
Upload: dyllan-holmes

Post on 22-Oct-2015


Page 1: AC330 Chapter 6 Instructor Outline

AC330 CHAPTER 6 Instructor Outline

CONTROL and ACCOUNTING INFORMATION SYSTEMS

As an accountant you must understand how to protect systems from the threats they face. You must have a good understanding of IT and its capabilities and risks. This knowledge can help you use IT to achieve an organization’s control objectives.

As a result of your study of this chapter, you should be able to do the following:

1. Explain basic control concepts and why computer control and security are important.
2. Compare and contrast the COBIT, COSO, and ERM control frameworks.
3. Describe the major elements in the internal environment of a company.
4. Describe the four types of control objectives that companies need to set.
5. Describe the events that affect uncertainty and the techniques used to identify them.
6. Explain how to assess and respond to risk using the Enterprise Risk Management model.
7. Describe control activities commonly used in companies.
8. Describe how to communicate information and monitor control processes in organizations.

Why Accounting Information Systems Threats Are Increasing

More than 60% of organizations have recently experienced a major control failure for some of the following reasons:

Increase in number of information systems means that information is available to an increasing number of workers.

Distributed (decentralized) computer networks are harder to control than centralized mainframe systems.

Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.

Some of the reasons why organizations have not adequately protected their data are:

• Computer control problems have been underestimated and downplayed
• The control implications of moving from centralized, host-based computer systems to a networked or Internet-based system have not been fully understood
• Many companies have not realized that data security is crucial to their survival
• Productivity and cost pressures have motivated management to forgo time-consuming control measures

Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.

The potential dollar loss, should a particular threat become a reality, is referred to as the exposure or impact of the threat, and the probability that the threat will happen is the likelihood associated with the threat.

Page 1 of 21


Why Control and Security Are Important

One of management’s basic functions is to ensure that enterprise objectives are achieved. Thus management’s decisions pertaining to controls are crucial to the firm’s success in meeting its objectives. Companies need control systems so they are not exposed to excessive risk or behaviors that might harm their reputation for honesty and integrity.

Management expects accountants to (1) take a proactive approach in eliminating system threats and (2) detect, correct and recover from threats when they occur.

Overview of Control Concepts

Internal control is the process implemented by the board of directors, management and those under their direction to provide reasonable assurance that the following control objectives are achieved:

• Safeguarding assets, including preventing or detecting, on a timely basis, the unauthorized acquisition, use or disposition of material company assets
• Maintaining records in sufficient detail to accurately and fairly reflect company assets
• Providing accurate and reliable information
• Providing reasonable assurance that financial reporting is prepared in accordance with GAAP
• Promoting and improving operational efficiency, including making sure company receipts and expenditures are made in accordance with management and directors’ authorizations
• Encouraging adherence to prescribed managerial policies
• Complying with applicable laws and regulations

Preventive Controls deter problems before they arise; anticipate the problem. Hiring highly qualified personnel; appropriately segregating employee duties; and effectively controlling physical access to assets, facilities, and information are effective preventive controls.

Detective Controls discover problems as soon as they arise; examples include duplicate checking of calculations and preparation of bank reconciliations and monthly trial balances.

Corrective Controls remedy control problems that have been discovered. They include procedures taken to identify the cause of a problem, correct resulting errors or difficulties, and modify the system so that future problems are minimized or eliminated. Examples include maintaining backup copies of transaction files and master files and adhering to procedures for correcting data entry errors, as well as those for resubmitting transactions for subsequent processing.

General Controls are designed to make sure an organization’s control environment is stable and well managed.

Some of the more important general controls are (1) information systems management controls; (2) security management controls; (3) information technology infrastructure controls; and (4) software acquisition, development and maintenance controls.

Application Controls prevent, detect and correct transaction errors and fraud. They are concerned with the accuracy, completeness, validity and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

An effective system of internal control should exist in all organizations to help them achieve their missions, as well as their performance and profitability goals, while minimizing surprises along the way. An effective internal control system can also help companies deal with rapidly changing economic and competitive environments and shifting customer demands and priorities.

The Sarbanes-Oxley and Foreign Corrupt Practices Acts

The Foreign Corrupt Practices Act (1977)

The primary purpose of this Act was to prevent the bribery of foreign officials in order to obtain business. However, a significant effect of the act was to require corporations to maintain good systems of internal accounting control.

The Sarbanes-Oxley Act of 2002

Resulted from several accounting frauds and scandals. Applies to publicly held companies and their auditors and was intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and punish executives who perpetrate fraud.


Some of the important aspects of The Sarbanes-Oxley Act are:

Creation of the Public Company Accounting Oversight Board (PCAOB). A five member board, created by The Sarbanes-Oxley Act, to control the auditing profession. The PCAOB sets and enforces auditing, quality control, ethics, independence, and other standards related to audit reports.

New rules for auditors

Auditors must report specific information to the company’s audit committee, such as critical accounting policies and practices, alternative GAAP treatments, and auditor-management disagreements. CPA Auditors are prohibited from performing certain nonaudit services such as bookkeeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services for audit clients. Audit firms cannot provide services to publicly held companies if top management was previously employed by the auditing firm and worked on the company’s audit in the preceding 12 months.

New roles for audit committees

Audit committee members must be on the company’s board of directors and be independent of the company. At least one member of the audit committee must be a financial expert. The audit committee hires, compensates, and oversees the auditors, who report directly to them.

New rules for management

Requires the CEO and CFO to certify that financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading. They must certify that they are responsible for internal controls and that the auditors were told about all material internal control weaknesses and fraud. Management can be imprisoned up to 20 years and fined up to $5,000,000. In addition, management and directors cannot receive loans that those outside the company cannot get.

New internal control requirements

Section 404 of SOX requires publicly held companies to issue a report accompanying the financial statements that states management is responsible for establishing and maintaining an adequate internal control structure and appropriate control procedures. The report must also contain management’s assessment of internal controls.

For more detailed information on The Sarbanes-Oxley Act, see the following web site: http://www.sec.gov/about/laws/soa2002.pdf


After the Sarbanes-Oxley Act was passed, the Security & Exchange Commission (SEC) mandated that management must:

• Base its evaluation on a recognized control framework. The most likely frameworks have been formulated by The Committee of Sponsoring Organizations (COSO).
• Disclose any and all material internal control weaknesses.
• Conclude that a company does not have effective internal controls over financial reporting if there are any material weaknesses.

Levers of Control

Many people feel there is a basic conflict between creativity and controls. In other words, you can’t have both. Four levers of control have been proposed to help companies reconcile this conflict. They include the following:

(1) A concise belief system that communicates company core values to employees and inspires them to live by them.
(2) A boundary system that helps employees act ethically by setting limits beyond which an employee must not pass.
(3) A diagnostic control system that, to ensure the efficient and effective achievement of important goals, measures company progress by comparing actual performance to planned performance (budget).
(4) An interactive control system that helps top-level managers with high-level activities that demand frequent and regular attention, such as developing company strategy, setting company objectives, understanding and assessing threats and risks, monitoring changes in competitive conditions and emerging technologies, and developing responses and action plans to proactively deal with these high-level issues.

Control Frameworks

COBIT Framework: The Information Systems Audit and Control Foundation (ISACF) developed the Control Objectives for Information and related Technology (COBIT) framework. COBIT is a framework of generally applicable information systems security and controls practices of IT control. The framework allows: 1) management to benchmark the security and control practices of IT environments, 2) users of IT services to be assured that adequate security and control exist, and 3) auditors to substantiate their opinions on internal control and to advise on IT security and control matters.

The COBIT framework addresses the issue of control from three dimensions:

(1)Business objectives. To satisfy business objectives, information must conform to criteria called business requirement for information. The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:


• Effectiveness (relevant, pertinent, and timely)
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance with legal requirements
• Reliability

(2)IT resources. This includes people, application systems, technology, facilities and data.

(3)IT processes. These are broken into four domains:

• Planning and organization
• Acquisition and implementation
• Delivery and support
• Monitoring

The Committee of Sponsoring Organizations Internal Control Framework

The Committee of Sponsoring Organizations (COSO) is a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants and the Financial Executives Institute. In 1992, COSO issued the Internal Control – Integrated Framework, which defines internal controls and provides guidance for evaluating and enhancing internal control systems. COSO’s internal control model has five crucial components, provided in Table 6-1 on Page 204:

1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

COSO’s Enterprise Risk Management Framework

Enterprise Risk Management – Integrated Framework (ERM)

Expands on the elements of the internal control integrated framework and provides an all-encompassing focus on the broader subject of enterprise risk management. The purpose is to achieve all the goals of the control framework and help the organization to:

• Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized
• Achieve its financial and performance targets
• Assess risks continuously and identify the steps to take and the resources to allocate to overcome or mitigate risk
• Avoid adverse publicity and damage to the entity’s reputation

The basic principles behind enterprise risk management are:

• Companies are formed to create value for their owners
• Company management must decide how much uncertainty it will accept as it creates value
• Uncertainty results in risk, which is the possibility that something will occur to affect adversely the company’s ability to create value or to erode existing value
• Uncertainty can also result in an opportunity, which is the possibility that something will occur to affect positively the company’s ability to create or preserve value

The Enterprise Risk Management – Integrated Framework (ERM) helps management manage uncertainty, and its associated risk and opportunity, so they can build and preserve value

The elements of the ERM are provided in a model shown in Figure 6-1 on Page 205. The columns on the top of the figure represent four types of objectives that management must meet to achieve company goals.

Strategic objectives are high-level goals that are aligned with and support the company’s mission. Strategic planning is designed to help managers answer critical questions in a business. These questions include:

• What is the organization’s position in the marketplace?
• What does the organization want its position to be?
• What trends and changes are occurring in the marketplace?
• What are the best alternatives to help the organization achieve its goals?

Operations objectives deal with the effectiveness and efficiency of the company operations, such as performance and profitability goals and safeguarding assets

Reporting objectives help ensure the accuracy, completeness and reliability of internal and external company reports, of both a financial and nonfinancial nature. They also improve decision making and monitor company activities and performance more efficiently.

Compliance objectives help the company comply with all applicable laws and regulations.


The columns on the right side of the figure represent the company’s units.

The horizontal rows are the eight interrelated risk and control components of COSO and include the following:

1. Internal environment. This is the tone or culture of a company and helps determine how risk conscious employees are.

2. Objective setting. ERM ensures that company management puts into place a process to formulate strategic, operations, reporting and compliance objectives that support the company’s mission and that are consistent with the company’s tolerance for risk.

3. Event identification. ERM requires management to identify events that may affect the company’s ability to implement its strategy and achieve its objectives

4. Risk assessment. Identified risks are assessed to determine how to manage them and how they affect the company’s ability to achieve its objectives.

5. Risk response. To align identified risks with the company’s tolerance for risk, management can choose to avoid, reduce, share, or accept the risks.

6. Control activities. To implement management’s risk responses, control policies and procedures are established and implemented throughout the various levels and functions in the organization.

7. Information and communication. Information about the company and the various ERM components must be identified, captured and communicated so employees can fulfill their responsibilities

8. Monitoring. To remain effective, ERM processes must be monitored on an ongoing basis and modified as needed

The ERM Framework Versus the Internal Control Framework

The internal control framework has been widely adopted as the principal way to evaluate internal controls, as required by the Sarbanes-Oxley Act. However, it has too narrow a focus. The ERM is a more comprehensive framework which takes a risk-based, rather than a controls-based approach to the organization that is oriented toward the future and constant change


The Internal Environment is the most important component of the ERM and internal control frameworks. An internal environment consists of items such as the following:

1. Management’s philosophy, operating style and risk appetite
2. The board of directors
3. Commitment to integrity, ethical values and competence
4. Organizational structure
5. Methods of assigning authority and responsibility
6. Human resource standards
7. External influences

Management’s philosophy, operating style and risk appetite

Companies have a risk appetite, which is the amount of risk a company is willing to accept in order to achieve its goals and objectives. The more responsible management’s philosophy and operating style and the more clearly they are communicated, the more likely employees will behave responsibly. Management’s philosophy, operating style and risk appetite can be assessed by answering questions such as these:

Does management take undue business risks to achieve its objectives, or does it assess potential risks and rewards prior to acting?

Does management attempt to manipulate such performance measures as net income so that its performance can be seen in a more favorable light?

Does management pressure employees to achieve results regardless of the methods, or does it demand ethical behavior? In other words, does management believe the ends justify the means?

The board of directors and audit committee

Should oversee management and scrutinize its plans, performance, and activities; approve company strategy; review financial results; annually review the company’s security policy; and interact with internal and external auditors. The Sarbanes-Oxley Act requires all public companies to have an audit committee composed entirely of outside (nonemployee), independent directors. The audit committee is responsible for overseeing the corporation’s internal control structure, its financial reporting process, and its compliance with related laws, regulations and standards. The committee works closely with the corporation’s external and internal auditors. The audit committee must understand the business and its objectives and processes, be able to recognize risk, and understand risk management and internal controls.

Commitment to integrity, ethical values, and competence

It is important to create an organizational culture that stresses integrity and commitment to both ethical values and competence. Companies endorse integrity as a basic operating principle by actively teaching and requiring it. Management should consistently reward and encourage honesty and give verbal labels to honest and dishonest behavior. Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors. Companies should require employees to report any dishonest, illegal or unethical acts and discipline employees who knowingly fail to report violations.

Organizational structure

Important aspects of organizational structure include:

• Centralization or decentralization of authority
• Assignment of responsibility for specific tasks
• Whether there is a direct reporting relationship (i.e. functional organizational structure or divisional organizational structure) or more of a matrix structure. A matrix organizational structure is a design that utilizes functional and divisional chains of command simultaneously in the same part of the organization.
• Organization by industry, product line, geographical location, or by a particular distribution or marketing network
• The way responsibility allocation affects management’s information requirements
• The organization of the accounting and information system functions
• The size and the nature of company activities

Methods of assigning authority and responsibility

Authority and responsibility are assigned through formal job descriptions; employee training; operating plans, schedules, and budgets; a formal company code of conduct; and a written policy and procedures manual.

Human resource standards

The following policies and procedures are important:

(1) Hiring. To obtain the most qualified and ethical employees, hiring should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well potential employees meet written job requirements. A thorough background check includes verifying educational and work experience, talking to references, checking for a criminal record, and checking credit records.

(2) Compensating. It is important to pay employees a fair and competitive wage. Poorly paid employees are likely to feel resentment and make up the difference in their wages by stealing money or property, or both.


(3) Training. Training programs should familiarize new employees with their responsibilities; expected levels of performance and behavior; and the company’s policies and procedures, history, culture and operating style.

Training on fraud and ethics should cover:

• Fraud awareness
• Ethical considerations
• Punishment for fraud and unethical behavior

(4) Evaluating and Promoting. Employees should be given periodic performance appraisals that help them understand their strengths and weaknesses. Promotion should be based on performance and how well qualified employees are for the next position.

(5) Discharging. A company should take care when firing employees. To prevent sabotage or copying confidential data before they leave, dismissed employees should be removed from sensitive jobs immediately and denied access to the information system.

(6) Managing Disgruntled Employees. Some employees who commit fraud are seeking revenge for a perceived wrong done to them. Hence, companies should have procedures for identifying disgruntled employees and either helping them resolve their feelings or removing them from jobs where they might be able to harm the organization or perpetrate a fraud.

(7) Vacations and rotation of duties. Many fraud schemes such as lapping and kiting require the ongoing attention of the perpetrator. Many of these employee frauds are discovered when the perpetrator is suddenly forced, by illness or accident, to take time off.

(8) Confidentiality Agreements and Fidelity Bond Insurance. All employees, suppliers, and contractors should be required to sign and abide by a nondisclosure or confidentiality agreement. Fidelity bond insurance coverage of key employees protects companies against losses arising from deliberate acts of fraud by bonded employees.

(9) Prosecute and Incarcerate Hackers and Fraud Perpetrators.

Most fraud cases and hacker attacks go unreported and are not prosecuted for several reasons:

1. Companies are reluctant to report computer crimes and intrusions – a recent study showed only 36% reporting intrusions – because a highly visible fraud is a public relations disaster.

2. Law enforcement officials and the courts are so busy with violent crimes that they have little time for computer crimes in which no physical harm occurs.

3. Fraud is difficult, costly and time-consuming to investigate and prosecute.

4. Many law enforcement officials, lawyers and judges lack the computer skills needed to investigate, prosecute and evaluate computer crimes.

5. When fraud cases are prosecuted and a conviction is obtained, the sentences received are often light.

External influences

• Financial Accounting Standards Board (FASB)
• Public Company Accounting Oversight Board (PCAOB)
• Securities and Exchange Commission (SEC)

Objective Setting

Objective setting is the second ERM component. It must precede the other six components. Top management, with board approval, needs to articulate why the company exists and what it hopes to achieve. This is often referred to as the corporate vision or mission. The company uses its mission statement as a base from which it sets and prioritizes corporate objectives.

Strategic objectives, which are high-level goals that support the company’s mission and are intended to create shareholder value, must be set first.

Operations objectives, which are a product of management preferences, judgments, and style, may vary significantly among entities. Operations objectives deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets.

Compliance objectives help the company comply with all applicable laws and regulations.

Reporting objectives help ensure the accuracy, completeness and reliability of internal and external company reports, of both a financial and non-financial nature. They also improve decision making and monitor company activities and performance more efficiently.

Event Identification

COSO defines an event as an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Table 6-2 on Page 215 lists some of the many internal and external factors that COSO indicated could influence events and affect a company’s ability to implement its strategy and achieve its objectives.

External factors: Economic, Natural Environment, Political, Social, Technological

Internal factors: Infrastructure, Personnel, Process, Technology

A few of the events, or threats, that a company might face as it implements an electronic data interchange system are:

1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmission
4. Loss of data integrity
5. Incomplete transactions
6. System failures
7. Incompatible systems

Some of the more common techniques companies use to identify events follow. One, two or more of these techniques are used together.

• Use comprehensive lists of potential events
• Perform an internal analysis
• Monitor leading events and trigger points
• Conduct workshops and interviews
• Perform data mining and analysis
• Analyze business processes

Risk Assessment and Risk Response

The fourth and fifth components of COSO’s ERM model are risk assessment and risk response. The risk that exists before management takes any steps to control the likelihood or impact of a risk is inherent risk. The risk that remains after management implements internal controls, or some other response to risk, is residual risk. The ERM model indicates that there are four ways to respond to risk:

1. Reduce. The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls

2. Accept. Accepts the likelihood and impact of the risk by not acting to prevent or mitigate it


3. Share. Share some of the risk or transfer it to someone else. For example, buy insurance, outsource an activity, or enter into hedging transactions.

4. Avoid. Risk is avoided by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.

Accountants can assess and reduce inherent risk using the risk assessment and response strategy shown in Figure 6-2 on Page 217.

Estimate Likelihood and Impact

Some events pose a greater risk because the probability of their occurrence is more likely. For example, a company is more likely to be the victim of a fraud than of an earthquake, and employees are more likely to make unintentional errors than they are to commit fraud

Identify Controls

Management must identify one or more controls that will protect the company from each event.

Estimate Costs and Benefits

No internal control system can provide foolproof protection against all events, as the cost would be prohibitive. In addition, because many controls negatively affect operational efficiency, too many controls slow the system and make it inefficient. The benefits of an internal control procedure must exceed its costs.

Benefits can be hard to quantify, but include:

• Increased sales and productivity
• Reduced losses
• Better integration with customers and suppliers
• Increased customer loyalty
• Competitive advantages
• Lower insurance premiums

Costs are usually easier to measure than benefits. Primary cost is personnel, including:

• Time to perform control procedures
• Costs of hiring additional employees to effectively segregate duties
• Costs of programming controls into a system

Other costs of a poor control system include:

• Lost sales
• Lower productivity
• Drop in stock price if security problems arise
• Shareholder or regulator lawsuits
• Fines and penalties imposed by governmental agencies

One way to estimate the value of internal controls involves expected loss, the mathematical product of impact and likelihood:

Expected loss = Impact x Likelihood

Determine Cost/Benefit Effectiveness

Total payroll cost per pay period is $10,000. For an extra cost of $600 per pay period, a validation step will reduce the likelihood of the event from 15% to 1%. The expected risk cost without the extra $600 validation procedure is $1,500 [$10,000 x 15%]. The expected risk cost with the extra $600 validation procedure is $100 [$10,000 x 1%]. The expected benefit of the validation procedure is therefore $800 (the $1,400 reduction in expected loss less the $600 cost of the control), as shown in Table 6-3 on Page 219.

Implement Control or Avoid, Share, or Accept the Risk

When controls are cost-effective, they should be implemented so that risk can be reduced. Risks that are not reduced must be accepted, shared, or avoided.
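The five steps above (estimate likelihood and impact, identify a control, estimate its cost and benefit, test cost/benefit effectiveness, then implement the control or accept, share, or avoid the residual risk) carried through in code. This is an added example, not part of the outline: it reproduces the payroll figures from Table 6-3 and adds two constructed risks for contrast; the class and function names are my own.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RiskResponse:
    """One risk event with a candidate control, priced per pay period."""
    event: str
    impact: float               # loss if the event occurs, in dollars
    likelihood: float           # probability per period without the control
    residual_likelihood: float  # probability per period with the control
    control_cost: float         # cost of operating the control per period

    def expected_loss(self, with_control: bool = False) -> float:
        """Expected loss = Impact x Likelihood, before or after the control."""
        p = self.residual_likelihood if with_control else self.likelihood
        return round(self.impact * p, 2)

    def net_benefit(self) -> float:
        """Reduction in expected loss minus what the control itself costs."""
        reduction = self.expected_loss() - self.expected_loss(with_control=True)
        return round(reduction - self.control_cost, 2)

    def recommendation(self) -> str:
        """Cost-effective controls are implemented; otherwise the risk is
        accepted, shared (e.g. insured) or avoided instead of reduced."""
        if self.net_benefit() > 0:
            return "reduce: implement control"
        return "accept, share, or avoid"


def rank_by_net_benefit(risks: List[RiskResponse]) -> List[RiskResponse]:
    """Order candidate controls so the most cost-effective come first."""
    return sorted(risks, key=lambda r: r.net_benefit(), reverse=True)


# The outline's payroll case, plus two constructed risks for comparison.
PAYROLL = RiskResponse("payroll validation step", 10_000, 0.15, 0.01, 600)
CONSTRUCTED = [
    PAYROLL,
    RiskResponse("hypothetical: daily ledger backup", 50_000, 0.02, 0.001, 700),
    RiskResponse("hypothetical: guard for petty cash", 500, 0.10, 0.0, 2_000),
]

if __name__ == "__main__":
    for r in rank_by_net_benefit(CONSTRUCTED):
        print(f"{r.event}: before ${r.expected_loss():,.2f}, "
              f"after ${r.expected_loss(True):,.2f}, "
              f"net ${r.net_benefit():,.2f} -> {r.recommendation()}")
```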

Control Activities

The sixth component of COSO’s ERM model is control activities, which are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and the risk responses are carried out. Generally, control procedures fall into one of the following categories:

1. Proper authorization of transactions and activities

Management establishes policies for employees to follow and then empowers employees to perform accordingly. This empowerment, called authorization, is an important part of an organization’s control procedures. Authorizations are often documented by signing, initialing, or entering an authorization code on a transaction document or record. Computer systems are now capable of recording a digital signature, a means of signing a document with a piece of data that cannot be forged. Employees who process transactions should verify the presence of the appropriate authorization(s). Certain activities or transactions may be of such consequence that management grants specific authorization for them to occur.

For example, management review and approval are often required for sales in excess of $20,000, capital expenditures in excess of $10,000, or uncollectible write-offs in excess of $5,000.


In contrast, management can authorize employees to handle routine transactions without special approval, a procedure known as general authorization.

2. Segregation (separation) of duties (Figure 6-3 on Page 222)

Authorization – approving transactions and decisions

Recording – preparing source documents; entering data into online systems; maintaining journals, ledgers, files or databases; preparing reconciliations; and preparing performance reports

Custody – handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization’s bank account.

If two of these three functions are the responsibility of a single person, then problems can arise. Collusion is when two or more people work together to override the preventive aspect of the internal control system.
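The three-way split above expressed as an access-review check: given each user's system roles, flag anyone who holds two or more of authorization, recording, and custody, and test a proposed grant before it is made. This is an added example, not part of the outline; the role-to-function mapping and the user assignments are constructed, and like any such check it cannot detect collusion between separately assigned people.

```python
from typing import Dict, Iterable, List, Set

# The outline's three functions that must not be combined in one person.
AUTHORIZATION, RECORDING, CUSTODY = "authorization", "recording", "custody"

# Constructed mapping from system roles to the function each one performs.
# Roles not listed here (e.g. read-only reports) carry none of the three.
ROLE_FUNCTION: Dict[str, str] = {
    "approve_purchase_order": AUTHORIZATION,
    "approve_credit_limit": AUTHORIZATION,
    "post_journal_entry": RECORDING,
    "maintain_vendor_master": RECORDING,
    "sign_checks": CUSTODY,
    "receive_customer_checks": CUSTODY,
}


def functions_held(roles: Iterable[str]) -> Set[str]:
    """Which of the three functions a set of roles gives to one person."""
    return {ROLE_FUNCTION[r] for r in roles if r in ROLE_FUNCTION}


def sod_violations(assignments: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Detective check over an access list: users combining two or more
    of the three functions, with the functions they combine."""
    violations: Dict[str, Set[str]] = {}
    for user, roles in assignments.items():
        held = functions_held(roles)
        if len(held) >= 2:
            violations[user] = held
    return violations


def would_conflict(current_roles: Iterable[str], new_role: str) -> bool:
    """Preventive check to run before granting an additional role."""
    return len(functions_held(list(current_roles) + [new_role])) >= 2


# Constructed access list for the review.
ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["approve_purchase_order", "post_journal_entry"],  # auth + recording
    "bob": ["sign_checks", "receive_customer_checks"],           # custody only
    "carol": ["maintain_vendor_master", "sign_checks"],          # recording + custody
    "dave": ["view_gl_report"],                                  # read-only
}

if __name__ == "__main__":
    for user, held in sod_violations(ASSIGNMENTS).items():
        print(f"{user}: combines {sorted(held)}")
```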

Segregation of Systems Duties:

a. Systems administration. Systems administrators are responsible for ensuring that the different parts of an information system operate smoothly and efficiently.

b. Network management. Network managers ensure that all applicable devices are linked to the organization’s internal and external networks and that the networks operate continuously and properly.

c. Security management. Security management ensures that all aspects of the system are secure and protected from all internal and external threats.

d. Change management. These individuals manage all changes to an organization’s information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.

e. Users. Users record transactions, authorize data to be processed, and use system output.

f. Systems analysis. Systems analysts help users determine their information needs and then design an information system to meet those needs.

g. Programming. Programmers take the design provided by systems analysts and create an information system by writing the computer programs.

h. Computer operations. Computer operators run the software on the company’s computers. They ensure that data are input properly and correctly processed and that needed output is produced.

i. Information system library. The information system librarian maintains custody of corporate databases, files and programs in a separate storage area called the information system library.

j. Data control. The data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.

Project development and acquisition controls

1. Strategic master plan. To align an organization’s information system with its business strategies, a multiyear strategic master plan is developed and updated yearly.

2. Project controls. A project development plan shows how a project will be completed, including the modules or tasks to be performed and who will perform them, the dates they should be completed, and project costs.

Project milestones – significant points when progress is reviewed and actual and estimated completion times are compared.

A performance evaluation of project team members should be prepared as each project is completed.

3. Data processing schedule. To maximize the use of scarce computer resources, all data processing tasks should be organized according to a data processing schedule.

4. Steering committee. A steering committee should be formed to guide and oversee systems development and acquisition.

5. System performance measurements. For a system to be evaluated properly, it must be assessed using system performance measurements.

Common measurements include throughput (output per unit of time), utilization (percentage of time the system is being productively used) and response time (how long it takes the system to respond).

6. Post-implementation review. After a development project is completed, a post-implementation review should be performed to determine if the anticipated benefits were achieved.

To simplify and improve systems development, some companies hire a systems integrator, a vendor who uses common standards and manages a cooperative systems development effort involving its own development personnel and those of the client and other vendors.

Companies that use systems integrators should:

• Develop clear specifications
• Monitor the systems integration project

Change management controls

Change management is the process of making sure changes do not negatively affect systems reliability, security, confidentiality, integrity and availability.

Design and use of documents and records

The proper design and use of electronic and paper documents and records help ensure the accurate and complete recording of all relevant transaction data.

Safeguarding assets, records and data

In addition to safeguarding cash and physical assets such as inventory and equipment, a company needs to protect its information. Many people mistakenly believe that the greatest risks companies face are from outsiders. Companies also face significant risks from customers and vendors that have access to company data. Some of the computer-based controls that can be put into place to safeguard assets include:

• Create and enforce appropriate policies and procedures
• Maintain accurate records of all assets
• Restrict access to assets
• Protect records and documents

Independent checks on performance

Top level reviews. Management at all levels should monitor company results and periodically compare actual company performance to (a) planned performance, as shown in budgets, targets and forecasts; (b) prior period performance; and (c) the performance of competitors.

Analytical reviews. An analytical review is an examination of the relationship between different sets of data.

Reconciliation of two independently maintained sets of records

Comparison of actual quantities with recorded amounts

Double-entry accounting: debits must equal credits

Independent review. After one person processes a transaction, a second person sometimes reviews the work of the first.

Information and Communication

An accounting information system has five primary objectives:

1) Identify and record all valid transactions
2) Properly classify transactions
3) Record transactions at their proper monetary value
4) Record transactions in the proper accounting period
5) Properly present transactions and related disclosures in the financial statements

Monitoring

Perform ERM Evaluations

Implement Effective Supervision

Use Responsibility Accounting

Monitor System Activities

There are software packages available to review computer and network security measures, detect illegal entry into systems, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements. Software is also available to monitor and combat viruses, spyware, spam and pop-up ads and to prevent browsers from being hijacked.

All system transactions and activities should be recorded in a log that indicates who accessed what data, when and from which online device.

In monitoring employees’ computers at work or at home, companies must be careful not to violate employees’ privacy. One way to help is to have written policies that employees agree to in writing, which indicate that:

• The technology employees use on the job belongs to the company
• E-mails received on company computers are not private and can be read by supervisory personnel
• Employees should not use technology in any way to contribute to a hostile work environment

Track Purchased Software

The Business Software Alliance (BSA) is very aggressive in tracking down and finding companies who violate software license agreements.

Conduct Periodic Audits

One way to monitor risk and detect fraud and errors is to conduct periodic external and internal audits, as well as special network security audits. Internal audits involve reviewing the reliability and integrity of financial and operating information and providing an appraisal of internal control effectiveness. Internal audits can detect excess overtime, underused assets, obsolete inventory, padded travel expense reimbursements, excessively loose budgets and quotas, poorly justified capital expenditures and production bottlenecks.

Employ a Computer Security Officer and Computer Consultants

A computer security officer (CSO) is in charge of AIS security and should be independent of the information system function and report to the COO or CEO. The overwhelming number of new tasks related to SOX and other forms of compliance has led many larger companies to delegate all compliance issues to a chief compliance officer (CCO).

Engage Forensic Specialists

Forensic accountants specialize in fraud detection and investigation. Forensic accounting is now one of the fastest-growing areas of accounting due to the Sarbanes-Oxley law, new accounting rules such as SAS No. 99, and boards of directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process. Most forensic accountants are CPAs, and many have received specialized training with the FBI, the IRS, or other law enforcement agencies. Computer forensics is discovering, extracting, safeguarding and documenting computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.


Install Fraud Detection Software

People who commit fraud tend to follow certain patterns and leave behind clues. Software has been developed to uncover these fraud symptoms. Some companies use neural networks (programs that mimic the brain and have learning capabilities), which are quite accurate in identifying suspected fraud.

Implement a Fraud Hot Line

The Sarbanes-Oxley Act mandates that companies set up mechanisms for employees to report abuses such as fraud. Fraud hotlines provide a means by which employees can anonymously report fraud.
