Bài giảng Romney_ais13 - Chapter 7: Control and Accounting Information Systems

Control and Accounting Information SystemsChapter 77-1Learning ObjectivesExplain basic control concepts and why computer control and security are important.Compare and contrast the COBIT, COSO, and ERM control frameworks.Describe the major elements in the internal environment of a company.Describe the four types of control objectives that companies need to set.Describe the events that affect uncertainty and the techniques used to identify them.Explain how to assess and respond to risk using the Enterprise Risk Management model.Describe control activities commonly used in companies.Describe how to communicate information and monitor control processes in organizations.7-2Why Is Control Needed?Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.The probability that the threat will happen is the likelihood associated with the threat7-3A Primary Objective of an AISIs to control the organization so the organization can achieve its objectivesManagement expects accountants to:Take a proactive approach to eliminating system threats.Detect, correct, and recover from threats when they occur.7-4Internal ControlsProcesses implemented to provide assurance that the following objectives are achieved:Safeguard assetsMaintain sufficient recordsProvide accurate and reliable informationPrepare financial reports according to established criteriaPromote and improve operational efficiencyEncourage adherence with management policiesComply with laws and regulations 7-5Functions of Internal ControlsPreventive controlsDeter problems from occurringDetective controlsDiscover problems that are not preventedCorrective controlsIdentify and correct problems; correct and recover from the problems7-6Control FrameworksCOBITFramework for IT control COSOFramework for enterprise internal controls (control-based approach)COSO-ERMExpands COSO framework taking a risk-based approach 7-7COBIT FrameworkCurrent framework version is COBIT5Based on the following principles:Meeting stakeholder needsCovering the enterprise end-to-endApplying a single, integrated frameworkEnabling a holistic approachSeparating governance from management7-8COBIT5 Separates Governance from Management7-9Components of COSO FrameworksCOSO COSO-ERMControl (internal) environmentRisk assessmentControl activitiesInformation and communicationMonitoringInternal environmentObjective settingEvent identificationRisk assessmentRisk responseControl activitiesInformation and communicationMonitoring7-10Internal EnvironmentManagement’s philosophy, operating style, and risk appetiteCommitment to integrity, ethical values, and competenceInternal control oversight by Board of DirectorsOrganizing structureMethods of assigning authority and responsibilityHuman resource standards7-11Objective Setting Strategic objectivesHigh-level goalsOperations objectivesEffectiveness and efficiency of operationsReporting objectivesImprove decision making and monitor performanceCompliance objectivesCompliance with applicable laws and regulations7-12Event IdentificationIdentifying incidents both external and internal to the organization that could affect the achievement of the organizations objectivesKey Management Questions:What could go wrong?How can it go wrong?What is the potential harm?What can be done about it?7-13Risk AssessmentRisk is assessed from two perspectives:LikelihoodProbability that the event will occurImpactEstimate potential loss if event occursTypes of riskInherentRisk that exists before plans are made to control itResidualRisk that is left over after you control it7-14Risk ResponseReduceImplement effective internal controlAcceptDo nothing, accept likelihood and impact of riskShareBuy insurance, outsource, or hedgeAvoidDo not engage in the activity7-15Control ActivitiesProper authorization of transactions and activitiesSegregation of dutiesProject development and acquisition controlsChange management controlsDesign and use of documents and recordsSafeguarding assets, records, and dataIndependent checks on performance7-16Segregation of Duties7-17MonitoringPerform internal control evaluations (e.g., internal audit)Implement effective supervisionUse responsibility accounting systems (e.g., budgets)Monitor system activitiesTrack purchased software and mobile devicesConduct periodic audits (e.g., external, internal, network security)Employ computer security officerEngage forensic specialistsInstall fraud detection softwareImplement fraud hotline7-18Key TermsThreat or EventExposure or impactLikelihoodInternal controlsPreventive controlsDetective controlsCorrective controlsGeneral controlsApplication controlsBelief systemBoundary systemDiagnostic control systemInteractive control systemAudit committeeForeign Corrupt Practices Act (FCPA)Sarbanes-Oxley Act (SOX)Public Company Accounting Oversight Board (PCAOB)Control Objectives for Information and Related Technology (COBIT)Committee of Sponsoring Organizations (COSO)Internal control-integrated framework (IC)Enterprise Risk Management Integrated Framework (ERM)Internal environment7-19Key Terms (continued)Risk appetitePolicy and procedures manualBackground checkStrategic objectivesOperations objectivesReporting objectivesCompliance objectivesEventInherent riskResidual riskExpected lossControl activitiesAuthorizationDigital signatureSpecific authorizationGeneral authorizationSegregation of accounting dutiesCollusionSegregation of systems dutiesSystems administratorNetwork managerSecurity managementChange managementUsersSystems analystsProgrammersComputer operatorsInformation system library7-20Key Terms (continued)Data control groupSteering committeeStrategic master planProject development planProject milestonesData processing scheduleSystem performance measurementsThroughputUtilizationResponse timePostimplementation reviewSystems integratorAnalytical reviewAudit trailComputer security officer (CSO)Chief compliance officer (CCO)Forensic investigatorsComputer forensics specialistsNeural networksFraud hotline7-21