
Control and Accounting Information Systems

INTRODUCTION

Why AIS threats are increasing

Control risks have increased in the last few years because:

There are computers and servers everywhere, and information is available to an
unprecedented number of workers.

Distributed computer networks make data available to many users, and these
networks are harder to control than centralized mainframe systems.

Wide area networks are giving customers and suppliers access to each
other's systems and data, making confidentiality a major concern.

Historically, many organizations have not adequately protected their data due to one or
more of the following reasons:

Computer control problems are often underestimated and downplayed.

Control implications of moving from centralized, host-based computer systems to
those of a networked system or Internet-based system are not always fully
understood.

Companies have not realized that data is a strategic resource and that data security
must be a strategic requirement.

Productivity and cost pressures may motivate management to forgo time-consuming control measures.

Some vocabulary terms for this chapter:

A threat is any potential adverse occurrence or unwanted event that could injure
the AIS or the organization.

The exposure or impact of the threat is the potential dollar loss that would occur if
the threat becomes a reality.

The likelihood is the probability that the threat will occur.

Why are control and security important?

Devoting full-time staff to security and control concerns.

Educating employees about control measures.

Establishing and enforcing formal information security policies.

Making controls a part of the applications development process.

Moving sensitive data to more secure environments.

As accountants, we must:

Understand how to protect systems from threats.

Have a good understanding of IT and its capabilities and risks.

Achieving adequate security and control over the information resources of an organization
should be a top management priority.

Examples:

Although computer processing may reduce clerical errors, it may increase risks of
unauthorized access or modification of data files.

Segregation of duties must be achieved differently in an AIS as computer programs
may be responsible for one or more of these functions.

One of the primary objectives of an AIS is to control a business organization.

Accountants must help by designing effective control systems and auditing or
reviewing control systems already in place to ensure their effectiveness.

Management expects accountants to be control consultants by:

Taking a proactive approach to eliminating system threats; and

Detecting, correcting, and recovering from threats when they do occur.

It is much easier to build controls into a system during the initial stage than to add them
after the fact.

Consequently, accountants and control experts should be members of the teams that
develop or modify information systems.

OVERVIEW OF CONTROL CONCEPTS

In today's dynamic business environment, companies must react quickly to changing
conditions and markets. One way to do this is to:

Hire creative and innovative employees.

Give these employees power and flexibility to:

Satisfy changing customer demands;

Pursue new opportunities to add value to the organization; and

Implement process improvements.

At the same time, the company needs control systems so it is not exposed to
excessive risks or behaviors that could harm its reputation for honesty and integrity.

Internal control is the process implemented by the board of directors, management, and
those under their direction to provide reasonable assurance that the following control
objectives are achieved:

Assets (including data) are safeguarded.

This objective includes prevention or timely detection of unauthorized
acquisition, use, or disposal of material company assets.

Records are maintained in sufficient detail to accurately and fairly reflect
company assets.

Accurate and reliable information is provided.

There is reasonable assurance that financial reports are prepared in
accordance with GAAP.

Operational efficiency is promoted and improved.

This objective includes ensuring that company receipts and expenditures are
made in accordance with management's and directors' authorizations.

Adherence to prescribed managerial policies is encouraged.

The organization complies with applicable laws and regulations.

Internal control is a process because:

It permeates an organization's operating activities.

It is an integral part of basic management activities.

Internal control provides reasonable, rather than absolute, assurance, because complete
assurance is difficult or impossible to achieve and prohibitively expensive.

Internal control systems have inherent limitations, including:

They are susceptible to errors and poor decisions.

They can be overridden by management or by collusion of two or more employees.

Internal control objectives are often at odds with each other.

EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

Internal controls perform three important functions:

Preventive controls

Deter problems before they arise.

Detective controls

Discover problems quickly when they do arise.

Corrective controls

Remedy problems that have occurred or been discovered by:

Identifying the cause;

Correcting the resulting errors; and

Modifying the system to prevent future problems of this sort.

Internal controls are often classified as:

General controls

Those designed to make sure an organization's control environment is stable
and well managed.

They apply to all sizes and types of systems, from large, complex
mainframe systems to client/server systems to desktop/laptop computer
systems.

Examples: Security management controls; information systems management
controls; IT infrastructure controls; software acquisition, development, and
maintenance controls.

Application controls

Prevent, detect, and correct transaction errors and fraud.

Concerned with accuracy, completeness, validity, and authorization of the
data captured, entered into the system, processed, stored, transmitted to
other systems, and reported.

