
Lecture Accounting information systems: Chapter 10 - Richardson, Chang, Smith


Chapter 10: Accounting Information Systems and Internal Controls

Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.


Learning Objectives

LO#1 Explain essential control concepts and why a code of ethics and internal controls are important.
LO#2 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk management framework.
LO#3 Describe the overall COBIT framework and its implications for IT governance.
LO#4 Describe other governance frameworks related to information systems management and security.
10-2



LO# 1

Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
The Need for a Code of Ethics

- Ethical behavior prompted by a code of ethics can be considered a form of internal control.
- Employees with different cultural backgrounds are likely to have different values.
- Many professional associations have developed codes of ethics to assist professionals in selecting among decisions that are not clearly right or wrong.
10-3


LO# 1

Sarbanes-Oxley Act 2002

- SOX requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting.
- Established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms.
- PCAOB Auditing Standard No. 5 (AS 5) encourages auditors to use a risk-based, top-down approach to identify the key controls.
10-4


LO# 1

Corporate Governance

- A set of processes and policies for managing an organization with sound ethics to safeguard the interests of its stakeholders.
- Promotes accountability, fairness, and transparency in the organization's relationship with its stakeholders.
10-5



LO# 1

Overview of Control Concepts
Three main functions of internal control:

- Preventive controls deter problems before they arise. (Authorization)
- Detective controls find problems when they arise. (Bank reconciliations and monthly trial balances)
- Corrective controls fix problems that have been identified. (Backup files to recover corrupted data)

Computerized environment:

10-6


LO# 2

Commonly Used Internal Control Frameworks

- The SEC requires management to evaluate internal controls based on a recognized control framework.
- COSO Internal Control framework
  - COSO: Committee of Sponsoring Organizations of the Treadway Commission.
  - AAA, AICPA, FEI, IIA, and IMA
  - The COSO Internal Control framework is one of the most widely accepted authorities on internal control, providing a baseline for
10-7


LO# 2

Commonly Used Internal Control Frameworks

- COSO 2.0
- COSO ERM framework: focuses on the strategic alignment of the firm's mission with its risk appetite.
- Control Objectives for Information and related Technology (COBIT): a control framework for the governance and management of enterprise IT.
- Information Technology Infrastructure Library (ITIL): a set of concepts and practices for IT service management.
10-8


LO# 2

COSO Internal Control Framework (COSO 2.0)

1. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
2. Internal control is affected by people. It is not merely about policy manuals, systems and forms. Rather, it is about people at every level of a firm that impact internal control.
3. Internal control can provide reasonable assurance, not absolute assurance, to an
10-9


LO# 2

COSO Internal Control Framework (COSO 2.0)
Three categories of objectives:

- Operations Objectives – effectiveness and efficiency of a firm's operations on financial performance goals and safeguarding assets
- Reporting Objectives – reliability of reporting, including internal and external financial and non-financial reporting
- Compliance Objectives – adherence to applicable laws and regulations
10-10


LO# 2

COSO 2.0
Five components of internal control:

1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities

10-11


LO# 2

COSO Enterprise Risk Management—Integrated Framework

10-12


LO# 2

COSO Enterprise Risk Management—Integrated Framework
Four categories of objectives:

- Strategic — high-level goals, aligned with and supporting the firm's mission and vision
- Operations — effectiveness and efficiency of operations
- Reporting — reliability of internal and external reporting
- Compliance — compliance with applicable laws and regulations
10-13


LO# 2

COSO Enterprise Risk Management—Integrated Framework
Eight components of internal control:

- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication

10-14




LO# 2

Risk Assessment and Risk Response

- Inherent risk: the risk that exists before management takes any action to address it.
- Control risk: the threat that errors or irregularities in the underlying transactions will not be prevented, detected and corrected by the internal control system.
- Residual risk: the product of inherent risk and control risk.

(1) Reduce risks by designing effective business processes and implementing internal controls.
10-15


LO# 2

Risk Assessment and Risk Response

- Cost and benefit analysis is important in determining whether to implement an internal control.
- The benefits of an internal control should exceed its costs.
- One way to measure the benefits of a control is to use the estimated impact of a risk times the decreased likelihood if the control is implemented.
- Expected benefit of an internal control = Impact × Decreased Likelihood
10-16
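The two formulas on slides 10-15 and 10-16 (residual risk = inherent risk × control risk; expected benefit = impact × decreased likelihood) applied to a small control register. This is an added example, not material from the textbook or slides; the register entries, impacts, likelihoods and costs are constructed sample values.

```python
# Added example (not from the lecture slides): evaluating candidate internal controls
# with the chapter's cost-benefit rule and the residual-risk product.
from dataclasses import dataclass


@dataclass
class ControlCandidate:
    name: str
    impact: float             # estimated loss if the risk event occurs (currency units)
    likelihood_before: float  # annual probability of the event with no control in place
    likelihood_after: float   # annual probability if the control is implemented
    cost: float               # annual cost of operating the control


def expected_benefit(c: ControlCandidate) -> float:
    # Slide 10-16: Expected benefit = Impact x Decreased Likelihood
    return c.impact * (c.likelihood_before - c.likelihood_after)


def worth_implementing(c: ControlCandidate) -> bool:
    # Slide 10-16: the benefit of a control should exceed its cost
    return expected_benefit(c) > c.cost


def residual_risk(inherent_risk: float, control_risk: float) -> float:
    # Slide 10-15: residual risk is the product of inherent risk and control risk;
    # both factors are expressed here as probabilities in [0, 1]
    for r in (inherent_risk, control_risk):
        if not 0.0 <= r <= 1.0:
            raise ValueError("risk factors must be probabilities between 0 and 1")
    return inherent_risk * control_risk


# Constructed sample register (hypothetical values, not from the slides)
REGISTER = [
    ControlCandidate("Monthly bank reconciliation", 50_000, 0.20, 0.05, 3_000),
    ControlCandidate("Second approver for wire transfers", 200_000, 0.10, 0.02, 25_000),
    ControlCandidate("Biometric lock on archive room", 5_000, 0.05, 0.01, 4_000),
]


def evaluate(register):
    # Map each control to (expected benefit rounded to cents, implement?)
    return {c.name: (round(expected_benefit(c), 2), worth_implementing(c)) for c in register}


if __name__ == "__main__":
    for name, (benefit, go) in evaluate(REGISTER).items():
        print(f"{name}: expected benefit {benefit:,.2f} -> {'implement' if go else 'skip'}")
```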


LO# 2

Control Activities

- Physical Controls: mainly manual but could involve the physical use of computing technology.
- IT controls: processes that provide assurance for information and help to mitigate risks associated with the use of technology.
  -- IT general controls (ITGC)
  -- IT application controls
10-17


LO# 3

COBIT Framework

- COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for IT governance and management.
- Governance:
  - firm objectives: evaluating stakeholder needs
  - setting direction through decision making
  - monitoring performance, compliance and progress
- Management:
10-18


LO# 3

COBIT Framework

- Provides a business focus to align business and IT objectives;
- Defines the scope and ownership of IT process and control;
- Is consistent with accepted IT good practices and standards;
- Provides a common language with a set of terms and definitions that are generally understandable by all stakeholders; and
10-19


LO# 4

Information Technology Infrastructure Library (ITIL)

- A de facto standard in Europe for best practices in IT infrastructure management and service delivery.
- ITIL's value proposition centers on providing IT services with an understanding of the business objectives and priorities, and of the role that IT services have in achieving those objectives.
- ITIL adopts a lifecycle approach to IT services, and organizes IT service management into five high-level categories.
10-20


LO# 4

International Organization for Standardization (ISO) 27000 Series

- The ISO 27000 series of standards is designed to address information security issues.
- The ISO 27000 series, particularly ISO 27001 and ISO 27002, has become the most recognized and generally accepted set of information security frameworks and guidelines.
- The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS).
10-21


