Accounting Information Systems and Internal Control:
The accounting information systems that company’s use to pull all of this wonderful accounting information together and make it available to internal and external users. We will also learn about the internal controls that are built into the accounting information system to ensure the reliability of the financial information, the effectiveness and efficiency of operations and the company’s compliance with applicable laws and regulations. Therefore, a good system of internal control will help reduce errors and irregularities, and help minimize the “opportunity” to commit fraud.
There are a few reasons why treats to accounting information systems are increasing. The first reason is that information available is to an unprecedented number of workers. Besides, information on distributed computer networks is hard to control. Information is often distributed among many systems and thousands of employees. Customers and suppliers have access to each other’s systems and data.
Any potential adverse occurrence is called a threat or an event. The potentially dollar loss from a threat is called the exposure or impact. The probability that it will happen is called the likelihood of the threat.
Internal control is the process implemented to provide reasonable assurance that the following control objectives are achieved. It is a process because it permeates an organization’s activities and is an integral part of management activities. Internal control provides reasonable assurances. Complete assurance is difficult to achieve and prohibitively expensive.
Internal control perform three important functions:
- Preventive controls deter problems before they arise.
- Detective controls discover problems that are not prevented.
- Corrective controls identify and correct problems as well as correct and recover from the resulting errors.
Internal controls are often segregated into two categories
- General controls. This type of control makes sure an organization’s control environment is stable and well managed.
- Application controls. This type of control makes sure transactions are processed correctly.
A Harvard business professor has espoused four levels of control to help management reconcile the conflict between creativity and controls.
- Belief system. This system describes how the company creates value and helps the employees understand the management’s vision.
- Boundary system. This system helps employees act ethically by setting boundaries on employee behavior.
- Diagnostic control system. This type of system measures, monitors, and compares actual company progress to budgets and performance goals.
- Interactive control system. This system helps managers to focus on key strategic issues and to be more involved in decisions.
The Foreign Corrupt Practices Act (FCPA) was passes to prevent companies from bribing foreign officials to obtain business. In the last 75 years, the SOX is the most important business-oriented legislation. After the SOX was passed, the SEC mandated that management must base its evaluation on a recognized control framework. They also must disclose all material internal control weaknesses and must conclude that a company does not have effective financial reporting internal controls if there are material weaknesses.
There are three frameworks used to develop internal control systems.
- COBIT framework. The ISACA developed Control Objectives for Information and Related Technology (COBIT) framework. This framework addresses control from three vantage points.
- Business objectives. This is to satisfy business objectives.
- IT resources. These includes people, application systems, technology, facilities and data.
- IT processes. These are broken in four domains: planning & organization, acquisition & implementation, delivery & support and monitoring & evaluation.
- The Committee of Sponsoring Organizations (COSO) consist of a few organizations. The COSO issued internal control – integrated framework (IC), which is widely accepted as the authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities.
- COSO developed another control framework to improve the risk management process. It’s called Enterprise Risk Management – Integrated Framework (ERM). ERM is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess management risks, and provide reasonable assurances that the company achieves its objectives and goals.
The internal environment, or company culture, influences how organizations establish strategies and objectives and structure business activities. A weak or deficient internal environment often results in breakdowns in risk management and control. An internal environment control consists of the following:
- Management’s philosophy, operating style, and risk appetite
- The board of directors
- Commitment to integrity, ethical values, and competence
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
- External influences
Companies have a risk appetite, which is the amount of risk they are willing to accept to achieve their goals. To avoid undue risk, the risk appetite must be in alignment with company strategy. The more responsible management’s philosophy and operating style, the more clearly they are communicated, the more likely employees will behave responsibly.
An involved board of directors represents shareholders and provides an independent review of management that acts as a check and balance on its actions. Public companies has an audit committee of outside, independent directors. The audit committee is responsible for financial reporting, regulatory compliance, internal control and hiring and overseeing internal and external auditors.
The policy and procedures manual explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provide to carry out specific duties. The manual includes the chart of accounts and copies of forms and documents. It is a helpful tool for both current employees and new employees.
Employees should be hired based on educational background, experience, achievements, honesty and integrity, and meeting written job requirements. Sometimes there is a background check. A thorough background check includes talking to references, checking for a criminal record, examining credit records, and verifying educating and work experience.
One of the greatest control strengths is the honesty of the employees. Policies should convey the required level of expertise, competence, ethical behavior and integrity required. The following policies and procedures are important.
- Compensating, evaluating and promoting
- Managing disgruntled employees
- Vacations and rotation of duties
- Confidentiality agreements and fidelity bond insurance
- Prosecute and incarcerate perpetrators
Objective setting is the second ERM component. Management determines what the company hopes to achieve, often referred to as the corporate vision or mission. The company determines what must go right to achieve the objectives and establishes performance measures to determine whether they are met.
- Strategic objectives
- Operation objectives
- Reporting objectives
- Compliance objectives
The risks of an identified event are assessed in several different ways.
Inherent risks exists before management takes any steps to control the likelihood or impact of an event.
The residual risk is what remains after management implements internal controls or some other response to risk. Companies should assess inherent risk, develop a response, and then assess residual risk.
Management can respond to risk in one of four ways
- Reduce the likelihood and impact of risk by implementing internal controls
- Accept the likelihood and impact of the risk
- Share risk or transfer it to someone else
- Avoid risk by not engaging in the activity that produces the risk
Accountants and systems designers help management design effective control systems to reduce inherent risk. They also evaluate internal control systems to ensure that they are operating effectively.