An effective system of internal controls should exist in all organizations to:

Help them achieve their missions and goals.

Minimize surprises.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the
profession, this act incorporated language from an AICPA pronouncement.

The primary purpose of the act was to prevent the bribery of foreign officials to obtain
business.

A significant effect was to require that corporations maintain good systems of internal
accounting control.

The act generated significant interest among management, accountants, and auditors in
designing and evaluating internal control systems.

The resulting internal control improvements weren't sufficient.

In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made
headlines.

The impact on financial markets was substantial, and Congress responded with
passage of the Sarbanes-Oxley Act of 2002 (aka, SOX).

SOX applies to publicly held companies and their auditors.

The intent of SOX is to:

Prevent financial statement fraud

Make financial reports more transparent

Protect investors

Strengthen internal controls in publicly-held companies

Punish executives who perpetrate fraud

SOX has had a material impact on the way boards of directors, management, and
accountants operate.

Important aspects of SOX include:

Creation of the Public Company Accounting Oversight Board (PCAOB) to
oversee the auditing profession.

Has five members, three of whom cannot be CPAs.

Charges fees to firms to fund the PCAOB.

Sets and enforces auditing, quality control, ethics, independence, and other
standards relating to audit reports.

Currently recognizes FASB statements as being generally accepted.

New rules for auditors

They must report specific information to the company's audit committee,
such as:

Critical accounting policies and practices

Alternative GAAP treatments

Auditor-management disagreements

Audit partners must be rotated periodically.

Auditors cannot perform certain non-audit services, such as:

Bookkeeping

Information systems design and implementation

Internal audit outsourcing services

Management functions

Human resource services

Permissible non-audit services must be approved by the board of directors
and disclosed to investors.

Cannot audit a company if a member of top management was employed by
the auditor and worked on the company's audit in the past 12 months.

New rules for audit committees

Members must be on the company's board of directors and must otherwise
be independent of the company.

One member must be a financial expert.

The committee hires, compensates, and oversees the auditors, and the
auditors report directly to the committee.

New rules for management

The CEO and CFO must certify that:

The financial statements and disclosures are fairly presented, were reviewed
by management, and are not misleading.

Management is responsible for internal controls.

The auditors were advised of any material internal control weaknesses or
fraud.

Any significant changes to controls after management's evaluation were
disclosed and corrected.

If management willfully and knowingly violates the certification, they can be:

Imprisoned up to 20 years

Fined up to $5 million

Management and directors cannot receive loans that would not be available
to people outside the company.

They must disclose on a rapid and current basis material changes to their
financial condition.

New internal control requirements

Section 404 of SOX requires companies to issue a report accompanying the
financial statements that:

States management is responsible for establishing and maintaining an
adequate internal control structure and procedures.

Contains management's assessment of the company's internal controls.

Attests to the accuracy of the internal controls, including disclosures of
significant defects or material noncompliance found during the tests.

SOX also requires that the auditor attests to and reports on management's
internal control assessment.

Each audit report must describe the scope of the auditor's internal control
tests.

After the passage of SOX, the SEC further mandated that:

Management must base its evaluation on a recognized control framework,
developed using a due-process procedure that allows for public comment. The most
likely framework is the COSO model.

The report must contain a statement identifying the framework used.

Management must disclose any and all material internal control weaknesses.

Management cannot conclude that the company has effective internal control if
there are any material weaknesses.

Levers of control

A concise belief system

Communicates company core values to employees and inspires them
to live by them.

Draws attention to how the organization creates value.

Helps employees understand management's intended direction.

Must be broad enough to appeal to all levels.

A boundary system

Helps employees act ethically by setting limits beyond which they
must not pass.

Does not create rules and standard operating procedures that can stifle
creativity and initiative.

Encourages employees to think and act creatively to solve problems
and meet customer needs as long as they operate within limits such
as:

Meeting minimum standards of performance

Shunning off-limits activities

Avoiding actions that could damage the company's reputation.

A diagnostic control system

Ensures efficient and effective achievement of important controls.

This system measures company progress by comparing actual to
planned performance.

Helps managers track critical performance outcomes and monitor
performance of individuals, departments, and locations.

Provides feedback to enable management to adjust and fine-tune.

An interactive control system

Helps top-level managers with high-level activities that demand
frequent and regular attention. Examples:

Developing company strategy.

Setting company objectives.

Understanding and assessing threats and risks.

Monitoring changes in competitive conditions and emerging
technologies.

Developing responses and action plans to proactively deal with
these high-level issues.

