CHAPTER Control and Accounting Information Systems
© 2008 Prentice Hall Business Publishing, Accounting Information Systems, 11/e, Romney/Steinbart

INTRODUCTION

• Questions to be addressed in this chapter:
  – What are the basic internal control concepts, and why are computer control and security important?
  – What is the difference between the COBIT, COSO, and ERM control frameworks?
  – What are the major elements in the internal environment of a company?
  – What are the four types of control objectives that companies need to set?
  – What events affect uncertainty, and how can they be identified?
  – How is the Enterprise Risk Management model used to assess and respond to risk?
  – What control activities are commonly used in companies?
  – How do organizations communicate information and monitor control processes?

• Why AIS threats are increasing
  – Control risks have increased in the last few years because:
    • There are computers and servers everywhere, and information is available to an unprecedented number of workers
    • Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems
    • Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern

• Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
  – Computer control problems are often underestimated and downplayed
  – Control implications of moving from centralized, host-based computer systems to networked or Internet-based systems are not always fully understood
  – Companies have not realized that data is a strategic resource and that data security must be a strategic requirement
  – Productivity and cost pressures may motivate management to forego time-consuming control measures

• Some vocabulary terms for this chapter:
  – A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization
  – The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality
  – The likelihood is the probability that the threat will occur

• Control and security are important
  – Companies are now recognizing the problems and taking positive steps to achieve better control, including:
    • Devoting full-time staff to security and control concerns
    • Educating employees about control measures
    • Establishing and enforcing formal information security policies
    • Making controls a part of the applications development process
    • Moving sensitive data to more secure environments

• To use IT in achieving control objectives, accountants must:
  – Understand how to protect systems from threats
  – Have a good understanding of IT and its capabilities and risks
• Achieving adequate security and control over the information resources of an organization should be a top management priority

• Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
  – Computer processing may reduce clerical errors but increase the risk of unauthorized access to or modification of data files
  – Segregation of duties must be achieved differently in an AIS
  – Computers provide opportunities for enhancement of some internal controls

• One of the primary objectives of an AIS is to control a business organization
  – Accountants must help by designing effective control systems and by auditing or reviewing control systems already in place to ensure their effectiveness
• Management expects accountants to be control consultants by:
  – Taking a proactive approach to eliminating system threats; and
  – Detecting, correcting, and recovering from threats when they occur

• It is much easier to build controls into a system during the initial stage than to add them after the fact
• Consequently, accountants and control experts should be members of the teams that develop or modify information systems

MONITORING

• Key methods of monitoring performance include:
  – Perform ERM evaluation
  – Implement effective supervision
  – Use responsibility accounting
  – Monitor system activities
  – Track purchased software
  – Conduct periodic audits
  – Employ a computer security officer and security consultants
  – Engage forensic specialists
  – Install fraud detection software
  – Implement a fraud hotline

• Employ a computer security officer and computer consultants
  – The computer security officer (CSO) is in charge of AIS security
    • Should be independent of the IS function
    • Should report to the COO or CEO
  – Many companies also use outside computer consultants or in-house teams to test and evaluate their security procedures and computer systems

• Engage forensic specialists
  – Forensic accountants specialize in fraud detection and investigation
    • Now one of the fastest growing areas of accounting due to:
      – SOX
      – SAS-99
      – Boards of Directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process
• Most forensic accountants are CPAs and may have received special training with the FBI, CIA, or other law enforcement agencies
  – In particular demand are those with the necessary computer skills to ferret out and combat fraudsters who use sophisticated technology to perpetrate their crimes
  – The Association of Certified Fraud Examiners (ACFE) has created a professional certification program for fraud examiners
• Management may also need to call on computer forensic specialists for help
• They assist in discovering, extracting, safeguarding, and documenting computer evidence so that its authenticity, accuracy, and integrity will not succumb to legal challenges
• Common incidents investigated by computer forensic experts include:
  – Improper internet usage
  – Fraud
  – Sabotage
  – Loss, theft, or corruption of data
  – Retrieving information from emails and databases that users thought they had erased
  – Determining who performed certain actions on a computer

• Install fraud detection software
  – People who commit fraud tend to follow certain patterns and leave behind clues
  – Software has been developed to seek out these fraud symptoms
  – Some companies employ neural networks (programs that mimic the brain and have learning capabilities), which are very accurate in identifying suspected fraud
  – For example, if a husband and wife were each using the same credit card in two different stores at the same time, a neural network would probably flag at least one of the transactions immediately as suspicious
  – These networks and other recent advances in fraud detection software are significantly reducing the incidence of credit card fraud
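As an added illustration of the "same card, two stores, same time" symptom described on the slide above (example code written for this page, not from the textbook or its authors), here is a plain rule-based check rather than a neural network: it flags any two transactions on one card at different merchants whose timestamps fall within a short window. The `Txn` record, the `flag_concurrent_use` function and the sample transactions are all constructed assumptions, not real card data or a real system.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby


@dataclass(frozen=True)
class Txn:
    txn_id: str
    card: str        # masked card token (constructed sample value)
    merchant: str
    at: datetime


def flag_concurrent_use(txns, window_seconds=300):
    """Return sorted (earlier_id, later_id) pairs where the same card was used
    at two different merchants within `window_seconds` of each other.

    Rule-based stand-in for the fraud-symptom detector the slide describes;
    assumption: one physical card cannot be presented in two stores at once.
    """
    window = timedelta(seconds=window_seconds)
    flagged = []
    # Group by card, with each card's transactions in time order
    by_card = sorted(txns, key=lambda t: (t.card, t.at))
    for _card, group in groupby(by_card, key=lambda t: t.card):
        card_txns = list(group)
        for i, earlier in enumerate(card_txns):
            # Only compare against later transactions still inside the window
            for later in card_txns[i + 1:]:
                if later.at - earlier.at > window:
                    break
                if later.merchant != earlier.merchant:
                    flagged.append((earlier.txn_id, later.txn_id))
    return sorted(flagged)


# Constructed sample transactions (not real card data)
SAMPLE = [
    Txn("T1", "tok-1111", "Grocery-Downtown", datetime(2008, 3, 1, 10, 0, 0)),
    Txn("T2", "tok-1111", "Electronics-Mall", datetime(2008, 3, 1, 10, 2, 30)),  # other store, 2.5 min later
    Txn("T3", "tok-1111", "Grocery-Downtown", datetime(2008, 3, 1, 10, 3, 0)),   # back at first store, 30 s later
    Txn("T4", "tok-2222", "Gas-Station", datetime(2008, 3, 1, 11, 0, 0)),
    Txn("T5", "tok-2222", "Bookstore", datetime(2008, 3, 1, 11, 30, 0)),         # 30 min later: outside window
]

if __name__ == "__main__":
    for pair in flag_concurrent_use(SAMPLE):
        print("suspicious pair:", pair)
```

Every flagged pair is a lead for a human reviewer, not proof of fraud; in practice the window would be tuned per merchant category and combined with the other symptoms the slide mentions.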
• Implement a fraud hotline
  – People who witness fraudulent behavior are often torn between conflicting feelings
    • They want to protect company assets and report fraud perpetrators
    • But they are uncomfortable in the whistleblower role and find it easier to remain silent
  – They are particularly reluctant to report if they know of others who have suffered repercussions from doing so
• SOX mandates that companies set up mechanisms for employees to anonymously report abuses such as fraud
  – An effective way to comply with the law and resolve employee concerns is to provide access to an anonymous hotline
  – Anonymous reporting can be accomplished through:
    • Phone lines
    • Web-based reporting
    • Anonymous emails
    • Snail mail
• Outsourcing is available through a number of third parties and offers several benefits, including:
  – Increased confidence on the part of the employee that his/her report is truly anonymous
  – 24/7 availability
  – Often have multilingual capabilities, an important plus for multinational organizations
  – The outsourcer may be able to follow up with the employee if additional information is needed after the initial contact
  – The employee can be advised of the outcome of his report
  – Low cost
• A downside to anonymous reporting mechanisms is that they will produce a significant amount of petty or slanderous reports that do not require investigation
• The ACFE’s 2004 Report to the Nation indicates that companies without fraud hotlines had median fraud losses that were 140% higher than companies that had fraud hotlines

SUMMARY

• In this chapter, you’ve learned about basic internal control concepts and why computer control and security are so important
• You’ve learned about the similarities and differences between the COBIT, COSO, and ERM control frameworks
• You’ve learned about the major elements in the internal control environment of a company and the four types of control objectives that companies need to set
• You’ve also learned about events that affect uncertainty and how these events can be identified
• You’ve explored how the Enterprise Risk Management model is used to assess and respond to risk, as well as the control activities that are commonly used in companies
• Finally, you’ve learned how organizations communicate information and monitor control processes