CHAPTER 6
Control and Accounting
Information Systems
© 2008 Prentice Hall Business Publishing
Accounting Information Systems, 11/e
Romney/Steinbart
1 of 315
INTRODUCTION
• Questions to be addressed in this chapter:
– What are the basic internal control concepts, and why are
computer control and security important?
– What is the difference between the COBIT, COSO, and ERM
control frameworks?
– What are the major elements in the internal environment of
a company?
– What are the four types of control objectives that
companies need to set?
– What events affect uncertainty, and how can they be
identified?
– How is the Enterprise Risk Management model used to
assess and respond to risk?
– What control activities are commonly used in companies?
– How do organizations communicate information and
monitor control processes?
• Why AIS threats are increasing
– Control risks have increased in the last few years
because:
• There are computers and servers everywhere, and
information is available to an unprecedented number of
workers.
• Distributed computer networks make data available to many
users, and these networks are harder to control than
centralized mainframe systems.
• Wide area networks are giving customers and suppliers
access to each other’s systems and data, making
confidentiality a major concern.
• Historically, many organizations have not adequately
protected their data due to one or more of the
following reasons:
– Computer control problems are often underestimated and
downplayed.
– Control implications of moving from centralized, host-based
computer systems to those of a networked system or
Internet-based system are not always fully understood.
– Companies have not realized that data is a strategic
resource and that data security must be a strategic
requirement.
– Productivity and cost pressures may motivate management
to forego time-consuming control measures.
• Some vocabulary terms for this chapter:
– A threat is any potential adverse occurrence or unwanted
event that could injure the AIS or the organization.
– The exposure or impact of the threat is the potential dollar
loss that would occur if the threat becomes a reality.
– The likelihood is the probability that the threat will occur.
• Control and security are important
– Companies are now recognizing the problems and
taking positive steps to achieve better control,
including:
• Devoting full-time staff to security and control concerns.
• Educating employees about control measures.
• Establishing and enforcing formal information security
policies.
• Making controls a part of the applications development
process.
• Moving sensitive data to more secure environments.
• To use IT in achieving control objectives,
accountants must:
– Understand how to protect systems from threats.
– Have a good understanding of IT and its capabilities and
risks.
• Achieving adequate security and control over the
information resources of an organization should be a
top management priority.
• Control objectives are the same regardless of
the data processing method, but a computer-based
AIS requires different internal control
policies and procedures because:
– Computer processing may reduce clerical errors
but increase risks of unauthorized access or
modification of data files.
– Segregation of duties must be achieved differently
in an AIS.
– Computers provide opportunities for
enhancement of some internal controls.
• One of the primary objectives of an AIS is to
control a business organization.
– Accountants must help by designing effective control
systems and auditing or reviewing control systems
already in place to ensure their effectiveness.
• Management expects accountants to be control
consultants by:
– Taking a proactive approach to eliminating system
threats; and
– Detecting, correcting, and recovering from threats
when they do occur.
• It is much easier to build controls into a system
during the initial stage than to add them after the
fact.
• Consequently, accountants and control experts
should be members of the teams that develop or
modify information systems.
OVERVIEW OF CONTROL CONCEPTS
• In today’s dynamic business environment,
companies must react quickly to changing
conditions and markets, including steps to:
– Hire creative and innovative employees.
– Give these employees power and flexibility to:
• Satisfy changing customer demands;
• Pursue new opportunities to add value to the organization;
and
• Implement process improvements.
• At the same time, the company needs control
systems so that it is not exposed to
excessive risks or behaviors that could harm
its reputation for honesty and integrity.
• Internal control is the process implemented by the
board of directors, management, and those under
their direction to provide reasonable assurance that
the following control objectives are achieved:
– Assets (including data) are safeguarded.
• This objective includes prevention or timely
detection of unauthorized acquisition, use, or
disposal of material company assets.
– Records are maintained in sufficient detail to accurately and
fairly reflect company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are
prepared in accordance with GAAP.
– Operational efficiency is promoted and improved.
• This objective includes ensuring that company
receipts and expenditures are made in accordance
with management and directors’ authorizations.
– Adherence to prescribed managerial policies is
encouraged.
– The organization complies with applicable laws and
regulations.
• Internal control is a process because:
– It permeates an organization’s operating activities.
– It is an integral part of basic management
activities.
• Internal control provides reasonable, rather
than absolute, assurance, because complete
assurance is difficult or impossible to
achieve and prohibitively expensive.
• Internal control systems have inherent
limitations, including:
– They are susceptible to errors and poor decisions.
– They can be overridden by management or by
collusion of two or more employees.
• Internal control objectives are often at odds
with each other.
– EXAMPLE: Controls to safeguard assets may also
reduce operational efficiency.
• Internal controls perform three important functions:
– Preventive controls
• Deter problems before they arise.
– Detective controls
• Discover problems quickly when they do arise.
– Corrective controls
• Remedy problems that have occurred by:
– Identifying the cause;
– Correcting the resulting errors; and
– Modifying the system to prevent future
problems of this sort.
• Internal controls are often classified as:
– General controls
• Those designed to make sure an
organization’s control environment is stable
and well managed.
• They apply to all sizes and types of systems.
• Examples: Security management controls.
– Application controls
• Prevent, detect, and correct transaction errors
and fraud.
• Concerned with accuracy, completeness,
validity, and authorization of the data captured,
entered into the system, processed, stored,
transmitted to other systems, and reported.
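The following is an added illustration, not code from the textbook or its authors, of how the three control functions above (preventive, detective, corrective) and the application-control properties (accuracy, completeness, validity, authorization) look when built into a computer-based AIS. It also shows one way segregation of duties is enforced in software, which the introduction notes must be achieved differently in an AIS. The user names, account codes, approval limit, batch-header fields and the sample batch are all constructed for this example.

```python
"""Added illustration (not from Romney/Steinbart): application controls over a
batch of expense transactions, grouped by the three control functions.
Master data, field names and the sample batch are constructed, not real."""
from dataclasses import dataclass, replace
from decimal import Decimal

# Constructed master data (hypothetical values).
APPROVERS = {"alice", "bob"}                 # users authorized to approve
APPROVAL_LIMIT = Decimal("5000.00")          # single-transaction ceiling
VALID_ACCOUNTS = {"6100", "6200", "6300"}    # chart-of-accounts codes in use


@dataclass(frozen=True)
class Txn:
    txn_id: str
    entered_by: str
    approved_by: str
    account: str
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    record_count: int          # count declared by the submitting department
    control_total: Decimal     # sum of amounts declared by that department


# ---- Preventive: stop a bad record before it is posted --------------------
def validate(t: Txn) -> list[str]:
    """Validity, accuracy and authorization checks on one record."""
    errors = []
    if t.account not in VALID_ACCOUNTS:                       # validity
        errors.append("invalid account code")
    if t.amount <= 0 or t.amount != t.amount.quantize(Decimal("0.01")):
        errors.append("amount must be positive with at most two decimals")
    if t.approved_by not in APPROVERS:                        # authorization
        errors.append("approver not authorized")
    # Segregation of duties enforced by the system: the preparer of a
    # transaction may never be its approver, whatever roles they hold.
    if t.approved_by == t.entered_by:
        errors.append("same person entered and approved")
    if t.amount > APPROVAL_LIMIT:
        errors.append("amount exceeds approval limit")
    return errors


# ---- Detective: batch totals expose lost, duplicated or altered records ----
def reconcile(batch: list[Txn], header: BatchHeader) -> list[str]:
    """Completeness checks: record count, control total, duplicate ids."""
    issues = []
    if len(batch) != header.record_count:
        issues.append(f"record count {len(batch)} != declared {header.record_count}")
    total = sum((t.amount for t in batch), Decimal("0"))
    if total != header.control_total:
        issues.append(f"control total {total} != declared {header.control_total}")
    seen, dups = set(), set()
    for t in batch:
        if t.txn_id in seen:
            dups.add(t.txn_id)
        seen.add(t.txn_id)
    if dups:
        issues.append("duplicate transaction ids: " + ",".join(sorted(dups)))
    return issues


# ---- Corrective: quarantine with reasons, then allow a corrected resubmit --
def process_batch(batch: list[Txn], header: BatchHeader) -> dict:
    """Post clean records; hold a batch that fails reconciliation; send
    individual failing records to a suspense list with the cause recorded."""
    batch_issues = reconcile(batch, header)
    if batch_issues:
        # Nothing posts until the originator resolves the batch-level issues.
        return {"status": "held", "batch_issues": batch_issues,
                "posted": [], "suspense": []}
    posted, suspense = [], []
    for t in batch:
        errs = validate(t)
        if errs:
            suspense.append({"txn": t, "reasons": errs})
        else:
            posted.append(t)
    status = "posted" if not suspense else "posted_with_exceptions"
    return {"status": status, "batch_issues": [], "posted": posted,
            "suspense": suspense}


def resubmit(t: Txn, **corrections) -> tuple[Txn, list[str]]:
    """Apply corrections to a suspended record and re-run the preventive checks."""
    fixed = replace(t, **corrections)
    return fixed, validate(fixed)


# Constructed sample batch: one clean record and three control failures.
SAMPLE_BATCH = [
    Txn("T1", "carol", "alice", "6100", Decimal("120.50")),
    Txn("T2", "dave",  "dave",  "6200", Decimal("300.00")),   # SoD violation
    Txn("T3", "carol", "bob",   "9999", Decimal("45.00")),    # invalid account
    Txn("T4", "erin",  "alice", "6300", Decimal("7500.00")),  # over limit
]
SAMPLE_HEADER = BatchHeader(record_count=4, control_total=Decimal("7965.50"))

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, SAMPLE_HEADER)
    print(result["status"], len(result["posted"]), "posted")
    for item in result["suspense"]:
        print(item["txn"].txn_id, "->", "; ".join(item["reasons"]))
    # Detective control fires if the same batch arrives with T1 duplicated.
    print(process_batch(SAMPLE_BATCH + [SAMPLE_BATCH[0]], SAMPLE_HEADER)["status"])
    # Corrective: fix T3's account code and resubmit it.
    print(resubmit(SAMPLE_BATCH[2], account="6100"))
```

Note the division of labour: `validate` runs per record and blocks posting (preventive), `reconcile` compares the batch against totals produced independently by the submitting department so that a dropped, duplicated or altered record shows up even when every individual record looks valid (detective), and the suspense list plus `resubmit` record the cause and let a corrected record re-enter the same checks (corrective). The same-person test is the software form of segregation of duties: the system, not a supervisor, refuses a transaction that one user both prepared and approved.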