Also helps managers focus the attention of subordinates on key
strategic issues and to be more involved in their decisions.

Data from this system are best interpreted and discussed in face-to-face meetings.

CONTROL FRAMEWORKS

A number of frameworks have been developed to help companies develop good internal
control systems. Three of the most important are:

1. The COBIT framework

Also known as the Control Objectives for Information and Related Technology
framework.

Developed by the Information Systems Audit and Control Foundation (ISACF).

A framework of generally applicable information systems security and control
practices for IT control.

The COBIT framework allows:

Management to benchmark security and control practices of IT environments.

Users of IT services to be assured that adequate security and control exists.

Auditors to substantiate their opinions on internal control and advise on IT security
and control matters.

The framework addresses the issue of control from three vantage points or dimensions:

Business objectives

To satisfy business objectives, information must conform to certain criteria
referred to as business requirements for information.

The criteria are divided into seven distinct yet overlapping categories that
map into COSO objectives:

Effectiveness (relevant, pertinent, and timely)

Efficiency

Confidentiality

Integrity

Availability

Compliance with legal requirements

Reliability

IT resources

Includes:

People

Application systems

Technology

Facilities

Data

IT processes

Broken into four domains:

Planning and organization

Acquisition and implementation

Delivery and support

Monitoring

COBIT consolidates standards from 36 different sources into a single framework.

It is having a big impact on the IS profession.

Helps managers to learn how to balance risk and control investment in an IS
environment.

Provides users with greater assurance that security and IT controls provided by
internal and third parties are adequate.

Guides auditors as they substantiate their opinions and provide advice to
management on internal controls.

2. COSO's internal control framework

The Committee of Sponsoring Organizations (COSO) is a private sector group
consisting of:

The American Accounting Association

The AICPA

The Institute of Internal Auditors

The Institute of Management Accountants

The Financial Executives Institute

In 1992, COSO issued the Internal Control Integrated Framework:

Defines internal controls.

Provides guidance for evaluating and enhancing internal control systems.

Widely accepted as the authority on internal controls.

Incorporated into policies, rules, and regulations used to control business activities.

COSO's internal control model has five crucial components:

Control environment

The core of any business is its people.

Their integrity, ethical values, and competence make up the foundation on
which everything else rests.

Control activities

Policies and procedures must be established and executed to ensure that
actions identified by management as necessary to address risks are, in fact,
carried out.

Risk assessment

The organization must be aware of and deal with the risks it faces.

It must set objectives for its diverse activities and establish mechanisms to
identify, analyze, and manage the related risks.

Information and communication

Information and communications systems surround the control activities.

They enable the organization's people to capture and exchange information
needed to conduct, manage, and control its operations.

Monitoring

The entire process must be monitored and modified as necessary.

3. COSO's Enterprise Risk Management framework (ERM)

Nine years after COSO issued the preceding framework, it began investigating how to
effectively identify, assess, and manage risk so organizations could improve the risk
management process.

Result: Enterprise Risk Management Integrated Framework (ERM)

An enhanced corporate governance document.

Expands on elements of preceding framework.

Provides a focus on the broader subject of enterprise risk management.

Intent of ERM is to achieve all goals of the internal control framework and help the
organization:

Provide reasonable assurance that company objectives and goals are achieved and
problems and surprises are minimized.

Achieve its financial and performance targets.

Assess risks continuously and identify steps to take and resources to allocate to
overcome or mitigate risk.

Avoid adverse publicity and damage to the entity's reputation.

ERM defines risk management as:

A process effected by an entity's board of directors, management, and other
personnel.

Applied in strategy setting and across the enterprise.

To identify potential events that may affect the entity.

And manage risk to be within its risk appetite.

In order to provide reasonable assurance of the achievement of entity objectives.

Basic principles behind ERM:

Companies are formed to create value for owners.

Management must decide how much uncertainty they will accept.

Uncertainty can result in:

Risk

The possibility that something will happen to:

Adversely affect the ability to create value; or

Erode existing value.

Opportunity

The possibility that something will happen to positively affect the
ability to create or preserve value.

The framework should help management manage uncertainty and its associated
risk to build and preserve value.

To maximize value, a company must balance its growth and return objectives and
risks with efficient and effective use of company resources.

COSO developed a model to illustrate the elements of ERM.

Columns at the top represent the four types of objectives that management must meet
to achieve company goals.

Strategic objectives

Strategic objectives are high-level goals that are aligned with and support the
company's mission.

