
Controlling Information Systems: Introduction to Internal Control
Learning Objectives
• Learn the purpose of achieving an adequate level of control in business organizations
• Understand that organizational and IT management employs control systems as part of organizational and IT governance initiatives
• Appreciate the relationship between business ethics and sound internal control
• Grasp the concepts of fraud, computer fraud, and computer abuse
• Examine operations process and information process control goals
• Describe the major categories of control plans
Internal Control
• As you can see by looking at the AIS Wheel icon, this chapter will introduce the concept of internal control, which includes pervasive, process, and database controls.
• You will learn about the vital importance that controls play in today’s organizations, particularly in light of recent accounting scandals and frauds.
• At no time in recent history has the issue of accounting information system controls been more publicly prominent and socially sensitive.
Why do we need controls?
• (1) To provide reasonable assurance that the goals of each business process are being achieved
• (2) To mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts)
• (3) To provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.
Common Business Exposures
1. Erroneous recordkeeping
2. Unacceptable accounting
3. Business interruption
4. Erroneous management decisions
5. Fraud and embezzlement
6. Statutory sanctions
7. Excessive costs
8. Loss or destruction of resources
9. Competitive disadvantage
Recent Internal Control Legislation
• Sarbanes-Oxley Act (SOA) of 2002
– Created the Public Company Accounting Oversight Board
– Increased accountability for company officers and board of directors
– Increased white-collar crime penalties
– Prohibits audit firms from providing design and implementation of financial information systems
Sarbanes-Oxley Act of 2002 (SOA)
• Section 302—CEOs and CFOs must certify quarterly and annual financial statements
• Section 404—Mandates that the annual report filed with the SEC include an internal control report
Outline of SOA 2002
Fraud and its Relationship to Control
• Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.
– Management is charged with the responsibility to prevent and/or disclose fraud
– Control systems enable management to do this job
– Management is responsible for providing an internal control system per the Foreign Corrupt Practices Act of 1977
– Section 1102 of the Sarbanes-Oxley Act specifically addresses corporate fraud
– Instances of fraud undermine management’s ability to convince various authorities that it is upholding its stewardship responsibility
SAS 99
• The accounting profession too has been proactive in dealing with corporate fraud, as it has launched an anti-fraud program.
• One of the manifestations of this initiative is Statement on Auditing Standards (SAS) Number 99, entitled Consideration of Fraud in a Financial Statement Audit.
– SAS 99 has the same title as its predecessor, SAS 82, but the new standard is much more encompassing than the old.
– For instance, SAS 99 emphasizes brainstorming fraud risks, increasing professional skepticism, using unpredictable audit test patterns, and detecting management override of internal controls.
E&Y Fraud Survey
• About 85% of fraud is committed by company insiders
• About 55% of perpetrators were management employees
• More fraud in less-developed countries
• Only about 20% of fraud comes to public knowledge
• About 40% of frauds are known to the public, 20% are kept confidential, and the other 40% are not yet discovered
• Best prevention is internal control, management reviews, and internal audits
• The #1 fraud worry to executives is asset misappropriation
• The #2 fraud worry to executives is computer crime
• Most organizations now have formal fraud prevention policies including codes of corporate governance and employee conduct
• Most useful fraud prevention techniques are internal controls, management reviews, and internal audits
Definition of Internal Control
• From SAS 78 (1995) - adopted the COSO definition:
– INTERNAL CONTROL is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws & regulations.
Five Interrelated Components of Internal Control
1. Control environment - tone at the top
2. Risk assessment - identification/analysis of risks
3. Control activities - policies and procedures
4. Information & communication - processing of info in a form and time frame to enable people to do their jobs
5. Monitoring - process that assesses the quality of internal control over time
COSO Report, SOA, and SAS 94
• In the section addressing implementation of Sarbanes-Oxley Act section 404, the SEC used the COSO description of internal control.
– It went on to say that management must base its evaluation of the effectiveness of its internal control system on a framework such as COSO
– The COSO report stresses that internal control is a process
• A complementary perspective on internal control is found in Statement on Auditing Standards (SAS) 94, entitled “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit.”
– This standard guides auditors in understanding the impact of IT on internal control and assessing IT-related control risks
– Further, SAS 94 highlights how IT can be used to strengthen internal control, while at the same time emphasizing how IT can actually weaken some controls
Gelinas, Sutton & Hunton’s Working Definition of IC: Key Points
• A system of internal control is not an end in itself. Rather, it is a means to an end—the end of attaining process objectives
• Internal control itself is a system. Therefore, like any system it must
– (1) have clearly defined goals and
– (2) consist of interrelated components that act in concert to achieve those goals.
– We can also say that internal control is a process
• Establishing a viable internal control system is management’s responsibility.
• The strength of any internal control system is largely a function of the people who operate it.
• Internal control cannot be expected to provide absolute, 100% assurance that the organization will reach its objectives. Rather, the operative phrase is that it should provide reasonable assurance
• Internal control is not free; controls should be built in and cost effective
Gelinas, Sutton & Hunton’s Working Definition of IC
• …a system of integrated elements - people, structure, processes, and procedures - acting in concert to provide reasonable assurance that an organization achieves business process goals. The design and operation of the internal control system is the responsibility of top management and therefore should:
(Text definition of IC cont.)
• Reflect management’s careful assessment of risks.
• Be based on management’s evaluation of costs versus benefits.
• Be built on management’s strong sense of business ethics and personal integrity.
General Control Model: Figure 7.1
Ethics and Controls
• The COSO report stresses ethics as part of the control environment (tone at the top)
• The AICPA has built ethics issues into the CPA exam
• The Institute of Management Accountants has a code of ethics which is also tested on both the CMA and CFM exams
• Internal Auditing has ethics articles
• Many corporations have developed Codes of Conduct
Causeway Company Systems Flowchart
Business Process Control Goals
• Control Goals - ends to be obtained
– Control goals of operations processes
– Control goals of information processes
– See Table 7.1 Control Goals (page 244)
Control Goals of the Operations Process
• Ensure effectiveness of operations
• Ensure efficient employment of resources
• Ensure security of resources
Control Goals of Operations Process
• Ensure effectiveness of operations
– A measure of success in meeting one or more operations process goals, which reflect the criteria used to judge the effectiveness of various business processes
– Ex. Deposit cash receipts on the day received
• Ensure efficient employment of resources
– A measure of the productivity of the resources applied to achieve a set of goals
– Ex. What is the cost of people, computers, and other resources to deposit cash on the day received?
• Ensure security of resources
– Protecting an organization’s resources from loss, destruction, disclosure, copying, sale, or other misuse
– Ex. Are cash and information resources available when required? Are they put to authorized use?
Control Goals of the Information Process
• For business event inputs, ensure
– Input validity
– Input completeness
– Input accuracy
• For master data, ensure
– Update completeness
– Update accuracy
Control Goals of Information Process
• Input validity
– Input data are approved and represent actual economic events and objects
– Ex. Are all cash receipts input into the process supported by customer payments?
• Input completeness
– Requires that all valid events or objects be captured and entered into the system
– Ex. Are all valid customer payments captured on a customer remittance advice (RA) and entered into the process?
• Input accuracy (correct data entered correctly)
– Requires that events be correctly captured and entered into the system
– Ex. Is the correct payment amount and customer number on the RA?
– Ex. Is the correct payment amount and customer number keyed into the system?
Control Goals of Information Process
• Update completeness
– Requires that all events entered into the computer are reflected in their respective master data
– Ex. Are all input cash receipts recorded in the AR master data?
• Update accuracy
– Requires that data entered into a computer are reflected correctly in their respective master data
– Ex. Are all input cash receipts correctly recorded in the AR master data?
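The following Python sketch is an added example, not from the slides or the textbook, that carries the cash receipts example through all five information process control goals: input validity, completeness and accuracy checks on a constructed batch of remittance advices, then update completeness and accuracy as a reconciliation of the AR master data before and after posting. The customer numbers, amounts, and the mailroom document count and dollar total used as control totals are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List

# Constructed sample data (not from the slides): one batch of customer remittance
# advices (RAs) plus the customer master and AR master data it will update.
@dataclass(frozen=True)
class RA:
    ra_no: str
    customer_no: str
    amount: Decimal

CUSTOMERS = {"C100", "C200", "C300"}
AR_BEFORE: Dict[str, Decimal] = {
    "C100": Decimal("500.00"), "C200": Decimal("250.00"), "C300": Decimal("75.00")}
BATCH: List[RA] = [
    RA("RA1", "C100", Decimal("200.00")),
    RA("RA2", "C200", Decimal("250.00")),
    RA("RA3", "C999", Decimal("50.00")),  # no such customer: fails input validity
]
# Document count and dollar total the mailroom recorded when it opened the batch
# (an assumed control total, not on the slides). One RA was lost on the way to
# data entry, so both figures disagree with what was keyed.
MAILROOM_COUNT, MAILROOM_TOTAL = 4, Decimal("600.00")

def input_validity(batch: List[RA]) -> List[str]:
    """RA numbers not supported by a real customer and a positive payment."""
    return [r.ra_no for r in batch if r.customer_no not in CUSTOMERS or r.amount <= 0]

def input_completeness(batch: List[RA], expected_count: int) -> bool:
    """All RAs were entered: keyed document count matches the mailroom count."""
    return len(batch) == expected_count

def input_accuracy(batch: List[RA], expected_total: Decimal) -> bool:
    """Amounts were keyed correctly: keyed dollar total matches the mailroom total."""
    return sum((r.amount for r in batch), Decimal("0")) == expected_total

def post_receipts(ar: Dict[str, Decimal], receipts: List[RA]) -> Dict[str, Decimal]:
    """Apply cash receipts to the AR master data and return the updated balances."""
    updated = dict(ar)
    for r in receipts:
        updated[r.customer_no] -= r.amount
    return updated

def update_exceptions(before: Dict[str, Decimal], after: Dict[str, Decimal],
                      receipts: List[RA]) -> List[str]:
    """Update completeness and accuracy: each customer's AR balance after posting
    must equal the balance before, less every receipt entered for that customer."""
    expected = dict(before)
    for r in receipts:
        expected[r.customer_no] -= r.amount
    return sorted(c for c in expected if after.get(c) != expected[c])
```

Receipts that fail validity are held back from posting; the update reconciliation then flags any customer whose balance was not reduced by exactly the receipts entered for it.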
Business Process Control Plans
• Business Process Control Plans - reflect information processing policies and procedures that assist in accomplishing control goals
– The Control Environment - The fact that the control environment appears at the top of the hierarchy illustrates that the control environment comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.
– Pervasive control plans also relate to a multitude of goals and processes
• Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate.
• They are broad in scope and apply equally to all business processes, hence they pervade all systems.
– Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process the data.
Other Classifications of Control Plans
• Preventive Controls: the issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
• Detective Controls: the issue is discovered – an unauthorized disbursement is discovered during reconciliation
• Corrective Controls: the issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data