
Control and Accounting Information System

WHY ARE THREATS INCREASING IN ACCOUNTING SYSTEMS?

● Information is available to a vast number of employees, some of whom are not authorized to access it.
● Information on computer networks may be difficult to control.
● Customers and suppliers have access to each other's information.

Internal controls are the processes implemented to provide reasonable assurance that the following
control objectives are achieved:
● Safeguard assets: prevent or detect their unauthorized acquisition, use, or disposition.
● Maintain records in sufficient detail to report company assets accurately and fairly.
● Provide accurate and reliable information.
● Prepare financial reports in accordance with established criteria.
● Promote and improve operational efficiency.
● Encourage adherence to prescribed managerial policies.
● Comply with applicable laws and regulations.

Internal controls perform three important functions:

1. Preventive controls deter problems before they arise. Examples include hiring qualified
personnel, segregating employee duties, and controlling physical access to assets and
information.
2. Detective controls discover problems that are not prevented. Examples include duplicate
checking of calculations and preparing bank reconciliations and monthly trial balances.
3. Corrective controls identify and correct problems as well as correct and recover from the
resulting errors. Examples include maintaining backup copies of files, correcting data entry
errors, and resubmitting transactions for subsequent processing.

Internal controls are often segregated into two categories:

1. General controls make sure an organization's control environment is stable and well managed.
Examples include security; IT infrastructure; and software acquisition, development, and
maintenance controls.
2. Application controls prevent, detect, and correct transaction errors and fraud in application
programs. They are concerned with the accuracy, completeness, validity, and authorization of the
data captured, entered, processed, stored, transmitted to other systems, and reported.

Robert Simons, a Harvard business professor, has espoused four levers of control to help management
reconcile the conflict between creativity and controls.
1. A belief system describes how a company creates value, helps employees understand
management's vision, communicates company core values, and inspires employees to live by
those values.
2. A boundary system helps employees act ethically by setting boundaries on employee behavior.
Instead of telling employees exactly what to do, they are encouraged to creatively solve
problems and meet customer needs while meeting minimum performance standards, shunning
off-limit activities, and avoiding actions that might damage their reputation.
3. A diagnostic control system measures, monitors, and compares actual company progress to
budgets and performance goals. Feedback helps management adjust and fine-tune inputs and
processes so future outputs more closely match goals.
4. An interactive control system helps managers focus subordinates' attention on key strategic
issues and become more involved in their decisions. Interactive system data are interpreted and
discussed in face-to-face meetings of superiors, subordinates, and peers.
Regrettably, not all organizations have an effective internal control system. For instance, one
report indicated that the FBI is plagued by IT infrastructure vulnerabilities and security problems, some
of which were identified in an audit 16 years previously. Specific areas of concern were security
standards, guidelines, and procedures; segregation of duties; access controls, including password
management and usage; backup and recovery controls; and software development and change controls.

CONTROL FRAMEWORKS

CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)
Consolidates control standards into one framework. This allows benchmarking of security practices,
assurance of security, and proving and supporting opinions on IT security and control.
The COBIT 5 framework represents best practices for effective IT management:
- Meeting stakeholder needs
- Covering the whole enterprise
- Applying one integrated framework
- Enabling a holistic approach
- Differentiating between governance and management

COMMITTEE OF SPONSORING ORGANISATIONS (COSO) FRAMEWORK
A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of
Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
The five components of the Internal Control framework are:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

RISK MANAGEMENT (COSO-ERM)
A secondary control framework that management uses to set its strategies and identify problems that
may hinder the entity.
The basic principles include:
- Companies are formed to create value
- While creating value, decisions must be made under uncertainty
- Uncertainty can put the values the company has to protect at high risk
- It can also result in opportunity, which can affect the values of the company
- Management of uncertainty

THE INTERNAL ENVIRONMENT


The internal environment, or company culture, influences how organizations establish strategies and
objectives; structure business activities; and identify, assess, and respond to risk. It is the foundation for
all other ERM components. A weak or deficient internal environment often results in breakdowns in risk
management and control. It is essentially the same thing as the control environment in the IC
framework. An internal environment consists of the following:
1. Management's philosophy, operating style, and risk appetite
2. Commitment to integrity, ethical values, and competence
3. Internal control oversight by the board of directors
4. Organizational structure
5. Methods of assigning authority and responsibility
6. Human resource standards that attract, develop, and retain competent individuals
7. External influences.

COMMITMENT TO INTEGRITY, ETHICAL VALUES, AND COMPETENCE


Organizations need a culture that stresses integrity and commitment to ethical values and competence.
Ethics pays—ethical standards are good business. Integrity starts at the top, as company employees
adopt top management's attitudes about risks and controls. A powerful message is sent when the CEO,
confronted with a difficult decision, makes the ethically correct choice.
Companies endorse integrity by:
● Actively teaching and requiring it—for example, making it clear that honest reports are more
important than favorable ones.
● Avoiding unrealistic expectations or incentives that motivate dishonest or illegal acts, such as
overly aggressive sales practices, unfair or unethical negotiation tactics, and bonuses excessively
based on reported financial results.
● Consistently rewarding honesty and giving verbal labels to honest and dishonest behavior. If
companies punish or reward honesty without labeling it as such, or if the standard of honesty is
inconsistent, then employees will display inconsistent moral behavior.
● Developing a written code of conduct that explicitly describes honest and dishonest behaviors.
For example, most purchasing agents agree that accepting $5,000 from a supplier is dishonest,
but a weekend vacation is not as clear-cut. A major cause of dishonesty comes from rationalizing
unclear situations and allowing the criterion of expediency to replace the criterion of right versus
wrong. Companies should document that employees have read and understand the code of
conduct.
● Requiring employees to report dishonest or illegal acts and disciplining employees who
knowingly fail to report them. All dishonest acts should be investigated, and dishonest
employees should be dismissed and prosecuted to show that such behavior is not allowed.
● Making a commitment to competence. Companies should hire competent employees with the
necessary knowledge, experience, training, and skills.

INTERNAL CONTROL OVERSIGHT BY THE BOARD OF DIRECTORS


An involved board of directors represents shareholders and provides an independent review of
management that acts as a check and balance on its actions. SOX requires public companies to have an
audit committee of outside, independent directors. The audit committee is responsible for financial
reporting, regulatory compliance, internal control, and hiring and overseeing internal and external
auditors, who report all critical accounting policies and practices to them. Directors should also approve
company strategy and review security policies.

ORGANIZATIONAL STRUCTURE
A company's organizational structure provides a framework for planning, executing, controlling, and
monitoring operations. Important aspects of the organizational structure include the following:
● Centralization or decentralization of authority
● A direct or matrix reporting relationship
● Organization by industry, product line, location, or marketing network
● How allocation of responsibility affects information requirements
● Organization of and lines of authority for accounting, auditing, and information system functions
● Size and nature of company activities

CONTROL ACTIVITIES
Control activities are policies, procedures, and rules that provide reasonable assurance that control
objectives are met and risk responses are carried out. It is management's responsibility to develop a
secure and adequately controlled system. Management must make sure that:
1. Controls are selected and developed to help reduce risks to an acceptable level.
2. Appropriate general controls are selected and developed over technology.
3. Control activities are implemented and followed as specified in company policies and procedures.
The information security officer and the operations staff are responsible for ensuring that control
procedures are followed.
Controls are much more effective when built into the system as it is designed, rather than added as an
afterthought. As a result, managers need to involve systems analysts, designers, and end users when
designing computer-based control systems. It is important that control activities be in place during the
end-of-year holiday season, because a disproportionate amount of computer fraud and security break-ins
takes place during this time. Some reasons for this are (1) extended employee vacations mean that there
are fewer people to "mind the store"; (2) students are out of school and have more time on their hands;
and (3) lonely counterculture hackers increase their attacks.
Control procedures fall into the following categories:
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Project development and acquisition controls
4. Change management controls
5. Design and use of documents and records
6. Safeguarding assets, records, and data
7. Independent checks on performance.

CASE: INTEL’S OPERATIONS CENTER


1. Alleviate the problem caused by the finance and purchasing "champion" leaving the
company in the middle of the project:

● Arrange meetings between the new manager and the old manager to transfer ideas and information
from the old manager to the new manager.
● Have the top manager address the importance of the project with the new manager.
● Have an agreement with the new manager that ongoing projects will be completed according to pre-
approved plans. Changes will be accepted only for justifiable and critical issues.

2. Avoid "mid-stream" changes to a project:

● The real effect of a design often cannot be fully revealed until late in the project.
● Prototype and proof-of-concept implementations may reveal problems earlier in the project.
● Intel made the right choice in changing the design contractor to avoid the problem of "escalation of
commitment."

3. Reconcile conflicts between cost effectiveness and system functionality/scalability:

● Intel resolved conflicts between cost effectiveness and system functionality/scalability through
negotiation, justification, strategic values, and politics.
● For the overall benefit of the organization, top management should arbitrate such conflicts.

4. Alternative evaluation matrix:

● Additional criteria may include scalability, functionality, user-friendliness, and adaptability.
● Steps to select an alternative from the matrix:
  ● Assign a weight to each criterion based on its importance.
  ● Assign a score to each criterion for each alternative.
  ● Multiply the weight and score for each criterion for each alternative.
  ● Sum the products from the previous step for each alternative.
  ● Select the alternative with the highest value from the previous step.

5. Number of workstations to pay off the operations service center:

Total project cost = $5,200,000; benefit from each workstation = $4,500

Alternative   Cost         Capacity (yrs)   Annual cost   Required # of workstations in one year
Low-end       $1,000,000   2                $500,000      111
Current       $5,200,000   3                $1,733,333    385
Middle        $6,500,000   4                $1,625,000    361
High-end      $8,000,000   5                $1,600,000    356

Annual cost = cost / capacity in years; required workstations = annual cost / benefit per workstation.
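A small calculator for steps 4 and 5 of the case, added here as an example and not part of the original notes: `weighted_matrix` carries out the evaluation-matrix steps (weights times scores, summed, highest wins) and `payoff_workstations` reproduces the payoff table from the page's cost, capacity and $4,500 benefit figures. The criteria weights and scores used to exercise the matrix are constructed, and the function names are my own.

```python
from math import ceil

# Figures copied from the page's payoff table: benefit per workstation and
# each alternative's (cost, capacity in years).
BENEFIT_PER_WORKSTATION = 4500
ALTERNATIVES = {
    "Low-end": (1_000_000, 2),
    "Current": (5_200_000, 3),
    "Middle": (6_500_000, 4),
    "High-end": (8_000_000, 5),
}


def weighted_matrix(weights, scores):
    """Step 4: weighted evaluation matrix.

    weights: {criterion: weight}; scores: {alternative: {criterion: score}}.
    Multiplies each criterion's weight by the alternative's score, sums the
    products per alternative, and returns (totals, best alternative).
    An alternative missing a score for any weighted criterion is an error,
    so an incomplete matrix cannot silently win.
    """
    totals = {}
    for alt, alt_scores in scores.items():
        missing = set(weights) - set(alt_scores)
        if missing:
            raise ValueError(f"{alt} lacks scores for {sorted(missing)}")
        totals[alt] = sum(w * alt_scores[c] for c, w in weights.items())
    return totals, max(totals, key=totals.get)


def payoff_workstations(cost, capacity_years, benefit=BENEFIT_PER_WORKSTATION):
    """Step 5: annual cost and workstations needed to pay it off in one year.

    annual cost = cost / capacity; workstations = annual cost / benefit.
    The page's table rounds to the nearest workstation ("nearest"); covering
    the full annual cost needs the ceiling ("covering"), returned alongside.
    """
    annual_cost = cost / capacity_years
    exact = annual_cost / benefit
    return {"annual_cost": round(annual_cost),
            "nearest": round(exact), "covering": ceil(exact)}


def payoff_table(alternatives=ALTERNATIVES):
    """Reproduce the page's payoff table for every alternative."""
    return {name: payoff_workstations(cost, years)
            for name, (cost, years) in alternatives.items()}
```

Note that rounding to the nearest workstation, as the page's table does, understates the number needed for Low-end, Current and Middle by one; the `covering` value is the count that actually recovers the annual cost.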

6. Economic justification:

Ergonomics
  Tangible benefits:
  ● Less sick leave
  ● Lower health insurance payments
  Intangible benefits:
  ● Higher employee morale
  ● Higher employee productivity

Scalability
  Tangible benefits:
  ● Less budget to upgrade
  ● No need to replace hardware and software
  Intangible benefits:
  ● Less user retraining
  ● More user time for other tasks
  ● Less time to redesign

The tangible benefits can be estimated in dollars per employee per year. Historical data have to be
reviewed to obtain an approximation for each benefit category. For intangible benefits, a proxy has to be
determined for each category; absenteeism, productivity lost to operator errors, and similar measures
may indicate undermined employee morale.