Operations objectives

Operations objectives deal with effectiveness and efficiency of company
operations, such as:

Performance and profitability goals

Safeguarding assets

Reporting objectives

Reporting objectives help ensure the accuracy, completeness, and reliability
of internal and external company reports of both a financial and non-financial
nature.

They improve decision-making and let management monitor company activities and performance
more efficiently.

Compliance objectives

Compliance objectives help the company comply with applicable laws and
regulations.

External parties often set the compliance rules.

Companies in the same industry often have similar concerns in this area.

ERM can provide reasonable assurance that reporting and compliance objectives will be
achieved because companies have control over them.

However, strategic and operations objectives are sometimes at the mercy of external
events that the company can't control.

Therefore, in these areas, the only reasonable assurance the ERM can provide is that
management and directors are informed on a timely basis of the progress the company is
making in achieving them.

Columns on the right represent the company's units:

Entire company

Division

Business unit

Subsidiary

The horizontal rows are eight related risk and control components, including:

Internal environment

The tone or culture of the company.

Provides discipline and structure and is the foundation for all other
components.

Essentially, the same as control environment in the COSO internal control
framework.

Objective setting

Ensures that management implements a process to formulate strategic,
operations, reporting, and compliance objectives that support the company's
mission and are consistent with the company's tolerance for risk.

Strategic objectives are set first as a foundation for the other three.

The objectives provide guidance to companies as they identify risk-creating
events and assess and respond to those risks.

Event identification

Requires management to identify events that may affect the company's
ability to implement its strategy and achieve its objectives.

Management must then determine whether these events represent:

Risks (negative-impact events requiring assessment and response); or

Opportunities (positive-impact events that influence strategy and
objective-setting processes).

Risk assessment

Identified risks are assessed to determine how to manage them and how they
affect the company's ability to achieve its objectives.

Qualitative and quantitative methods are used to assess risks individually and
by category in terms of:

Likelihood

Positive and negative impact

Effect on other organizational units

Risks are analyzed on an inherent and a residual basis.

Corresponds to the risk assessment element in COSO's internal control
framework.

Risk response

Management aligns identified risks with the company's tolerance for risk by
choosing to:

Avoid

Reduce

Share

Accept

Management takes an entity-wide or portfolio view of risks in assessing the
likelihood of the risks, their potential impact, and the costs and benefits of alternative
responses.

Control activities

To implement management's risk responses, control policies and procedures
are established and implemented throughout the various levels and functions
of the organization.

Corresponds to the control activities element in the COSO internal control
framework.

Information and communication

Information about the company and ERM components must be identified,
captured, and communicated so employees can fulfill their responsibilities.

Information must be able to flow through all levels and functions in the
company as well as flowing to and from external parties.

Employees should understand their role and importance in ERM and how
these responsibilities relate to those of others.

Has a corresponding element in the COSO internal control framework.

Monitoring

ERM processes must be monitored on an ongoing basis and modified as
needed.

Accomplished with ongoing management activities and separate evaluations.

Deficiencies are reported to management.

Corresponding module in COSO internal control framework.

The ERM model is three-dimensional.

This means that each of the eight risk and control elements is applied to the four objectives in
the entire company and/or one of its subunits.

ERM Framework Vs. the Internal Control Framework

The internal control framework has been widely adopted as the principal way to
evaluate internal controls as required by SOX. However, there are issues with it.

It has too narrow of a focus.

Examining controls without first examining purposes and risks of
business processes provides little context for evaluating the results.

Makes it difficult to know:

Which control systems are most important.

Whether they adequately deal with risk.

Whether important control systems are missing.

Focusing on controls first has an inherent bias toward past problems
and concerns.

May contribute to systems with many controls to protect against risks
that are no longer important.

These issues led to COSO's development of the ERM framework.

Takes a risk-based, rather than controls-based, approach to the organization.

Oriented toward future and constant change.

Incorporates rather than replaces COSO's internal control framework and contains
three additional elements:

Setting objectives.

Identifying positive and negative events that may affect the company's
ability to implement strategy and achieve objectives.

Developing a response to assessed risk.


Controls are flexible and relevant because they are linked to current organizational
objectives.

ERM also recognizes more options than simply controlling risk, which include
accepting it, avoiding it, diversifying it, sharing it, or transferring it.

Over time, ERM will probably become the most widely adopted risk and control model.

Consequently, its eight components are the topic of the remainder of the chapter.

INTERNAL ENVIRONMENT

The most critical component of the ERM and the internal control framework.

Is the foundation on which the other seven components rest.

