CHAPTER 6
Control and Accounting Information Systems
• Questions to be addressed in this chapter:
– What are the basic internal control concepts, and why are
computer control and security important?
– What is the difference between the COBIT, COSO, and ERM
control frameworks?
– What are the major elements in the internal environment of
a company?
– What are the four types of control objectives that
companies need to set?
– What events affect uncertainty, and how can they be identified?
– How is the Enterprise Risk Management model used to
assess and respond to risk?
– What control activities are commonly used in companies?
– How do organizations communicate information and
monitor control processes?
• Control risks have increased in the last few years because:
• There are computers and servers everywhere, and information is available to an unprecedented number of workers.
• Distributed computer networks make data available to many users, and these networks are harder to control than
centralized mainframe systems.
• Wide area networks are giving customers and suppliers access to each other’s systems and data, making
confidentiality a major concern.
• Historically, many organizations have not adequately
protected their data due to one or more of the
following reasons:
– Computer control problems are often underestimated and downplayed.
– Control implications of moving from centralized, host-based
computer systems to those of a networked system or Internet-based system are not always fully understood.
– Companies have not realized that data is a strategic
resource and that data security must be a strategic requirement.
– Productivity and cost pressures may motivate management
to forego time-consuming control measures.
• Some vocabulary terms for this chapter:
– A threat is any potential adverse occurrence or unwanted
event that could injure the AIS or the organization.
– The exposure or impact of the threat is the potential dollar
loss that would occur if the threat becomes a reality.
– The likelihood is the probability that the threat will occur.
– Impact multiplied by likelihood gives the expected loss from a threat, which is what the cost of a control to reduce it is weighed against.
• Companies are now recognizing the problems and
taking positive steps to achieve better control, including:
• Devoting full-time staff to security and control concerns.
• Educating employees about control measures.
• Establishing and enforcing formal information security policies.
• Making controls a part of the applications development process.
• Moving sensitive data to more secure environments.
• To use IT in achieving control objectives,
accountants must:
– Understand how to protect systems from threats.
– Have a good understanding of IT and its capabilities and
risks.
• Achieving adequate security and control over the
information resources of an organization should be a top management priority.
• Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
– Computer processing may reduce clerical errors but increase the risk of unauthorized access to or modification of data files.
– Segregation of duties must be achieved differently in an AIS.
– Computers provide opportunities to enhance some internal controls.
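Segregation of duties in a computer-based AIS is enforced through role assignments and transaction-time rules rather than by physically separating desks. The following Python is an added example, not part of the chapter: it checks users' combined role assignments against a matrix of functions that must be kept apart (authorization, recording, custody), and then applies a maker-checker rule when a payment is approved. The roles, functions, users, conflict pairs and invoice are constructed sample data.

```python
"""Segregation-of-duties (SoD) checks for a computer-based AIS.

Two layers:
  1. Static: find users whose combined role assignments grant a pair of
     functions that must be kept apart (e.g. authorizing and recording).
  2. Dynamic (maker-checker): refuse to let the person who entered a
     transaction also approve it, even if their roles would allow it.
All role names, functions, users and conflict pairs below are constructed.
"""
from itertools import combinations

# Pairs of functions a single person must not hold together.
# Classic AIS split: authorization / recording / custody.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"post_journal", "reconcile_bank"}),
    frozenset({"maintain_users", "approve_payment"}),  # IT admin vs business approval
}

# Role -> set of system functions it grants (constructed).
ROLES = {
    "ap_clerk":      {"enter_invoice", "create_vendor"},
    "ap_manager":    {"approve_payment"},
    "gl_accountant": {"post_journal"},
    "treasury":      {"reconcile_bank"},
    "sysadmin":      {"maintain_users"},
}

# User -> roles assigned (constructed). Each role is clean on its own;
# the conflicts only appear when two roles are combined.
USERS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_manager"},
    "carol": {"gl_accountant", "treasury"},
    "dave":  {"sysadmin", "ap_manager"},
    "erin":  {"ap_manager"},
}


def effective_functions(user, users=USERS, roles=ROLES):
    """Union of the functions granted by every role the user holds."""
    funcs = set()
    for role in users[user]:
        funcs |= roles[role]
    return funcs


def find_sod_violations(users=USERS, roles=ROLES, conflicts=CONFLICTS):
    """Return sorted (user, func_a, func_b) tuples for each conflict a user holds.

    The check runs on the *effective* permission set, so a conflict that
    arises only from combining two individually clean roles is still caught.
    """
    violations = []
    for user in users:
        funcs = effective_functions(user, users, roles)
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, b))
    return sorted(violations)


def can_approve(approver, invoice, users=USERS, roles=ROLES):
    """Maker-checker control applied at transaction time.

    Returns (allowed, reason). Even a user who holds approve_payment may
    not approve an invoice they entered themselves.
    """
    if "approve_payment" not in effective_functions(approver, users, roles):
        return False, "approver lacks approve_payment"
    if invoice["entered_by"] == approver:
        return False, "maker cannot be checker"
    return True, "ok"


if __name__ == "__main__":
    for v in find_sod_violations():
        print("SoD violation:", v)
    inv = {"id": "INV-1001", "entered_by": "bob", "amount": 4200.00}  # constructed
    print(can_approve("bob", inv))   # denied: bob entered it
    print(can_approve("erin", inv))  # allowed
```

The static check is what an auditor would run against the user/role export of an ERP; the dynamic check is the application-level control that catches the case the static matrix cannot express (the same person on both sides of one transaction).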
• One of the primary objectives of an AIS is to
control a business organization.
– Accountants must help by designing effective control
systems and auditing or reviewing control systems already in place to ensure their effectiveness.
• Management expects accountants to be control
• It is much easier to build controls into a system
during the initial stage than to add them after the
fact.
• Consequently, accountants and control experts
should be members of the teams that develop or
modify information systems.
OVERVIEW OF CONTROL CONCEPTS
• Companies must react quickly to changing conditions and markets, including steps to:
– Hire creative and innovative employees.
– Give these employees power and flexibility to:
• Satisfy changing customer demands;
• Pursue new opportunities to add value to the organization; and
• Implement process improvements.
• They must also maintain control systems so they are not exposed to excessive risks or behaviors that could harm their reputation for honesty and integrity.
• Internal control is the process implemented by the
board of directors, management, and those under
their direction to provide reasonable assurance that
the following control objectives are achieved:
– Assets (including data) are safeguarded.
• This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
– Records are maintained in sufficient detail to accurately and fairly reflect company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are prepared in accordance with GAAP.
– Operational efficiency is promoted and improved.
• This objective includes ensuring that company receipts and expenditures are made in accordance with management's and directors' authorizations.
– Adherence to prescribed managerial policies is encouraged.
– The organization complies with applicable laws and regulations.
• Internal control is a process:
– It permeates an organization's operating activities.
– It is an integral part of basic management activities.
• Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.
• Internal control systems have inherent limitations, including:
– They are susceptible to errors and poor decisions.
– They can be overridden by management or by collusion of two or more employees.
• Control objectives can conflict with each other.
– EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.
• Internal controls perform three important functions:
– Preventive controls
• Deter problems before they arise.
– Detective controls
• Discover problems quickly when they do arise.
– Corrective controls
• Remedy problems that have occurred by:
– Identifying the cause;
– Correcting the resulting errors; and
– Modifying the system to prevent future problems of this sort.
• Internal controls are often classified as:
– General controls
• Those designed to make sure an organization's control environment is stable and well managed.
• They apply to all sizes and types of systems.
• Examples: Security management controls.
– Application controls
• Prevent, detect, and correct transaction errors and fraud.
• Concerned with the accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
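The four properties an application control protects (accuracy, completeness, validity, authorization) each correspond to a concrete input check. The Python below is an added example, not part of the chapter: it validates a purchase transaction with field, sign, range, date and master-file checks plus an approval-limit check, and computes the batch control totals (record count, financial total, hash total) used to detect lost or altered records. The vendor and GL master data, approval limits and the sample batch are constructed.

```python
"""Application (input) controls over a purchase transaction.

Each check maps to one property from the slide:
  completeness  - required fields present; batch record count agrees
  accuracy      - numeric format, sign and decimal checks, date reasonableness,
                  batch financial and hash totals
  validity      - vendor and GL account exist in the master files
  authorization - amount within the entering user's approval limit
All master-file entries, limits and sample transactions are constructed.
"""
from datetime import date
from decimal import Decimal, InvalidOperation

VENDORS = {"V100", "V101", "V205"}                       # constructed vendor master
GL_ACCOUNTS = {"5010", "5020", "6100"}                   # constructed chart of accounts
APPROVAL_LIMITS = {"alice": Decimal("5000"), "erin": Decimal("50000")}
REQUIRED = ("txn_id", "vendor_id", "gl_account", "amount", "txn_date", "user")


def validate_transaction(tx, today=date(2024, 6, 30)):
    """Return a list of (control, message) failures; an empty list means accepted."""
    errors = []
    # completeness: field check on required attributes
    missing = [f for f in REQUIRED if not tx.get(f)]
    if missing:
        errors.append(("completeness", f"missing fields: {', '.join(missing)}"))
        return errors  # further checks would be meaningless
    # accuracy: amount must be numeric, positive, and carry at most 2 decimals
    try:
        amount = Decimal(str(tx["amount"]))
    except InvalidOperation:
        errors.append(("accuracy", "amount is not numeric"))
        amount = None
    if amount is not None:
        if amount <= 0:
            errors.append(("accuracy", "sign check: amount must be positive"))
        if amount != amount.quantize(Decimal("0.01")):
            errors.append(("accuracy", "amount has more than 2 decimal places"))
    # accuracy: date must be a real ISO date and not in the future
    try:
        if date.fromisoformat(tx["txn_date"]) > today:
            errors.append(("accuracy", "transaction date is in the future"))
    except ValueError:
        errors.append(("accuracy", "txn_date is not YYYY-MM-DD"))
    # validity: master-file lookups
    if tx["vendor_id"] not in VENDORS:
        errors.append(("validity", f"unknown vendor {tx['vendor_id']}"))
    if tx["gl_account"] not in GL_ACCOUNTS:
        errors.append(("validity", f"unknown GL account {tx['gl_account']}"))
    # authorization: limit check against the user's approval limit
    limit = APPROVAL_LIMITS.get(tx["user"])
    if limit is None:
        errors.append(("authorization", f"user {tx['user']} has no approval limit"))
    elif amount is not None and amount > limit:
        errors.append(("authorization", f"amount exceeds {tx['user']}'s limit of {limit}"))
    return errors


def batch_totals(txs):
    """Batch control totals: record count, financial total, and a hash total
    of the numeric part of the vendor ids. Compared with totals prepared by
    the sender to detect lost, duplicated or altered records in transit."""
    financial = sum(Decimal(str(t.get("amount", 0))) for t in txs)
    hash_total = sum(
        int("".join(ch for ch in str(t.get("vendor_id", "")) if ch.isdigit()) or 0)
        for t in txs
    )
    return {"record_count": len(txs), "financial_total": financial, "hash_total": hash_total}


def batch_reconciles(txs, expected):
    """True when the recomputed totals match the sender's control totals."""
    return batch_totals(txs) == expected


# Constructed sample batch: one clean record, one with several defects, one over limit.
BATCH = [
    {"txn_id": "T1", "vendor_id": "V100", "gl_account": "5010", "amount": "1200.00",
     "txn_date": "2024-06-28", "user": "alice"},
    {"txn_id": "T2", "vendor_id": "V999", "gl_account": "5010", "amount": "-40.00",
     "txn_date": "2024-07-15", "user": "alice"},   # unknown vendor, negative, future-dated
    {"txn_id": "T3", "vendor_id": "V205", "gl_account": "6100", "amount": "12000.00",
     "txn_date": "2024-06-29", "user": "alice"},   # exceeds alice's approval limit
]

if __name__ == "__main__":
    for t in BATCH:
        print(t["txn_id"], validate_transaction(t) or "accepted")
    print(batch_totals(BATCH))
```

Note that the record-level checks and the batch totals catch different failures: a well-formed record that was silently dropped between systems passes every field check and is only noticed when the record count or financial total disagrees with the sender's figures.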
• An effective system of internal controls should exist
• An effective system of internal controls should exist
in all organizations to:
– Help them achieve their missions and goals.
– Minimize surprises.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• In 1977, Congress passed the Foreign Corrupt
Practices Act, and to the surprise of the profession,
this act incorporated language from an AICPA
pronouncement.
• The primary purpose of the act was to prevent the
bribery of foreign officials to obtain business.
• A significant effect was to require that corporations
maintain good systems of internal accounting control.
– Generated significant interest among management,
accountants, and auditors in designing and evaluating internal control systems.
– The resulting internal control improvements weren’t sufficient.
• In the late 1990s and early 2000s, a series of
multi-million-dollar accounting frauds made headlines.
– The impact on financial markets was substantial, and
Congress responded with passage of the Sarbanes-Oxley
Act of 2002 (aka, SOX)
• Applies to publicly held companies and their auditors.
• The intent of SOX is to:
– Prevent financial statement fraud
– Make financial reports more transparent
– Protect investors
– Strengthen internal controls in publicly-held companies
– Punish executives who perpetrate fraud
• SOX has had a material impact on the way boards of
directors, management, and accountants operate.
• Important aspects of SOX include:
– Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
• Has five members, three of whom cannot be CPAs.
• Charges fees to firms to fund the PCAOB.
• Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports.
• Currently recognizes FASB statements as being generally accepted.
– New rules for auditors
• They must report specific information to the company's audit committee, such as:
– Critical accounting policies and practices
– Alternative GAAP treatments
– Auditor-management disagreements
• Audit partners must be rotated periodically.
• Auditors cannot perform certain non-audit services, such as:
– Bookkeeping
– Information systems design and implementation
– Internal audit outsourcing services
– Management functions
– Human resource services
• Permissible non-audit services must be approved by the audit committee of the board of directors and disclosed to investors.
• Cannot audit a company if a member of top management was employed by the auditor and worked on the company's audit in the past 12 months.
– New rules for audit committees
• Members must be on the company's board of directors and must otherwise be independent of the company.
• One member must be a financial expert.
• The committee hires, compensates, and oversees the auditors, and the auditors report directly to the committee.
– New rules for management
• The CEO and CFO must certify that:
– The financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
– Management is responsible for internal controls.
– The auditors were advised of any material internal control weaknesses or fraud.
– Any significant changes to controls after management's evaluation were disclosed and corrected.
• If management willfully and knowingly violates the certification, they can be:
– Imprisoned up to 20 years
– Fined up to $5 million
• Management and directors cannot receive loans that would not be available to people outside the company.
• They must disclose on a rapid and current basis material changes to their financial condition.
– New internal control requirements
• Section 404 of SOX requires companies to issue a report accompanying the financial statements that:
– States management is responsible for establishing and maintaining an adequate internal control structure and procedures.
– Contains management's assessment of the company's internal controls.
– Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.
• SOX also requires that the auditor attest to and report on management's internal control assessment.
• Each audit report must describe the scope of the auditor's internal control tests.
• After SOX was passed, the SEC mandated that:
– Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
– The report must contain a statement identifying the framework used.
– Management must disclose any and all material internal control weaknesses.
– Management cannot conclude that the company has effective internal control if there are any material weaknesses.
• Levers of control
– Many people feel there is a basic conflict between creativity and controls.
– Robert Simons has espoused four levers of control to help companies reconcile this conflict:
• A concise belief system
– Communicates company core values to employees and inspires them to live by those values.
– Draws attention to how the organization creates value.
– Helps employees understand management's intended direction.
– Must be broad enough to appeal to all levels.