One way to estimate the value of the internal controls involves the expected loss, the mathematical product of impact and likelihood.
Expected loss = impact x likelihood
The value of a control procedure is the difference between the expected loss with the control procedure and the expected loss without it.
Control activities are policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out. It is management’s responsibility to develop a secure and adequately controlled system.
Controls are much more effective when placed in the system as it is built, rather than as an afterthought. Managers need to involve systems analysts, designers, and end users when designing computer-based control systems.
Control procedures fall into the following categories
- Proper authorization of transactions and activities
- Segregation of duties
- Project development and acquisition controls
- Change management controls
- Design and use of documents and records
- Safeguarding assets, records and data
- Independent checks on performance
Because management lacks the time and resources to supervise each company activity and decision, it establish policies for employees to follow and then empowers them. This empowerment, called authorization, is an important control procedure. Authorization are often documented by signing, initializing, or entering an authorization code on a document.
Computer systems can record a digital signature, a means of signing a document with data that cannot be forged.
Certain activities or transactions may be of such consequence that management grants specific authorization for them to occur. In contrast, there is a procedure known as general authorization. This is without special approval.
Good internal control requires that no single employee be given too much responsibility over business transactions and processes. An employee should not be in a position to commit and conceal fraud. Segregation of duties is discussed in two separate sections: segregation of accounting duties and segregation of system duties.
Effective segregation of accounting duties is achieved when the following functions are separated (see also figure 7.3 on page 217).
- Authorization: approving transactions and decisions
- Recording: preparing source documents
- Custody: handling cash, tools, inventory, or fixed assets
With Segegration of system duties, authority and responsibility should be divided clearly among the following functions
- Systems administration: make sure all information system components operate smoothly and efficiently.
- Network management: ensure that devices are linked to the organization’s internal and external networks.
- Security management: makes sure that systems are secured and protected from internal and external threats.
- Change management: is the process of making sure that changes are made smoothly and efficiently.
- Users: record transactions, authorize data to be processed and use system output.
- Programming: take the analyst’ design and create a system
- Computer operations: run the software on the company’s computers.
- Information system library: maintains custody of corporate databases, files and programs in a separate storage area.
- Data control
Important system development controls are the following
- A steering committee. This committee guides and oversees systems development and acquisition.
- A strategic masterplan. This is a plan developed and updated every year to align an organization’s information system with its business strategies.
- A project development plan. This is a plan that shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones.
- A data processing schedule. This schedule shows when each task should be performed.
- System performance measurements. These are established to evaluate the system. Measurements include throughput, utilization and response time.
- A post-implementation review. This review is performed after a development project is completed to determine whether the anticipated benefits were achieved.
Some companies hire a systems integrator to manage a systems development effort involving its own personnel, its client, and other vendors. Companies using systems integrators should use the same project management processes and controls as internal projects. They should develop clear specifications and monitor the project.
Independent checks on performance, done by someone other than the person who performs the original operation, help ensure that transactions are processed accurately. They include the following:
- Top level reviews.
- The management should monitor company results and periodically compare actual company performance to a planned, prior period or competitor’s performance.
- Analytical reviews.
- This is an examination of the relationship between different sets of data.
- Reconciliation of independently maintained records.
- Records should be reconciled to documents or records with the same balance.
- Comparison of actual quantities with recorded amounts.
- Significant assets are periodically counted and reconciled to company records.
- Double-entry accounting.
- The maximum that debits equal credits provides numerous opportunities for independent checks.
- Independent review.
- After a transaction is processes, a second person reviews the work of the first, checking for proper authorization etc.
Information and communication constitute the seventh component of the ERM and is also a very important component in the accounting information system. This relates directly to the primary purpose of an AIS, which is to gather, record, process, store, summarize, and communicate information about an organization.
An audit trail allows transactions to be traced back and forth between their origination and de financial statements.
Accounting systems generally consists of seven subsystems, each designed to process a particular type of transaction using the same sequence of procedures, called accounting circles.
ERM processes must be continuously monitored and modified as needed, and deficiencies must be reported to management. Key methods of monitoring performance include the following:
- Perform ERM evaluations.
- The effectiveness is measured using a formal or a self-assessment ERM evaluation.
- Implement effective supervision.
This involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who have access to assets.
- Use responsibility accounting systems.
- This systems include budgets, quotas, schedules, standard costs, and quality standards.
- Monitor system activities.
- For example risk analysis and management software packages review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report weaknesses found and suggests also improvements. The software also monitors and combats viruses, spyware, adware, spam etc.
- Track purchased software and mobile devices
The business software alliance (BSA) tracks down and fines companies that violate software license agreements. The increasing number of mobile devices should be tracked and monitored, because their loss could represent a substantial exposure.
- Conduct periodic audits.
- External, internal and network securities audits can assets and monitor risk as well as detect fraud and errors. Informing employees of audits helps resolve privacy issues, deters fraud, and reduces erros. Auditors should regularly test susyem controls and periodically browse system usage files looking voor suspicious activities.
- Employee a computer security officer and a chief compliance officer.
- A computer security officer (CSO) is in charge of system security, independent of the information system function and reports to the chief operating officer (COO) of the CEO.
- Engage forensic specialists
Forensic investigators who specialize in fraud are a fast-growing group in the accounting profession. Computer forensics specialists discover, extract, safeguard and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.
- Install fraud detection software
- Neural networks are programs with learning capabilities. These networks can accurately identify fraud.
- Implement a fraud hotline.
- A fraud hotline is an effective way to comply with the law and resolve whistle-blower conflict.