Influences how organizations:

Establish strategies and objectives

Structure business activities

Identify, assess, and respond to risk

A deficient internal control environment often results in risk management and control
breakdowns.

Internal environment consists of the following:

Management's philosophy, operating style, and risk appetite

An organization's management has shared beliefs and attitudes about risk.

That philosophy affects everything the organization does, long- and short-term, and
affects their communications.

Companies also have a risk appetite, which is the amount of risk a company is
willing to accept to achieve its goals and objectives.

That appetite needs to be in alignment with company strategy.

The more responsible management's philosophy and operating style, the more
likely employees will behave responsibly.

This philosophy must be clearly communicated to all employees; it is not enough to
give lip service.

Management must back up words with actions; if they show little concern for
internal controls, then neither will employees.

This component can be assessed by asking questions such as:

Does management take undue business risks or assess potential risks and
rewards before acting?

Does management attempt to manipulate performance measures such as net
income?

Does management pressure employees to achieve results regardless of
methods or do they demand ethical behavior?

The board of directors

An active and involved board of directors plays an important role in internal control.

They should:

Oversee management

Scrutinize management's plans, performance, and activities

Approve company strategy

Review financial results

Annually review the company's security policy

Interact with internal and external auditors

Directors should possess management, technical, or other expertise, knowledge, or
experience, as well as a willingness to advocate for shareholders.

At least a majority should be independent, outside directors not affiliated with the
company or any of its subsidiaries.

Public companies must have an audit committee, composed entirely of independent,
outside directors.

The audit committee oversees:

The company's internal control structure;

Its financial reporting process; and

Its compliance with laws, regulations, and standards.

Works with the corporation's external and internal auditors.

Hires, compensates, and oversees the auditors.

Auditors report all critical accounting policies and practices to the audit
committee.

Provides an independent review of management's actions.

Commitment to integrity, ethical values, and competence

Management must create an organizational culture that stresses integrity and
commitment to both ethical values and competence.

Ethical standards of behavior make for good business.

Tone at the top is everything.

Employees will watch the actions of the CEO, and the message of those
actions (good or bad) will tend to permeate the organization.

Companies can endorse integrity as a basic operating principle by actively teaching and
requiring it.

Management should:

Make it clear that honest reports are more important than favorable ones.

Management should avoid:

Unrealistic expectations, incentives, or temptations.

Attitude of earnings or revenue at any price.

Overly aggressive sales practices.

Unfair or unethical negotiation practices.

Implied kickback offers.

Excessive bonuses.

Bonus plans with upper and lower cutoffs.

Management should not assume that employees will always act honestly.

Consistently reward and encourage honesty.

Give verbal labels to honest and dishonest acts.

The combination of these two will produce more consistent moral behavior.

Management should develop clearly stated policies that explicitly describe honest and
dishonest behaviors, often in the form of a written code of conduct.

In particular, such a code would cover issues that are uncertain or unclear.

Dishonesty often appears when situations are gray and employees rationalize the
most expedient action as opposed to making a right vs. wrong choice.

SOX only requires a code of ethics for senior financial management. However, the ACFE
suggests that companies create a code of conduct for all employees:

Should be written at a fifth-grade level.

Should be reviewed annually with employees and signed.

This approach helps employees keep themselves out of trouble.

Helps the company if they need to take legal action against the employee.

Management should require employees to report dishonest, illegal, or unethical behavior
and discipline employees who knowingly fail to report.

Reports of dishonest acts should be thoroughly investigated.

Those found guilty should be dismissed.

Prosecution should be undertaken when possible, so that other employees are clear
about consequences.

Companies must make a commitment to competence.

Begins with having competent employees.

Varies with each job but is a function of knowledge, experience, training, and skills.

The levers of control, particularly beliefs and boundary systems, can be used to create
the kind of commitment to integrity an organization wants.

Requires more than lip service and signing forms.

Must be systems in which top management actively participates in order to:

Demonstrate the importance of the system.

Create buy-in and a team spirit.


Organizational structure

A company's organizational structure defines its lines of authority, responsibility,
and reporting.

Provides the overall framework for planning, directing, executing, controlling,
and monitoring its operations.

Important aspects of organizational structure:

Degree of centralization or decentralization.

Assignment of responsibility for specific tasks.

Direct-reporting relationships or matrix structure.

Organization by industry, product, geographic location, marketing network.

How the responsibility allocation affects management's information needs.

Organization of accounting and IS functions.

Size and nature of company activities.

Statistically, fraud occurs more frequently in organizations with complex structures.

