Kế toán kiểm toán - Chapter 7: Computer - Based information systems controls

Accounting Information Systems9th EditionMarshall B. Romney Paul John Steinbart7-1©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartComputer-Based Information Systems ControlsChapter 77-2©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning ObjectivesDescribe the threats to an AIS and discuss why these threats are growing.Explain the basic concepts of control as applied to business organizations.Describe the major elements in the control environment of a business organization.3©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objectives, continuedDescribe control policies and procedures commonly used in business organizations.Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.4©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntroductionJason Scott has been hired as an internal auditor for Northwest Industries, a diversified forest products company.He is assigned to audit Springer’s Lumber & Supply, Northwest’s building materials outlet in Montana.5©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntroductionHis supervisor, Maria Pilier, has asked him to trace a sample of purchase transactions to verify that proper control procedures were followed. Jason becomes frustrated with this task.Why is Jason frustrated?The purchasing system is poorly documented.He keeps finding transactions that have not been processed as Ed Yates, the accounts payable manager, said they should be.6©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntroductionJason’s frustrations, continuedSome vendor invoices have been paid without supporting documents.Purchase requisitions are missing for several items that had been authorized by Bill Springer, purchasing v.p.Prices charged for some items seem unusually high.Springer’s is the largest supplier in the area and has a near monopoly.Management authority is concentrated in the company president, Joe Springer, and his sons Bill, the purchasing v.p., and Ted, the controller.Maria feels that Ted may have engaged in “creative accounting.”7©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntroductionJason ponders the following issues:Should he describe the unusual transactions in his report?Is a violation of proper control procedures acceptable if it has been authorized by management?Regarding Jason’s assignment, does he have a professional or ethical responsibility to get involved?8©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntroductionThis chapter discusses the types of threats a company faces.It also presents the five interrelated components of the Committee of Sponsoring Organizations (COSO’s) internal control model.9©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 1 Describe the threats to an AIS and discuss why these threats are growing.10©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartThreats to Accounting Information SystemsWhat are examples of natural and political disasters?fire or excessive heatfloodsearthquakeshigh windswar11©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartThreats to Accounting Information SystemsWhat are examples of software errors and equipment malfunctions?hardware failurespower outages and fluctuationsundetected data transmission errors12©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartThreats to Accounting Information SystemsWhat are examples of unintentional acts?accidents caused by human carelessnessinnocent errors of omissionslost or misplaced datalogic errorssystems that do not meet company needs13©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartThreats to Accounting Information SystemsWhat are examples of intentional acts?sabotagecomputer fraudembezzlement14©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartWhy are AIS Threats Increasing?Increasing numbers of client/server systems mean that information is available to an unprecedented number of workers.Because LANs and client/server systems distribute data to many users, they are harder to control than centralized mainframe systems.WANs are giving customers and suppliers access to each other’s systems and data, making confidentiality a concern.15©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 2 Explain the basic concepts of control as applied to business organizations.16©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartOverview of Control Concepts What is the traditional definition of internal control? Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.17©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartOverview of Control ConceptsWhat is management control?Management control encompasses the following three features:It is an integral part of management responsibilities.It is designed to reduce errors, irregularities, and achieve organizational goals.It is personnel-oriented and seeks to help employees attain company goals.18©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartInternal Control ClassificationsThe specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:Preventive, detective, and corrective controls General and application controlsAdministrative and accounting controlsInput, processing, and output controls19©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartThe Foreign Corrupt Practices ActIn 1977, Congress incorporated language from an AICPA pronouncement into the Foreign Corrupt Practices Act.The primary purpose of the act was to prevent the bribery of foreign officials in order to obtain business.A significant effect of the act was to require corporations to maintain good systems of internal accounting control.20©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartCommittee of Sponsoring OrganizationsThe Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:American Accounting Association American Institute of Certified Public AccountantsInstitute of Internal AuditorsInstitute of Management AccountantsFinancial Executives Institute21©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartCommittee of Sponsoring OrganizationsIn 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems.The report has been widely accepted as the authority on internal controls.22©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartCommittee of Sponsoring OrganizationsThe COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:effectiveness and efficiency of operations reliability of financial reportingcompliance with applicable laws and regulations23©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartCommittee of Sponsoring OrganizationsCOSO’s internal control model has five crucial components: Control environmentControl activitiesRisk assessmentInformation and communicationMonitoring24©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartInformation Systems Auditand Control FoundationThe Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).COBIT consolidates standards from 36 different sources into a single framework.The framework addresses the issue of control from three vantage points, or dimensions:25©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartInformation Systems Auditand Control FoundationInformation: needs to conform to certain criteria that COBIT refers to as business requirements for informationIT resources: people, application systems, technology, facilities, and dataIT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring26©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 3 Describe the major elements in the control environment of a business organization.27©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartThe Control EnvironmentThe first component of COSO’s internal control model is the control environment.The control environment consists of many factors, including the following:Commitment to integrity and ethical valuesManagement’s philosophy and operating styleOrganizational