Computer-Based Information Systems Controls
Anup Kumar Saha (slide deck, 58 slides)

Uploaded by paulos, posted 07-Jan-2016, category: Documents

Description: Computer-Based Information Systems Controls. Learning objectives: describe the threats to an AIS and discuss why these threats are growing; explain the basic concepts of control as applied to business organizations. (PowerPoint presentation)

Transcript

Page 1: Computer-Based Information Systems Controls

7-1 Anup Kumar Saha

Computer-Based Information Systems Controls

Page 2: Computer-Based Information Systems Controls


Learning Objectives

1. Describe the threats to an AIS and discuss why these threats are growing.

2. Explain the basic concepts of control as applied to business organizations.

3. Describe the major elements in the control environment of a business organization.

Page 3: Computer-Based Information Systems Controls


Learning Objectives, continued

4. Describe control policies and procedures commonly used in business organizations.

5. Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.

6. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

Page 4: Computer-Based Information Systems Controls


Introduction

Jason Scott has been hired as an internal auditor for Northwest Industries, a diversified forest products company.

He is assigned to audit Springer’s Lumber & Supply, Northwest’s building materials outlet in Montana.

Page 5: Computer-Based Information Systems Controls


Introduction

His supervisor, Maria Pilier, has asked him to trace a sample of purchase transactions to verify that proper control procedures were followed. Jason becomes frustrated with this task.

Why is Jason frustrated?

The purchasing system is poorly documented.

He keeps finding transactions that have not been processed as Ed Yates, the accounts payable manager, said they should be.

Page 6: Computer-Based Information Systems Controls


Introduction

Jason's frustrations, continued:
– Some vendor invoices have been paid without supporting documents.
– Purchase requisitions are missing for several items that had been authorized by Bill Springer, purchasing v.p.
– Prices charged for some items seem unusually high.
– Springer's is the largest supplier in the area and has a near monopoly.
– Management authority is concentrated in the company president, Joe Springer, and his sons Bill, the purchasing v.p., and Ted, the controller.
– Maria feels that Ted may have engaged in "creative accounting."

Page 7: Computer-Based Information Systems Controls


Introduction

Jason ponders the following issues:
– Should he describe the unusual transactions in his report?
– Is a violation of proper control procedures acceptable if it has been authorized by management?
– Regarding Jason's assignment, does he have a professional or ethical responsibility to get involved?

Page 8: Computer-Based Information Systems Controls


Introduction

This chapter discusses the types of threats a company faces.

It also presents the five interrelated components of the Committee of Sponsoring Organizations (COSO’s) internal control model.

Page 9: Computer-Based Information Systems Controls


Learning Objective 1

Describe the threats to an AIS and discuss why these threats are growing.

Page 10: Computer-Based Information Systems Controls


Threats to Accounting Information Systems

What are examples of natural and political disasters?
– fire or excessive heat
– floods
– earthquakes
– high winds
– war

Page 11: Computer-Based Information Systems Controls


Threats to Accounting Information Systems

What are examples of software errors and equipment malfunctions?
– hardware failures
– power outages and fluctuations
– undetected data transmission errors

Page 12: Computer-Based Information Systems Controls


Threats to Accounting Information Systems

What are examples of unintentional acts?
– accidents caused by human carelessness
– innocent errors or omissions
– lost or misplaced data
– logic errors
– systems that do not meet company needs

Page 13: Computer-Based Information Systems Controls


Threats to Accounting Information Systems

What are examples of intentional acts?
– sabotage
– computer fraud
– embezzlement

Page 14: Computer-Based Information Systems Controls


Why are AIS Threats Increasing?

Increasing numbers of client/server systems mean that information is available to an unprecedented number of workers.

Because LANs and client/server systems distribute data to many users, they are harder to control than centralized mainframe systems.

WANs are giving customers and suppliers access to each other’s systems and data, making confidentiality a concern.

Page 15: Computer-Based Information Systems Controls


Learning Objective 2

Explain the basic concepts of control as applied to business organizations.

Page 16: Computer-Based Information Systems Controls


Overview of Control Concepts

What is the traditional definition of internal control?

Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.

Page 17: Computer-Based Information Systems Controls


Overview of Control Concepts

What is management control? Management control encompasses the following three features:
1 It is an integral part of management responsibilities.
2 It is designed to reduce errors and irregularities and to achieve organizational goals.
3 It is personnel-oriented and seeks to help employees attain company goals.

Page 18: Computer-Based Information Systems Controls


Internal Control Classifications

The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1 Preventive, detective, and corrective controls
2 General and application controls
3 Administrative and accounting controls
4 Input, processing, and output controls

Page 19: Computer-Based Information Systems Controls


The Foreign Corrupt Practices Act

In 1977, Congress incorporated language from an AICPA pronouncement into the Foreign Corrupt Practices Act.

The primary purpose of the act was to prevent the bribery of foreign officials in order to obtain business.

A significant effect of the act was to require corporations to maintain good systems of internal accounting control.

Page 20: Computer-Based Information Systems Controls


Committee of Sponsoring Organizations

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1 American Accounting Association
2 American Institute of Certified Public Accountants
3 Institute of Internal Auditors
4 Institute of Management Accountants
5 Financial Executives Institute

Page 21: Computer-Based Information Systems Controls


Committee of Sponsoring Organizations

In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems.

The report has been widely accepted as the authority on internal controls.

Page 22: Computer-Based Information Systems Controls


Committee of Sponsoring Organizations

The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
– effectiveness and efficiency of operations
– reliability of financial reporting
– compliance with applicable laws and regulations

Page 23: Computer-Based Information Systems Controls


Committee of Sponsoring Organizations

COSO's internal control model has five crucial components:
1 Control environment
2 Control activities
3 Risk assessment
4 Information and communication
5 Monitoring

Page 24: Computer-Based Information Systems Controls


Information Systems Audit and Control Foundation

The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).

COBIT consolidates standards from 36 different sources into a single framework.

The framework addresses the issue of control from three vantage points, or dimensions:

Page 25: Computer-Based Information Systems Controls


Information Systems Audit and Control Foundation

1 Information: needs to conform to certain criteria that COBIT refers to as business requirements for information

2 IT resources: people, application systems, technology, facilities, and data

3 IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring

Page 26: Computer-Based Information Systems Controls


Learning Objective 3

Describe the major elements in the control environment of a business organization.

Page 27: Computer-Based Information Systems Controls


The Control Environment

The first component of COSO’s internal control model is the control environment.

The control environment consists of many factors, including the following:
1 Commitment to integrity and ethical values
2 Management's philosophy and operating style
3 Organizational structure

Page 28: Computer-Based Information Systems Controls


The Control Environment

4 The audit committee of the board of directors

5 Methods of assigning authority and responsibility

6 Human resources policies and practices

7 External influences

Page 29: Computer-Based Information Systems Controls


Learning Objective 4

Describe control policies and procedures commonly used in business organizations.

Page 30: Computer-Based Information Systems Controls


Control Activities

The second component of COSO’s internal control model is control activities.

Generally, control procedures fall into one of five categories:
1 Proper authorization of transactions and activities
2 Segregation of duties

Page 31: Computer-Based Information Systems Controls


Control Activities

3 Design and use of adequate documents and records

4 Adequate safeguards of assets and records

5 Independent checks on performance

Page 32: Computer-Based Information Systems Controls


Proper Authorization of Transactions and Activities

Authorization is the empowerment management gives employees to perform activities and make decisions.

A signature on a document records who granted the authorization. In a computer system a digital signature serves this purpose: a piece of data computed over the document that cannot be produced without the signer's private key, so it authenticates the approver and binds the approval to the specific contents signed. A biometric such as a fingerprint identifies the person but does not by itself bind them to a particular document.

Specific authorization is the granting of authorization by management for certain activities or transactions.

Page 33: Computer-Based Information Systems Controls


Segregation of Duties

Good internal control demands that no single employee be given too much responsibility.

An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.

Page 34: Computer-Based Information Systems Controls


Segregation of Duties

Recording functions:
– preparing source documents
– maintaining journals
– preparing reconciliations
– preparing performance reports

Custodial functions:
– handling cash
– handling assets
– writing checks
– receiving checks in the mail

Authorization functions:
– authorization of transactions

Page 35: Computer-Based Information Systems Controls


Segregation of Duties

If two of these three functions are the responsibility of a single person, problems can arise.

Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.

It also prevents the authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.

Page 36: Computer-Based Information Systems Controls


Segregation of Duties

Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
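The three-way incompatibility above can be checked mechanically against an access-control export. The following is an added example, not code from the slides: it maps each system entitlement to one of the chapter's three function classes (recording, custodial, authorization) and flags any user whose entitlements span two or more of them. The entitlement names, the mapping and the access export are constructed for a purchasing / accounts-payable system.

```python
"""Segregation-of-duties check over an access-entitlement export.

Added example, not from the slides.  Entitlement names, the mapping to
function classes and the sample export are constructed.
"""
from collections import defaultdict

# Which of the three incompatible function classes each entitlement belongs to.
FUNCTION_OF_ENTITLEMENT = {
    "ap.enter_invoice":      "recording",       # preparing source documents
    "gl.post_journal":       "recording",       # maintaining journals
    "bank.reconcile":        "recording",       # preparing reconciliations
    "treasury.print_check":  "custodial",       # writing checks
    "treasury.sign_check":   "custodial",
    "inventory.receive":     "custodial",       # handling assets
    "purchasing.approve_po": "authorization",   # authorization of transactions
    "vendor.approve_new":    "authorization",
}

def functions_held(entitlements, mapping=FUNCTION_OF_ENTITLEMENT):
    """Return the set of function classes spanned by a user's entitlements.
    Entitlements not in the mapping (reporting, read-only) are ignored."""
    return {mapping[e] for e in entitlements if e in mapping}

def sod_conflicts(assignments, mapping=FUNCTION_OF_ENTITLEMENT):
    """assignments: iterable of (user, entitlement) pairs, as exported from an
    access-review report.  Returns {user: sorted function classes} for every
    user who holds two or more of the three classes."""
    per_user = defaultdict(set)
    for user, entitlement in assignments:
        per_user[user].add(entitlement)
    conflicts = {}
    for user, ents in per_user.items():
        classes = functions_held(ents, mapping)
        if len(classes) >= 2:
            conflicts[user] = sorted(classes)
    return conflicts

# Constructed access export.
SAMPLE_ASSIGNMENTS = [
    ("alice", "ap.enter_invoice"),
    ("alice", "gl.post_journal"),
    ("alice", "treasury.sign_check"),    # recording + custodial: can pay and conceal
    ("bob",   "purchasing.approve_po"),
    ("bob",   "vendor.approve_new"),
    ("bob",   "ap.enter_invoice"),       # authorization + recording: can approve a
                                         # fictitious vendor and record its invoices
    ("carol", "ap.enter_invoice"),
    ("carol", "bank.reconcile"),         # two recording entitlements: same class,
                                         # no conflict under the three-class model
    ("carol", "reports.view"),           # not in the mapping: ignored
]

if __name__ == "__main__":
    for user, classes in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: holds {' + '.join(classes)}")
```

The mapping is the part that needs judgement: every entitlement that lets someone create or alter a record, move an asset, or approve a transaction has to be classified, and an unclassified entitlement is silently ignored, so the review should start from the full entitlement catalogue rather than from the users.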

Page 37: Computer-Based Information Systems Controls


Design and Use of Adequate Documents and Records

The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.

Documents that initiate a transaction should contain a space for authorization.

Page 38: Computer-Based Information Systems Controls


Adequate Safeguards of Assets and Records

The following procedures safeguard assets from theft, unauthorized use, and vandalism:
– effectively supervising and segregating duties
– maintaining accurate records of assets, including information
– restricting physical access to cash and paper assets
– having restricted storage areas

Page 39: Computer-Based Information Systems Controls


Adequate Safeguards of Assets and Records

What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer files, and information

Page 40: Computer-Based Information Systems Controls


Independent Checks on Performance

Independent checks that transactions are processed accurately are another important control element.

Page 41: Computer-Based Information Systems Controls


Independent Checks on Performance

What are various types of independent checks?
– reconciliation of two independently maintained sets of records
– comparison of actual quantities with recorded amounts
– double-entry accounting
– batch totals

Page 42: Computer-Based Information Systems Controls


Independent Checks on Performance

Five batch totals are used in computer systems:
1 A financial total is the sum of a dollar field.
2 A hash total is the sum of a field that would usually not be added, such as vendor or account numbers; it detects a changed or transposed identifier that leaves the financial total unchanged.

Page 43: Computer-Based Information Systems Controls


Independent Checks on Performance

3 A record count is the number of documents processed.

4 A line count is the number of lines of data entered.

5 A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
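The five totals work together: each one catches a different kind of keying or processing error, and the one that disagrees localises the problem. The block below is an added example, not code from the slides. It computes the totals over a batch of keyed vendor-invoice records, compares them with a control slip the clerk prepared independently from the paper documents, and shows which total catches a transposed vendor number and which catch a miskeyed amount. The record layout, the batch and the control slip are constructed.

```python
"""Batch control totals over a batch of keyed vendor-invoice records.

Added example, not from the slides.  Record layout, sample batch and the
clerk's control slip are constructed.
"""
from decimal import Decimal

def batch_totals(records):
    """records: dicts with vendor_no (int), amount (Decimal, the keyed invoice
    total) and lines (list of Decimal detail-line amounts)."""
    return {
        # financial total: sum of a dollar field
        "financial": sum((r["amount"] for r in records), Decimal("0")),
        # hash total: sum of a field that has no meaning as a sum; a transposed
        # or substituted vendor number changes it while the financial total
        # stays the same
        "hash": sum(r["vendor_no"] for r in records),
        # record count: number of documents keyed
        "records": len(records),
        # line count: number of detail lines keyed
        "lines": sum(len(r["lines"]) for r in records),
    }

def cross_foot(records):
    """Cross-footing balance test: the grand total of the keyed invoice totals
    (rows) must equal the grand total of all keyed detail lines (columns),
    each computed independently of the other."""
    row_grand_total = sum((r["amount"] for r in records), Decimal("0"))
    column_grand_total = sum((amt for r in records for amt in r["lines"]), Decimal("0"))
    return row_grand_total == column_grand_total

def check_batch(records, control_slip):
    """Return the names of the totals that disagree with the control slip, plus
    "cross_foot" if the batch does not cross-foot.  An empty list means the
    batch reconciles and can be released for processing."""
    computed = batch_totals(records)
    failed = [name for name, expected in control_slip.items() if computed[name] != expected]
    if not cross_foot(records):
        failed.append("cross_foot")
    return failed

# Constructed batch as keyed by the clerk: three invoices, six detail lines.
SAMPLE_BATCH = [
    {"vendor_no": 1041, "amount": Decimal("1250.00"),
     "lines": [Decimal("1000.00"), Decimal("250.00")]},
    {"vendor_no": 2077, "amount": Decimal("380.50"),
     "lines": [Decimal("380.50")]},
    {"vendor_no": 3090, "amount": Decimal("2019.99"),
     "lines": [Decimal("1500.00"), Decimal("400.00"), Decimal("119.99")]},
]
# Control slip prepared from the paper invoices before keying.
CONTROL_SLIP = {"financial": Decimal("3650.49"), "hash": 6208, "records": 3, "lines": 6}

# Two constructed keying errors.  Vendor 2077 keyed as 2707: only the hash
# total catches it.  Invoice total 1250.00 keyed as 1520.00: the financial
# total and the cross-footing test both catch it.
TRANSPOSED_VENDOR = [dict(r, vendor_no=2707) if r["vendor_no"] == 2077 else r
                     for r in SAMPLE_BATCH]
MISKEYED_AMOUNT = [dict(r, amount=Decimal("1520.00")) if r["vendor_no"] == 1041 else r
                   for r in SAMPLE_BATCH]

if __name__ == "__main__":
    for label, batch in [("as keyed", SAMPLE_BATCH),
                         ("transposed vendor", TRANSPOSED_VENDOR),
                         ("miskeyed amount", MISKEYED_AMOUNT)]:
        print(f"{label}: {check_batch(batch, CONTROL_SLIP) or 'reconciles'}")
```

The control slip is only an independent check if it is produced by someone other than the person keying the batch, from the source documents rather than from the keyed data; totals recomputed from the same file they are meant to verify prove nothing.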

Page 44: Computer-Based Information Systems Controls


Learning Objective 5

Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.

Page 45: Computer-Based Information Systems Controls


Risk Assessment

The third component of COSO’s internal control model is risk assessment.

Companies must identify the threats they face:
– strategic: doing the wrong thing
– financial: having financial resources lost, wasted, or stolen
– information: faulty or irrelevant information, or unreliable systems

Page 46: Computer-Based Information Systems Controls


Risk Assessment

Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
1 Choosing an inappropriate technology
2 Unauthorized system access
3 Tapping into data transmissions
4 Loss of data integrity

Page 47: Computer-Based Information Systems Controls


Risk Assessment

5 Incomplete transactions
6 System failures
7 Incompatible systems

Page 48: Computer-Based Information Systems Controls


Risk Assessment

Some threats pose a greater risk because the probability of their occurrence is higher. For example:

A company is more likely to be the victim of computer fraud than of a terrorist attack.

Risk and exposure must be considered together.

Page 49: Computer-Based Information Systems Controls


Learning Objective 6

Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

Page 50: Computer-Based Information Systems Controls


Estimate Cost and Benefits

No internal control system can provide foolproof protection against all internal control threats.

The cost of a foolproof system would be prohibitively high.

One way to calculate benefits involves calculating expected loss.

Page 51: Computer-Based Information Systems Controls


Estimate Cost and Benefits

Expected loss = risk × exposure, where risk is the probability that the threat occurs and exposure is the dollar loss if it does.

The benefit of a control procedure is the difference between the expected loss without the control procedure(s) and the expected loss with it; the control is worth implementing only if that benefit exceeds its cost.

Page 52: Computer-Based Information Systems Controls


Information and Communication

The fourth component of COSO’s internal control model is information and communication.

Page 53: Computer-Based Information Systems Controls


Information and Communication

Accountants must understand the following:
1 How transactions are initiated
2 How data are captured in machine-readable form or converted from source documents
3 How computer files are accessed and updated
4 How data are processed to prepare information
5 How information is reported

Page 54: Computer-Based Information Systems Controls


Information and Communication

All of these items make it possible for the system to have an audit trail. An audit trail exists when individual company transactions can be traced through the system.
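Tracing a transaction through the system is exactly what Jason was asked to do in the opening case, and it can be automated when the requisition, purchase-order, receiving, invoice and payment files are available. The block below is an added example, not code from the slides: it traces each payment back to the documents that should support it and reports the exceptions (an invoice paid with no supporting documents, an order with no requisition, nothing received against an order, a price well above what was authorized). The record layouts, document numbers and the 5% price tolerance are assumptions; amounts are whole dollars.

```python
"""Tracing payments back through the purchasing audit trail.

Added example, not from the slides.  File extracts, record layouts, document
numbers and the price tolerance are constructed assumptions.
"""

def trace_payment(payment, invoices, receipts, orders, requisitions, tolerance=0.05):
    """Trace one payment: check -> vendor invoice -> purchase order ->
    receiving report and requisition.  Returns a list of exception codes;
    an empty list means the trail is complete and the amounts agree."""
    codes = []
    inv = invoices.get(payment["invoice_no"])
    if inv is None:
        return ["no_invoice"]              # paid with no supporting document at all
    if inv["amount"] != payment["amount"]:
        codes.append("amount_mismatch")    # check does not agree with the invoice
    po = orders.get(inv["po_no"])
    if po is None:
        codes.append("no_po")              # invoice references no authorized order
        return codes                       # nothing further to trace
    if po["vendor"] != inv["vendor"]:
        codes.append("vendor_mismatch")    # billed by someone the order was not placed with
    if not any(r["po_no"] == po["no"] for r in receipts):
        codes.append("not_received")       # paid without a receiving report
    if inv["amount"] > po["amount"] * (1 + tolerance):
        codes.append("over_po")            # price above what was authorized
    if po["requisition_no"] not in requisitions:
        codes.append("no_requisition")     # order placed without a requisition
    return codes

def audit_payments(payments, invoices, receipts, orders, requisitions):
    """Return {check_no: exception codes} for every payment with an exception."""
    findings = {}
    for p in payments:
        codes = trace_payment(p, invoices, receipts, orders, requisitions)
        if codes:
            findings[p["check_no"]] = codes
    return findings

# Constructed file extracts.
REQUISITIONS = {"R-101", "R-102"}                      # R-199 was never filed
ORDERS = {
    "PO-501": {"no": "PO-501", "vendor": "V-10", "amount": 4000, "requisition_no": "R-101"},
    "PO-502": {"no": "PO-502", "vendor": "V-20", "amount": 1500, "requisition_no": "R-102"},
    "PO-503": {"no": "PO-503", "vendor": "V-30", "amount": 9000, "requisition_no": "R-199"},
}
RECEIPTS = [
    {"no": "RR-901", "po_no": "PO-501"},
    {"no": "RR-902", "po_no": "PO-503"},                # nothing received against PO-502
]
INVOICES = {
    "INV-1": {"no": "INV-1", "vendor": "V-10", "po_no": "PO-501", "amount": 4000},
    "INV-2": {"no": "INV-2", "vendor": "V-20", "po_no": "PO-502", "amount": 1500},
    "INV-3": {"no": "INV-3", "vendor": "V-30", "po_no": "PO-503", "amount": 11700},  # 30% above the order
}
PAYMENTS = [
    {"check_no": "CK-1", "invoice_no": "INV-1", "amount": 4000},    # fully supported
    {"check_no": "CK-2", "invoice_no": "INV-2", "amount": 1500},    # no receiving report
    {"check_no": "CK-3", "invoice_no": "INV-3", "amount": 11700},   # over order, no requisition
    {"check_no": "CK-4", "invoice_no": "INV-9", "amount": 800},     # no invoice on file
]

if __name__ == "__main__":
    findings = audit_payments(PAYMENTS, INVOICES, RECEIPTS, ORDERS, REQUISITIONS)
    for check_no, codes in findings.items():
        print(f"{check_no}: {', '.join(codes)}")
```

The check is only as good as the independence of the files it reads: if the same person who approves payments can also create receiving reports or requisitions after the fact, the trail can be completed retroactively, which is why this check is paired with the segregation of duties discussed earlier rather than a substitute for it.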

Page 55: Computer-Based Information Systems Controls


Monitoring Performance

The fifth component of COSO’s internal control model is monitoring.

What are the key methods of monitoring performance?
– effective supervision
– responsibility accounting
– internal auditing

Page 56: Computer-Based Information Systems Controls


Case Conclusion

What happened to Jason's report? A high-level internal audit team was dispatched to Montana.

The team discovered that the problems identified by Jason occurred almost exclusively in transactions with three large vendors from whom Springer's had purchased several million dollars of inventory.

Page 57: Computer-Based Information Systems Controls


Case Conclusion

One of the Springers held a significant ownership interest in each of these three companies.

They also found evidence that several of Springer’s employees were paid for more hours than documented by timekeeping, and that inventories were overstated.

Northwest settled the case with the Springers.

Page 58: Computer-Based Information Systems Controls


End of Topic