The structures may unintentionally impede communication and clear assignment of
responsibility, making fraud easier to commit and conceal; or

The structure may be intentionally complex to facilitate the fraud.

In today's business world, the hierarchical organizations with many layers of management
are giving way to flatter organizations with self-directed work teams.

Team members are empowered to make decisions without multiple layers of
approvals.

Emphasis is on continuous improvement rather than on regular evaluations.

Methods of assigning authority and responsibility

These changes have a significant impact on the nature and type of controls needed.

Management should make sure:

Employees understand the entity's objectives.

Authority and responsibility for business objectives is assigned to specific
departments and individuals.

Ownership of responsibility encourages employees to take initiative in solving
problems and holds them accountable for achieving objectives.

Management:

Must be sure to identify who is responsible for the IS security policy.

Should monitor results so decisions can be reviewed and, if necessary,
overruled.

Authority and responsibility are assigned through:

Formal job descriptions

Employee training

Operating plans, schedules, and budgets

Codes of conduct that define ethical behavior, acceptable practices, regulatory
requirements, and conflicts of interest

Written policies and procedures manuals (a good job reference and job training tool)
which cover:

Proper business practices

Knowledge and experience needed by key personnel

Resources provided to carry out duties

Policies and procedures for handling particular transactions

The organization's chart of accounts

Sample copies of forms and documents

Human resources standards

Employees are both the company's greatest control strength and the greatest
control weakness.

Organizations can implement human resource policies and practices with respect to
hiring, training, compensating, evaluating, counseling, promoting, and discharging
employees that send messages about the level of competence and ethical behavior
required.

Policies on working conditions, incentives, and career advancement can powerfully
encourage efficiency and loyalty and reduce the organization's vulnerability.

The following policies and procedures are important:

Hiring

Should be based on educational background, relevant work experience, past
achievements, honesty and integrity, and how well candidates meet written job
requirements.

Employees should undergo a formal, in-depth employment interview.

Resumes, reference letters, and thorough background checks are critical.

Background checks can involve:

Verifying education and experience.

Talking with references.

Checking for criminal records, credit issues, and other publicly available data.

Note that you must have the employee's or candidate's written permission to
conduct a background check, but that permission does not need to have an
expiration date.

Background checks are important because recent studies show that about 50% of
resumes have been falsified or embellished.

Sometimes professional firms are hired to do the background checks because applicants
are becoming more aggressive in their deceptions.

Some get phony degrees from online diploma mills.

A Pennsylvania district attorney recently filed suit against a Texas university
for issuing an MBA to the DA's 6-year-old black cat.

Others actually hack (or hire someone to hack) into the systems of universities to
create or alter transcripts and other academic data.

No employee should be exempted from background checks. Anyone from the custodian to
the company president is capable of committing fraud, sabotage, etc.

Compensating

Employees should be paid a fair and competitive wage.

Poorly compensated employees are more likely to feel the resentment and financial
pressures that lead to fraud.

Appropriate incentives can motivate and reinforce outstanding performance.

Training

Evaluating and promoting

Discharging

Managing disgruntled employees

Vacations and rotation of duties

Confidentiality insurance and fidelity bonds

Policies on training

Training programs should familiarize new employees with:

Their responsibilities.

Expected performance and behavior.

Training needs to be ongoing, not just one time.

Companies that shortchange training are more likely to experience security
breaches and fraud.

Many believe employee training and education are the most important elements of
fraud prevention and security programs.

Fraud is less likely to occur when employees believe security is everyone's business.

An ideal corporate culture exists when:

Employees are proud of their company and protective of its assets.

They believe fraud hurts everyone and that they therefore have a
responsibility to report it.

These cultures do not just happen. They must be created, taught, and practiced, and the
following training should be provided:

Fraud awareness

Company policies, procedures, history, culture, and operating style.

Employees should be aware of fraud's prevalence and dangers, why people
do it, and how to deter and detect it.

Ethical considerations

The company should promote ethical standards in its practice and its
literature.

Acceptable and unacceptable behavior should be defined and labeled,
leaving as little gray area as possible.

Punishment for fraud and unethical behavior.

Employees should know the consequences (e.g., reprimand, dismissal,
prosecution) of bad behavior.

Should be disseminated as a consequence rather than a threat.

EXAMPLE: Using a computer to steal or commit fraud is a federal crime, and
anyone doing so faces immediate dismissal and/or prosecution.

The company should display notices of program and data ownership and
advise employees of the penalties of misuse.