structure28©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartThe Control EnvironmentThe audit committee of the board of directorsMethods of assigning authority and responsibilityHuman resources policies and practicesExternal influences29©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 4 Describe control policies and procedures commonly used in business organizations.30©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartControl ActivitiesThe second component of COSO’s internal control model is control activities.Generally, control procedures fall into one of five categories:Proper authorization of transactions and activitiesSegregation of duties31©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartControl ActivitiesDesign and use of adequate documents and recordsAdequate safeguards of assets and recordsIndependent checks on performance32©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartProper Authorization of Transactions and ActivitiesAuthorization is the empowerment management gives employees to perform activities and make decisions.Digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.Specific authorization is the granting of authorization by management for certain activities or transactions.33©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartSegregation of DutiesGood internal control demands that no single employee be given too much responsibility.An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.34©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartSegregation of DutiesRecording FunctionsPreparing source documentsMaintaining journalsPreparing reconciliationsPreparing performance reportsCustodial FunctionsHandling cashHandling assetsWriting checksReceiving checks in mailAuthorization FunctionsAuthorization oftransactions35©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartSegregation of DutiesIf two of these three functions are the responsibility of a single person, problems can arise.Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.Prevent authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.36©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartSegregation of Duties Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.37©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartDesign and Use of Adequate Documents and RecordsThe proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.Documents that initiate a transaction should contain a space for authorization.38©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartDesign and Use of Adequate Documents and RecordsThe following procedures safeguard assets from theft, unauthorized use, and vandalism:effectively supervising and segregating dutiesmaintaining accurate records of assets, including informationrestricting physical access to cash and paper assetshaving restricted storage areas39©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartAdequate Safeguards ofAssets and RecordsWhat can be used to safeguard assets?cash registerssafes, lockboxessafety deposit boxesrestricted and fireproof storage areascontrolling the environmentrestricted access to computer rooms, computer files, and information40©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIndependent Checkson Performance Independent checks ensure that transactions are processed accurately are another important control element.41©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIndependent Checkson PerformanceWhat are various types of independent checks? reconciliation of two independently maintained sets of recordscomparison of actual quantities with recorded amountsdouble-entry accountingbatch totals42©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIndependent Checkson PerformanceFive batch totals are used in computer systems:A financial total is the sum of a dollar field.A hash total is the sum of a field that would usually not be added.43©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIndependent Checkson PerformanceA record count is the number of documents processed.A line count is the number of lines of data entered.A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.44©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 5 Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.45©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartRisk AssessmentThe third component of COSO’s internal control model is risk assessment.Companies must identify the threats they face:strategic — doing the wrong thingfinancial — having financial resources lost, wasted, or stoleninformation — faulty or irrelevant information, or unreliable systems46©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartRisk AssessmentCompanies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:Choosing an inappropriate technologyUnauthorized system accessTapping into data transmissionsLoss of data integrity47©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartRisk AssessmentIncomplete transactionsSystem failuresIncompatible systems48©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartRisk Assessment Some threats pose a greater risk because the probability of their occurrence is more likely. For example:A company is more likely to be the victim of a computer fraud rather than a terrorist attack.Risk and exposure must be considered together.49©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 6 Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.50©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartEstimate Cost and BenefitsNo internal control system can provide foolproof protection against all internal control threats.The cost of a foolproof system would be prohibitively high.One way to calculate benefits involves calculating expected loss.51©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartExpected loss = risk × exposureEstimate Cost and BenefitsThe benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.52©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartInformation and CommunicationThe fourth component of COSO’s internal control model is information and communication.53©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartInformation and CommunicationAccountants must understand the following:How transactions are initiatedHow data are captured in machine-readable form or converted from source documentsHow computer files are accessed and updatedHow data are processed to prepare informationHow information is reportedHow transactions are initiated54©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartInformation and CommunicationAll of these items make it possible for the system to have an audit trail.An audit trail exists when individual company transactions can be traced through the system.55©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartMonitoring PerformanceThe fifth component of COSO’s internal control model is monitoring.What are the key methods of monitoring performance?effective supervisionresponsibility accountinginternal auditing56©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartCase ConclusionWhat happened to Jason’s report?A high-level internal audit team was dispatched to Montana.The team discovered that the problems identified by Jason occurred almost exclusively in transactions with three large vendors from whom Springer’s had purchased several million dollars of inventory.57©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartCase ConclusionOne of the Springers held a significant ownership interest in each of these three companies.They also found evidence that several of Springer’s employees were paid for more hours than documented by timekeeping, and that inventories were overstated.Northwest settled the case with the Springers.58©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartEnd of Chapter 759©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart