
CONTROL OF ACCOUNTING INFORMATION SYSTEM
CHAPTER 7
OVERVIEW OF CONTROL CONCEPTS
• Internal Control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
▪ Assets (including data) are safeguarded.
▪ Records are maintained in sufficient detail to accurately and fairly reflect company assets.
▪ Accurate and reliable information is provided.
▪ There is reasonable assurance that financial reports are prepared in accordance with GAAP.
▪ Operational efficiency is promoted and improved.
▪ Adherence to prescribed managerial policies is encouraged.
▪ The organization complies with applicable laws and regulations.
INTERNAL CONTROL FUNCTIONS
• Internal controls perform three important functions:
- Preventive controls
- Detective controls
- Corrective controls

CLASSIFICATION OF CONTROLS
• Internal controls are often classified as:
- General controls
- Application controls
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
• 1997 Foreign Corrupt Practices Act
• All publicly traded corporations subject to the SEC are required to keep records that accurately and fairly represent transactions and assets in reasonable detail.
• The internal control system must assure that:
- Transactions are authorized
- Transactions are recorded in conformity with GAAP and to maintain accountability
- Access to assets is authorized
- Accountability for assets is maintained
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
• The intent of SOX is to:
- Prevent financial statement fraud
- Make financial reports more transparent
- Protect investors
- Strengthen internal controls in publicly-held companies
- Punish executives who perpetrate fraud
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
• Important aspects of SOX include:
- Creation of the Public Company Accounting Oversight Board
(PCAOB) to oversee the auditing profession.
- New rules for auditors
- New rules for audit committees
- New rules for management
- New internal control requirements
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
• After SOX, the SEC further mandated that:
- Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment.
- The report must contain a statement identifying the framework
used.
- Management must disclose any and all material internal
control weaknesses.
- Management cannot conclude that the company has effective
internal control if there are any material weaknesses.
INTERNAL CONTROL FRAMEWORKS
• The COBIT framework
• The COSO internal control framework
• COSO's Enterprise Risk Management framework (ERM)
COBIT FRAMEWORK
• Control Objectives for Information and Related Technology
• Developed by the Information Systems Audit and Control
Foundation (ISACF).
• Allows:
- Management to benchmark security and control practices
- Users to be assured that adequate security and control exists
- Auditors to substantiate their opinions on internal control
CONTROL FRAMEWORKS
• The COBIT framework addresses the issue of control from three vantage points:
- Business objectives
- IT resources
- IT processes
COSO’S INTERNAL CONTROL FRAMEWORK
• COSO's Internal Control Framework
- The Committee of Sponsoring Organizations (COSO) is a private
sector group consisting of:
▪ The American Accounting Association
▪ The AICPA
▪ The Institute of Internal Auditors
▪ The Institute of Management Accountants
▪ The Financial Executives Institute
COSO’S INTERNAL CONTROL FRAMEWORK

• Control environment
• Control activities
• Risk assessment
• Information and communication
• Monitoring
COSO’S ENTERPRISE RISK MANAGEMENT
FRAMEWORK
• Risk management is:
- A process applied in strategy setting to identify potential events
that may affect the entity and manage risk in order to provide
reasonable assurance of the achievement of entity objectives.
• Basic principles behind ERM:
- Companies are formed to create value for owners.
- Management must decide how much uncertainty they will
accept.
- Uncertainty can result in:
• Risk
• Opportunity
INTERNAL ENVIRONMENT
• Assessment of management's philosophy and operating style
- Does management take undue business risks or assess
potential risks and rewards before acting?
- Does management attempt to manipulate performance
measures such as net income?
- Does management pressure employees to achieve results
regardless of methods or do they demand ethical behavior?
INTERNAL ENVIRONMENT
• The Board of Directors should:
- Oversee management
- Scrutinize management's plans, performance, and activities
- Approve company strategy
- Review financial results
- Annually review the company's security policy
- Interact with internal and external auditors
INTERNAL ENVIRONMENT
• The audit committee:
- Oversees the company's internal control structure, its financial reporting process, and its compliance with laws, regulations, and standards.
- Works with the corporation's external and internal auditors.
- Hires, compensates, and oversees the auditors.
INTERNAL ENVIRONMENT
• Important aspects of organizational structure:
- Degree of centralization or decentralization.
- Assignment of responsibility for specific tasks.
- Direct-reporting relationships or matrix structure.
- Organization by industry, product, geographic location, or marketing network.
- How the responsibility allocation affects management's information needs.
- Organization of accounting and IS functions.
- Size and nature of company activities.
INTERNAL ENVIRONMENT
• Authority and responsibility are assigned through:
- Formal job descriptions
- Employee training
- Operating plans, schedules, and budgets
- Codes of conduct
- Written policies and procedures manuals, which cover:
• Proper business practices
• Knowledge and experience needed by key personnel
• Resources provided to carry out duties
• Policies and procedures for handling particular transactions
• The organization's chart of accounts
• Sample copies of forms and documents
INTERNAL ENVIRONMENT
• Human Resources Standards
- Employees are both the company's greatest control strength
and the greatest control weakness.
- Organizations can implement human resource policies and
practices with respect to hiring, training, compensating,
evaluating, counseling, promoting, and discharging employees
that send messages about the level of competence and ethical
behavior required.
- Policies on working conditions, incentives, and career
advancement can powerfully encourage efficiency and loyalty
and reduce the organization's vulnerability.
INTERNAL ENVIRONMENT
• Human resource policies and procedures are important for:
- Hiring
- Compensating
- Training
- Evaluating and promoting
- Discharging
- Managing disgruntled employees
- Vacations and rotation of duties
- Confidentiality agreements and fidelity bond insurance
INTERNAL ENVIRONMENT
• External influences
- FASB
- PCAOB
- SEC
- Insurance commissions
- Regulatory agencies for banks, utilities, etc.
OBJECTIVE SETTING
• For each set of objectives:
- Critical success factors must be defined
- Performance measures should be established to determine whether the objectives are met
OBJECTIVE SETTING
• Objective-setting process proceeds as follows:
- First, set strategic objectives, the high-level goals that support the company's mission and create value for shareholders.
- To meet these objectives, identify alternative ways of accomplishing them.
- For each alternative, identify and assess risks and implications.
- Formulate a corporate strategy.
- Then set operations, compliance, and reporting objectives.
OBJECTIVE SETTING
• Operations objectives:
- Are a product of management preferences, judgments, and style
- Vary significantly among entities
- Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures
- Give clear direction for resource allocation
• Compliance and reporting objectives:
- Many are imposed by external entities
- A company's reputation can be impacted significantly by the quality of its compliance
EVENT IDENTIFICATION
• External factors:
- Economic factors
- Natural environment
- Political factors
- Social factors
- Technological factors
EVENT IDENTIFICATION

• Internal factors:
- Infrastructure
- Personnel
- Process
- Technology
EVENT IDENTIFICATION
• Techniques to identify events:
- Use comprehensive lists of potential events
- Perform an internal analysis
- Monitor leading events and trigger points
- Conduct workshops and interviews
- Perform data mining and analysis
- Analyze processes
RISK ASSESSMENT AND RISK RESPONSE
• Companies should:
- Assess inherent risk
- Develop a response
- Then assess residual risk
• The ERM model indicates four ways to respond to risk:
- Reduce it
- Accept it
- Share it
- Avoid it
CONTROL ACTIVITIES
• Categories:
- Proper authorization of transactions and activities
- Segregation of duties
- Project development and acquisition controls
- Change management controls
- Design and use of documents and records
- Safeguard assets, records, and data
- Independent checks on performance
CONTROL ACTIVITIES
• Segregation of Accounting Duties
- Effective segregation of accounting duties is achieved when the following functions are separated:
▪ Authorization - approving transactions and decisions.
▪ Recording - preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
▪ Custody - handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization's bank account.
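The segregation rule above (and the list of systems functions that follows on a later slide) can be checked mechanically against a role catalogue and the roles each user actually holds. The following is an added example, not code from the chapter or its authors: the role names, users and assignments are constructed sample data, and the example treats any two of the chapter's listed systems functions as incompatible, which is stricter than many organizations apply in practice.

```python
"""Segregation-of-duties (SoD) check over a role catalogue and user assignments.

Added example, not from the slides. Role names, users and their assignments
are constructed sample data; only the function names (authorization,
recording, custody, and the systems-function list) come from the chapter.
"""

# Accounting functions the chapter says must be held by different people.
ACCOUNTING_FUNCTIONS = frozenset({"authorization", "recording", "custody"})

# Systems functions the chapter lists as needing segregation.
SYSTEMS_FUNCTIONS = frozenset({
    "systems_administration", "network_management", "security_management",
    "change_management", "users", "systems_analysis", "programming",
    "computer_operations", "data_control", "information_systems_library",
})

# Constructed role catalogue (hypothetical role names): role -> functions it exercises.
ROLE_FUNCTIONS = {
    "purchasing_manager": {"authorization"},      # approves purchase orders
    "ap_clerk": {"recording"},                    # posts vendor invoices
    "cashier": {"custody"},                       # handles incoming checks
    "treasurer": {"authorization", "custody"},    # approves payments AND signs checks
    "developer": {"programming"},
    "operator": {"computer_operations"},
    "release_manager": {"change_management"},
    "user_admin": {"systems_administration", "security_management"},
}

# Constructed user -> roles assignments.
SAMPLE_ASSIGNMENTS = {
    "alice": {"purchasing_manager"},
    "bob": {"ap_clerk", "cashier"},       # records transactions and holds custody of cash
    "carol": {"treasurer"},               # one role already spans two functions
    "dave": {"developer", "operator"},    # can write code and run it in production
    "erin": {"release_manager"},
}


def held_functions(roles, role_functions, incompatible):
    """Return the subset of `incompatible` functions that `roles` together exercise."""
    held = set()
    for role in roles:
        held |= role_functions.get(role, set()) & incompatible
    return held


def conflicting_roles(role_functions, incompatible):
    """Roles that by themselves combine two or more incompatible functions
    (a design defect in the role catalogue, not in any one user's assignment)."""
    return {role: sorted(funcs & incompatible)
            for role, funcs in role_functions.items()
            if len(funcs & incompatible) >= 2}


def sod_violations(assignments, role_functions, incompatible):
    """Users whose combined roles cover two or more incompatible functions."""
    violations = {}
    for user, roles in assignments.items():
        held = held_functions(roles, role_functions, incompatible)
        if len(held) >= 2:
            violations[user] = sorted(held)
    return violations


def sod_report(assignments=SAMPLE_ASSIGNMENTS, role_functions=ROLE_FUNCTIONS):
    """Run the check for the accounting triad and for the systems functions,
    and list catalogue roles that are conflicting on their own."""
    return {
        "accounting": sod_violations(assignments, role_functions, ACCOUNTING_FUNCTIONS),
        "systems": sod_violations(assignments, role_functions, SYSTEMS_FUNCTIONS),
        "conflicting_roles": {
            **conflicting_roles(role_functions, ACCOUNTING_FUNCTIONS),
            **conflicting_roles(role_functions, SYSTEMS_FUNCTIONS),
        },
    }


if __name__ == "__main__":
    for check, findings in sod_report().items():
        print(check)
        for name, funcs in findings.items():
            print(f"  {name}: {', '.join(funcs)}")
```

Two kinds of finding come out: users whose combination of roles breaks the rule (bob, dave), and roles that break it on their own (treasurer, user_admin), which no assignment review can fix because the catalogue itself has to be split. Running the check on a schedule, and after every role change, turns the segregation principle into a detective control.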
CONTROL ACTIVITIES
• Employee/vendor collusions include:
- Billing at inflated prices
- Performing substandard work and receiving full payment
- Payment for non-performance
- Duplicate billings
- Improperly funneling more work to or purchasing more goods from a
colluding company
• Employee/customer collusions include:
- Unauthorized loans or insurance payments
- Receipt of assets or services at unauthorized discount prices
- Forgiveness of amounts owed
- Unauthorized extension of due dates
CONTROL ACTIVITIES
• Segregation of Duties Within the Systems Function
- Systems administration
- Network management
- Security management
- Change management
- Users
- Systems analysts
- Programming
- Computer operations
- Data control
- Information systems library
CONTROL ACTIVITIES
• Project Development and Acquisition Controls
- Should contain appropriate controls for:
• Management review and approval
• User involvement
• Analysis
• Design
• Testing
• Implementation
• Conversion
CONTROL ACTIVITIES
• Basic principles of control for systems development process:
- Strategic master plan
- Project controls
- Data processing schedule
- Steering committee
- System performance measurements
- Post-implementation review
CONTROL ACTIVITIES
• Change Management Controls
- Change management is the process of making sure that the
changes do not negatively affect:
▪ Systems reliability
▪ Security
▪ Confidentiality
▪ Integrity
▪ Availability
CONTROL ACTIVITIES
• Design and Use of Adequate Documents and Records
- Form and content should be kept as simple as possible to:
▪ Promote efficient record keeping
▪ Minimize recording errors
▪ Facilitate review and verification

- Documents that initiate a transaction should contain a space for authorization.
- Those used to transfer assets should have a space for the receiving party's signature.
CONTROL ACTIVITIES
• Safeguard Assets, Records, and Data
- Maintain accurate records of all assets
▪ Periodically reconcile recorded amounts to physical counts.
▪ Restrict access to assets
▪ Protect records and documents.
CONTROL ACTIVITIES
• Independent checks on performance:
- Top-level reviews
- Analytical reviews
- Reconciliation of independently maintained sets of records
- Comparison of actual quantities with recorded amounts
- Double-entry accounting
- Independent review
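Two of the checks listed above, reconciling independently maintained sets of records and comparing actual quantities with recorded amounts, are shown together in the following added example (not code from the chapter or its authors). The SKUs, quantities, unit costs and customer balances are constructed sample data, and the dollar tolerance for follow-up is an assumption.

```python
"""Reconciliation of perpetual inventory records against a physical count,
plus a subsidiary-ledger-to-control-account check.

Added example, not from the slides. All data values are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Discrepancy:
    item: str
    recorded: int       # quantity per the perpetual inventory records
    counted: int        # quantity per the physical count
    variance: int       # counted - recorded
    value: Decimal      # variance * unit cost (negative = unexplained shrinkage)


# Constructed perpetual inventory balances (recorded amounts).
RECORDED = {"SKU-100": 120, "SKU-200": 40, "SKU-300": 0, "SKU-400": 15}
# Constructed physical count sheet (actual quantities), maintained independently.
COUNTED = {"SKU-100": 118, "SKU-200": 40, "SKU-400": 15, "SKU-500": 3}
# Constructed unit costs used to value each variance.
UNIT_COST = {
    "SKU-100": Decimal("25.00"), "SKU-200": Decimal("4.50"),
    "SKU-300": Decimal("80.00"), "SKU-400": Decimal("12.00"),
    "SKU-500": Decimal("9.99"),
}
# Assumed follow-up threshold: variances valued above this go on the exception report.
FOLLOW_UP_TOLERANCE = Decimal("40.00")

# Constructed accounts-receivable subsidiary ledger and its control account balance.
AR_SUBSIDIARY = {"CUST-1": Decimal("100.00"), "CUST-2": Decimal("250.50")}
AR_CONTROL = Decimal("350.50")


def reconcile(recorded, counted, unit_cost):
    """Compare the two record sets item by item.

    An item missing from one side is treated as zero on that side, so both an
    uncounted recorded item and an unrecorded counted item surface as findings.
    """
    findings = []
    for item in sorted(set(recorded) | set(counted)):
        rec = recorded.get(item, 0)
        cnt = counted.get(item, 0)
        if rec != cnt:
            variance = cnt - rec
            value = variance * unit_cost.get(item, Decimal("0"))
            findings.append(Discrepancy(item, rec, cnt, variance, value))
    return findings


def exceptions_over(findings, tolerance):
    """Discrepancies whose absolute dollar value exceeds the follow-up tolerance."""
    return [f for f in findings if abs(f.value) > tolerance]


def control_total_matches(subsidiary_balances, control_balance):
    """The subsidiary ledger must sum exactly to the control account balance."""
    return sum(subsidiary_balances.values(), Decimal("0")) == control_balance


def inventory_report(recorded=RECORDED, counted=COUNTED, unit_cost=UNIT_COST,
                     tolerance=FOLLOW_UP_TOLERANCE):
    """All discrepancies plus the subset that needs investigation."""
    findings = reconcile(recorded, counted, unit_cost)
    return {"all": findings, "follow_up": exceptions_over(findings, tolerance)}


if __name__ == "__main__":
    report = inventory_report()
    for f in report["all"]:
        print(f"{f.item}: recorded {f.recorded}, counted {f.counted}, "
              f"variance {f.variance:+d} ({f.value:+})")
    print("needs follow-up:", [f.item for f in report["follow_up"]])
    print("AR subsidiary agrees to control:",
          control_total_matches(AR_SUBSIDIARY, AR_CONTROL))
```

The point of keeping the count sheet separate from the perpetual records is that the person who maintains the ledger cannot make the two agree by editing one of them; the reconciliation only works as a control when the inputs are produced independently and the exceptions are reviewed by someone other than the record keeper.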
INFORMATION AND COMMUNICATION
• According to the AICPA, an AIS has five primary objectives:
- Identify and record all valid transactions.
- Properly classify transactions.
- Record transactions at their proper monetary value.
- Record transactions in the proper accounting period.
- Properly present transactions and related disclosures in the
financial statements.
MONITORING
• Key methods of monitoring performance include:
- Perform ERM evaluation
- Implement effective supervision
- Use responsibility accounting
- Monitor system activities
- Track purchased software
- Conduct periodic audits
- Employ a computer security officer and security consultants
- Engage forensic specialists
- Install fraud detection software
- Implement a fraud hotline
MONITORING
• Internal auditing involves:
- Reviewing the reliability and integrity of financial and operating
information.
- Providing an appraisal of internal control effectiveness.
- Assessing employee compliance with management policies and
procedures and applicable laws and regulations.
- Evaluating the efficiency and effectiveness of management.
MONITORING
• Internal audits can detect:
- Excess overtime
- Under-used assets
- Obsolete inventory
- Padded expense reimbursements
- Excessively loose budgets and quotas
- Poorly justified capital expenditures
- Production bottlenecks
ERM VS. INTERNAL CONTROL FRAMEWORK
• The internal control framework has been widely adopted as the principal way to evaluate internal controls, but it has:
- Too narrow a focus
- An inherent bias toward past problems and concerns
• The ERM framework:
- Is oriented toward the future and constant change
- Takes a risk-based approach
- Incorporates the internal control framework plus three additional elements:
▪ Setting objectives.
▪ Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.
▪ Developing a response to assessed risk.
REPORTERS:

• OPAO, ROBERT
• NARVASA, JANEL
• QUISTO, MICHAELLA
• SOCUACO, ETHEL MAE
