
Internal control

Accounting, auditing, internal control structure

  • Accounting Information Systems: Essential Concepts and Applications, Fourth Edition, by Wilkinson, Cerullo, Raval, and Wong-On-Wing

    Chapter 7: Risk Exposures and the Internal Control Structure

    Slides authored by Somnath Bhattacharya, Ph.D., Florida Atlantic University

  • Internal Control
    • Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm's objectives will be achieved
    • These controls encompass all the measures and practices that are used to counteract exposures to risks
    • The control framework is called the Internal Control Structure

  • Objectives of the Internal Control Structure
    • Promoting Effectiveness and Efficiency of Operations
    • Reliability of Financial Reporting
    • Safeguarding assets
    • Checking the accuracy and reliability of accounting data
    • Compliance with applicable laws and regulations
    • Encouraging adherence to prescribed managerial policies

  • Components and Major Considerations of the IC Structure

    Internal Control Structure (Figure 7-1)

  • Control Environment
    • The Control Environment establishes the tone of a company, influencing the control consciousness of its employees
    • It is comprised of seven components:
        • Management philosophy and operating style
        • Integrity and ethical values
        • Commitment to competence
        • The Board of Directors and the Audit Committee
        • Organizational Structure
        • Assignment of authority and responsibility
        • Human resources policies and practices
        • External Influences

  • Highlights of CE Components - I: Management Philosophy and Operating Style
    • Does management emphasize short-term profits and operating goals over long-term goals?
    • Is management dominated by one or a few individuals?
    • What type of business risks does management take and how are these risks managed?
    • Is management conservative or aggressive toward selecting from available alternative accounting principles?

    Figure 7-2

  • Highlights of CE Components - II: Organization Structure
    • Is an up-to-date organization chart prepared, showing the names of key personnel?
    • Is the information systems function separated from incompatible functions?
    • How is the accounting department organized?
    • Is the internal audit function separate and distinct from accounting?
    • Do subordinate managers report to more than one supervisor?

    Figure 7-2 Continued

  • Highlights of CE Components - III: Assignment of Authority and Responsibility
    • Does the company prepare written employee job descriptions defining specific duties and reporting relationships?
    • Is written approval required for changes made to information systems?
    • Does the company clearly delineate to employees and managers the boundaries of authority-responsibility relationships?
    • Does the company properly delegate authority to employees and departments?

    Figure 7-2 Continued

  • Highlights of CE Components - IV: Human Resource Policies and Practices
    • Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and Corporate Code of Conduct?
    • Is the company in compliance with the ADA? The EEOA?
    • Are Grievance Procedures to manage conflict in force?
    • Does the company maintain a sound Employee Relations program?
    • Do employees work in a safe, healthy environment?
    • Are Counseling Programs available to employees?
    • Are proper Separation Programs in force for employees who leave the firm?
    • Are critical employees Bonded?

    Figure 7-2 Continued

  • Key Functions Performed by Audit Committees
    • Establish an Internal Audit Department
    • Review the Scope and Status of Audits
    • Review Audit Findings with the Board and ensure that Management has taken proper action recommended in the Audit Report and Letter of Reportable Conditions
    • Maintain a direct Line of Communication among the Board, Management, External and Internal Auditors, and periodically arrange Meetings among the parties

    Figure 7-3

  • Key Functions Performed by Audit Committees (continued)
    • Review the Audited Financial Statements with the Internal Auditors and the Board of Directors
    • Require periodic Quality Reviews of the operations of the Internal Audit Departments to identify areas needing improvement
    • Supervise special investigations, such as Fraud Investigations
    • Assess the performance of Financial Management
    • Require the Review of Compliance with Laws and Regulations and with Corporate Codes of Conduct

    Figure 7-3

  • Risk Assessment
    • Top management must be directly involved in Business Risk Assessment.
    • This involves the Identification and Analysis of Relevant Risks that may prevent the attainment of Company-wide Objectives and Objectives of Organizational Units and the formation of a plan to determine how to manage the risks.

  • Control Activities - I

    Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:

    • Preventive Controls block adverse events, such as errors or losses, from occurring
    • Detective Controls discover the occurrence of adverse events such as operational inefficiency
    • Corrective Controls are designed to remedy problems discovered through detective controls
    • Security Measures are intended to provide adequate safeguards over access to and use of assets and data records

  • Control Activities - II

    Control Activities relating to Information Processing may also be classified according to where they will be applied within the system:

    • General controls are those controls that pertain to all activities involving a firm's AIS and assets
    • Application controls relate to specific accounting tasks or transactions
    • The overall trend seems to be going from specific application controls to more global general controls

  • Control Activities - III: Performance Reviews
    • Comparing Budgets to Actual Values
    • Relating Different Sets of Data (Operating or Financial) to one another, together with Analyses of the relationships and Investigative and Corrective Actions
    • Reviewing Functional Performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections

  • Information & Communication
    • All Transactions entered for processing are Valid and Authorized
    • All valid transactions are captured and entered for processing on a Timely Basis and in Sufficient Detail to permit the proper Classification of Transactions
    • The input data of all entered transactions are Accurate and Complete, with the transactions being expressed in proper Monetary terms
    • All entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data sets
    • All required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable Information
    • All transactions are recorded in the proper Accounting Period

  • Risk
    • Business firms face risks that reduce the chances of achieving their control objectives.
    • Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers.
    • Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.

  • Some Typical Sources of Risk - I
    • Clerical and Operational Employees, who process transactional data and have access to Assets
    • Computer Programmers, who have knowledge relating to the Instructions by which transactions are processed
    • Managers and Accountants, who have access to Records and Financial Reports and often have Authority to Approve Transactions

    Figure 7-4

  • Some Typical Sources of Risk - II
    • Former Employees, who may still understand the Control Structure and may harbor grudges against the firm
    • Customers and Suppliers, who generate many of the transactions processed by the firm
    • Competitors, who may desire to acquire confidential information of the firm
    • Outside Persons, such as Computer Hackers and Criminals, who have various reasons to access the firm's data or its assets or to commit destructive acts
    • Acts of Nature or Accidents, such as floods, fires, and equipment breakdowns

    Figure 7-4 Continued

  • Types of Risks
    • Unintentional errors
    • Deliberate Errors (Fraud)
    • Unintentional Losses of Assets
    • Thefts of assets
    • Breaches of Security
    • Acts of Violence and Natural Disasters

  • Factors that Increase Risk Exposure
    • Frequency - the more frequent an occurrence of a transaction, the greater the exposure to risk
    • Vulnerability - liquid and/or portable assets contribute to risk exposure
    • Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure

  • Problem Conditions Affecting Risk Exposures
    • Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures
    • Lack of Enforcement - Management may not prosecute wrongdoers because of the potential embarrassment
    • Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect

  • Computer Crime
    • Computer crime (computer abuse) is the use of a computer to deceive for personal gain.
    • Due to the proliferation of networks and personal computers, computer crime is expected to significantly increase both in frequency and amount of loss.
    • It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.

  • Examples of Computer Crime
    • Theft of Computer Hardware & Software
    • Unauthorized Use of Computer Facilities for Personal Use
    • Fraudulent Modification or Use of Data or Programs

  • Reasons Why Computers Cause Control Problems
    • Processing is Concentrated
    • Audit Trails may be Undermined
    • Human Judgment is bypassed
    • Data are stored in Device-Oriented rather than Human-Oriented forms
    • Invisible Data
    • Stored data are Erasable
    • Data are stored in a Compressed form
    • Stored data are relatively accessible
    • Computer Equipment is Powerful but Complex and Vulnerable

  • Feasibility of Controls
    • Audit Considerations
    • Cost-Benefit Considerations
        • Determine Specific Computer Resources Subject to Control
        • Determine all Potential Threats to the company's Computer System
        • Assess the Relevant Risks to which the firm is exposed
        • Measure the Extent of each Relevant Risk exposure in dollar terms
        • Multiply the Estimated Effect of each Relevant Risk Exposure by the Estimated Frequency of Occurrence over a Reasonable Period, such as a year
        • Compute the Cost of Installing and Maintaining a Control that is to Counter each Relevant Risk Exposure
        • Compare the Benefits against the Costs of Each Control
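
The cost-benefit steps above, carried through as an added example that is not part of the original slides. The dollar figures, exposure names and control names are constructed, and the `effectiveness` fraction (how much of an exposure a control removes) is an assumption the slides do not define.

```python
from dataclasses import dataclass

@dataclass
class Exposure:
    name: str
    loss_per_event: float    # estimated effect of one occurrence, in dollars
    events_per_year: float   # estimated frequency over the period (one year)

    def annual_exposure(self) -> float:
        # Estimated effect multiplied by estimated frequency of occurrence.
        return self.loss_per_event * self.events_per_year

@dataclass
class Control:
    name: str
    counters: str            # name of the exposure this control is to counter
    annual_cost: float       # installing (annualized) plus maintaining, dollars
    effectiveness: float     # ASSUMPTION: fraction of the exposure it removes

def evaluate(exposures, controls):
    """Return one row per control, largest net benefit first."""
    by_name = {e.name: e for e in exposures}
    rows = []
    for c in controls:
        if c.counters not in by_name:
            raise ValueError(f"{c.name}: no assessed exposure {c.counters!r}")
        if not 0.0 <= c.effectiveness <= 1.0:
            raise ValueError(f"{c.name}: effectiveness must be in [0, 1]")
        benefit = round(by_name[c.counters].annual_exposure() * c.effectiveness, 2)
        net = round(benefit - c.annual_cost, 2)
        rows.append({"control": c.name, "benefit": benefit,
                     "cost": c.annual_cost, "net": net, "adopt": net > 0})
    return sorted(rows, key=lambda r: r["net"], reverse=True)

# Constructed figures, for illustration only.
EXPOSURES = [
    Exposure("keying errors in order entry", 40.0, 2500),      # frequent, small
    Exposure("unauthorized program change", 250_000.0, 0.05),  # rare, large
    Exposure("computer room flood", 2_000_000.0, 0.002),       # very rare
]
CONTROLS = [
    Control("edit checks on input", "keying errors in order entry", 15_000.0, 0.80),
    Control("written change approval", "unauthorized program change", 6_000.0, 0.90),
    Control("duplicate processing site", "computer room flood", 60_000.0, 0.95),
]

if __name__ == "__main__":
    for row in evaluate(EXPOSURES, CONTROLS):
        print(f"{row['control']:28} benefit={row['benefit']:>10,.0f} "
              f"cost={row['cost']:>8,.0f} net={row['net']:>10,.0f} adopt={row['adopt']}")
```
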

  • Legislation
    • The Foreign Corrupt Practices Act of 1977
    • Of the Federal Legislation governing the use of computers, The Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important
    • This act makes it a federal crime to intentionally access a computer for such purposes as:
        (1) obtaining top-secret military information, personal, financial or credit information
        (2) committing a fraud
        (3) altering or destroying federal information

  • Methods for Thwarting Computer Abuse
    • Enlist top-management support so that awareness of computer abuse will filter down through management ranks.
    • Implement and enforce control procedures.
    • Increase employee awareness of the seriousness of computer abuse, the amount of costs, and the disruption it creates.
    • Establish a code of conduct.
    • Be aware of the common characteristics of most computer abusers.

  • Methods for Thwarting Computer Abuse (continued)
    • Recognize the symptoms of computer abuse such as:
        • behavioral or lifestyle changes in an employee
        • accounting irregularities such as forged, altered or destroyed input documents or suspicious accounting adjustments
        • absent or ignored control procedures
        • the presence of many odd or unusual anomalies that go unchallenged
    • Encourage ethical behavior

  • Control Problems Caused by Computerization: Data Collection (Figure 7-6)

    | Manual System Characteristics | Computer-based System Characteristics | Risk Exposures | Compensating Controls |
    |---|---|---|---|
    | Data recorded in paper source documents | Data sometimes captured without use of source documents | Audit trail may be partially lost | Printed copies of source documents prepared by computer systems |
    | Data reviewed for errors by clerks | Data often not subject to review by clerks | Errors, accidental or deliberate, may be entered for processing | Edit checks performed by computer system |

  • Control Problems Caused by Computerization: Data Processing (Figure 7-6 Continued)

    | Manual System Characteristics | Computer-based System Characteristics | Risk Exposures | Compensating Controls |
    |---|---|---|---|
    | Processing steps performed by clerks who possess judgment | Processing steps performed by CPU blindly in accordance with program instructions | Errors may cause incorrect results of processing | Outputs reviewed by users of computer system; carefully developed computer processing programs |
    | Processing steps among various clerks in separate departments | Processing steps concentrated within computer CPU | Unauthorized manipulation of data and theft of assets can occur on larger scale | Restricted access to computer facilities; clear procedure for authorizing changes to programs |
    | Processing requires use of journals and ledgers | Processing does not require use of journals | Audit trail may be partially lost | Printed journals and other analyses |
    | Processing performed relatively slowly | Processing performed very rapidly | Effects of errors may spread rapidly through files | Editing of all data during input and processing steps |

  • Control Problems Caused by Computerization: Data Storage & Retrieval (Figure 7-6 Continued)

    | Manual System Characteristics | Computer-based System Characteristics | Risk Exposures | Compensating Controls |
    |---|---|---|---|
    | Data stored in file drawers throughout the various departments | Data compressed on magnetic media (e.g., tapes, disks) | Data may be accessed by unauthorized persons or stolen | Security measures at points of access and over data library |
    | Data stored on hard copies in human-readable form | Data stored in invisible, erasable, computer-readable form | Data are temporarily unusable by humans, and might possibly be lost | Data files printed periodically; backup of files; protection against sudden power losses |
    | Stored data accessible on a piecemeal basis at various locations | Stored data often readily accessible from various locations via terminals | Data may be accessed by unauthorized persons | Security measures at points of access |

  • Control Problems Caused by Computerization: Information Generation (Figure 7-6 Continued)

    | Manual System Characteristics | Computer-based System Characteristics | Risk Exposures | Compensating Controls |
    |---|---|---|---|
    | Outputs generated laboriously and usually in small volumes | Outputs generated quickly and neatly, often in large volumes | Inaccuracies may be buried in impressive-looking outputs that users accept on faith | Reviews by users of outputs, including the checking of amounts |
    | Outputs usually in hard-copy form | Outputs provided in various forms, including soft-copy displays and voice responses | Information stored on magnetic media is subject to modification (only hard copy provides permanent record) | Backup of files; periodic printing of stored files onto hard-copy records |

  • Control Problems Caused by Computerization: Equipment (Figure 7-6 Continued)

    | Manual System Characteristics | Computer-based System Characteristics | Risk Exposures | Compensating Controls |
    |---|---|---|---|
    | Relatively simple, inexpensive, and mobile | Relatively complex, expensive, and in fixed locations | Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed; operations may be delayed through inefficiencies | Backup of data and power supply and equipment; preventive maintenance of equipment; restrictions on access to computer facilities; documentation of equipment usage and processing procedures |

  • Accounting Information Systems: Essential Concepts and Applications, Fourth Edition, by Wilkinson, Cerullo, Raval, and Wong-On-Wing

    Copyright 2000 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.