Control and Accounting Information Systems

Chapter 7

Copyright © 2015 Pearson Education, Inc.

7-1
 Learning Objectives

• Explain basic control concepts and why computer control and security are important.

• Compare and contrast the COBIT, COSO, and ERM control frameworks.

• Describe the major elements in the internal environment of a company.

• Describe the four types of control objectives that companies need to set.

• Describe the events that affect uncertainty and the techniques used to identify them.

• Explain how to assess and respond to risk using the Enterprise Risk Management model.

• Describe control activities commonly used in companies.

• Describe how to communicate information and monitor control processes in

organizations.
Copyright © 2015 Pearson Education, Inc.
7-2
 Why Is Control Needed?
• Any potential adverse occurrence or unwanted event
that could be injurious to either the accounting
information system or the organization is referred to as
a threat (ancaman) or an event.

• The potential dollar loss should a particular threat

become a reality is referred to as the exposure
(paparan) or impact (dampak) of the threat.

• The probability that the threat will happen is the

likelihood (kemungkinan) associated with the threat
Copyright © 2015 Pearson Education, Inc.
7-3
 A Primary Objective of an AIS

• Is to control the organization so the organization

can achieve its objectives

• Management expects accountants to:

▫ Take a proactive approach to eliminating system
threats.
▫ Detect, correct, and recover from threats when
they occur.

Copyright © 2015 Pearson Education, Inc.

7-4
 Internal Controls
• Processes implemented to provide assurance
that the following objectives are achieved:
▫ Safeguard assets
▫ Maintain sufficient records
▫ Provide accurate and reliable information
▫ Prepare financial reports according to established
criteria
▫ Promote and improve operational efficiency
▫ Encourage adherence (ketaatan) with
management policies
▫ Comply with laws and regulations
Copyright © 2015 Pearson Education, Inc.
7-5
 Functions of Internal Controls

• Preventive controls
▫ Deter problems from occurring
• Detective controls
▫ Discover problems that are not prevented
• Corrective controls
▫ Identify and correct problems; correct and recover
from the problems

Copyright © 2015 Pearson Education, Inc.

7-6
 Control Frameworks
• COBIT
▫ Framework for IT control
• COSO
▫ Framework for enterprise internal controls
(control-based approach)
• COSO-ERM
▫ Expands COSO framework taking a risk-based
approach

Copyright © 2015 Pearson Education, Inc.

7-7
 COBIT Framework
Control Objective for Information and Related Technolgy

• Current framework version is COBIT5

• Based on the following principles:
▫ Meeting stakeholder needs
▫ Covering the enterprise end-to-end
▫ Applying a single, integrated framework
▫ Enabling a holistic approach
▫ Separating governance from management

Copyright © 2015 Pearson Education, Inc.

7-8
 COBIT5 Separates Governance from
Management

Copyright © 2015 Pearson Education, Inc.

7-9
 Components of COSO Frameworks
Committee of Sponsoring Organization

COSO COSO-ERM
(Enterprise Risk Management)

• Control (internal) • Internal environment

environment • Objective setting
• Risk assessment • Event identification
• Control activities • Risk assessment
• Information and • Risk response
communication • Control activities
• Monitoring • Information and
communication
• Monitoring
Copyright © 2015 Pearson Education, Inc.
7-10
 Internal Environment
• Management’s philosophy, operating style, and
risk appetite
• Commitment to integrity, ethical values, and
competence
• Internal control oversight by Board of Directors
• Organizing structure
• Methods of assigning authority and
responsibility
• Human resource standards

Copyright © 2015 Pearson Education, Inc.

7-11
 Objective Setting

• Strategic objectives
▫ High-level goals
• Operations objectives
▫ Effectiveness and efficiency of operations
• Reporting objectives
▫ Improve decision making and monitor
performance
• Compliance objectives
▫ Compliance with applicable laws and regulations
Copyright © 2015 Pearson Education, Inc.
7-12
 Event Identification
Identifying incidents both external and internal to
the organization that could affect the achievement
of the organizations objectives
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?

Copyright © 2015 Pearson Education, Inc.

7-13
 Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
▫ Probability that the event will occur
• Impact
▫ Estimate potential loss if event occurs

Types of risk
• Inherent
▫ Risk that exists before plans are made to control it
• Residual
▫ Risk that is left over after you control it
Copyright © 2015 Pearson Education, Inc.
7-14
 Risk Response

• Reduce
▫ Implement effective internal control
• Accept
▫ Do nothing, accept likelihood and impact of risk
• Share
▫ Buy insurance, outsource, or hedge
• Avoid
▫ Do not engage in the activity

Copyright © 2015 Pearson Education, Inc.

7-15
 Control Activities

• Proper authorization of transactions and

activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance

Copyright © 2015 Pearson Education, Inc.

7-16
 Segregation of Duties

Copyright © 2015 Pearson Education, Inc.

7-17
 Monitoring
• Perform internal control evaluations (e.g., internal
audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal,
network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement
Copyright fraud
© 2015 Pearson Education, Inc. hotline
7-18
 Key Terms
• Threat or Event • Foreign Corrupt Practices Act
• Exposure or impact (FCPA)
• Likelihood • Sarbanes-Oxley Act (SOX)
• Internal controls • Public Company Accounting
• Preventive controls Oversight Board (PCAOB)
• Detective controls • Control Objectives for
• Corrective controls Information and Related
Technology (COBIT)
• General controls
• Committee of Sponsoring
• Application controls
Organizations (COSO)
• Belief system
• Internal control-integrated
• Boundary system framework (IC)
• Diagnostic control system • Enterprise Risk Management
• Interactive control system Integrated Framework (ERM)
• Audit committee • Internal environment
Copyright © 2015 Pearson Education, Inc.
7-19
 Key Terms (continued)
• Risk appetite • Specific authorization
• Policy and procedures manual • General authorization
• Background check • Segregation of accounting
• Strategic objectives duties
• Operations objectives • Collusion
• Reporting objectives • Segregation of systems duties
• Compliance objectives • Systems administrator
• Event • Network manager
• Inherent risk • Security management
• Residual risk • Change management
• Expected loss • Users
• Control activities • Systems analysts
• Authorization • Programmers
• Digital signature • Computer operators
Copyright © 2015 Pearson Education, Inc. • Information system library 7-20
 Key Terms (continued)
• Data control group • Postimplementation review
• Steering committee • Systems integrator
• Strategic master plan • Analytical review
• Project development plan • Audit trail
• Project milestones • Computer security officer
• Data processing schedule (CSO)
• • Chief compliance officer (CCO)
System performance
measurements • Forensic investigators
• Throughput • Computer forensics specialists
• Utilization • Neural networks
• Response time • Fraud hotline

Copyright © 2015 Pearson Education, Inc.

7-21