Training can take place through:

Informal discussions

Formal meetings

Periodic memos

Written guidelines

Codes of ethics

Circulating reports of unethical behavior and its consequences

Promoting security and fraud training programs

Evaluating and promoting

Do periodic performance appraisals to help employees understand their strengths
and weaknesses.

Base promotions on performance and qualifications.

Discharging

Fired employees are disgruntled employees.

Disgruntled employees are more likely to commit sabotage or fraud against the
company.

Employees who are terminated (whether voluntarily or involuntarily) should be
removed from sensitive jobs immediately and denied access to information
systems.

Managing disgruntled employees

Disgruntled employees may be isolated and/or unhappy, but are much likelier fraud
candidates than satisfied employees.

The organization can try to reduce the employee's pressures through grievance
channels and counseling.

Difficult to do because many employees feel that seeking counseling will
stigmatize them in their jobs.

Disgruntled employees should not be allowed to continue in jobs where they could
harm the organization.

Vacations and rotation of duties

Some fraud schemes, such as lapping and kiting, cannot continue without the
constant attention of the perpetrator.

Mandatory vacations or rotation of duties can prevent these frauds or lead to early
detection.

These measures will only be effective if someone else is doing the job while the
usual employee is elsewhere.

Confidentiality insurance and fidelity bonds

Employees, suppliers, and contractors should be required to sign and abide by
nondisclosure or confidentiality agreements.

Key employees should have fidelity bond insurance coverage to protect the
company against losses from fraudulent acts by those employees.

In addition to the preceding policies, the company should seek prosecution and
incarceration of hackers and fraud perpetrators.

Most fraud cases and hacker attacks go unreported. They are not prosecuted for several
reasons.

Companies fear:

Public relations nightmares

Copycat attacks

But unreported fraud and intrusions create a false sense of security.

Law enforcement officials and courts are busy with violent crimes and may regard
teen hacking as childish pranks.

Fraud is difficult, costly, and time-consuming to investigate and prosecute.

Law enforcement officials, lawyers, and judges often lack the computer skills
needed to investigate, prosecute, and evaluate computer crimes.

When cases are prosecuted and a conviction obtained, penalties are often very
light. Judges often regard the perps as model citizens.

External influences

External influences that affect the control environment include requirements
imposed by:

FASB

PCAOB

SEC

Insurance commissions

Regulatory agencies for banks, utilities, etc.

OBJECTIVE SETTING

Objective setting is the second ERM component.

It must precede many of the other six components.

For example, you must set objectives before you can define events that affect your ability
to achieve objectives.

Top management, with board approval, must articulate why the company exists and what
it hopes to achieve.

Often referred to as the corporate vision or mission.

Uses the mission statement as a base from which to set corporate objectives.

The objectives:

Need to be easy to understand and measure.

Should be prioritized.

Should be aligned with the company's risk appetite.

Objectives set at the corporate level are linked to and integrated with a cascading series
of sub-objectives in the various sub-units.

For each set of objectives:

Critical success factors (what has to go right) must be defined.

Performance measures should be established to determine whether the objectives
are met.

Objective-setting process proceeds as follows:

First, set strategic objectives, the high-level goals that support the company's
mission and create value for shareholders.

To meet these objectives, identify alternative ways of accomplishing them.

For each alternative, identify and assess risks and implications.

Formulate a corporate strategy.

Then set operations, compliance, and reporting objectives.

As a rule of thumb:

The mission and strategic objectives are stable.

The strategy and other objectives are more dynamic:

Must be adapted to changing conditions.

Must be realigned with strategic objectives.

Operations objectives:

Are a product of management preferences, judgments, and style.

Vary significantly among entities:

One may adopt technology; another waits until the bugs are worked out.

Are influenced by and must be relevant to the industry, economic conditions, and
competitive pressures.

Give clear direction for resource allocation, a key success factor.

Compliance and reporting objectives:

Many are imposed by external entities, e.g.:

Reports to IRS or to EPA

Financial reports that comply with GAAP

A company's reputation can be impacted significantly (for better or worse) by the
quality of its compliance.

EVENT IDENTIFICATION

Events are:

Incidents or occurrences that emanate from internal or external sources.

That affect implementation of strategy or achievement of objectives.

Impact can be positive, negative, or both.

Events can range from obvious to obscure.

Effects can range from inconsequential to highly significant.

By their nature, events represent uncertainty:

Will they occur?

If so, when?

And what will the impact be?

Will they trigger another event?

Will they happen individually or concurrently?

