
Accounting Information Systems
9th Edition
Marshall B. Romney
Paul John Steinbart

2003 Prentice Hall Business Publishing,


Accounting Information Systems, 9/e, Romney/Steinbart

7-1

Computer-Based Information Systems Controls
Chapter 7


Learning Objectives
1. Describe the threats to an AIS and discuss why these threats are growing.
2. Explain the basic concepts of control as applied to business organizations.
3. Describe the major elements in the control environment of a business organization.

Learning Objectives, continued
4. Describe control policies and procedures commonly used in business organizations.
5. Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.
6. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

Introduction
Jason Scott has been hired as an internal auditor for Northwest Industries, a diversified forest products company.
He is assigned to audit Springer's Lumber & Supply, Northwest's building materials outlet in Montana.


Introduction
His supervisor, Maria Pilier, has asked him to trace a sample of purchase transactions to verify that proper control procedures were followed. Jason becomes frustrated with this task.
Why is Jason frustrated?
- The purchasing system is poorly documented.
- He keeps finding transactions that have not been processed as Ed Yates, the accounts payable manager, said they should be.

Introduction
Jason's frustrations, continued
- Some vendor invoices have been paid without supporting documents.
- Purchase requisitions are missing for several items that had been authorized by Bill Springer, purchasing v.p.
- Prices charged for some items seem unusually high.
- Springer's is the largest supplier in the area and has a near monopoly.
- Management authority is concentrated in the company president, Joe Springer, and his sons Bill, the purchasing v.p., and Ted, the controller.
- Maria feels that Ted may have engaged in creative accounting.


Introduction
Jason ponders the following issues:
- Should he describe the unusual transactions in his report?
- Is a violation of proper control procedures acceptable if it has been authorized by management?
- Regarding Jason's assignment, does he have a professional or ethical responsibility to get involved?

Introduction
This chapter discusses the types of threats a company faces.
It also presents the five interrelated components of the Committee of Sponsoring Organizations' (COSO's) internal control model.


Learning Objective 1
Describe the threats to an AIS and discuss why these threats are growing.


Threats to Accounting Information Systems
What are examples of natural and political disasters?
- fire or excessive heat
- floods
- earthquakes
- high winds
- war

Threats to Accounting Information Systems
What are examples of software errors and equipment malfunctions?
- hardware failures
- power outages and fluctuations
- undetected data transmission errors


Threats to Accounting Information Systems
What are examples of unintentional acts?
- accidents caused by human carelessness
- innocent errors or omissions
- lost or misplaced data
- logic errors
- systems that do not meet company needs

Threats to Accounting Information Systems
What are examples of intentional acts?
- sabotage
- computer fraud
- embezzlement


Why are AIS Threats Increasing?
- Increasing numbers of client/server systems mean that information is available to an unprecedented number of workers.
- Because LANs and client/server systems distribute data to many users, they are harder to control than centralized mainframe systems.
- WANs are giving customers and suppliers access to each other's systems and data, making confidentiality a concern.

Learning Objective 2
Explain the basic concepts of control as applied to business organizations.


Overview of Control Concepts
What is the traditional definition of internal control?
Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.

Overview of Control Concepts
What is management control?
Management control encompasses the following three features:
1. It is an integral part of management responsibilities.
2. It is designed to reduce errors and irregularities and to achieve organizational goals.
3. It is personnel-oriented and seeks to help employees attain company goals.

Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls


The Foreign Corrupt Practices Act
In 1977, Congress incorporated language from an AICPA pronouncement into the Foreign Corrupt Practices Act.
The primary purpose of the act was to prevent the bribery of foreign officials in order to obtain business.
A significant effect of the act was to require corporations to maintain good systems of internal accounting control.

Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Institute of Internal Auditors
4. Institute of Management Accountants
5. Financial Executives Institute

Committee of Sponsoring Organizations
In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems.
The report has been widely accepted as the authority on internal controls.


Committee of Sponsoring Organizations
The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations

Committee of Sponsoring Organizations
COSO's internal control model has five crucial components:
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

Information Systems Audit and Control Foundation
The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).
COBIT consolidates standards from 36 different sources into a single framework.
The framework addresses the issue of control from three vantage points, or dimensions:

Information Systems Audit and Control Foundation
1. Information: needs to conform to certain criteria that COBIT refers to as business requirements for information
2. IT resources: people, application systems, technology, facilities, and data
3. IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring


Learning Objective 3
Describe the major elements in the control environment of a business organization.


The Control Environment
The first component of COSO's internal control model is the control environment.
The control environment consists of many factors, including the following:
1. Commitment to integrity and ethical values
2. Management's philosophy and operating style
3. Organizational structure


The Control Environment
4. The audit committee of the board of directors
5. Methods of assigning authority and responsibility
6. Human resources policies and practices
7. External influences


Learning Objective 4
Describe control policies and procedures commonly used in business organizations.


Control Activities
The second component of COSO's internal control model is control activities.
Generally, control procedures fall into one of five categories:
1. Proper authorization of transactions and activities
2. Segregation of duties

Control Activities
3. Design and use of adequate documents and records
4. Adequate safeguards of assets and records
5. Independent checks on performance


Proper Authorization of Transactions and Activities
Authorization is the empowerment management gives employees to perform activities and make decisions.
A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.
Specific authorization is the granting of authorization by management for certain activities or transactions.


Segregation of Duties
Good internal control demands that no single employee be given too much responsibility.
An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.


Segregation of Duties
Custodial Functions
- Handling cash
- Handling assets
- Writing checks
- Receiving checks in mail

Recording Functions
- Preparing source documents
- Maintaining journals
- Preparing reconciliations
- Preparing performance reports

Authorization Functions
- Authorization of transactions


Segregation of Duties
If two of these three functions are the responsibility of a single person, problems can arise.
Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
It also prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.

Segregation of Duties
Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
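The two-of-three rule on these slides can be checked mechanically against a duty roster. The following Python is an added example, not from the textbook or its slides: the duty names and the three function groups come from the slide, and the employee roster is constructed.

```python
# Added example, not from the Romney/Steinbart slides: flag employees whose
# assigned duties fall into two or more of the three function groups the slide
# separates. Duty names follow the slide; the roster is constructed.

# Each duty from the slide, mapped to its function group.
DUTY_GROUP = {
    "handling cash": "custodial",
    "handling assets": "custodial",
    "writing checks": "custodial",
    "receiving checks in mail": "custodial",
    "preparing source documents": "recording",
    "maintaining journals": "recording",
    "preparing reconciliations": "recording",
    "preparing performance reports": "recording",
    "authorization of transactions": "authorization",
}

def function_groups(duties):
    """Return the set of function groups covered by a list of duties.

    A duty the slide's taxonomy does not know raises KeyError, so an
    unclassified duty is surfaced rather than silently ignored.
    """
    return {DUTY_GROUP[d.strip().lower()] for d in duties}

def segregation_conflicts(assignments):
    """Return {employee: sorted groups} for each employee who holds duties in
    two or more groups.  That is the slide's rule: with two of the three
    functions in one person's hands, that person can both perpetrate and
    conceal an error or a fraud."""
    conflicts = {}
    for employee, duties in assignments.items():
        groups = function_groups(duties)
        if len(groups) >= 2:
            conflicts[employee] = sorted(groups)
    return conflicts

# Constructed roster (not the chapter's actual case facts): the controller
# who keeps the journals also authorizes transactions, and the purchasing
# v.p. who authorizes purchases also signs the checks.
SAMPLE_ASSIGNMENTS = {
    "cashier": ["handling cash", "receiving checks in mail"],
    "bookkeeper": ["maintaining journals", "preparing reconciliations"],
    "controller": ["maintaining journals", "authorization of transactions"],
    "purchasing v.p.": ["authorization of transactions", "writing checks"],
}

if __name__ == "__main__":
    for who, groups in segregation_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{who}: holds {' + '.join(groups)} duties")
```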


Design and Use of Adequate Documents and Records
The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
Documents that initiate a transaction should contain a space for authorization.


Design and Use of Adequate Documents and Records
The following procedures safeguard assets from theft, unauthorized use, and vandalism:
- effectively supervising and segregating duties
- maintaining accurate records of assets, including information
- restricting physical access to cash and paper assets
- having restricted storage areas

Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
- cash registers
- safes, lockboxes
- safety deposit boxes
- restricted and fireproof storage areas
- controlling the environment
- restricted access to computer rooms, computer files, and information

Independent Checks on Performance
Independent checks, which ensure that transactions are processed accurately, are another important control element.


Independent Checks on Performance
What are various types of independent checks?
- reconciliation of two independently maintained sets of records
- comparison of actual quantities with recorded amounts
- double-entry accounting
- batch totals


Independent Checks on Performance
Five batch totals are used in computer systems:
1. A financial total is the sum of a dollar field.
2. A hash total is the sum of a field that would usually not be added.


Independent Checks on Performance
3. A record count is the number of documents processed.
4. A line count is the number of lines of data entered.
5. A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
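As an added example (not from the textbook or its slides), the following Python computes the five batch totals over a constructed batch of vendor invoices and compares them with the control totals taken when the batch was prepared; it shows why the hash total is kept alongside the dollar total.

```python
# Added example, not from the slides: the five batch totals the slide names,
# computed over a constructed batch of vendor invoices, plus a check that
# compares them with the control totals recorded when the batch was prepared.

COLUMNS = ("materials", "freight", "tax")  # amount columns of each invoice

def invoice(vendor_no, materials, freight, tax, total, line_count):
    """One invoice record; the total is stored as keyed, not derived, so a
    keying error in it can be caught by the cross-footing test."""
    return {"vendor_no": vendor_no, "materials": materials, "freight": freight,
            "tax": tax, "total": total, "line_count": line_count}

def batch_totals(records):
    """Compute the five batch totals for a list of invoice records.

    financial_total: sum of the dollar field (the recorded invoice totals)
    hash_total:      sum of a field not normally added (vendor numbers); it
                     catches a mis-keyed record the dollar total misses
    record_count:    number of invoices processed
    line_count:      number of detail lines entered across the batch
    crossfoot_ok:    grand total of the row totals equals the grand total of
                     the column sums
    """
    row_grand_total = round(sum(r["total"] for r in records), 2)
    column_grand_total = round(sum(r[c] for r in records for c in COLUMNS), 2)
    return {
        "financial_total": row_grand_total,
        "hash_total": sum(r["vendor_no"] for r in records),
        "record_count": len(records),
        "line_count": sum(r["line_count"] for r in records),
        "crossfoot_ok": row_grand_total == column_grand_total,
    }

def verify_batch(received, control):
    """Return the names of the totals that disagree with the control totals;
    an empty list means the received batch passed all five checks."""
    computed = batch_totals(received)
    return [name for name, value in control.items() if computed[name] != value]

# Constructed batch as prepared by accounts payable.
PREPARED_BATCH = [
    invoice(1043, 1200.00, 45.50, 96.00, 1341.50, 3),
    invoice(2210, 830.25, 0.00, 66.42, 896.67, 2),
    invoice(1043, 410.00, 20.00, 32.80, 462.80, 1),
]
CONTROL_TOTALS = batch_totals(PREPARED_BATCH)

# The same batch as received, with the second vendor number transposed
# (2210 -> 2120): every dollar total and count still agrees; only the hash total exposes the error.
RECEIVED_BATCH = [PREPARED_BATCH[0], dict(PREPARED_BATCH[1], vendor_no=2120),
                  PREPARED_BATCH[2]]

if __name__ == "__main__":
    print("failed checks:", verify_batch(RECEIVED_BATCH, CONTROL_TOTALS))
```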

Learning Objective 5
Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.

Risk Assessment
The third component of COSO's internal control model is risk assessment.
Companies must identify the threats they face:
- strategic: doing the wrong thing
- financial: having financial resources lost, wasted, or stolen
- information: faulty or irrelevant information, or unreliable systems

Risk Assessment
Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmissions
4. Loss of data integrity

Risk Assessment
5. Incomplete transactions
6. System failures
7. Incompatible systems


Risk Assessment
Some threats pose a greater risk because their probability of occurrence is higher. For example:
- A company is more likely to be the victim of a computer fraud than of a terrorist attack.
Risk and exposure must be considered together.

Learning Objective 6
Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.


Estimate Cost and Benefits
No internal control system can provide foolproof protection against all internal control threats.
The cost of a foolproof system would be prohibitively high.
One way to calculate benefits involves calculating expected loss.


Estimate Cost and Benefits
The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.

Expected loss = risk × exposure
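The cost-benefit reasoning of this and the preceding slide, carried through in Python as an added example that is not from the textbook; the threats, probabilities, exposures and control costs are constructed figures, and each control is judged on whether its benefit exceeds its cost.

```python
# Added example, not from the slides: the slide's formula, expected loss =
# risk x exposure, applied to several candidate controls to decide which are
# worth their cost. All threats, probabilities, dollar exposures and control
# costs below are constructed figures, not from the chapter.

def expected_loss(risk, exposure):
    """Expected loss = risk (probability the threat occurs in the period)
    x exposure (dollar loss if it does)."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError("risk must be a probability between 0 and 1")
    return risk * exposure

def control_benefit(risk_without, exposure_without, risk_with, exposure_with):
    """Benefit = expected loss without the control - expected loss with it.
    A control may lower the probability (a preventive control), the exposure
    (a corrective control such as backups), or both."""
    return (expected_loss(risk_without, exposure_without)
            - expected_loss(risk_with, exposure_with))

def evaluate_controls(candidates):
    """Return, for each candidate, its benefit, cost and net benefit, and
    whether to adopt it (net benefit greater than zero)."""
    results = []
    for c in candidates:
        benefit = control_benefit(c["risk"], c["exposure"],
                                  c["risk_with"], c["exposure_with"])
        net = benefit - c["cost"]
        results.append({"control": c["control"], "threat": c["threat"],
                        "benefit": round(benefit, 2), "cost": c["cost"],
                        "net_benefit": round(net, 2), "adopt": net > 0})
    return results

# Constructed candidates.  Risk is the annual probability of the threat,
# exposure the loss if it occurs, cost the annual cost of the control.
CANDIDATES = [
    {"threat": "computer fraud in purchasing",
     "control": "segregation of duties with independent approval",
     "risk": 0.15, "exposure": 200_000, "risk_with": 0.03,
     "exposure_with": 200_000, "cost": 12_000},
    {"threat": "undetected data transmission errors",
     "control": "batch control totals",
     "risk": 0.30, "exposure": 25_000, "risk_with": 0.02,
     "exposure_with": 25_000, "cost": 2_000},
    {"threat": "terrorist attack on headquarters",
     "control": "hardened off-site facility",
     "risk": 0.001, "exposure": 5_000_000, "risk_with": 0.001,
     "exposure_with": 1_000_000, "cost": 30_000},
]

if __name__ == "__main__":
    for r in evaluate_controls(CANDIDATES):
        print(f"{r['control']}: net benefit {r['net_benefit']:,.2f}, "
              f"adopt={r['adopt']}")
```

The third candidate illustrates the slide's point that risk and exposure must be weighed together: a very large exposure does not by itself justify a control when the probability is tiny.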


Information and Communication
The fourth component of COSO's internal control model is information and communication.


Information and Communication
Accountants must understand the following:
1. How transactions are initiated
2. How data are captured in machine-readable form or converted from source documents
3. How computer files are accessed and updated
4. How data are processed to prepare information
5. How information is reported
6. How transactions are initiated

Information and Communication
All of these items make it possible for the system to have an audit trail.
An audit trail exists when individual company transactions can be traced through the system.


Monitoring Performance
The fifth component of COSO's internal control model is monitoring.
What are the key methods of monitoring performance?
- effective supervision
- responsibility accounting
- internal auditing

Case Conclusion
What happened to Jason's report?
A high-level internal audit team was dispatched to Montana.
The team discovered that the problems identified by Jason occurred almost exclusively in transactions with three large vendors from whom Springer's had purchased several million dollars of inventory.


Case Conclusion
One of the Springers held a significant ownership interest in each of these three companies.
They also found evidence that several of Springer's employees were paid for more hours than documented by timekeeping, and that inventories were overstated.
Northwest settled the case with the Springers.

End of Chapter 7

