
Control and Accounting Information Systems

Members of the Group

1. Adenia Intan (2020310224)
2. Evi Nur M. (2020310239)
3. Shinta Yulia Pranesti (2020310241)
4. Divana Suci A. (2020310244)
5. Nugraha Harits P. (2020310250)
6. Shintya Herawati (2020310324)
01. Control Frameworks

COBIT Framework

The Information Systems Audit and Control Association (ISACA) developed the Control Objectives for Information and Related Technology (COBIT) framework. COBIT consolidates control standards from multiple sources into a single framework that allows:

1. management to benchmark the security and control practices of the IT environment,
2. users to be assured that adequate IT security and controls are in place, and
3. auditors to support their internal control opinions and to advise on IT security and control issues.
COBIT 5 is based on the following five core principles of IT governance and management:

1. Meeting the needs of stakeholders
2. Covering the company from end to end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management
The management process is broken down into the following four domains:

1. Align, plan and organize (APO)
2. Build, acquire and implement (BAI)
3. Deliver, service and support (DSS)
4. Monitor, evaluate and assess (MEA)
COSO Internal Control Framework

The Committee of Sponsoring Organizations (COSO) consists of the American Accounting Association, AICPA, Institute of Internal Auditors, Institute of Management Accountants, and Financial Executives Institute. In 1992, COSO issued Internal Control—Integrated Framework (IC), which is widely accepted as the authority on internal control and is incorporated into the policies, rules, and regulations used to control business activities.
COSO Enterprise Risk Management Framework

To improve the risk management process, COSO developed a second control framework called Enterprise Risk Management—Integrated Framework (ERM). ERM is the process that boards of directors and management use to define strategy, identify events that can affect
Enterprise Risk Management Framework Versus Internal Control Framework

The IC framework has been widely adopted as a way to evaluate internal controls, as required by SOX. The more comprehensive ERM framework takes a risk-based approach rather than a control-based approach. ERM adds three additional elements to the COSO IC framework: setting objectives, identifying events that can affect the company, and developing responses to assessed risk. As a result, controls are flexible and relevant because they are tied to the organization's current objectives. The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.
02. Internal Environment

"The internal environment, or company culture, influences the way the organization sets strategy and objectives, structures business activities, and identifies, assesses, and responds to risk."
The internal environment consists of:

1. Management philosophy, operating style, and risk appetite
2. Commitment to integrity, ethical values, and competence
3. Oversight of internal control by the board of directors
4. Organizational structure
5. Methods of assigning authority and responsibility
6. Human resource standards that attract, develop, and retain competent individuals
7. External influences
MANAGEMENT PHILOSOPHY, OPERATING STYLE, AND RISK APPETITE

Collectively, an organization has a philosophy, or shared beliefs and attitudes, about risk that affects its policies, procedures, oral and written communications, and decisions. Companies also have a risk appetite, which is the amount of risk they are willing to accept to achieve their goals. To avoid undue risk, risk appetite must be in line with company strategy.

risk appetite - The amount of risk a company is willing to accept in order to achieve its goals and objectives. To avoid undue risk, risk appetite must be in line with company strategy.
Management philosophy, operating style, and risk appetite can be assessed by answering questions such as these:

1. Does management take undue business risks to achieve its objectives, or does management assess potential risks and rewards before acting?
2. Does management manipulate performance measures, such as net income, so that they appear more favorable?
3. Does management pressure employees to achieve results regardless of the method, or does it require ethical behavior? In other words, does the end justify the means?
COMMITMENT TO INTEGRITY, ETHICAL VALUES, AND COMPETENCE

Organizations need a culture that emphasizes integrity and a commitment to ethical values and competence. Ethics pays: ethical standards are good business. Integrity starts at the top, as company employees adopt top management's attitudes about risk and control. A powerful message is sent when the CEO, faced with a difficult decision, makes the ethically correct choice.
OVERSIGHT OF INTERNAL CONTROL BY THE BOARD OF DIRECTORS

An involved board of directors represents shareholders and provides an independent review of management that acts as a check and balance on its actions.

SOX requires public companies to have an audit committee of external, independent directors. The audit committee is responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing the internal and external auditors, who report all critical accounting policies and practices to it. Directors must also approve company strategy and review security policies.
Organizational structure

The company's organizational structure provides a framework for planning, executing, controlling, and monitoring operations. Important aspects of the organizational structure include the following:

1. Centralization or decentralization of authority
2. Direct or matrix reporting relationships
3. Organization by industry, product line, location, or marketing network
4. How the allocation of responsibilities affects information needs
5. Organization of, and lines of authority for, the accounting, auditing, and information systems functions
6. Size and nature of company activities
METHODS OF ASSIGNING AUTHORITY AND RESPONSIBILITY

Management must ensure that employees understand the entity's goals and objectives, assign authority and responsibility for those goals and objectives to departments and individuals, hold individuals accountable for achieving them, and encourage the use of initiative to solve problems. It is especially important to identify who is responsible for the company's information security policy. Authority and responsibility are assigned and communicated using formal job descriptions, employee training, operating schedules, budgets, codes of conduct, and written policies and procedures.
EXTERNAL INFLUENCES

External influences include requirements imposed by stock exchanges, the Financial Accounting Standards Board (FASB), the PCAOB, and the SEC. They also include requirements imposed by regulatory agencies, such as those for banks, utilities, and insurance companies.
03. Information, Communication, and Monitoring of Control Processes
INFORMATION AND COMMUNICATION

Information and communication systems must capture and exchange the information needed to perform, manage, and control the organization's operations. The main purpose of an accounting information system (AIS) is to collect, record, process, store, summarize, and communicate information about an organization. This includes understanding how transactions are initiated, how data is captured, how files are accessed and updated, how data is processed, and how information is reported.

audit trail - The path that allows a transaction to be traced through the data processing system from point of origin to output, or backwards from output to point of origin.
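To make the audit-trail definition concrete, here is an added example (not code from the presentation or from any framework it cites) of a small append-only trail for an AIS. Every record names the records it was derived from, so one transaction can be traced forward from the source document to the report line and backward from the report line to the source document. The record kinds, identifiers and sample sale are constructed for the example; the SHA-256 hash chain that makes later alteration of an entry detectable is an assumption about how such a trail can be protected and goes beyond the page's definition.

```python
"""Audit trail for a small accounting information system (AIS).

Added illustration, not code from the original presentation. The record
layout, identifiers and the sample sale below are constructed for the
example; the hash chain is an assumed tamper-evidence measure that goes
beyond the page's definition of an audit trail.
"""
import hashlib
import json
from collections import defaultdict, deque

# Constructed sample: one credit sale traced from source document to report line.
# "parents" lists the record(s) each record was derived from, which is the
# information an audit trail needs in order to be walked in either direction.
SAMPLE_RECORDS = [
    {"id": "INV-1001", "kind": "source_document", "parents": [],
     "data": {"customer": "C-17", "amount": 250.00}},
    {"id": "JE-5001", "kind": "journal_entry", "parents": ["INV-1001"],
     "data": {"debit": "A/R", "credit": "Sales", "amount": 250.00}},
    {"id": "GL-AR-0420", "kind": "ledger_posting", "parents": ["JE-5001"],
     "data": {"account": "A/R", "amount": 250.00}},
    {"id": "GL-SALES-0420", "kind": "ledger_posting", "parents": ["JE-5001"],
     "data": {"account": "Sales", "amount": 250.00}},
    {"id": "RPT-IS-2024Q2:Sales", "kind": "report_line",
     "parents": ["GL-SALES-0420"], "data": {"line": "Sales", "amount": 250.00}},
]

GENESIS_HASH = "0" * 64  # hypothetical anchor for the first entry


class AuditTrail:
    """Append-only trail; each entry carries a hash over its record and its predecessor."""

    def __init__(self):
        self.entries = []                   # ordered entries with chain hashes
        self.by_id = {}                     # record id -> record
        self.children = defaultdict(list)   # parent id -> ids derived from it

    @staticmethod
    def _digest(prev_hash, record):
        # Canonical JSON so the same record always hashes the same way.
        payload = json.dumps(record, sort_keys=True).encode()
        return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

    def append(self, record):
        """Add a record; refuses duplicates and references to unknown parents."""
        if record["id"] in self.by_id:
            raise ValueError(f"duplicate record id {record['id']}")
        for parent in record["parents"]:
            if parent not in self.by_id:
                raise ValueError(f"{record['id']} refers to unknown parent {parent}")
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"record": record, "prev": prev_hash,
                 "hash": self._digest(prev_hash, record)}
        self.entries.append(entry)
        self.by_id[record["id"]] = record
        for parent in record["parents"]:
            self.children[parent].append(record["id"])
        return entry["hash"]

    def _walk(self, start_id, next_ids):
        # Breadth-first walk; returns ids in the order they are reached.
        seen, queue = [], deque([start_id])
        while queue:
            rid = queue.popleft()
            if rid in seen:
                continue
            seen.append(rid)
            queue.extend(next_ids(rid))
        return seen

    def trace_forward(self, origin_id):
        """Point of origin -> output: every record derived from origin_id."""
        return self._walk(origin_id, lambda rid: self.children[rid])

    def trace_backward(self, output_id):
        """Output -> point of origin: every record output_id depends on."""
        return self._walk(output_id, lambda rid: self.by_id[rid]["parents"])

    def verify_chain(self):
        """True if no entry was altered, inserted or removed after being appended."""
        prev_hash = GENESIS_HASH
        for entry in self.entries:
            if entry["prev"] != prev_hash:
                return False
            if self._digest(prev_hash, entry["record"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def build_sample_trail():
    """Load the constructed sample records into a trail."""
    trail = AuditTrail()
    for record in SAMPLE_RECORDS:
        trail.append(record)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("forward :", " -> ".join(trail.trace_forward("INV-1001")))
    print("backward:", " <- ".join(trail.trace_backward("RPT-IS-2024Q2:Sales")))
    print("chain intact:", trail.verify_chain())
```

The forward trace from `INV-1001` reaches both ledger postings and the report line, while the backward trace from the Sales report line reaches only the records it actually depends on (the A/R posting is not among them), which is what an auditor uses to vouch a reported figure back to its source document. If any record is edited after it was appended, `verify_chain()` returns False, so the trail also supports the monitoring activities described later on this page.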
The updated IC framework stipulates that the following three principles apply to information and communication processes:

1. Obtain or generate relevant, high-quality information to support internal control.
2. Communicate internally the information, including objectives and responsibilities, needed to support the other components of internal control.
3. Communicate relevant internal control matters to external parties.
MONITORING

The internal control system that is selected or developed should be continuously monitored, evaluated, and modified as needed. Any deficiencies must be reported to senior management and the board of directors.
Main methods of monitoring performance:

1. Perform internal control evaluations
2. Implement effective supervision
3. Use responsibility accounting systems
4. Monitor system activities
5. Track purchased software and mobile devices
6. Conduct periodic audits
7. Employ a computer security officer and a chief compliance officer
8. Engage forensic specialists
THANK YOU