Internal Control


Accounting Information Systems: Essential Concepts and Applications
Fourth Edition by Wilkinson, Cerullo, Raval, and Wong-On-Wing

Chapter 7: Risk Exposures and the Internal Control
Slides Authored by Somnath Bhattacharya, Ph.D., Florida Atlantic University

Internal Control
Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm's objectives will be achieved
These controls encompass all the measures and practices that are used to counteract exposures to risks
The control framework is called the Internal Control Structure

Objectives of the Internal Control Structure
Promoting Effectiveness and Efficiency of
Reliability of Financial Reporting
Safeguarding assets
Checking the accuracy and reliability of accounting data
Compliance with applicable laws and regulations
Encouraging adherence to prescribed managerial policies

Components and Major Considerations of the IC Structure
Figure 7-1 (diagram of the Internal Control structure: activities related to Financial Reporting and activities related to Information Processing)
Control Environment
The Control Environment establishes the tone of a company, influencing the control consciousness of its employees
It is comprised of seven components:
Management philosophy and operating style
Integrity and ethical values
Commitment to competence
The Board of Directors and the Audit Committee
Organizational Structure
Assignment of authority and responsibility
Human resources policies and practices
External Influences

Highlights of CE Components - I
Management Philosophy and Operating
Does management emphasize short-term profits and operating goals over long-term
Is management dominated by one or a few
What type of business risks does management take and how are these risks managed?
Is management conservative or aggressive toward selecting from available alternative accounting principles?

Figure 7-2

Highlights of CE Components - II
Organization Structure
Is an up-to-date organization chart prepared, showing the names of key personnel?
Is the information systems function separated from incompatible functions?
How is the accounting department
Is the internal audit function separate and distinct from accounting?
Do subordinate managers report to more than one supervisor?

Figure 7-2 Continued

Highlights of CE Components - III
Assignment of Authority and
Does the company prepare written employee job descriptions defining specific duties and reporting relationships?
Is written approval required for changes made to information systems?
Does the company clearly delineate to employees and managers the boundaries of authority-responsibility relationships?
Does the company properly delegate authority to employees and departments?

Figure 7-2 Continued

Highlights of CE Components - IV
Human Resource Policies and Practices
Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and Corporate Code of Conduct?
Is the company in compliance with the ADA? The
Are Grievance Procedures to manage conflict in force?
Does the company maintain a sound Employee Relations program?
Do employees work in a safe, healthy environment?
Are Counseling Programs available to employees?
Are proper Separation Programs in force for employees who leave the firm?
Are critical employees Bonded?

Figure 7-2 Continued

Key Functions Performed by Audit Committees
Establish an Internal Audit Department
Review the Scope and Status of Audits
Review Audit Findings with the Board and ensure that Management has taken proper action recommended in the Audit Report and Letter of Reportable Conditions
Maintain a direct Line of Communication among the Board, Management, External and Internal Auditors, and periodically arrange Meetings among the parties

Figure 7-3

Key Functions Performed by Audit Committees
Review the Audited Financial Statements with the Internal Auditors and the Board of Directors
Require periodic Quality Reviews of the operations of the Internal Audit Departments to identify areas needing
Supervise special investigations, such as Fraud Investigations
Assess the performance of Financial
Require the Review of Compliance with Laws and Regulations and with Corporate Codes of Conduct

Figure 7-3

Risk Assessment
Top management must be directly involved in Business Risk Assessment.
This involves the Identification and Analysis of Relevant Risks that may prevent the attainment of Company-wide Objectives and Objectives of Organizational Units and the formation of a plan to determine how to manage the
Control Activities - I
Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:
Preventive Controls block adverse events, such as errors or losses, from occurring
Detective Controls discover the occurrence of adverse events such as operational inefficiency
Corrective controls are designed to remedy problems discovered through detective controls
Security Measures are intended to provide adequate safeguards over access to and use of assets and data

Control Activities - II
Control Activities relating to Information Processing may also be classified according to where they will be applied within the system:
General controls are those controls that pertain to all activities involving a firm's AIS and assets
Application controls relate to specific accounting tasks or transactions
The overall trend seems to be going from specific application controls to more global general controls

Control Activities - III
Performance Reviews
Comparing Budgets to Actual Values
Relating Different Sets of Data (Operating or Financial) to one another, together with Analyses of the relationships and Investigative and Corrective Actions
Reviewing Functional Performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections

Information & Communication
All Transactions entered for processing are Valid and
All valid transactions are captured and entered for processing on a Timely Basis and in Sufficient Detail to permit the proper Classification of Transactions
The input data of all entered transactions are Accurate and Complete, with the transactions being expressed in proper Monetary terms
All entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data sets
All required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable
All transactions are recorded in the proper Accounting Period
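An added example (not the textbook's code) of detective edit checks tied to the objectives above: validity (an approval is recorded), completeness (no gap in the transaction sequence), accuracy (a positive monetary amount and a known account code) and the proper accounting period. The transaction batch, the account list and the period are constructed for illustration.

```python
from datetime import date

# Constructed batch of entered transactions (not real data); seq 1003 is missing
TRANSACTIONS = [
    {"seq": 1001, "date": date(2024, 3, 28), "amount": 250.00, "account": "4000", "approved_by": "mgr1"},
    {"seq": 1002, "date": date(2024, 3, 29), "amount": -40.00, "account": "4000", "approved_by": "mgr1"},
    {"seq": 1004, "date": date(2024, 4, 2), "amount": 90.00, "account": "", "approved_by": ""},
]
VALID_ACCOUNTS = {"4000", "5000"}               # constructed chart-of-accounts subset
PERIOD = (date(2024, 3, 1), date(2024, 3, 31))  # accounting period being closed


def edit_checks(txns, valid_accounts, period):
    """Return (seq, objective, message) exceptions for later review and correction."""
    exceptions = []
    expected_seq = txns[0]["seq"] if txns else None
    for t in txns:
        seq = t["seq"]
        # Completeness: a gap in the numbered sequence means a captured
        # transaction was never entered for processing
        if seq != expected_seq:
            exceptions.append((seq, "complete", f"sequence gap before {seq}"))
        expected_seq = seq + 1
        # Validity: every transaction must carry an approval
        if not t["approved_by"]:
            exceptions.append((seq, "valid", "no approval recorded"))
        # Accuracy: proper monetary terms and a classifiable account code
        if t["amount"] <= 0:
            exceptions.append((seq, "accurate", "amount is not a positive monetary value"))
        if t["account"] not in valid_accounts:
            exceptions.append((seq, "accurate", "unknown account code"))
        # Proper accounting period: the transaction date must fall inside it
        if not (period[0] <= t["date"] <= period[1]):
            exceptions.append((seq, "period", f"{t['date']} is outside the period"))
    return exceptions


if __name__ == "__main__":
    for seq, objective, message in edit_checks(TRANSACTIONS, VALID_ACCOUNTS, PERIOD):
        print(f"txn {seq} [{objective}]: {message}")
```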

Business firms face risks that reduce the
chances of achieving their control objectives.
Risk exposures arise from internal sources,
such as employees, as well as external
sources, such as computer hackers.
Risk assessment consists of identifying
relevant risks, analyzing the extent of
exposure to those risks, and managing risks
by proposing effective control procedures.

Some Typical Sources of Risk - I
Clerical and Operational Employees, who process transactional data and have access to Assets
Computer Programmers, who have knowledge relating to the Instructions by which transactions are processed
Managers and Accountants, who have access to Records and Financial Reports and often have Authority to Approve Transactions

Figure 7-4

Some Typical Sources of Risk - II
Former Employees, who may still understand the Control Structure and may harbor grudges against the firm
Customers and Suppliers, who generate many of the transactions processed by the firm
Competitors, who may desire to acquire confidential information of the firm
Outside Persons, such as Computer Hackers and Criminals, who have various reasons to access the firm's data or its assets or to commit destructive
Acts of Nature or Accidents, such as floods, fires, and equipment breakdowns

Figure 7-4 Continued

Types of Risks

Unintentional errors
Deliberate Errors (Fraud)
Unintentional Losses of Assets
Thefts of assets
Breaches of Security
Acts of Violence and Natural

Factors that Increase Risk Exposure
Frequency - the more frequent an occurrence of a transaction, the greater the exposure to risk
Vulnerability - liquid and/or portable assets contribute to risk exposure
Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure

Problem Conditions Affecting Risk Exposures
Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures
Lack of Enforcement: Management may not prosecute wrongdoers because of the potential embarrassment
Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect

Computer Crime
Computer crime (computer abuse) is the use of a computer to deceive for personal
Due to the proliferation of networks and personal computers, computer crime is expected to significantly increase both in frequency and amount of loss.
It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.

Examples of Computer
Theft of Computer Hardware &
Unauthorized Use of Computer Facilities for Personal Use
Fraudulent Modification or Use of Data or Programs

Reasons Why Computers Cause Control Problems
Processing is Concentrated
Audit Trails may be Undermined
Human Judgment is bypassed
Data are stored in Device-Oriented rather than Human-Oriented forms
Invisible Data
Stored data are Erasable
Data are stored in a Compressed form
Stored data are relatively accessible
Computer Equipment is Powerful but Complex and Vulnerable

Feasibility of Controls
Audit Considerations
Cost-Benefit Considerations
Determine Specific Computer Resources Subject to Control
Determine all Potential Threats to the company's Computer
Assess the Relevant Risks to which the firm is exposed
Measure the Extent of each Relevant Risk exposure in dollar
Multiply the Estimated Effect of each Relevant Risk Exposure by the Estimated Frequency of Occurrence over a Reasonable Period, such as a year
Compute the Cost of Installing and Maintaining a Control that is to Counter each Relevant Risk Exposure
Compare the Benefits against the Costs of Each Control
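The cost-benefit steps above carried through as an added worked example (not from the textbook): annual exposure is the estimated dollar effect of one occurrence times its estimated yearly frequency, and a control is worth installing only when the exposure it removes exceeds its yearly cost of installation and maintenance. The resources, threats, dollar figures and reduction fractions are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class RiskExposure:
    """One relevant risk to a specific computer resource (steps 1-4 above)."""
    resource: str
    threat: str
    loss_per_event: float   # estimated dollar effect of one occurrence
    events_per_year: float  # estimated frequency over a one-year period

    def annual_exposure(self) -> float:
        # Step 5: estimated effect multiplied by estimated frequency over the period
        return self.loss_per_event * self.events_per_year


@dataclass
class Control:
    """A candidate control intended to counter one exposure (step 6)."""
    name: str
    exposure: RiskExposure
    annual_cost: float  # cost of installing and maintaining the control per year
    reduction: float    # fraction of the exposure the control is expected to remove (0..1)

    def annual_benefit(self) -> float:
        return self.exposure.annual_exposure() * self.reduction

    def net_benefit(self) -> float:
        # Step 7: benefit minus cost; positive means the control pays for itself
        return self.annual_benefit() - self.annual_cost


def screen_controls(controls):
    """Rank candidate controls by net benefit and flag those worth installing."""
    ranked = sorted(controls, key=lambda c: c.net_benefit(), reverse=True)
    return [(c.name, round(c.annual_benefit(), 2), c.annual_cost, c.net_benefit() > 0)
            for c in ranked]


# Constructed figures (not from the textbook) for two exposures and two controls
PAYROLL_FRAUD = RiskExposure("payroll master file", "fraudulent modification", 25_000, 0.4)
HARDWARE_FAILURE = RiskExposure("accounting server", "equipment breakdown", 50_000, 0.1)
CANDIDATES = [
    Control("access restrictions and change authorization", PAYROLL_FRAUD, 6_000, 0.8),
    Control("hot-standby server", HARDWARE_FAILURE, 12_000, 0.9),
]

if __name__ == "__main__":
    for name, benefit, cost, feasible in screen_controls(CANDIDATES):
        print(f"{name}: benefit {benefit:.2f}, cost {cost:.2f}, {'install' if feasible else 'reject'}")
```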

The Foreign Corrupt Practices Act of 1977
Of the Federal Legislation governing the use of computers, The Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important
This act makes it a federal crime to intentionally access a computer for such purposes as: (1) obtaining top-secret military information, personal, financial or credit information; (2) committing a fraud; (3) altering or destroying federal information

Methods for Thwarting Computer Abuse
Enlist top-management support so that awareness of computer abuse will filter down through management ranks.
Implement and enforce control procedures.
Increase employee awareness of the seriousness of computer abuse, the amount of costs, and the disruption it creates.
Establish a code of conduct.
Be aware of the common characteristics of most computer abusers.

Methods for Thwarting Computer Abuse
Recognize the symptoms of computer abuse, such as:
behavioral or lifestyle changes in an employee
accounting irregularities such as forged, altered or destroyed input documents or suspicious accounting adjustments
absent or ignored control procedures
the presence of many odd or unusual anomalies that go unchallenged
Encourage ethical behavior

Control Problems Caused by Computerization: Data Collection

Manual System: Data recorded in paper source
Computer-based System: Data sometimes captured without use of source
Risk Exposures: Audit trail may be partially lost
Controls: Printed copies of source documents prepared by computer systems

Manual System: Data reviewed for errors by clerks
Computer-based System: Data often not subject to review by clerks
Risk Exposures: Errors, accidental or deliberate, may be entered for
Controls: Edit checks performed by computer system

Figure 7-6

Control Problems Caused by Computerization: Data Processing

Manual System: Processing steps among various clerks in separate departments
Computer-based System: Processing steps concentrated within computer CPU
Risk Exposures: Manipulation of data and theft of assets can occur on larger scale
Controls: Restricted access to computer facilities; clear procedure for authorizing changes to

Manual System: Processing steps performed by clerks who possess judgment
Computer-based System: Processing steps performed by CPU blindly in accordance with program
Risk Exposures: Errors may cause incorrect results of
Controls: Outputs reviewed by users of computer system; carefully developed computer processing programs

Manual System: Processing requires use of journals and ledgers
Computer-based System: Processing does not require use of journals
Risk Exposures: Audit trail may be partially lost
Controls: Printed journals and other analyses

Manual System: Processing performed relatively slowly
Computer-based System: Processing performed very rapidly
Risk Exposures: Effects of errors may spread rapidly through
Controls: Editing of all data during input and processing steps

Figure 7-6 Continued

Control Problems Caused by Computerization: Data Storage & Retrieval

Manual System: Data stored on hard copies in human-readable
Computer-based System: Data compressed on magnetic media (e.g., tapes, disks)
Risk Exposures: Data are unusable by humans, and might possibly be
Controls: Data files printed; backup of files; protection against sudden power

Manual System: Data stored in file throughout the
Computer-based System: Data stored in
Risk Exposures: Data may be accessed by persons or stolen
Controls: Security measures at points of access and over data

Manual System: Stored data accessible on a piece-meal basis at various
Computer-based System: Stored data often readily accessible from various locations via
Risk Exposures: Data may be accessed by
Controls: Security measures at points of access

Figure 7-6 Continued

Control Problems Caused by Computerization: Information Generation

Manual System: Outputs generated laboriously and usually in small
Computer-based System: Outputs generated quickly and neatly, often in large
Risk Exposures: Inaccuracies may be buried in outputs that users accept on faith
Controls: Reviews by users of outputs, including the checking of

Manual System: Outputs usually in hard-copy form
Computer-based System: Outputs provided in various forms, including soft-copy displays and voice
Risk Exposures: Information stored on magnetic media is subject to modification (only hard copy is a permanent record)
Controls: Backup of files; periodic printing of stored files onto hard-copy records

Figure 7-6 Continued
Control Problems Caused by Computerization: Equipment

Manual System: Relatively simple, inexpensive, and
Computer-based System: expensive, and in fixed locations
Risk Exposures: Operations may be intentionally or interrupted; data or hardware may be destroyed; operations may be delayed through
Controls: Backup of data and power supply and equipment; maintenance of; restrictions on access to; documentation of equipment usage and processing

Figure 7-6 Continued

Copyright 2000 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained
