Lecture Accounting information systems: Chapter 10 - Richardson, Chang, Smith

Document information

Chapter 10 - Accounting information systems and internal controls. After reading this chapter, you should be able to: Explain essential control concepts and why a code of ethics and internal controls are important, explain the objectives and components of the COSO internal control framework and the COSO enterprise risk management framework,...

Chapter 10: Accounting Information Systems and Internal Controls
Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Learning Objectives
• LO#1 Explain essential control concepts and why a code of ethics and internal controls are important
• LO#2 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk management framework
• LO#3 Describe the overall COBIT framework and its implications for IT governance
• LO#4 Describe other governance frameworks related to information systems management and security

Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
The Need for a Code of Ethics
• Ethical behavior prompted by a code of ethics can be considered a form of internal control
• Employees with different cultural backgrounds are likely to have different values
• Many professional associations have developed codes of ethics to assist professionals in selecting among decisions that are not clearly right or wrong

Sarbanes-Oxley Act 2002
• SOX requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting
• Established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms
• PCAOB Auditing Standard No. 5 (AS 5) encourages auditors to use a risk-based, top-down approach to identify the key controls

Corporate Governance
• A set of processes and policies for managing an organization with sound ethics to safeguard the interests of its stakeholders
• Promotes accountability, fairness, and transparency in the organization's relationship with its stakeholders

Overview of Control Concepts
Three main functions of internal control:
• Preventive controls deter problems before they arise (e.g., authorization)
• Detective controls find problems when they arise (e.g., bank reconciliations and monthly trial balances)
• Corrective controls fix problems that have been identified (e.g., backup files to recover corrupted data)
Computerized environment:

Commonly Used Internal Control Frameworks
• The SEC requires management to evaluate internal controls based on a recognized control framework
• COSO Internal Control framework
  - COSO: Committee of Sponsoring Organizations of the Treadway Commission
  - Sponsoring organizations: AAA, AICPA, FEI, IIA, and IMA
  - The COSO Internal Control framework is one of the most widely accepted authorities on internal control, providing a baseline for ...

Commonly Used Internal Control Frameworks (continued)
• COSO 2.0
• COSO ERM framework: focuses on the strategic alignment of the firm's mission with its risk appetite
• Control Objectives for Information and related Technology (COBIT): a control framework for the governance and management of enterprise IT
• Information Technology Infrastructure Library (ITIL): a set of concepts and practices for IT service management

COSO Internal Control Framework (COSO 2.0)
• Internal control is a process consisting of ongoing tasks and activities; it is a means to an end, not an end in itself
• Internal control is affected by people; it is not merely about policy manuals, systems and forms, but about people at every level of a firm who impact internal control
• Internal control can provide reasonable assurance, not absolute assurance, to an ...

COSO Internal Control Framework (COSO 2.0)
Three categories of objectives:
• Operations objectives: effectiveness and efficiency of a firm's operations, including financial performance goals and safeguarding assets
• Reporting objectives: reliability of reporting, including internal and external financial and nonfinancial reporting
• Compliance objectives: adherence to applicable laws and regulations

COSO 2.0
Five components of internal control:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring Activities

COSO Enterprise Risk Management—Integrated Framework
Four categories of objectives:
• Strategic: high-level goals, aligned with and supporting the firm's mission and vision
• Operations: effectiveness and efficiency of operations
• Reporting: reliability of internal and external reporting
• Compliance: compliance with applicable laws and regulations

COSO Enterprise Risk Management—Integrated Framework
Eight components of internal control:
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

Risk Assessment and Risk Response
• Inherent risk: the risk that already exists before management takes any action to address it
• Control risk: the threat that errors or irregularities in the underlying transactions will not be prevented, detected and corrected by the internal control system
• Residual risk: the product of inherent risk and control risk
• (1) Reduce risks by designing effective business processes and implementing internal controls

Risk Assessment and Risk Response
• Cost and benefit analysis is important in determining whether to implement an internal control
• The benefits of an internal control should exceed its costs
• One way to measure the benefit of a control is to use the estimated impact of a risk times the decrease in its likelihood if the control is implemented
• Expected benefit of an internal control = Impact × Decreased Likelihood

Control Activities
• Physical controls: mainly manual, but could involve the physical use of computing technology
• IT controls: processes that provide assurance for information and help to mitigate risks associated with the use of technology
  - IT general controls (ITGC)
  - IT application controls

COBIT Framework
• COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for IT governance and management
• Governance: evaluating stakeholder needs to determine firm objectives, setting direction through decision making, and monitoring performance, compliance and progress
• Management: ...

COBIT Framework (continued)
• Provides a business focus to align business and IT objectives;
• Defines the scope and ownership of IT process and control;
• Is consistent with accepted IT good practices and standards;
• Provides a common language with a set of terms and definitions that are generally understandable by all stakeholders; and
• ...

Information Technology Infrastructure Library (ITIL)
• A de facto standard in Europe for best practices in IT infrastructure management and service delivery
• ITIL's value proposition centers on providing IT services with an understanding of the business objectives and priorities, and of the role that IT services have in achieving those objectives
• ITIL adopts a lifecycle approach to IT services, and organizes IT service management into five high-level categories

International Organization for Standardization (ISO) 27000 Series
• The ISO 27000 series of standards is designed to address information security issues
• The ISO 27000 series, particularly ISO 27001 and ISO 27002, has become the most recognized and generally accepted set of information security frameworks and guidelines
• The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS)

Posted: 18/01/2020, 17:15

Table of contents

  • Slide 1

  • Learning Objectives

  • Ethics, Sarbanes Oxley Act 2002 and Corporate Governance

  • Sarbanes Oxley Act 2002

  • Corporate Governance

  • Overview of Control Concepts

  • Commonly used Internal Control Frameworks

  • Commonly used Internal Control Frameworks

  • COSO Internal Control Framework (COSO 2.0)

  • COSO Internal Control Framework (COSO 2.0)

  • COSO 2.0

  • COSO Enterprise Risk Management—Integrated Framework

  • COSO Enterprise Risk Management—Integrated Framework

  • COSO Enterprise Risk Management—Integrated Framework

  • Risk Assessment and Risk Response

  • Risk Assessment and Risk Response

  • Control Activities

  • COBIT Framework

  • COBIT Framework

  • Information Technology Infrastructure Library (ITIL)