectives
3. Reporting objectives
4. Compliance objectives

Event Identification
COSO defines an event as “an incident or occurrence emanating from internal or external sources that
affects implementation of strategy or achievement of objectives. Events may have positive or negative
impacts or both.” An event represents uncertainty; it may or may not occur. If it does occur, it is hard to
know when. Management must try to anticipate all possible positive or negative events, determine which
are most and least likely to occur, and understand the interrelationship of events.

Risk Assessment and Risk Response

The risks of an identified event are assessed in several different ways: likelihood, positive and negative
impacts, individually and by category, their effect on other organizational units, and on an inherent and a
residual basis. Inherent risk is the susceptibility of a set of accounts or transactions to significant control
problems in the absence of internal control. Residual risk is the risk that remains after management
implements internal controls or some other response to risk. Companies should assess inherent risk,
develop a response, and then assess residual risk.
Management can respond to risk in one of four ways:
 Reduce. Reduce the likelihood and impact of risk by implementing an effective system of internal
controls.
 Accept. Accept the likelihood and impact of the risk.
 Share. Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or
entering into hedging transactions.
 Avoid. Avoid risk by not engaging in the activity that produces the risk. This may require the
company to sell a division, exit a product line, or not expand as anticipated.

Risk Assessment Approach to Designing Internal Controls
Control Activities
Control activities are policies, procedures, and rules that provide reasonable assurance that control
objectives are met and risk responses are carried out. It is management’s responsibility to develop a
secure and adequately controlled system. Management must make sure that:
1. Controls are selected and developed to help reduce risks to an acceptable level.
2. Appropriate general controls are selected and developed over technology.
3. Control activities are implemented and followed as specified in company policies and procedures.
Control procedures fall into the following categories:
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Project development and acquisition controls
4. Change management controls
5. Design and use of documents and records
6. Safeguarding assets, records, and data
7. Independent checks on performance
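As an added illustration (written for this report; it is not code from COSO, COBIT or any real accounting system), the following Python shows how two of these control procedures, proper authorization of transactions and segregation of duties, can be enforced as a preventive control inside an accounting application, and how an independent check over already-posted records acts as a detective control that catches what the preventive control missed (for example, because it was overridden). The roles, approval limits and the transaction log are constructed assumptions.

```python
"""Preventive and detective controls for a purchase-order approval workflow.

Illustrative example written for this report. The roles, approval limits and
the sample transaction log are constructed assumptions, not real data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed assumption: approval authority by role (proper authorization of
# transactions). An order above a role's limit must go to a higher role.
APPROVAL_LIMITS = {"clerk": 0, "manager": 10_000, "director": 100_000}


class ControlViolation(Exception):
    """Raised when a preventive control blocks a transaction."""


@dataclass
class PurchaseOrder:
    po_id: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None
    status: str = "pending"


def approve(po: PurchaseOrder, approver: str, roles: dict) -> PurchaseOrder:
    """Preventive control: authorization plus segregation of duties.

    The person who initiated a transaction may not also approve it, and the
    approver's role must carry enough authority for the amount.
    """
    if approver == po.initiated_by:
        raise ControlViolation(f"{po.po_id}: initiator and approver must differ")
    role = roles.get(approver)
    if role is None:
        raise ControlViolation(f"{po.po_id}: unknown approver {approver!r}")
    if po.amount > APPROVAL_LIMITS[role]:
        raise ControlViolation(f"{po.po_id}: a {role} may not approve {po.amount:,.2f}")
    po.approved_by = approver
    po.status = "approved"
    return po


def independent_check(log: list, roles: dict) -> list:
    """Detective control: independent review of posted records.

    Returns the IDs of approved orders that violate segregation of duties or
    the approval limits, i.e. problems the preventive control did not stop.
    """
    findings = []
    for rec in log:
        if rec["status"] != "approved":
            continue
        approver = rec["approved_by"]
        limit = APPROVAL_LIMITS.get(roles.get(approver, ""), 0)
        if approver == rec["initiated_by"] or rec["amount"] > limit:
            findings.append(rec["po_id"])
    return findings


# Constructed sample data: who holds which role, and a posted transaction log
# in which PO-2 was self-approved and PO-3 exceeds the manager's limit.
ROLES = {"alice": "clerk", "bob": "manager", "carol": "director"}
SAMPLE_LOG = [
    {"po_id": "PO-1", "amount": 2_500.0, "initiated_by": "alice", "approved_by": "bob", "status": "approved"},
    {"po_id": "PO-2", "amount": 4_000.0, "initiated_by": "bob", "approved_by": "bob", "status": "approved"},
    {"po_id": "PO-3", "amount": 50_000.0, "initiated_by": "alice", "approved_by": "bob", "status": "approved"},
    {"po_id": "PO-4", "amount": 50_000.0, "initiated_by": "alice", "approved_by": "carol", "status": "approved"},
]


def demo() -> tuple:
    """Run the preventive control on new orders, then the detective control on the log.

    Returns (IDs blocked by the preventive control, IDs flagged by the review).
    """
    blocked = []
    attempts = [
        (PurchaseOrder("PO-5", 900.0, "alice"), "alice"),    # self-approval: blocked
        (PurchaseOrder("PO-6", 900.0, "alice"), "bob"),      # within limit: allowed
        (PurchaseOrder("PO-7", 20_000.0, "alice"), "bob"),   # over manager limit: blocked
    ]
    for po, approver in attempts:
        try:
            approve(po, approver, ROLES)
        except ControlViolation:
            blocked.append(po.po_id)
    return blocked, independent_check(SAMPLE_LOG, ROLES)


if __name__ == "__main__":
    print(demo())  # (['PO-5', 'PO-7'], ['PO-2', 'PO-3'])
```

The two functions map onto the functions of internal control described earlier: `approve` deters the problem before it arises, while `independent_check` discovers problems that slipped past it. In practice the approval limits and role assignments would come from the system's access-control configuration rather than a constant, and the review would run against the posted ledger on a schedule.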

Information and Communication
Information and communication systems should capture and exchange the information needed to conduct,
manage, and control the organization’s operations. The primary purpose of an accounting information
system (AIS) is to gather, record, process, store, summarize, and communicate information about an
organization. This includes understanding how transactions are initiated, data are captured, files are
accessed and updated, data are processed, and information is reported.

Monitoring
The internal control system that is selected or developed must be continuously monitored, evaluated,
and modified as needed. Any deficiencies must be reported to senior management and
the board of directors.
