
AC330 CHAPTER 6 Instructor Outline: CONTROL and ACCOUNTING INFORMATION SYSTEMS

As an accountant you must understand how to protect systems from the threats they face. You must have a good understanding of IT and its capabilities and risks. This knowledge can help you use IT to achieve an organization's control objectives. As a result of your study of this chapter, you should be able to do the following:
1. Explain basic control concepts and why computer control and security are important.
2. Compare and contrast the COBIT, COSO and ERM control frameworks.
3. Describe the major elements in the internal environment of a company.
4. Describe the four types of control objectives that companies need to set.
5. Describe the events that affect uncertainty and the techniques used to identify them.
6. Explain how to assess and respond to risk using the Enterprise Risk Management model.
7. Describe control activities commonly used in companies.
8. Describe how to communicate information and monitor control processes in organizations.

Why Accounting Information Systems Threats Are Increasing
More than 60% of organizations have recently experienced a major control failure for some of the following reasons:
• The increase in the number of information systems means that information is available to an increasing number of workers.
• Distributed (decentralized) computer networks are harder to control than centralized mainframe systems.
• Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.

Some of the reasons why organizations have not adequately protected their data are:
• Computer control problems have been underestimated and downplayed.
• The control implications of moving from centralized, host-based computer systems to a networked or Internet-based system have not been fully understood.
• Many companies have not realized that data security is crucial to their survival.
• Productivity and cost pressures have motivated management to forgo time-consuming control measures.

Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event. The potential dollar loss, should a particular threat become a reality, is referred to as the exposure or impact of the threat, and the probability that the threat will happen is the likelihood associated with the threat.
Page 1 of 21

Why Control and Security Are Important
One of management's basic functions is to ensure that enterprise objectives are achieved. Thus management's decisions pertaining to controls are crucial to the firm's success in meeting its objectives. Companies need control systems so they are not exposed to excessive risk or behaviors that might harm their reputation for honesty and integrity. Management expects accountants to (1) take a proactive approach in eliminating system threats and (2) detect, correct and recover from threats when they occur.

Overview of Control Concepts
Internal control is the process implemented by the board of directors, management and those under their direction to provide reasonable assurance that the following control objectives are achieved:
• Safeguarding assets, including preventing or detecting, on a timely basis, the unauthorized acquisition, use or disposition of material company assets
• Maintaining records in sufficient detail to accurately and fairly reflect company assets
• Providing accurate and reliable information
• Providing reasonable assurance that financial reporting is prepared in accordance with GAAP
• Promoting and improving operational efficiency, including making sure company receipts and expenditures are made in accordance with management and directors' authorizations
• Encouraging adherence to prescribed managerial policies
• Complying with applicable laws and regulations

Preventive Controls deter problems before they arise; they anticipate the problem. Hiring highly qualified personnel; appropriately segregating employee duties; and effectively controlling physical access to assets, facilities, and information are effective preventive controls.

Detective Controls discover problems as soon as they arise; examples include duplicate checking of calculations and preparation of bank reconciliations and monthly trial balances.

Corrective Controls remedy control problems that have been discovered. They include procedures taken to identify the cause of a problem, correct resulting errors or difficulties, and modify the system so that future problems are minimized or eliminated. Examples include maintaining backup copies of transaction files and master files and adhering to procedures for correcting data entry errors, as well as those for resubmitting transactions for subsequent processing.

General Controls are designed to make sure an organization's control environment is stable and well managed. Some of the more important general controls are (1) information systems management controls; (2) security management controls; (3) information technology infrastructure controls; and (4) software acquisition, development and maintenance controls.

Application Controls prevent, detect and correct transaction errors and fraud. They are concerned with the accuracy, completeness, validity and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

An effective system of internal control should exist in all organizations to help them achieve their missions, as well as their performance and profitability goals, while minimizing surprises along the way. An effective internal control system can also help companies deal with rapidly changing economic and competitive environments and shifting customer demands and priorities.

The Sarbanes-Oxley and Foreign Corrupt Practices Acts
The Foreign Corrupt Practices Act (1977)
The primary purpose of this Act was to prevent the bribery of foreign officials in order to obtain business. However, a significant effect of the act was to require corporations to maintain good systems of internal accounting control.

The Sarbanes-Oxley Act of 2002
Resulted from several accounting frauds and scandals. It applies to publicly held companies and their auditors and was intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and punish executives who perpetrate fraud.


Some of the important aspects of The Sarbanes-Oxley Act are:

Creation of the Public Company Accounting Oversight Board (PCAOB). A five-member board, created by The Sarbanes-Oxley Act, to control the auditing profession. The PCAOB sets and enforces auditing, quality control, ethics, independence, and other standards related to audit reports.

New rules for auditors. Auditors must report specific information to the company's audit committee, such as critical accounting policies and practices, alternative GAAP treatments, and auditor-management disagreements. CPA auditors are prohibited from performing certain nonaudit services such as bookkeeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services for audit clients. Audit firms cannot provide services to publicly held companies if top management was previously employed by the auditing firm and worked on the company's audit in the preceding 12 months.

New roles for audit committees. Audit committee members must be on the company's board of directors and be independent of the company. At least one member of the audit committee must be a financial expert. The audit committee hires, compensates, and oversees the auditors, who report directly to them.

New rules for management. Requires the CEO and CFO to certify that financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading. They must certify that they are responsible for internal controls and that the auditors were told about all material internal control weaknesses and fraud. Management can be imprisoned up to 20 years and fined up to $5,000,000. In addition, management and directors cannot receive loans that those outside the company cannot get.

New internal control requirements. Section 404 of SOX requires publicly held companies to issue a report accompanying the financial statements that states management is responsible for establishing and maintaining an adequate internal control structure and appropriate control procedures. The report must also contain management's assessment of internal controls.

For more detailed information on The Sarbanes-Oxley Act, see the following web site: http://www.sec.gov/about/laws/soa2002.pdf


After the Sarbanes-Oxley Act was passed, the Securities & Exchange Commission (SEC) mandated that management must:
• Base its evaluation on a recognized control framework. The most likely frameworks have been formulated by The Committee of Sponsoring Organizations (COSO).
• Disclose any and all material internal control weaknesses.
• Conclude that a company does not have effective internal controls over financial reporting if there are any material weaknesses.

Levers of Control
Many people feel there is a basic conflict between creativity and controls. In other words, you can't have both. Four levers of control have been proposed to help companies reconcile this conflict. They include the following:
(1) A concise belief system that communicates company core values to employees and inspires them to live by them.
(2) A boundary system helps employees act ethically by setting limits beyond which an employee must not pass.
(3) To ensure the efficient and effective achievement of important goals, a diagnostic control system measures company progress by comparing actual performance to planned performance (budget).
(4) An interactive control system helps top-level managers with high-level activities that demand frequent and regular attention, such as developing company strategy, setting company objectives, understanding and assessing threats and risks, monitoring changes in competitive conditions and emerging technologies, and developing responses and action plans to proactively deal with these high-level issues.

Control Frameworks
COBIT Framework: The Information Systems Audit and Control Foundation (ISACF) developed the Control Objectives for Information and related Technology (COBIT) framework. COBIT is a framework of generally applicable information systems security and control practices for IT control. The framework allows: 1) management to benchmark the security and control practices of IT environments, 2) users of IT services to be assured that adequate security and control exist, and 3) auditors to substantiate their opinions on internal control and to advise on IT security and control matters. The COBIT framework addresses the issue of control from three dimensions:
(1) Business objectives. To satisfy business objectives, information must conform to criteria called business requirements for information. The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
• Effectiveness (relevant, pertinent, and timely)
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance with legal requirements
• Reliability
(2) IT resources. This includes people, application systems, technology, facilities and data.
(3) IT processes. These are broken into four domains: Planning and organization, Acquisition and implementation, Delivery and support, and Monitoring.

The Committee of Sponsoring Organizations' Internal Control Framework
The Committee of Sponsoring Organizations (COSO) is a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants and the Financial Executives Institute. In 1992, COSO issued the Internal Control - Integrated Framework, which defines internal controls and provides guidance for evaluating and enhancing internal control systems. COSO's internal control model has five crucial components, provided in Table 6-1 in the textbook:
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

COSO's Enterprise Risk Management Framework
The Enterprise Risk Management - Integrated Framework (ERM) expands on the elements of the internal control integrated framework and provides an all-encompassing focus on the broader subject of enterprise risk management. The purpose is to achieve all the goals of the control framework and help the organization to:
• Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized
• Achieve its financial and performance targets
• Assess risks continuously and identify the steps to take and the resources to allocate to overcome or mitigate risk
• Avoid adverse publicity and damage to the entity's reputation

The basic principles behind enterprise risk management are:
• Companies are formed to create value for their owners.
• Company management must decide how much uncertainty it will accept as it creates value.
• Uncertainty results in risk, which is the possibility that something will occur to adversely affect the company's ability to create value or to erode existing value.
• Uncertainty can also result in an opportunity, which is the possibility that something will occur to positively affect the company's ability to create or preserve value.
• The Enterprise Risk Management - Integrated Framework (ERM) helps management manage uncertainty, and its associated risk and opportunity, so they can build and preserve value.

The elements of the ERM are provided in a model shown in Figure 6-1 in the textbook. The columns on the top of the figure represent four types of objectives that management must meet to achieve company goals.

Strategic objectives are high-level goals that are aligned with and support the company's mission. Strategic planning is designed to help managers answer critical questions in a business. These questions include:
• What is the organization's position in the marketplace?
• What does the organization want its position to be?
• What trends and changes are occurring in the marketplace?
• What are the best alternatives to help the organization achieve its goals?

Operations objectives deal with the effectiveness and efficiency of the company's operations, such as performance and profitability goals and safeguarding assets.

Reporting objectives help ensure the accuracy, completeness and reliability of internal and external company reports, of both a financial and nonfinancial nature. They also improve decision making and monitor company activities and performance more efficiently.

Page 7 of 21

Compliance objectives help the company comply with all applicable laws and regulations.

The columns on the right side of the figure represent the company's units. The horizontal rows are the eight interrelated risk and control components of COSO and include the following:
1. Internal environment. This is the tone or culture of a company and helps determine how risk conscious employees are.
2. Objective setting. ERM ensures that company management puts into place a process to formulate strategic, operations, reporting and compliance objectives that support the company's mission and that are consistent with the company's tolerance for risk.
3. Event identification. ERM requires management to identify events that may affect the company's ability to implement its strategy and achieve its objectives.
4. Risk assessment. Identified risks are assessed to determine how to manage them and how they affect the company's ability to achieve its objectives.
5. Risk response. To align identified risks with the company's tolerance for risk, management can choose to avoid, reduce, share, or accept the risks.
6. Control activities. To implement management's risk responses, control policies and procedures are established and implemented throughout the various levels and functions in the organization.
7. Information and communication. Information about the company and the various ERM components must be identified, captured and communicated so employees can fulfill their responsibilities.
8. Monitoring. To remain effective, ERM processes must be monitored on an ongoing basis and modified as needed.

The ERM Framework Versus the Internal Control Framework
The internal control framework has been widely adopted as the principal way to evaluate internal controls, as required by the Sarbanes-Oxley Act. However, it has too narrow a focus. The ERM is a more comprehensive framework which takes a risk-based, rather than a controls-based, approach to the organization that is oriented toward the future and constant change.


The Internal Environment is the most important component of the ERM and internal control frameworks. An internal environment consists of items such as the following:
1. Management's philosophy, operating style and risk appetite
2. The board of directors
3. Commitment to integrity, ethical values and competence
4. Organizational structure
5. Methods of assigning authority and responsibility
6. Human resource standards
7. External influences

Management's philosophy, operating style and risk appetite
Companies have a risk appetite, which is the amount of risk a company is willing to accept in order to achieve its goals and objectives. The more responsible management's philosophy and operating style are, and the more clearly they are communicated, the more likely employees will behave responsibly. Management's philosophy, operating style and risk appetite can be assessed by answering questions such as these:
• Does management take undue business risks to achieve its objectives, or does it assess potential risks and rewards prior to acting?
• Does management attempt to manipulate such performance measures as net income so that its performance can be seen in a more favorable light?
• Does management pressure employees to achieve results regardless of the methods, or does it demand ethical behavior? In other words, does management believe the ends justify the means?

The board of directors and audit committee
The board should oversee management and scrutinize its plans, performance, and activities; approve company strategy; review financial results; annually review the company's security policy; and interact with internal and external auditors. The Sarbanes-Oxley Act requires all public companies to have an audit committee composed entirely of outside (nonemployee), independent directors. The audit committee is responsible for overseeing the corporation's internal control structure, its financial reporting process, and its compliance with related laws, regulations and standards. The committee works closely with the corporation's external and internal auditors. The audit committee must understand the business and its objectives and processes, be able to recognize risk, and understand risk management and internal controls.

Commitment to integrity, ethical values, and competence
It is important to create an organizational culture that stresses integrity and commitment to both ethical values and competence. Companies endorse integrity as a basic operating principle by actively teaching and requiring it. Management should consistently reward and encourage honesty and give verbal labels to honest and dishonest behavior. Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors. Companies should require employees to report any dishonest, illegal or unethical acts and discipline employees who knowingly fail to report violations.

Organizational structure
Important aspects of organizational structure include:
• Centralization or decentralization of authority
• Assignment of responsibility for specific tasks
• Whether there is a direct reporting relationship (i.e. a functional organizational structure or a divisional organizational structure) or more of a matrix structure. A matrix organizational structure is a design that utilizes functional and divisional chains of command simultaneously in the same part of the organization.
• Organization by industry, product line, geographical location, or by a particular distribution or marketing network
• The way responsibility allocation affects management's information requirements
• The organization of the accounting and information system functions
• The size and the nature of company activities

Methods of assigning authority and responsibility
Authority and responsibility are assigned through formal job descriptions; employee training; operating plans, schedules, and budgets; a formal company code of conduct; and a written policy and procedures manual.

Human resource standards
The following policies and procedures are important:
(1) Hiring. To obtain the most qualified and ethical employees, hiring should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well potential employees meet written job requirements. A thorough background check includes verifying educational and work experience, talking to references, checking for a criminal record, and checking credit records.
(2) Compensating. It is important to pay employees a fair and competitive wage. Poorly paid employees are likely to feel resentment and make up the difference in their wages by stealing money or property, or both.
(3) Training. Training programs should familiarize new employees with their responsibilities; expected levels of performance and behavior; and the company's policies and procedures, history, culture and operating style. Training on fraud and ethics should cover:
  • Fraud awareness
  • Ethical considerations
  • Punishment for fraud and unethical behavior
(4) Evaluating and Promoting. Employees should be given periodic performance appraisals that help them understand their strengths and weaknesses. Promotion should be based on performance and how well qualified employees are for the next position.
(5) Discharging. A company should take care when firing employees. To prevent sabotage or copying of confidential data before they leave, dismissed employees should be removed from sensitive jobs immediately and denied access to the information system.
(6) Managing Disgruntled Employees. Some employees who commit fraud are seeking revenge for a perceived wrong done to them. Hence, companies should have procedures for identifying disgruntled employees and either helping them resolve their feelings or removing them from jobs where they might be able to harm the organization or perpetrate a fraud.
(7) Vacations and rotation of duties. Many fraud schemes such as lapping and kiting require the ongoing attention of the perpetrator. Many of these employee frauds are discovered when the perpetrator is suddenly forced, by illness or accident, to take time off.
(8) Confidentiality Agreements and Fidelity Bond Insurance. All employees, suppliers, and contractors should be required to sign and abide by a nondisclosure or confidentiality agreement. Fidelity bond insurance coverage of key employees protects companies against losses arising from deliberate acts of fraud by bonded employees.
(9) Prosecute and Incarcerate Hackers and Fraud Perpetrators. Most fraud cases and hacker attacks go unreported and are not prosecuted for several reasons:
  1. Companies are reluctant to report computer crimes and intrusions (a recent study showed only 36% reporting intrusions) because a highly visible fraud is a public relations disaster.
  2. Law enforcement officials and the courts are so busy with violent crimes that they have little time for computer crimes in which no physical harm occurs.
  3. Fraud is difficult, costly and time-consuming to investigate and prosecute.
  4. Many law enforcement officials, lawyers and judges lack the computer skills needed to investigate, prosecute and evaluate computer crimes.
  5. When fraud cases are prosecuted and a conviction is obtained, the sentences received are often light.

External influences
• Financial Accounting Standards Board (FASB)
• Public Company Accounting Oversight Board (PCAOB)
• Securities and Exchange Commission (SEC)

Objective Setting
Objective setting is the second ERM component. It must precede the other six components. Top management, with board approval, needs to articulate why the company exists and what it hopes to achieve. This is often referred to as the corporate vision or mission. The company uses its mission statement as a base from which it sets and prioritizes corporate objectives.
• Strategic objectives, which are high-level goals that support the company's mission and are intended to create shareholder value, must be set first.
• Operations objectives, which are a product of management preferences, judgments, and style, may vary significantly among entities. Operations objectives deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets.
• Compliance objectives help the company comply with all applicable laws and regulations.
• Reporting objectives help ensure the accuracy, completeness and reliability of internal and external company reports, of both a financial and non-financial nature. They also improve decision making and monitor company activities and performance more efficiently.

Event Identification


COSO defines an event as an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Table 6-2 in the textbook lists some of the many internal and external factors that COSO indicated could influence events and affect a company's ability to implement its strategy and achieve its objectives: economic, natural environment, political, social, technological, infrastructure, personnel, process, and technology.

A few of the events, or threats, that a company might face as it implements an electronic data interchange system are:
1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmission
4. Loss of data integrity
5. Incomplete transactions
6. System failures
7. Incompatible systems

Some of the more common techniques companies use to identify events follow. One, two or more of these techniques are used together.
• Use comprehensive lists of potential events
• Perform an internal analysis
• Monitor leading events and trigger points
• Conduct workshops and interviews
• Perform data mining and analysis
• Analyze business processes

Risk Assessment and Risk Response
The fourth and fifth components of COSO's ERM model are risk assessment and risk response. The risk that exists before management takes any steps to control the likelihood or impact of a risk is inherent risk. The risk that remains after management implements internal controls, or some other response to risk, is residual risk. The ERM model indicates that there are four ways to respond to risk:
1. Reduce. The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.
2. Accept. Accept the likelihood and impact of the risk by not acting to prevent or mitigate it.
3. Share. Share some of the risk or transfer it to someone else. For example, buy insurance, outsource an activity, or enter into hedging transactions.
4. Avoid. Risk is avoided by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.

Accountants can assess and reduce inherent risk using the risk assessment and response strategy shown in Figure 6-2 in the textbook.

Estimate Likelihood and Impact
Some events pose a greater risk because the probability of their occurrence is higher. For example, a company is more likely to be the victim of a fraud than of an earthquake, and employees are more likely to make unintentional errors than they are to commit fraud.

Identify Controls
Management must identify one or more controls that will protect the company from each event.

Estimate Costs and Benefits
No internal control system can provide foolproof protection against all events, as the cost would be prohibitive. In addition, because many controls negatively affect operational efficiency, too many controls slow the system and make it inefficient. The benefits of an internal control procedure must exceed its costs. Benefits can be hard to quantify, but include:
• Increased sales and productivity
• Reduced losses
• Better integration with customers and suppliers
• Increased customer loyalty
• Competitive advantages
• Lower insurance premiums
Costs are usually easier to measure than benefits. The primary cost is personnel, including:
• Time to perform control procedures
• Costs of hiring additional employees to effectively segregate duties
• Costs of programming controls into a system
Other costs of a poor control system include:
• Lost sales
• Lower productivity
• Drop in stock price if security problems arise
• Shareholder or regulator lawsuits
• Fines and penalties imposed by governmental agencies
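As an added worked example (not part of the original outline), the following Python code applies the expected-loss formula used in this section, Expected loss = Impact x Likelihood, to the outline's payroll-validation scenario ($10,000 payroll, likelihood cut from 15% to 1% by a $600 validation step) and generalizes it to rank several candidate controls by net benefit; the two extra controls and their figures are constructed for comparison.

```python
"""Expected-loss and cost-benefit evaluation of candidate controls.

Added example, not from the outline. It applies the outline's formula
Expected loss = Impact x Likelihood to its payroll-validation scenario and
generalizes it to compare several candidate controls for the same event.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    cost: float             # cost of operating the control, per pay period
    likelihood_with: float  # likelihood of the event once the control is in place


def expected_loss(impact, likelihood):
    """Expected loss = Impact x Likelihood (likelihood as a fraction 0..1)."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be between 0 and 1")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return impact * likelihood


def net_benefit(impact, likelihood_without, control):
    """Reduction in expected loss minus the control's own cost, per period."""
    before = expected_loss(impact, likelihood_without)
    after = expected_loss(impact, control.likelihood_with)
    return before - after - control.cost


def evaluate(impact, likelihood_without, controls):
    """Rank controls by net benefit.

    Returns (name, net_benefit, decision) tuples, best first. A control is
    worth implementing only when its net benefit is positive; otherwise the
    residual risk must be accepted, shared or avoided instead.
    """
    results = []
    for control in controls:
        nb = net_benefit(impact, likelihood_without, control)
        decision = "implement" if nb > 0 else "accept/share/avoid"
        results.append((control.name, round(nb, 2), decision))
    return sorted(results, key=lambda r: r[1], reverse=True)


# The outline's scenario: $10,000 payroll per pay period, a 15% likelihood of
# the payroll error event, and a $600 validation step that lowers it to 1%.
PAYROLL_IMPACT = 10_000.0
LIKELIHOOD_WITHOUT = 0.15
VALIDATION = Control("validation step", cost=600.0, likelihood_with=0.01)

# Two further candidate controls, constructed here purely for comparison.
SPOT_CHECK = Control("manual spot check", cost=200.0, likelihood_with=0.10)
DUAL_REVIEW = Control("dual review of every run", cost=1_500.0, likelihood_with=0.005)

if __name__ == "__main__":
    print("Expected loss with no control:",
          expected_loss(PAYROLL_IMPACT, LIKELIHOOD_WITHOUT))
    ranked = evaluate(PAYROLL_IMPACT, LIKELIHOOD_WITHOUT,
                      [VALIDATION, SPOT_CHECK, DUAL_REVIEW])
    for name, nb, decision in ranked:
        print(f"{name:26s} net benefit ${nb:>8.2f} -> {decision}")
```

The validation step's net benefit of $800 matches the outline's figure; the constructed dual-review control shows the case where a control reduces risk the most yet costs more than it saves.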

One way to estimate the value of internal controls involves expected loss, the mathematical product of impact and likelihood:
Expected loss = Impact x Likelihood

Determine Cost-Benefit Effectiveness
The total pay period payroll cost is $10,000. For an extra cost of $600 per pay period a validation step will reduce the likelihood of the event from 15% to 1%. The expected risk cost without the extra $600 validation procedure is $1,500 [$10,000 x 15%]. The expected risk cost with the extra $600 validation procedure is $100 [$10,000 x 1%]. The expected benefit of the validation procedure is $800, as shown in Table 6-3 in the textbook.

Implement Control or Avoid, Share, or Accept the Risk
When controls are cost-effective, they should be implemented so that risk can be reduced. Risks that are not reduced must be accepted, shared, or avoided.

Control Activities
The sixth component of COSO's ERM model is control activities, which are policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and the risk responses are carried out. Generally, control procedures fall into one of the following categories:

1. Proper authorization of transactions and activities
Management establishes policies for employees to follow and then empowers employees to perform accordingly. This empowerment, called authorization, is an important part of an organization's control procedures. Authorizations are often documented by signing, initialing, or entering an authorization code on a transaction document or record. Computer systems are now capable of recording a digital signature, a means of signing a document with a piece of data that cannot be forged. Employees who process transactions should verify the presence of the appropriate authorization(s). Certain activities or transactions may be of such consequence that management grants specific authorization for them to occur.


>or e"ample' management review and approval are often re/uired for sales in e"cess of ?#3'333' capital e"penditures in e"cess of ? 3'333' or uncollectible write9off in e"cess of ?.'333. In contrast' management can authorize employees to handle routine transactions without special approval' a procedure know as )eneral aut$ori=ation. 8: e)re)ation 3se%aration7 o" duties: Fi)ure 623 on Pa)e 888L Aut$ori=ation F approving transactions and decisions Recordin) F preparing source documents< entering data into online systems< maintaining journals' ledgers' files or databases< preparing reconciliations< and preparing performance reports Custod# F handling cash' tools' inventory' or fi"ed assets< receiving incoming customer checks< writing checks on the organizations bank account. If two of these three functions are the responsibility of a single person' then problems can arise. $ollusion is when two or more people are working together to override the preventive aspect of the internal control system e)re)ation o" #ste,s 1uties5 a. #ste,s ad,inistration. (ystems administrators are responsible for ensuring that the different parts of an information system operate smoothly and efficiently b. Net(or/ ,ana)e,ent. Ietwork managers ensure that all applicable devices are linked to the organizations internal and e"ternal networks and that the networks operate continuously and properly c. ecurit# ,ana)e,ent. (ecurity management ensures that all aspects of the system are secure and protected from all internal and e"ternal threats d. C$an)e ,ana)e,ent. These individuals manage all changes to an organizations information system to ensure they are made smoothly and efficiently and to prevent errors and fraud e. Users. Esers record transactions' authorize data to be processed' and use system output


f. Systems analysis. Systems analysts help users determine their information needs and then design an information system to meet those needs
g. Programming. Programmers take the design provided by systems analysts and create an information system by writing the computer programs
h. Computer operations. Computer operators run the software on the company's computers. They ensure that data are input properly and correctly processed and that the needed output is produced
i. Information system library. The information system librarian maintains custody of corporate databases, files and programs in a separate storage area called the information system library
j. Data control. The data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output

Project development and acquisition controls
1. Strategic master plan. To align an organization's information system with its business strategies, a multiyear strategic master plan is developed and updated yearly
2. Project controls. A project development plan shows how a project will be completed, including the modules or tasks to be performed and who will perform them, the dates they should be completed, and project costs. Project milestones are significant points at which progress is reviewed and actual and estimated completion times are compared. A performance evaluation of project team members should be prepared as each project is completed.
3. Data processing schedule. To maximize the use of scarce computer resources, all data processing tasks should be organized according to a data processing schedule.
4. Steering committee. A steering committee should be formed to guide and oversee systems development and acquisition
5. System performance measurements. For a system to be evaluated properly, it must be assessed using system performance measurements. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is being productively used) and response time (how long it takes the system to respond).
6. Post-implementation review. After a development project is completed, a post-implementation review should be performed to determine if the anticipated benefits were achieved.

To simplify and improve systems development, some companies hire a systems integrator, a vendor who uses common standards and manages a cooperative systems development effort involving its own development personnel and those of the client and other vendors. Companies that use systems integrators should:
Develop clear specifications
Monitor the systems integration project
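The authorization thresholds and the three-way segregation of duties from the control activities sections above, as an added example that is not part of the outline: it flags large transactions lacking documented specific authorization and people who hold two of the three incompatible functions, both on a single transaction and across the batch. The transaction batch, the names and the approval references are constructed.

```python
from collections import defaultdict

# Specific-authorization thresholds from the outline. "In excess of" is read as
# strictly greater; amounts at or below the limit fall under general authorization.
SPECIFIC_AUTH_THRESHOLDS = {"sale": 20_000, "capital_expenditure": 10_000,
                            "uncollectible_write_off": 5_000}
# The three functions the outline says must not rest with one person.
DUTIES = ("authorized_by", "recorded_by", "custody_by")

def make_txn(id_, type_, amount, authorized_by, recorded_by, custody_by, mgmt_approval=None):
    """Build one transaction record: who performed each of the three duties."""
    return {"id": id_, "type": type_, "amount": amount, "authorized_by": authorized_by,
            "recorded_by": recorded_by, "custody_by": custody_by,
            "mgmt_approval": mgmt_approval}

# Constructed sample batch (not from the outline).
TRANSACTIONS = [
    make_txn("T1", "sale", 4_500, "alice", "bob", "carol"),
    make_txn("T2", "sale", 25_000, "alice", "bob", "carol"),  # large sale, no approval
    make_txn("T3", "uncollectible_write_off", 6_000, "dave", "dave", "carol", "CFO memo 17"),
    make_txn("T4", "capital_expenditure", 12_000, "alice", "carol", "erin", "CFO memo 18"),
]

def needs_specific_authorization(t):
    """True when the amount exceeds the threshold for this transaction type."""
    limit = SPECIFIC_AUTH_THRESHOLDS.get(t["type"])
    return limit is not None and t["amount"] > limit

def transaction_findings(t):
    """Per-transaction exceptions: a large transaction without documented specific
    authorization, or one person performing two of the three duties on it."""
    findings = []
    if needs_specific_authorization(t) and not t["mgmt_approval"]:
        findings.append(f"{t['id']}: {t['type']} of ${t['amount']:,} exceeds "
                        f"${SPECIFIC_AUTH_THRESHOLDS[t['type']]:,} without specific authorization")
    for person in sorted({t[d] for d in DUTIES}):
        held = [d for d in DUTIES if t[d] == person]
        if len(held) > 1:
            findings.append(f"{t['id']}: {person} performed {' and '.join(held)}")
    return findings

def duty_conflicts(transactions):
    """Role-level view across the batch: people holding two or more of the three
    functions, even if never on the same transaction, are a segregation gap."""
    held = defaultdict(set)
    for t in transactions:
        for duty in DUTIES:
            held[t[duty]].add(duty)
    return {p: sorted(d) for p, d in held.items() if len(d) > 1}
```

Running `transaction_findings` over each record flags T2 and T3, while `duty_conflicts(TRANSACTIONS)` also surfaces carol, who records on T4 but keeps custody on the other three.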

Change management controls
Change management is the process of making sure changes do not negatively affect systems reliability, security, confidentiality, integrity and availability.

Design and use of documents and records
The proper design and use of electronic and paper documents and records help ensure the accurate and complete recording of all relevant transaction data.

Safeguarding assets, records and data
In addition to safeguarding cash and physical assets such as inventory and equipment, a company needs to protect its information. Many people mistakenly believe that the greatest risks companies face are from outsiders. Companies also face significant risks from customers and vendors that have access to company data. Some of the computer-based controls that can be put into place to safeguard assets include:
Create and enforce appropriate policies and procedures
Maintain accurate records of all assets
Restrict access to assets
Protect records and documents

Independent checks on performance


Top level reviews. Management at all levels should monitor company results and periodically compare actual company performance to (a) planned performance, as shown in budgets, targets and forecasts; (b) prior period performance; and (c) the performance of competitors
Analytical reviews. An analytical review is an examination of the relationship between different sets of data
Reconciliation of two independently maintained sets of records
Comparison of actual quantities with recorded amounts
Double-entry accounting: debits must equal credits
Independent review. After one person processes a transaction, a second person sometimes reviews the work of the first.

In"or,ation and Co,,unication Accounting Information (ystems has "i0e %ri,ar# o'<ecti0es5 7 #7 +7 -7 .7 Monitorin) Per"or, ERM E0aluations I,%le,ent E""ecti0e u%er0ision Use Res%onsi'ilit# Accountin) Monitor #ste, Acti0ities There are software packages available to review computer and network security measures' detect illegal entry into systems' test for weaknesses and vulnerabilities' report weaknesses found' and suggest improvements. (oftware is also available to monitor and combat viruses' spyware' spam and pop9up ads and to prevent browsers from being hijacked. Identify and record all valid transactions :roperly classify transactions )ecord transactions at their proper monetary value )ecord transactions in the proper accounting period :roperly present transactions and related disclosures in the financial statements


All system transactions and activities should be recorded in a log that indicates who accessed what data, when, and from which online device. In monitoring employees' computers at work or at home, companies must be careful to ensure that they don't violate the employees' privacy. One way to help is to have written policies that employees agree to in writing, which indicate:
The technology employees use on the job belongs to the company
E-mails received on company computers are not private and can be read by supervisory personnel
Employees should not use technology in any way to contribute to a hostile work environment

Track Purchased Software
The Business Software Alliance (BSA) is very aggressive in tracking down and finding companies who violate software license agreements.

Conduct Periodic Audits
One way to monitor risk and detect fraud and errors is to conduct periodic external and internal audits, as well as special network security audits. Internal audits involve reviewing the reliability and integrity of financial and operating information and providing an appraisal of internal control effectiveness. Internal audits can detect excess overtime, underused assets, obsolete inventory, padded travel expense reimbursements, excessively loose budgets and quotas, poorly justified capital expenditures and production bottlenecks.

Employ a Computer Security Officer and Computer Consultants
A computer security officer (CSO) is in charge of AIS security and should be independent of the information system function and report to the COO or CEO. The overwhelming number of new tasks related to SOX and other forms of compliance has led many larger companies to delegate all compliance issues to a chief compliance officer (CCO).

Engage Forensic Specialists
Forensic accountants specialize in fraud detection and investigation. Forensic accounting is now one of the fastest-growing areas of accounting due to the Sarbanes-Oxley law, new accounting rules such as SAS No. 99, and boards of directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process. Most forensic accountants are CPAs, and many have received specialized training with the FBI, the IRS, or other law enforcement agencies. Computer forensics is discovering, extracting, safeguarding and documenting computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.

Install Fraud Detection Software
People who commit fraud tend to follow certain patterns and leave behind clues. Software has been developed to uncover fraud symptoms. Other companies use neural networks (programs that mimic the brain and have learning capabilities), which are quite accurate in identifying suspected fraud.

Implement a Fraud Hot Line
The Sarbanes-Oxley Act mandates that companies set up mechanisms for employees to report abuses such as fraud. Fraud hotlines provide a means for employees to anonymously report fraud.


