
CHAPTER 7

CONTROL AND ACCOUNTING INFORMATION SYSTEMS


Learning Objectives:
1. Explain basic control concepts and why computer control and
security are important.
2. Compare and contrast the COBIT, COSO, and ERM control frameworks.
3. Describe the major elements in the internal environment of a
company.
4. Describe the four types of control objectives that companies need
to set.
5. Describe the events that affect uncertainty and the techniques
used to identify them.
6. Explain how to assess and respond to risk using the Enterprise
Risk Management model.
7. Describe control activities commonly used in companies.
8. Describe how to communicate information and monitor control
processes in organizations.

Introduction
Why Accounting Information Systems Threats Are Increasing
More than 60 percent of organizations have recently experienced a
major control failure for some of the following reasons:
1. The increase in the number of information systems means that
information is available to an increasing number of workers.
2. Distributed (decentralized) computer networks are harder to
control than centralized mainframe systems.
3. Wide area networks are giving customers and suppliers access
to each other's systems and data, making confidentiality a
major concern.
Some of the reasons why organizations do not adequately protect
their data are:
1. Computer control problems have been underestimated and
downplayed.
2. The control implications of moving from centralized, host-based
computer systems to a networked or Internet-based system have
not been fully understood.

Page 1 of 25

3. Many companies have not realized that data security is
crucial to their survival.
4. Productivity and cost pressures have motivated management to
forgo time-consuming control measures.
Any potential adverse occurrence or unwanted event that could be
injurious to either the accounting information system or the
organization is referred to as a threat or an event.
The potential dollar loss should a particular threat become a
reality is referred to as the exposure or impact of the threat.
The probability that the threat will happen is the likelihood
associated with the threat.

Why Control and Security Are Important


As an accountant you must have a good understanding of Information
Technology (IT) and its capabilities and risks.
Although internal control objectives remain the same regardless of
the data processing method, a computer-based AIS requires
different internal control policies and procedures.
One of the primary objectives of an accounting information system
is to control a business organization.
One of management's basic functions is to ensure that enterprise
objectives are achieved. Thus management's decisions pertaining to
controls are crucial to the firm's success in meeting its
objectives.
Management expects accountants to:
1. Take a proactive approach to eliminating system threats.
2. Detect, correct, and recover from threats when they occur.

Overview of Control Concepts


My simple definition of internal control is:
To keep the honest employees honest and get rid of the
dishonest employees.
Internal control is the process implemented by the board of
directors, management, and those under their direction to provide
reasonable assurance that the following control objectives are
achieved:
1. Safeguarding assets, including preventing or detecting, on a
timely basis, the unauthorized acquisition, use, or
disposition of material company assets
2. Maintaining records in sufficient detail to accurately and
fairly reflect company assets


3. Providing accurate and reliable information
4. Providing reasonable assurance that financial reporting is
prepared in accordance with GAAP
5. Promoting and improving operational efficiency, including
making sure company receipts and expenditures are made in
accordance with management's and directors' authorizations
6. Encouraging adherence to prescribed managerial policies
7. Complying with applicable laws and regulations
Preventive controls deter problems before they arise; they
anticipate the problem.
Detective controls discover problems as soon as they arise; this is
what we normally call, in auditing, following the problem.
Corrective controls remedy control problems that have been
discovered. They include procedures taken to identify the cause of
a problem, correct resulting errors or difficulties, and modify
the system so that future problems are minimized or eliminated.
Again in auditing, in addition to reporting the cause of problems,
we were required to give management the effect of the problem that
answers management's reply: So what?
General controls are designed to make sure an organization's
control environment is stable and well managed.
Some of the more important general controls are:
1. Information systems management controls
2. Security management controls
3. Information technology infrastructure controls
4. Software acquisition, development, and maintenance controls

Application controls prevent, detect, and correct transaction
errors and fraud. They are concerned with the accuracy,
completeness, validity, and authorization of the data.
The Sarbanes-Oxley and Foreign Corrupt Practices Acts
The Foreign Corrupt Practices Act (1977)
The primary purpose of this Act was to prevent the
bribery of foreign officials in order to obtain
business.
The Sarbanes-Oxley Act of 2002
Applies to publicly held companies and their auditors
and was intended to prevent financial statement fraud,
make financial reports more transparent, provide
protection to investors, strengthen the internal
controls at public companies, and punish executives
who perpetrate fraud.
Some of the important aspects of The Sarbanes-Oxley Act are:
1. Public Company Accounting Oversight Board (PCAOB)
A five member board, created by The Sarbanes-Oxley
Act, to control the auditing profession.
2. New rules for auditors
Auditors must report specific information to the
company's audit committee, such as critical accounting
policies and practices, alternative GAAP treatments,
and auditor-management disagreements.
CPA Auditors are prohibited from performing certain
nonaudit services such as bookkeeping, information
systems design and implementation, internal audit
outsourcing services, management functions, and human
resource services.
3. New roles for audit committees
Audit committee members must be on the company's board
of directors and be independent of the company.
4. New rules for management
Requires the CEO and CFO to certify that financial
statements and disclosures are fairly presented, were
reviewed by management, and are not misleading.
Management can be imprisoned up to 20 years and fined
up to $5,000,000.
The following provides Websites for news regarding the
Enron and WorldCom scandals:
Enron Traders Caught on Tape
http://www.cbsnews.com/stories/2004/06/01/eveningnews/main620626.shtml
The Enron Fraud
http://www.enronfraud.com/
The Enron Scandal
http://studenthome.nku.edu/%7Eelixs/pages/page1.htm
The Case Against Enron
http://news.bbc.co.uk/1/hi/business/1752954.stm
Play the Enron Blame Game
http://slate.msn.com/?id=2061470
Andersen Conviction Overturned
http://money.cnn.com/2005/05/31/news/midcaps/scandal_andersen_scotus/index.htm?cnn=yes
SEC vs. WorldCom
http://www.sec.gov/spotlight/worldcom.htm
WorldCom Special Coverage
http://news.findlaw.com/legalnews/lit/worldcom/
WorldCom's Financial Bomb
http://money.cnn.com/2002/06/25/news/worldcom/index.htm
5. New internal control requirements
Requires publicly held companies to issue a report
accompanying the financial statements that states
management is responsible for establishing and
maintaining an adequate internal control structure and
appropriate control procedures.
For more detailed information on The Sarbanes-Oxley Act,
click on the following Website:
http://www.sec.gov/about/laws/soa2002.pdf
After the Sarbanes-Oxley Act was passed, the Securities and Exchange
Commission (SEC) mandated that management must:
1. Base its evaluation on a recognized control framework.
The most likely frameworks are formulated by The
Committee of Sponsoring Organizations (COSO).
2. Disclose any and all material internal control
weaknesses.
3. Conclude that a company does not have effective
internal controls over financial reporting if there
are any material weaknesses.

Levers of Control
Many people feel there is a basic conflict between creativity and
controls. In other words, you can't have both.
Four levers of control help companies to reconcile this
conflict:
1. The first is a concise belief system that communicates
company core values to employees and inspires them to live by
them.
2. A boundary system helps employees act ethically by setting
limits beyond which an employee must not pass.
3. To ensure the efficient and effective achievement of
important goals, a diagnostic control system measures company
progress by comparing actual performance to planned
performance (budget).
4. An interactive control system helps top-level managers with
high-level activities that demand frequent and regular
attention, such as developing company strategy, setting
company objectives, understanding and assessing threats and
risks, monitoring changes in competitive conditions and
emerging technologies, and developing responses and action
plans to proactively deal with these high-level issues.

Control Frameworks
COBIT Framework
The Information Systems Audit and Control Foundation (ISACF)
developed the Control Objectives for Information and related
Technology (COBIT) framework. COBIT is a framework of generally
applicable information systems security and controls practices of
Information Technology control.
The framework allows:
1. Management to benchmark the security and control practices
of Information Technology environments
2. Users of Information Technology services to be assured that
adequate security and control exist
3. Auditors to substantiate their opinions on internal control
and to advise on Information Technology security and control
matters
The framework addresses the issue of control from three
dimensions:
1. Business objectives. To satisfy business objectives,
information must conform to certain criteria referred to as
business requirements for information.

The criteria are divided into seven distinct yet overlapping
categories that map into COSO objectives:
- Effectiveness (relevant, pertinent, and timely)
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance with legal requirements
- Reliability
[Refer to PowerPoint slide #8-4 from Chapter 8]
2. Information Technology resources. This includes people,
application systems, technology, facilities, and data.
3. Information Technology processes. These are broken into four
domains:
- Planning and organization
- Acquisition and implementation
- Delivery and support
- Monitoring

The Committee of Sponsoring Organizations Internal Control
Framework
The Committee of Sponsoring Organizations (COSO) is a
private-sector group consisting of the American Accounting
Association, the AICPA, the Institute of Internal Auditors,
the Institute of Management Accountants, and the Financial
Executives Institute.
In 1992, COSO issued the Internal Control - Integrated
Framework, which defines internal controls and provides
guidance for evaluating and enhancing internal control
systems.
COSO's internal control model has five crucial components,
provided in Table 7-1 on page 187:
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

COSO's Enterprise Risk Management Framework

Enterprise Risk Management - Integrated Framework (ERM)
Expands on the elements of the internal control integrated
framework and provides an all-encompassing focus on the
broader subject of enterprise risk management.
The purpose is to achieve all the goals of the control
framework and help the organization to:
1. Provide reasonable assurance that company objectives
and goals are achieved and problems and surprises are
minimized
2. Achieve its financial and performance targets
3. Assess risks continuously and identify the steps to
take and the resources to allocate to overcome or
mitigate risk
4. Avoid adverse publicity and damage to the entity's
reputation
The basic principles behind enterprise risk management are:
1. Companies are formed to create value for their owners.
2. Company management must decide how much uncertainty it
will accept as it creates value.
3. Uncertainty results in risk, which is the possibility
that something will occur to adversely affect the
company's ability to create value or to erode existing
value.
4. Uncertainty can also result in an opportunity, which
is the possibility that something will occur to
positively affect the company's ability to create or
preserve value.
5. The Enterprise Risk Management - Integrated Framework
(ERM) helps management manage uncertainty, and its
associated risk and opportunity, so they can build and
preserve value.
The elements of the ERM are provided in a model shown in
Figure 7-1 on page 188.

Strategic objectives are high-level goals that are aligned
with and support the company's mission.
Strategic planning is designed to help managers answer
critical questions in a business. These questions include:
1. What is the organization's position in the
marketplace?
2. What does the organization want its position to be?
3. What trends and changes are occurring in the
marketplace?
4. What are the best alternatives to help the
organization achieve its goals?
Operations objectives deal with the effectiveness and
efficiency of the company operations, such as performance
and profitability goals and safeguarding assets.
Reporting objectives help ensure the accuracy, completeness,
and reliability of internal and external company reports, of
both a financial and nonfinancial nature.
Compliance objectives help the company comply with all
applicable laws and regulations.
The eight interrelated risk and control components of COSO's
ERM are listed in Figure 7-1 on page 188.
1. Internal environment. This is the tone or culture of a
company and helps determine how risk conscious
employees are.
2. Objective setting. ERM ensures that company management
puts into place a process to formulate strategic,
operations, reporting, and compliance objectives that
support the company's mission and that are consistent
with the company's tolerance for risk.
3. Event identification. ERM requires management to
identify events that may affect the company's ability
to implement its strategy and achieve its objectives.
4. Risk assessment. Identified risks are assessed to
determine how to manage them and how they affect the
company's ability to achieve its objectives.
5. Risk response. To align identified risks with the
company's tolerance for risk, management can choose to
avoid, reduce, share, or accept the risks.
6. Control activities. To implement management's risk
responses, control policies and procedures are
established and implemented throughout the various
levels and functions in the organization.

7. Information and communication. Information about the
company and the various ERM components must be
identified, captured, and communicated so employees
can fulfill their responsibilities.
8. Monitoring. To remain effective, ERM processes must be
monitored on an ongoing basis and modified as needed.

The ERM Framework versus the Internal Control Framework


The internal control framework has been widely adopted as
the principal way to evaluate internal controls, as required
by the Sarbanes-Oxley Act. However, it has too narrow a
focus.
The ERM is a more comprehensive framework which takes a
risk-based, rather than a controls-based, approach to the
organization, one that is oriented toward the future and
constant change.

The Internal Environment


The internal environment is the most important component of the
ERM and internal control frameworks.
An internal environment consists of items such as the following:
1. Management's philosophy, operating style, and risk appetite
2. The board of directors
3. Commitment to integrity, ethical values, and competence
4. Organizational structure
5. Methods of assigning authority and responsibility
6. Human resource standards
7. External influences

Management's philosophy, operating style, and risk appetite

Companies have a risk appetite, which is the amount of risk
a company is willing to accept in order to achieve its goals
and objectives.
The more responsible management's philosophy and operating
style are, and the more clearly they are communicated, the more
likely employees will behave responsibly.
Management's philosophy, operating style, and risk appetite
can be assessed by answering questions such as these:
1. Does management take undue business risks to achieve
its objectives, or does it assess potential risks and
rewards prior to acting?
2. Does management attempt to manipulate such performance
measures as net income so that its performance can be
seen in a more favorable light?
3. Does management pressure employees to achieve results
regardless of the methods, or does it demand ethical
behavior? In other words, does management believe the
ends justify the means?

The board of directors


The Sarbanes-Oxley Act requires all public companies to have
an audit committee composed entirely of outside
(nonemployee), independent directors.
The audit committee is responsible for overseeing the
corporation's internal control structure, its financial
reporting process, and its compliance with related laws,
regulations, and standards.

Commitment to integrity, ethical values, and competence


It is important to create an organizational culture that
stresses integrity and commitment to both ethical values and
competence.
Companies endorse integrity as a basic operating principle
by actively teaching and requiring it.
Management should consistently reward and encourage honesty
and give verbal labels to honest and dishonest behavior.
Management should develop clearly stated policies that
explicitly describe honest and dishonest behaviors.
Companies should require employees to report any dishonest,
illegal, or unethical acts and discipline employees who
knowingly fail to report violations.

Organizational structure
Important aspects of organizational structure include:
1. Centralization or decentralization of authority
2. Assignment of responsibility for specific tasks
3. Whether there is a direct reporting relationship
(i.e., functional organizational structure or
divisional organizational structure) or more of a
matrix structure. A matrix organizational structure is
a design that utilizes functional and divisional
chains of command simultaneously in the same part of
the organization. Organization charts for the three
mentioned structures are attached to this Chapter 6
instructor's manual.
4. Organization by industry, product line, geographical
location, or by a particular distribution or marketing
network
5. The way responsibility allocation affects management's
information requirements
6. The organization of the accounting and information
system functions
7. The size and the nature of company activities

Methods of assigning authority and responsibility


Authority and responsibility are assigned through formal job
descriptions; employee training; operating plans, schedules,
and budgets; a formal company code of conduct; and a written
policy and procedures manual.

Human resource standards


The following policies and procedures are important:
1. Hiring. To obtain the most qualified and ethical employees,
hiring should be based on educational background, relevant
work experience, past achievements, honesty and integrity,
and how well potential employees meet written job
requirements.
2. A thorough background check includes verifying educational
and work experience, talking to references, checking for a
criminal record, and checking credit records.
3. Compensating. It is important to pay employees a fair and
competitive wage. Poorly paid employees are likely to feel
resentment and make up the difference in their wages by
stealing money or property, or both.
4. Training. Training programs should familiarize new employees
with their responsibilities; expected levels of performance
and behavior; and the company's policies and procedures,
history, culture, and operating style.
Training on fraud and ethics:
- Fraud awareness
- Ethical considerations
- Punishment for fraud and unethical behavior
5. Evaluating and Promoting. Employees should be given periodic
performance appraisals that help them understand their
strengths and weaknesses. Promotion should be based on
performance and how well qualified employees are for the next
position.
6. Discharging. A company should take care when firing
employees. To prevent sabotage or copying confidential data
before they leave, dismissed employees should be removed from
sensitive jobs immediately and denied access to the
information system.
7. Managing Disgruntled Employees. Some employees who commit
fraud are seeking revenge for a perceived wrong done to them.
Hence, companies should have procedures for identifying
disgruntled employees and either helping them resolve their
feelings or removing them from jobs where they might be able
to harm the organization or perpetrate a fraud.
8. Vacations and Rotation of Duties. Many fraud schemes such as
lapping and kiting require the ongoing attention of the
perpetrator. Many of these employee frauds are discovered when
the perpetrator is suddenly forced, by illness or accident, to
take time off.
9. Confidentiality Agreements and Fidelity Bond Insurance. All
employees, suppliers, and contractors should be required to
sign and abide by a nondisclosure or confidentiality
agreement. Fidelity bond insurance coverage of key employees
protects companies against losses arising from deliberate acts
of fraud by bonded employees.
Prosecute and Incarcerate Hackers and Fraud Perpetrators. Most
fraud cases and hacker attacks go unreported and are not
prosecuted for several reasons:
- Companies are reluctant to report computer crimes and
intrusions (a recent study showed only 36 percent reporting
intrusions) because a highly visible fraud is a public
relations disaster.
- Law enforcement officials and the courts are so busy with
violent crimes that they have little time for computer crimes
in which no physical harm occurs.
- Fraud is difficult, costly, and time-consuming to investigate
and prosecute.
- Many law enforcement officials, lawyers, and judges lack the
computer skills needed to investigate, prosecute, and
evaluate computer crimes.
- When fraud cases are prosecuted and a conviction is obtained,
the sentences received are often light.

External influences
Financial Accounting Standards Board (FASB)
Public Company Accounting Oversight Board (PCAOB)
Securities and Exchange Commission (SEC)

Objective Setting
Objective setting is the second ERM component because it must
precede the other six components.
Top management, with board approval, needs to articulate why the
company exists and what it hopes to achieve.
This is often referred to as the corporate vision or mission.
The company uses its mission statement as a base from which it
sets and prioritizes corporate objectives.
Strategic objectives, which are high-level goals that support the
company's mission and are intended to create shareholder value,
must be set first.
Operations objectives, which are a product of management
preferences, judgments, and style, may vary significantly.
Operations objectives deal with the effectiveness and efficiency of
company operations, such as performance and profitability goals
and safeguarding assets.
Compliance objectives help the company comply with all applicable
laws and regulations.
Reporting objectives help ensure the accuracy, completeness, and
reliability of internal and external company reports, of both a
financial and nonfinancial nature. They also improve decision
making and allow company activities and performance to be
monitored more efficiently.

Event Identification
COSO defines an event as an incident or occurrence emanating from
internal or external sources that affects implementation of
strategy or achievement of objectives.


A few of the events, or threats, that the company will face are:
1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmission
4. Loss of data integrity
5. Incomplete transactions
6. System failures
7. Incompatible systems
Some of the more common techniques companies use to identify
events follow. One, two, or more of these techniques are used
together.
1. Use comprehensive lists of potential events.
2. Perform an internal analysis.
3. Monitor leading events and trigger points.
4. Conduct workshops and interviews.
5. Perform data mining and analysis.
6. Analyze business processes.

Risk Assessment and Risk Response


The fourth and fifth components of COSO's ERM model are risk
assessment and risk response.
The risk that exists before management takes any steps to control
the likelihood or impact of a risk is inherent risk.
The risk that remains after management implements internal
controls, or some other response to risk, is residual risk.
The ERM model indicates that there are four ways to respond to
risk:
1. Reduce. The most effective way to reduce the likelihood and
impact of risk is to implement an effective system of internal
controls.
2. Accept. Accept the likelihood and impact of the risk by not
acting to prevent or mitigate it.
3. Share. Share some of the risk or transfer it to someone else.
For example, buy insurance, outsource an activity, or enter
into hedging transactions.
Auditing definition of hedges: hedges protect an entity
against the risk of adverse price or interest-rate
movements on its assets, liabilities, or anticipated
transactions. A hedge avoids or reduces risk by
counterbalancing losses with gains on separate positions.
A hedge, in securities, is a transaction that reduces the
risk of an investment.
A hedge fund is a special type of investment fund with
fewer restrictions on the types of investments it can
make. Of note is a hedge fund's ability to sell short. In
exchange for the ability to use more aggressive
strategies, hedge funds are more exclusive (i.e., fewer
people); usually only the wealthy are allowed to invest
in hedge funds.
There are three main types of hedges: fair value hedges,
cash flow hedges, and foreign currency hedges, which are
beyond the scope of this class.
4. Avoid. Risk is avoided by not engaging in the activity that
produces the risk. This may require the company to sell a
division, exit a product line, or not expand as anticipated.
Accountants can assess and reduce inherent risk using the
risk assessment and response strategy shown in Figure 7-2
on page 194.

Estimate Likelihood and Impact


Some events pose a greater risk because the probability of
their occurrence is higher.
For example, a company is more likely to be the victim of a
fraud than of an earthquake, and employees are more likely
to make unintentional errors than they are to commit fraud.

Identify Controls
Management must identify one or more controls that will
protect the company from each event.

Estimate Costs and Benefits


No internal control system can provide foolproof protection
against all events, as the cost would be prohibitive.
In addition, because many controls negatively affect
operational efficiency, too many controls slow the system
and make it inefficient.

The benefits of an internal control procedure must exceed
its costs.
Benefits can be hard to quantify, but include:
1. Increased sales and productivity
2. Reduced losses
3. Better integration with customers and suppliers
4. Increased customer loyalty
5. Competitive advantages
6. Lower insurance premiums
Costs are usually easier to measure than benefits.
Primary cost is personnel, including:
1. Time to perform control procedures
2. Costs of hiring additional employees to effectively
segregate duties
3. Costs of programming controls into a system
Other costs of a poor control system include:
1. Lost sales
2. Lower productivity
3. Drop in stock price if security problems arise
4. Shareholder or regulator lawsuits
5. Fines and penalties imposed by governmental agencies
One way to estimate the value of internal controls involves
expected loss, the mathematical product of impact and
likelihood:
Expected loss = Impact x Likelihood
Determine Cost/Benefit Effectiveness
Total pay period payroll cost: $10,000
An extra cost of $600 per pay period will reduce the likelihood
of the event from 15 percent to 1 percent.
The expected risk cost without the extra $600 validation
procedure is $1,500 [$10,000 x 15%].
The expected risk cost with the extra $600 validation
procedure is $100 [$10,000 x 1%].
The expected benefit of the validation procedure is $800
(the $1,400 reduction in expected loss less the $600 cost of
the procedure), as shown in Table 7-2 on page 195.
Implement Control or Avoid, Share, or Accept the Risk
When controls are cost-effective, they should be implemented
so that risk can be reduced.
Risks that are not reduced must be accepted, shared,
or avoided.
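The risk assessment and response steps above (estimate likelihood and impact, identify a control, compare its cost with the reduction in expected loss, then reduce, accept, share, or avoid), worked through in code. This is an added example, not part of the chapter or of Table 7-2. It applies the chapter's payroll figures ($10,000 payroll, likelihood falling from 15 percent to 1 percent, $600 control cost) and generalizes the rule to other events: the two extra cases, their names, and their numbers are constructed assumptions.

```python
# Added example (not from the chapter): cost/benefit analysis of a control
# using the chapter's formula, Expected loss = Impact x Likelihood.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RiskCase:
    """One event, the candidate control, and the estimates the analysis needs."""
    name: str
    impact: float                # dollar loss if the event occurs
    likelihood: float            # probability per period without the control
    control_cost: float          # cost of the candidate control per period
    residual_likelihood: float   # probability per period with the control in place


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = Impact x Likelihood."""
    return impact * likelihood


def loss_reduction(case: RiskCase) -> float:
    """Benefit of the control: expected loss without it minus expected loss with it."""
    return (expected_loss(case.impact, case.likelihood)
            - expected_loss(case.impact, case.residual_likelihood))


def net_benefit(case: RiskCase) -> float:
    """Benefit less cost; positive means the control pays for itself."""
    return loss_reduction(case) - case.control_cost


def recommend(case: RiskCase) -> str:
    """Implement cost-effective controls (reduce); otherwise the remaining
    choices are to accept, share, or avoid the risk."""
    if net_benefit(case) > 0:
        return "reduce (implement control)"
    return "accept, share, or avoid (control not cost-effective)"


def rank_by_inherent_risk(cases: List[RiskCase]) -> List[str]:
    """Event names ordered by expected loss before any control (inherent risk), highest first."""
    ordered = sorted(cases,
                     key=lambda c: expected_loss(c.impact, c.likelihood),
                     reverse=True)
    return [c.name for c in ordered]


# Constructed sample data. PAYROLL uses the chapter's own figures; the other
# two cases and their numbers are assumptions made up for this example.
PAYROLL = RiskCase("payroll error", 10_000, 0.15, 600, 0.01)
FRAUD = RiskCase("cash skimming", 50_000, 0.05, 1_200, 0.005)
EARTHQUAKE = RiskCase("earthquake", 2_000_000, 0.0005, 5_000, 0.0001)
CASES = [PAYROLL, FRAUD, EARTHQUAKE]

if __name__ == "__main__":
    for case in CASES:
        before = expected_loss(case.impact, case.likelihood)
        after = expected_loss(case.impact, case.residual_likelihood)
        print(f"{case.name:>14}: expected loss ${before:,.2f} -> ${after:,.2f} with control,"
              f" net benefit ${net_benefit(case):,.2f}: {recommend(case)}")
    print("inherent risk ranking:", rank_by_inherent_risk(CASES))
```

The payroll case reproduces the chapter's $800 benefit. The earthquake case has a larger impact but such a low likelihood that a $5,000 control buys only $800 of loss reduction, so the control is rejected and the risk has to be accepted, shared (for example through insurance), or avoided.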

Control Activities
The sixth component of COSO's ERM model is control activities,
which are policies, procedures, and rules that provide reasonable
assurance that management's control objectives are met and the
risk responses are carried out.
Generally, control procedures fall into one of the following
categories:
1. Proper authorization of transactions and activities
Management establishes policies for employees to follow
and then empowers employees to perform accordingly. This
empowerment, called authorization, is an important part of
an organization's control procedures.
Authorizations are often documented by signing,
initialing, or entering an authorization code on a
transaction document or record. Computer systems are now
capable of recording a digital signature, a means of
signing a document with a piece of data that cannot be
forged.
Employees who process transactions should verify the
presence of the appropriate authorization(s).
Certain activities or transactions may be of such
consequence that management grants specific authorization
for them to occur.
For example, management review and approval are often
required for sales in excess of $20,000, capital
expenditures in excess of $10,000, or uncollectible
write-offs in excess of $5,000.
In contrast, management can authorize employees to handle
routine transactions without special approval, a
procedure known as general authorization.
2. Segregation (separation) of duties [Figure 7-3 on page
197]
- Authorization: approving transactions and decisions.
- Recording: preparing source documents; entering data
into online systems; maintaining journals, ledgers,
files, or databases; preparing reconciliations; and
preparing performance reports.
- Custody: handling cash, tools, inventory, or fixed
assets; receiving incoming customer checks; writing
checks on the organization's bank account.
If two of these three functions are the responsibility
of a single person, then problems can arise.
For example:
- The former city treasurer of Fairfax, Virginia, was
convicted of embezzling $600,000 from the city treasury.
When residents used cash to pay their taxes, she would
keep the currency. She recorded tax collections on the
property tax records but did not report them to the
city controller.
- The utilities director of Newport Beach, California,
who was responsible for authorizing transactions and
had custody of cash, was charged with embezzling $1.2
million. He forged invoices or easement documents (the
right to pass through a person's land), authorizing
payments to a real or fictitious property owner.
- The payroll director of the Los Angeles Dodgers, who
was responsible for both authorization and recording
functions, pleaded guilty to embezzling $330,000 from
the team. He credited employees for hours not worked
and then received a kickback of 50 percent of their
extra compensation.
Collusion is when two or more people work together to
override the preventive aspect of the internal control
system.
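As an added illustration (not from the textbook), the following Python script checks a set of system permission assignments for users who hold two or more of the three incompatible functions; the permission names and the mapping from permission to control function are assumptions constructed for the example, with sample users mirroring the three cases above.

```python
"""Segregation-of-duties check: flag users whose system permissions give
them two or more of the three incompatible functions (authorization,
recording, custody). Added example; permission names are constructed."""
from itertools import combinations

# The three functions that the chapter says must not be combined.
INCOMPATIBLE = {"authorization", "recording", "custody"}

# Assumed mapping from application permissions to control functions.
PERMISSION_FUNCTION = {
    "approve_invoice": "authorization",
    "approve_writeoff": "authorization",
    "post_journal_entry": "recording",
    "update_tax_records": "recording",
    "receive_cash": "custody",
    "sign_checks": "custody",
}


def functions_held(permissions):
    """Return the set of control functions a permission list grants."""
    return {PERMISSION_FUNCTION[p] for p in permissions
            if p in PERMISSION_FUNCTION} & INCOMPATIBLE


def sod_conflicts(assignments):
    """assignments: {user: [permission, ...]}.
    Returns {user: [(function_a, function_b), ...]} for every user holding
    two or more incompatible functions; users with at most one are omitted."""
    conflicts = {}
    for user, perms in assignments.items():
        held = functions_held(perms)
        if len(held) >= 2:
            conflicts[user] = sorted(combinations(sorted(held), 2))
    return conflicts


# Constructed sample mirroring the three embezzlement cases in the text.
SAMPLE_ASSIGNMENTS = {
    "treasurer": ["receive_cash", "update_tax_records"],            # custody + recording
    "utilities_director": ["approve_invoice", "sign_checks"],       # authorization + custody
    "payroll_director": ["approve_invoice", "post_journal_entry"],  # authorization + recording
    "ap_clerk": ["post_journal_entry"],                             # one function: no conflict
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: holds incompatible functions {pairs}")
```

A conflict found by this check is a finding to resolve with a compensating control or a role change, not proof of fraud; collusion between two separate holders is outside what a static permission review can see.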
3. Segregation of systems duties:
- Systems administration. Systems administrators are
responsible for ensuring that the different parts of an
information system operate smoothly and efficiently.
- Network management. Network managers ensure that all
applicable devices are linked to the organization's
internal and external networks and that the networks
operate continuously and properly.
- Security management. Security management ensures that
all aspects of the system are secure and protected from
all internal and external threats.
- Change management. These individuals manage all changes
to an organization's information system to ensure they
are made smoothly and efficiently and to prevent errors
and fraud.
- Users. Users record transactions, authorize data to be
processed, and use system output.
- Systems analysis. Systems analysts help users determine
their information needs and then design an information
system to meet those needs.
- Programming. Programmers take the design provided by
systems analysts and create an information system by
writing the computer programs.
- Computer operations. Computer operators run the
software on the company's computers. They ensure that
data are input properly and correctly processed and
that needed output is produced.
- Information system library. The information system
librarian maintains custody of corporate databases,
files, and programs in a separate storage area called
the information system library.
- Data control. The data control group ensures that
source data have been properly approved, monitors the
flow of work through the computer, reconciles input and
output, maintains a record of input errors to ensure
their correction and resubmission, and distributes
system output.
Project development and acquisition controls
1. Strategic master plan. To align an organization's
information system with its business strategies, a
multiyear strategic master plan is developed and updated
yearly.
2. Project controls. A project development plan shows how
a project will be completed, including the modules or
tasks to be performed and who will perform them, the
dates they should be completed, and project costs.
- Project milestones: significant points when progress
is reviewed and actual and estimated completion times
are compared.
- A performance evaluation of project team members
should be prepared as each project is completed.
3. Data processing schedule. To maximize the use of scarce
computer resources, all data processing tasks should be
organized according to a data processing schedule.
4. Steering committee. A steering committee should be
formed to guide and oversee systems development and
acquisition.
5. System performance measurements. For a system to be
evaluated properly, it must be assessed using system
performance measurements. Common measurements include
throughput (output per unit of time), utilization
(percentage of time the system is being productively
used), and response time (how long it takes the system
to respond).
6. Post-implementation review. After a development project
is completed, a post-implementation review should be
performed to determine if the anticipated benefits were
achieved.
To simplify and improve systems development, some
companies hire a systems integrator, a vendor who uses
common standards and manages a cooperative systems
development effort involving its own development
personnel and those of the client and other vendors.
Companies that use systems integrators should:
- Develop clear specifications.
- Monitor the systems integration project.
Change management controls
Change management is the process of making sure changes do not
negatively affect system reliability, security, confidentiality,
integrity, and availability.
Design and use of documents and records
The proper design and use of electronic and paper documents and
records help ensure the accurate and complete recording of all
relevant transaction data.

Safeguarding assets, records, and data
In addition to safeguarding cash and physical assets such as
inventory and equipment, a company needs to protect its
information.
Many people mistakenly believe that the greatest risks companies
face are from outsiders. Companies also face significant risks
from customers and vendors that have access to company data.
Some of the computer-based controls that can be put into place to
safeguard assets include:
1. Create and enforce appropriate policies and procedures.
2. Maintain accurate records of all assets.
3. Restrict access to assets.
4. Protect records and documents.
Independent checks on performance
1. Top-level reviews. Management at all levels should monitor
company results and periodically compare actual company
performance to (a) planned performance, as shown in budgets,
targets, and forecasts; (b) prior period performance; and
(c) the performance of competitors.
2. Analytical reviews. An analytical review is an examination
of the relationship between different sets of data.
3. Reconciliation of two independently maintained sets of
records.
4. Comparison of actual quantities with recorded amounts.
5. Double-entry accounting: debits must equal credits.
6. Independent review. After one person processes a
transaction, a second person sometimes reviews the work of
the first.
Information and Communication
An accounting information system has five primary objectives:
1. Identify and record all valid transactions.
2. Properly classify transactions.
3. Record transactions at their proper monetary value.
4. Record transactions in the proper accounting period.
5. Properly present transactions and related disclosures in
the financial statements.
Monitoring
Perform ERM Evaluations.
Implement Effective Supervision.
Use Responsibility Accounting.
Monitor System Activities.
There are software packages available to review computer and
network security measures, detect illegal entry into
systems, test for weaknesses and vulnerabilities, report
weaknesses found, and suggest improvements.
Software is also available to monitor and combat viruses,
spyware, spam, and pop-up ads, and to prevent browsers from
being hijacked.
All system transactions and activities should be recorded in
a log that indicates who accessed what data, when, and from
which online device.
The Privacy Foundation estimated that one-third of all
American workers with access to computers are monitored, and
that number is expected to increase.
CNN News (March 19, 2001) estimated that seventy-five
percent of all companies in the United States currently
monitor their employees' computers. And now it has spread to
the home.
In monitoring employees' computers at work or at home,
companies must be careful to ensure that they don't violate
the employees' privacy.
One way to help is to have written policies, agreed to by
employees in writing, that state:
1. The technology employees use on the job belongs to the
company.
2. E-mails received on company computers are not private
and can be read by supervisory personnel.
3. Employees should not use technology in any way to
contribute to a hostile work environment.
Perhaps some of you have also seen this happen: many
government activities and offices have taken the computer
games off their computers.
Page 23 of 25

Track Purchased Software
The Business Software Alliance (BSA) is very aggressive in
tracking down and finding companies that violate software
license agreements.
Companies should periodically conduct software audits.

Conduct Periodic Audits
One way to monitor risk and detect fraud and errors is to
conduct periodic external and internal audits, as well as
special network security audits.
Internal audits involve reviewing the reliability and
integrity of financial and operating information and
providing an appraisal of internal control effectiveness.
Internal audits can detect excess overtime, underused
assets, obsolete inventory, padded travel expense
reimbursements, excessively loose budgets and quotas, poorly
justified capital expenditures, and production bottlenecks.

Employ a Computer Security Officer and Computer Consultants
A computer security officer (CSO) is in charge of AIS security and
should be independent of the information system function and
report to the COO or CEO.
The overwhelming number of new tasks related to SOX and other
forms of compliance has led many larger companies to delegate all
compliance issues to a chief compliance officer (CCO).

Engage Forensic Specialists
Forensic accountants specialize in fraud detection and
investigation. Forensic accounting is now one of the
fastest-growing areas of accounting due to the Sarbanes-Oxley
Act, new accounting rules such as SAS No. 99, and boards of
directors demanding that forensic accounting be an ongoing
part of the financial reporting and corporate governance
process.
Most forensic accountants are CPAs, and many have received
specialized training with the FBI, the IRS, or other law
enforcement agencies.
Computer forensics is discovering, extracting, safeguarding,
and documenting computer evidence such that its
authenticity, accuracy, and integrity will not succumb to
legal challenges.

Install Fraud Detection Software
People who commit fraud tend to follow certain patterns and
leave behind clues, such as things that do not make sense.
Software has been developed to uncover these fraud symptoms.
ReliaStar Financial used a fraud detection package from IBM
to detect the following:
1. Hundreds of thousands of dollars in fraudulent claims
from a Los Angeles chiropractor. The software noticed
that all of the chiropractor's patients lived more than
50 miles from the doctor's office and flagged the bills
for investigation.
2. A Long Island doctor who submitted bills weekly for a
rare and expensive procedure that is normally done once
or twice in a lifetime.
3. A podiatrist who saw four patients and then billed
ReliaStar for almost 500 separate procedures.
Other companies use neural networks (programs that mimic
the brain and have learning capabilities), which are quite
accurate in identifying suspected fraud.
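As an added example, not from the textbook and not ReliaStar's IBM package, the following Python screen encodes the three symptoms above as simple rules over constructed claim records; the procedure codes and the thresholds other than the 50 miles quoted in the text (at most two lifetime procedures per patient, at most 25 procedures per patient) are assumptions.

```python
"""Rule-based screen for the three fraud symptoms in the ReliaStar cases.
Added example with constructed claims; codes and thresholds are assumed."""
from collections import defaultdict

# Procedures normally performed at most once or twice in a lifetime (assumed code).
ONCE_IN_LIFETIME = {"lifetime_proc"}

# Constructed claim records: (provider, patient, procedure_code, miles_from_office)
CLAIMS = [
    ("chiro_A", "p1", "adjust", 62), ("chiro_A", "p2", "adjust", 75),
    ("chiro_A", "p3", "adjust", 58),                 # every patient > 50 miles away
    ("doc_B", "p4", "lifetime_proc", 5), ("doc_B", "p4", "lifetime_proc", 5),
    ("doc_B", "p4", "lifetime_proc", 5),             # same patient billed three times
    ("clinic_D", "p9", "adjust", 4), ("clinic_D", "p10", "adjust", 40),  # benign
] + [("pod_C", f"p{5 + i % 4}", "foot", 3) for i in range(500)]  # 4 patients, 500 procedures


def screen_claims(claims, max_miles=50, max_lifetime=2, max_per_patient=25):
    """Return {provider: sorted list of symptom labels} for flagged providers only."""
    by_provider = defaultdict(list)
    for claim in claims:
        by_provider[claim[0]].append(claim)
    flags = defaultdict(set)
    for provider, rows in by_provider.items():
        # Symptom 1: all of the provider's patients live implausibly far away.
        if min(miles for _, _, _, miles in rows) > max_miles:
            flags[provider].add("all_patients_remote")
        # Symptom 2: a once-in-a-lifetime procedure billed repeatedly for one patient.
        lifetime_count = defaultdict(int)
        for _, patient, code, _ in rows:
            if code in ONCE_IN_LIFETIME:
                lifetime_count[patient] += 1
        if any(n > max_lifetime for n in lifetime_count.values()):
            flags[provider].add("repeated_lifetime_procedure")
        # Symptom 3: far more billed procedures than patients seen.
        patients = {patient for _, patient, _, _ in rows}
        if len(rows) / len(patients) > max_per_patient:
            flags[provider].add("procedures_per_patient")
    return {p: sorted(f) for p, f in flags.items()}


if __name__ == "__main__":
    for provider, symptoms in screen_claims(CLAIMS).items():
        print(f"{provider}: flag for investigation ({', '.join(symptoms)})")
```

Each flag is a lead for an investigator, as in the ReliaStar cases, not a determination of fraud on its own.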

Implement a Fraud Hot Line
The Sarbanes-Oxley Act mandates that companies set up
mechanisms for employees to report abuses such as fraud.
Fraud hotlines provide a means for employees to anonymously
report fraud.