
Control and AIS

Chapter 6
Learning Objectives
• Explain basic control concepts and explain why computer control and security are important.
• Compare and contrast the COBIT, COSO, and ERM control frameworks.
• Describe the major elements in the internal environment of a company.
• Describe the four types of control objectives that companies need to set.
• Describe the events that affect uncertainty and the techniques used to identify them.
• Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model.
• Describe control activities commonly used in companies.
• Describe how to communicate information and monitor control processes in organizations.


Internal Control

Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

In addition to following GAAP, internal controls must be effective to ensure the reliability of the financial reports produced through the AIS.
Internal Control

• A system to provide reasonable assurance that objectives are met, such as:
  • Safeguard assets.
  • Maintain records in sufficient detail to report company assets accurately and fairly.
  • Provide accurate and reliable information.
  • Prepare financial reports in accordance with established criteria.
  • Promote and improve operational efficiency.
  • Encourage adherence to prescribed managerial policies.
  • Comply with applicable laws and regulations.
Stages in the Control Process

The first stage is the determination of objectives by management. Lower-level objectives should fit into the organization's overall objectives.
Those being controlled should be aware of the objectives so that they will be able to appreciate the need for control.
As much as possible, the objectives should be quantified. Quantitative standards facilitate measurement and comparison of the actual results against the objectives.
Stages in the Control Process

• The second stage is the design and implementation of controls to achieve the objectives. Management selects the appropriate measures which it considers will achieve the objective in the most economic, efficient and effective manner. These measures are then implemented.

• The third stage is measuring results. The results of the control measures have to be measured to see whether they have met the objectives and achieved the target set. To compare against the standard or expected result, management must establish procedures to collect the needed information.
Stages in the Control Process
• In the fourth stage, the actual results achieved are compared to the standard. This gives a measure of how well the objective has been achieved. A management decision is required as to whether the actual results are acceptable or not. If the actual results are not acceptable, the next stage will be undertaken.

• In the fifth stage, an analysis of the causes of differences should be made in order to determine why the standard was not achieved. There could be several reasons why the standard was not attained. For example, the standard may have been unrealistic, or the measures taken may have been inappropriate or not properly carried out or implemented.
Functions of Internal Control

Internal controls designed into each of the business processes provide the following functions:
• Directive function: cause or encourage a desirable event to occur
• Preventive function: deter problems
• Detective function: discover problems
• Corrective function: correct problems


Sarbanes-Oxley (2002)

• Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud
• Public Company Accounting Oversight Board (PCAOB)
  • Oversight of the auditing profession
• New Auditing Rules
  • Partners must rotate periodically
  • Prohibited from performing certain non-audit services
Sarbanes-Oxley (2002)
• New Roles for the Audit Committee
  • Be part of the board of directors and be independent
  • One member must be a financial expert
  • Oversees external auditors
• New Rules for Management
  • Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
  • The auditors were told about all material internal control weaknesses and fraud.
• New Internal Control Requirements
  • Management is responsible for establishing and maintaining an adequate internal control system.
SOX Management Rules

• Base the evaluation of internal control on a recognized framework.
• Disclose all material internal control weaknesses.
• Conclude that a company does not have effective internal controls over financial reporting if material weaknesses exist.
Internal Control Frameworks
• Control Objectives for Information and Related Technology (COBIT)
  • Business objectives
  • IT resources
  • IT processes
• Committee of Sponsoring Organizations (COSO)
  • Internal Control—Integrated Framework
    • Control environment
    • Control activities
    • Risk assessment
    • Information and communication
    • Monitoring
Internal Control

• Enterprise Risk Management Model
  • Risk-based vs. control-based
  • COSO elements plus:
    • Setting objectives
    • Event identification
    • Risk assessment
  • Risk can be controlled, but it can also be:
    • Accepted
    • Diversified
    • Shared
    • Transferred
Control Environment
• Management's philosophy, operating style, and risk appetite
• The board of directors
• Commitment to integrity, ethical values, and competence
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
• External influences
ERM (Enterprise Risk Management): Objective Setting

• Strategic
  • High-level goals aligned with the corporate mission
• Operational
  • Effectiveness and efficiency of operations
• Reporting
  • Complete and reliable
  • Improve decision making
• Compliance
  • Laws and regulations are followed
ERM—Event Identification

• "…an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives."
• Positive or negative impacts (or both)
• Events may trigger other events
• All events should be anticipated
Risk Assessment

• Identify risk
  • Identify the likelihood (chances) of the risk
  • Identify positive or negative impact
• Types of risk
  • Inherent: risk that exists before any plans are made to control it
  • Residual: risk remaining after controls are in place to reduce it
ERM—Risk Response

• Reduce
  • Implement effective internal control
• Accept
  • Do nothing; accept the likelihood of the risk
• Share
  • Buy insurance, outsource, hedge
• Avoid
  • Do not engage in the activity that produces the risk
Event/Risk/Response Model
Control Activities

• Policies and procedures to provide reasonable assurance that control objectives are met:
  • Proper authorization of transactions and activities
    • Signature or code on a document to signal authority over a process
  • Segregation of duties
  • Project development and acquisition controls
  • Change management controls
  • Design and use of documents and records
  • Safeguarding assets, records, and data
  • Independent checks on performance
Segregation of Accounting Duties

• No one employee should be given too much responsibility
• Separate:
  • Authorization
    • Approving transactions and decisions
  • Recording
    • Preparing source documents
    • Entering data into an AIS
    • Maintaining accounting records
  • Custody
    • Handling cash, inventory, fixed assets
    • Receiving incoming checks
    • Writing checks
Information and Communication

• Primary purpose of an AIS:
  • Gather
  • Record
  • Process
  • Summarize
  • Communicate
Monitoring
• Evaluate the internal control framework.
• Effective supervision.
• Responsibility accounting system.
• Monitor system activities.
• Track (trial) purchased software and mobile devices.
• Conduct periodic audits.
• Employ (provide work for) a security officer and a compliance officer.
• Engage forensic specialists.
• Install fraud detection software.
• Implement a fraud hotline.


Segregation of System Duties
• Like accounting duties, system duties should also be separated.
• These duties include:
  • System administration
  • Network management
  • Security management
  • Change management
  • Users
  • Systems analysts
  • Programmers
  • Computer operators
  • Information system librarian
  • Data control
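The two segregation-of-duties slides (accounting duties split into authorization, recording and custody; system duties each kept separate) can be checked mechanically against a list of who holds which task. The following is an added example, not part of the slides: it maps the tasks named on the slides to duty classes and flags any person whose assignments span more than one class. The user names and assignments are constructed sample data, and treating every pair of distinct classes as incompatible is an assumption (the slides say the duties should be separated but do not enumerate conflicting pairs).

```python
"""Segregation-of-duties (SoD) conflict check over role assignments (added example)."""
from itertools import combinations

# Accounting tasks from the slide, grouped into the three classes to be separated.
ACCOUNTING_DUTIES = {
    "approve transactions": "authorization",
    "prepare source documents": "recording",
    "enter data into AIS": "recording",
    "maintain accounting records": "recording",
    "handle cash": "custody",
    "receive incoming checks": "custody",
    "write checks": "custody",
}

# System duties from the slide; each is its own class. Assumption: any two held
# by one person are a conflict, since the slide says these duties are separated.
SYSTEM_DUTIES = {d: d for d in (
    "system administration", "network management", "security management",
    "change management", "user", "systems analyst", "programmer",
    "computer operator", "information system librarian", "data control")}

DUTY_CLASS = {**ACCOUNTING_DUTIES, **SYSTEM_DUTIES}


def find_sod_conflicts(assignments):
    """Return sorted (user, class_a, class_b) triples for every user whose tasks
    fall into two or more different duty classes. Tasks within the same class
    (e.g. two recording tasks) are compatible; unknown tasks are ignored."""
    conflicts = []
    for user, tasks in sorted(assignments.items()):
        classes = sorted({DUTY_CLASS[t] for t in tasks if t in DUTY_CLASS})
        for a, b in combinations(classes, 2):
            conflicts.append((user, a, b))
    return conflicts


# Constructed sample assignments: bob is fine (both tasks are recording),
# carol mixes custody with recording, dave holds two system duties.
SAMPLE_ASSIGNMENTS = {
    "alice": {"approve transactions"},
    "bob": {"prepare source documents", "enter data into AIS"},
    "carol": {"write checks", "maintain accounting records"},
    "dave": {"programmer", "computer operator"},
}

if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both '{a}' and '{b}' duties")
```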
