Kế toán, kiểm toán - Chapter 7: Control and ais

Chapter 7Control and AISCopyright © 2012 Pearson Education7-1Learning ObjectivesExplain basic control concepts and explain why computer control and security are important.Compare and contrast the COBIT, COSO, and ERM control frameworks.Describe the major elements in the internal environment of a companyDescribe the four types of control objectives that companies need to set.Describe the events that affect uncertainty and the techniques used to identify them.Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model.Describe control activities commonly used in companies.Describe how to communicate information and monitor control processes in organizations.Copyright © 2012 Pearson Education7-2Internal ControlSystem to provide reasonable assurance that objectives are met such as:Safeguard assets.Maintain records in sufficient detail to report company assets accurately and fairly.Provide accurate and reliable information.Prepare financial reports in accordance with established criteria.Promote and improve operational efficiency.Encourage adherence to prescribed managerial policies.Comply with applicable laws and regulations.Copyright © 2012 Pearson Education7-3Internal ControlFunctionsPreventiveDeter problemsDetectiveDiscover problemsCorrectiveCorrect problemsCategoriesGeneralOverall IC system and processesApplicationTransactions are processed correctlyCopyright © 2012 Pearson Education7-4Sarbanes Oxley (2002)Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraudPublic Company Accounting Oversight Board (PCAOB)Oversight of auditing professionNew Auditing RulesPartners must rotate periodicallyProhibited from performing certain non-audit servicesCopyright © 2012 Pearson Education7-5Sarbanes Oxley (2002)New Roles for Audit CommitteeBe part of board of directors and be independentOne member must be a financial expertOversees external auditorsNew Rules for ManagementFinancial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.The auditors were told about all material internal control weak- nesses and fraud.New Internal Control RequirementsManagement is responsible for establishing and maintaining an adequate internal control system.Copyright © 2012 Pearson Education7-6SOX Management RulesBase evaluation of internal control on a recognized framework.Disclose all material internal control weaknesses.Conclude a company does not have effective financial reporting internal controls of material weaknesses.Copyright © 2012 Pearson Education7-7Internal Control FrameworksControl Objectives for Information and Related Technology (COBIT)Business objectivesIT resourcesIT processes Committee of Sponsoring Organizations (COSO)Internal control—integrated frameworkControl environmentControl activitiesRisk assessmentInformation and communicationMonitoringCopyright © 2012 Pearson Education7-8Internal ControlEnterprise Risk Management ModelRisk-based vs. control-basedCOSO elements +Setting objectivesEvent identificationRisk assessmentCan be controlled but also AcceptedDiversifiedSharedTransferredCopyright © 2012 Pearson Education7-9Control EnvironmentManagement’s philosophy, operating style, and risk appetiteThe board of directorsCommitment to integrity, ethical values, and competenceOrganizational structureMethods of assigning authority and responsibilityHuman resource standardsExternal influencesCopyright © 2012 Pearson Education7-10ERM—Objective SettingStrategicHigh-level goals aligned with corporate missionOperationalEffectiveness and efficiency of operationsReportingComplete and reliableImprove decision makingComplianceLaws and regulations are followedCopyright © 2012 Pearson Education7-11ERM—Event Identification“an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”Positive or negative impacts (or both)Events may trigger other eventsAll events should be anticipatedCopyright © 2012 Pearson Education7-12Risk AssessmentIdentify RiskIdentify likelihood of riskIdentify positive or negative impactTypes of RiskInherentRisk that exists before any plans are made to control itResidualRemaining risk after controls are in place to reduce itCopyright © 2012 Pearson Education7-13ERM—Risk ResponseReduceImplement effective internal controlAcceptDo nothing, accept likelihood of riskShareBuy insurance, outsource, hedgeAvoidDo not engage in activity that produces riskCopyright © 2012 Pearson Education7-14Event/Risk/Response ModelCopyright © 2012 Pearson Education7-15Control ActivitiesPolicies and procedures to provide reasonable assurance that control objectives are met:Proper authorization of transactions and activitiesSignature or code on document to signal authority over a processSegregation of dutiesProject development and acquisition controlsChange management controlsDesign and use of documents and recordsSafeguarding assets, records, and dataIndependent checks on performanceCopyright © 2012 Pearson Education7-16Segregation of Accounting DutiesNo one employee should be given too much responsibilitySeparate:AuthorizationApproving transactions and decisionsRecordingPreparing source documentsEntering data into an AISMaintaining accounting recordsCustodyHandling cash, inventory, fixed assetsReceiving incoming checksWriting checksCopyright © 2012 Pearson Education7-17Information and CommunicationPrimary purpose of an AISGatherRecordProcessSummarizeCommunicateCopyright © 2012 Pearson Education7-18MonitoringEvaluate internal control framework.Effective supervision.Responsibility accounting system.Monitor system activities.Track purchased software and mobile devices.Conduct periodic audits.Employ a security officer and compliance officer.Engage forensic specialists.Install fraud detection software.Implement a fraud hotline.Copyright © 2012 Pearson Education7-19Segregation of System DutiesLike accounting system duties should also be separatedThese duties include:System administrationNetwork managementSecurity managementChange managementUsersSystems analystsProgrammersComputer operatorsInformation system librarianData controlCopyright © 2012 Pearson Education7-20