
Control and Accounting Information Systems: Internal Controls, Risk Management, and Regulatory Frameworks

Study Guide - Smart Notes


Control and Accounting Information Systems

Introduction

Accounting Information Systems (AIS) are essential for organizations to achieve their objectives by ensuring the integrity, reliability, and security of financial data. This chapter focuses on the importance of internal controls, risk management, and regulatory frameworks in the context of AIS.

Why Is Control Needed?

Threats, Exposure, and Likelihood

  • Threat/Event: Any potential adverse occurrence or unwanted event that could harm the AIS or the organization.

  • Exposure/Impact: The potential dollar loss if a threat becomes a reality.

  • Likelihood: The probability that a threat will occur.

Effective controls are necessary to minimize the risk and impact of threats to accounting systems.

Primary Objective of an AIS

Organizational Control and Accountant Responsibilities

  • Control the organization to achieve its objectives.

  • Accountants are expected to:

    • Take a proactive approach to eliminating system threats.

    • Detect, correct, and recover from threats when they occur.

Internal Controls

Objectives of Internal Controls

  • Safeguard assets

  • Maintain sufficient records

  • Provide accurate and reliable information

  • Prepare financial reports according to established criteria

  • Promote and improve operational efficiency

  • Encourage adherence to management policies

  • Comply with laws and regulations

Functions of Internal Controls

  • Preventive controls: Deter problems from occurring.

  • Detective controls: Discover problems that are not prevented.

  • Corrective controls: Identify and correct problems that have occurred, and recover from them.

Regulatory Frameworks

Foreign Corrupt Practices Act (FCPA) and Sarbanes-Oxley Act (SOX)

  • FCPA (1977):

    • Prevents companies from bribing foreign officials to obtain business.

    • Requires publicly owned corporations to maintain a system of internal accounting control.

  • SOX (2002):

    • Prevents financial statement fraud.

    • Ensures financial report transparency.

    • Protects investors.

    • Strengthens internal controls.

    • Punishes executives who perpetrate fraud.

Control Frameworks

Overview

  • COBIT: Framework for IT control.

  • COSO: Framework for enterprise internal controls (control-based approach).

  • COSO-ERM: Expands COSO framework to include risk-based approach.

COBIT Framework

  • Current version: COBIT5

  • Principles:

    • Meeting stakeholder needs

    • Covering the enterprise end-to-end

    • Applying a single, integrated framework

    • Enabling a holistic approach

    • Separating governance from management

COBIT5 Governance vs. Management

  • Governance: Evaluate, Direct, Monitor

  • Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)

Components of COSO Frameworks

COSO (five components):

  • Control (internal) environment

  • Risk assessment

  • Control activities

  • Information and communication

  • Monitoring

COSO-ERM (eight components):

  • Internal environment

  • Objective setting

  • Event identification

  • Risk assessment

  • Risk response

  • Control activities

  • Information and communication

  • Monitoring

Internal Environment

Elements

  • Management's philosophy, operating style, and risk appetite

  • Commitment to integrity, ethical values, and competence

  • Internal control oversight by Board of Directors

  • Organizational structure

  • Methods of assigning authority and responsibility

  • Human resource standards

Objective Setting

Types of Objectives

  • Strategic objectives: High-level goals

  • Operations objectives: Effectiveness and efficiency of operations

  • Reporting objectives: Improve decision making and monitor performance

  • Compliance objectives: Compliance with applicable laws and regulations

Event Identification

Process and Key Questions

Identifying incidents, both external and internal, that could affect the achievement of organizational objectives.

  • What could go wrong?

  • How can it go wrong?

  • What is the potential harm?

  • What can be done about it?

Risk Assessment

Perspectives and Types

  • Likelihood: Probability that the event will occur

  • Impact: Estimate potential loss if event occurs

Types of Risk:

  • Inherent risk: Risk that exists before plans are made to control it

  • Residual risk: Risk that remains after controls are implemented

Formula for Expected Loss:

Risk Response

Methods

  • Reduce: Implement effective internal control

  • Accept: Do nothing, accept likelihood and impact of risk

  • Share: Buy insurance, outsource, or hedge

  • Avoid: Do not engage in the activity

Control Activities

Common Activities

  • Proper authorization of transactions and activities

  • Segregation of duties

  • Project development and acquisition controls

  • Change management controls

  • Design and use of documents and records

  • Safeguarding assets, records, and data

  • Independent checks on performance

Segregation of Accounting Duties

  • Custodial functions: Handling cash, inventory, writing checks, receiving checks in the mail

  • Recording functions: Preparing source documents, maintaining journals and ledgers, preparing reconciliations, preparing performance reports

  • Authorization functions: Authorization of transactions or decisions

Segregation prevents employees from both authorizing and recording transactions, reducing the risk of fraud and errors.

Segregation of Systems Duties

  • System administration

  • Network management

  • Security management

  • Change management

  • Users

  • Systems analysts

  • Programmers

  • Computer operators

  • Information system librarian

  • Data control

Dividing authority and responsibility among these functions helps prevent unauthorized access and errors.
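To show how the segregation rules above can be checked mechanically, here is an added example (not from the slides or these notes) that flags employees whose combined roles grant incompatible accounting functions. The authorization/recording conflict is the one stated in the notes; the other two pairs of the custody/recording/authorization triad, the role catalogue and the employee assignments are assumptions constructed for the example.

```python
# Function pairs that one employee must not hold together. The notes state the
# authorization/recording conflict; the other two pairs complete the classic
# custody/recording/authorization triad (an assumption of this example).
ACCOUNTING_CONFLICTS: set[frozenset[str]] = {
    frozenset({"authorization", "recording"}),
    frozenset({"authorization", "custody"}),
    frozenset({"recording", "custody"}),
}

# Constructed sample role catalogue: each role grants one or more functions.
ROLE_FUNCTIONS: dict[str, set[str]] = {
    "ap_clerk": {"recording"},          # maintains the purchases journal
    "reconciler": {"recording"},        # prepares bank reconciliations
    "check_signer": {"authorization"},  # approves and signs payments
    "cashier": {"custody"},             # handles cash and receives checks
}

# Constructed sample assignments: employee -> roles held.
SAMPLE_ASSIGNMENTS: dict[str, set[str]] = {
    "alice": {"ap_clerk", "reconciler"},   # two recording roles: no conflict
    "bob": {"ap_clerk", "check_signer"},   # records and authorizes: conflict
    "carol": {"cashier", "check_signer"},  # holds cash and authorizes: conflict
}

def functions_for(roles: set[str], role_functions: dict[str, set[str]]) -> set[str]:
    """Union of the functions an employee's roles grant (unknown roles grant none)."""
    held: set[str] = set()
    for role in roles:
        held |= role_functions.get(role, set())
    return held

def find_sod_violations(
    assignments: dict[str, set[str]],
    role_functions: dict[str, set[str]] = ROLE_FUNCTIONS,
    conflicts: set[frozenset[str]] = ACCOUNTING_CONFLICTS,
) -> list[tuple[str, frozenset[str]]]:
    """Return (employee, conflicting pair) for every incompatible combination held."""
    violations: list[tuple[str, frozenset[str]]] = []
    for employee, roles in sorted(assignments.items()):
        # Accumulate across all roles: no single role need grant both halves.
        held = functions_for(roles, role_functions)
        for pair in sorted(conflicts, key=sorted):
            if pair <= held:
                violations.append((employee, pair))
    return violations

if __name__ == "__main__":
    for employee, pair in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"{employee}: holds both {' and '.join(sorted(pair))}")
```

The same structure serves the systems duties list: replace the role catalogue with systems roles and the conflict set with the pairs the organization decides must stay separate.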

Monitoring

Control Process Monitoring

  • Perform internal control evaluations (e.g., internal audit)

  • Implement effective supervision

  • Use responsibility accounting systems (e.g., budgets)

  • Monitor system activities

  • Track purchased software and mobile devices

  • Conduct periodic audits (e.g., external, internal, network security)

  • Employ a computer security officer

  • Engage forensic specialists

  • Install fraud detection software

  • Implement a fraud hotline

Key Terms

Selected Definitions

  • Internal controls: Processes designed to provide reasonable assurance regarding the achievement of objectives.

  • Preventive controls: Controls that deter problems before they occur.

  • Detective controls: Controls that discover problems that have occurred.

  • Corrective controls: Controls that identify and correct problems.

  • COBIT: Control Objectives for Information and Related Technology, a framework for IT governance and management.

  • COSO: Committee of Sponsoring Organizations, provides frameworks for internal control and enterprise risk management.

  • ERM: Enterprise Risk Management, a process for identifying and managing risks across an organization.

  • FCPA: Foreign Corrupt Practices Act, U.S. law addressing accounting transparency and anti-bribery.

  • SOX: Sarbanes-Oxley Act, U.S. law for financial transparency and internal controls in public companies.

Additional info: These notes expand on the original slides by providing definitions, context, and examples for key concepts, and by reconstructing tables for comparison and classification.