Management must do its best to anticipate all possible events, positive or negative, that
might affect the company:

Try to determine which are most and least likely.

Understand the interrelationships of events.

COSO identified many internal and external factors that could influence events and affect
a company's ability to implement strategy and achieve objectives.

Some of these factors include:

External factors:

Economic factors

Availability of capital; lower or higher costs of capital

Lower barriers to entry, resulting in new competition

Price movements up or down

Ability to issue credit and possibility of default

Concentration of competitors, customers, or vendors

Presence or absence of liquidity

Movements in the financial markets or currency fluctuations

Rising or lowering unemployment rates

Mergers or acquisitions

Potential regulatory, contractual, or criminal legal liability

Natural environment

Natural disasters such as fires, floods, or earthquakes

Emissions and waste

Energy restrictions or shortages

Restrictions limiting development

Political factors

Election of government officials with new agendas

New laws and regulations

Public policy, including higher or lower taxes

Regulation affecting the company's ability to compete

Social factors

Changing demographics, social mores, family structures, and work/life
priorities

Consumer behavior that changes demand for products and services or
creates new buying opportunities

Corporate citizenship

Privacy

Terrorism

Human resource issues causing production shortages or stoppages

Technological factors

New e-business technologies that lower infrastructure costs or increase
demand for IT-based services

Emerging technology

Increased or decreased availability of data

Interruptions or downtime caused by external parties

Internal factors:

Infrastructure

Inadequate access or poor allocation of capital

Availability and capability of company assets

Complexity of systems

Personnel

Employee skills and capability

Employees acting dishonestly or unethically

Workplace accidents, health or safety concerns

Strikes or expiration of labor agreements

Process

Process modification without proper change management procedures

Poorly designed processes

Process execution errors

Suppliers cannot deliver quality goods on time

Technology

Insufficient capacity to handle peak IT usages

Security breaches

Data or system unavailability from internal factors

Inadequate data integrity

Poor systems selection/development

Inadequately maintained systems

Lists can help management identify factors, evaluate their importance, and examine those
that can affect objectives.

Identifying events at the activity and entity levels allows companies to focus their risk
assessment on major business units or functions and align their risk tolerance and risk
appetite.

Companies usually use two or more of the following techniques together to identify
events:

Use comprehensive lists of potential events

Perform an internal analysis

Employee knowledge and expertise are gathered in structured discussions or
individual interviews.

Perform data mining and analysis

Appropriate transactions, activities, and events are monitored and compared
to predefined criteria to determine when action is needed.

Conduct workshops and interviews

An internal committee analyzes events, contacting appropriate insiders and
outsiders for input.

Monitor leading events and trigger points

Often produced by special software that can tailor lists to an industry,
activity, or process.

Examine data on prior events to identify trends and causes that help identify
possible events.

Analyze processes

Analyze internal and external factors that affect inputs, processes, and
outputs to identify events that might help or hinder the process.

RISK ASSESSMENT AND RISK RESPONSE

The fourth and fifth components of COSO's ERM model are risk assessment and risk
response.

COSO indicates there are two types of risk:

Inherent risk

The risk that exists before management takes any steps to control the
likelihood or impact of a risk.

Residual risk

The risk that remains after management implements internal controls or
some other form of response to risk.

Companies should:

Assess inherent risk

Develop a response

Then assess residual risk

The ERM model indicates four ways to respond to risk:

Reduce it

The most effective way to reduce the likelihood and impact of risk is to
implement an effective system of internal controls.

Accept it

Don't act to prevent or mitigate it.

Share it

Transfer some of it to others via activities such as insurance, outsourcing, or
hedging.

Avoid it

Don't engage in the activity that produces it.

May require:

Sale of a division

Exiting a product line

Canceling an expansion plan

Accountants:

Help management design effective controls to reduce inherent risk.

Evaluate internal control systems to ensure they are operating effectively.

Assess and reduce inherent risk using the risk assessment and response strategy.

Event identification

The first step in risk assessment and response strategy is event identification, which
we have already discussed.

Estimate likelihood and impact

Some events pose more risk because they are more probable than others.

Some events pose more risk because their dollar impact would be more significant.

Likelihood and impact must be considered together:

If either increases, the materiality of the event and the need to protect against it
rises.

Identify controls

Management must identify one or more controls that will protect the company from
each event.

In evaluating benefits of each control procedure, consider effectiveness and timing.

All other factors equal:

A preventive control is better than a detective one.

However, if preventive controls fail, detective controls are needed to discover the
problem, and corrective controls are needed to recover.

Consequently, the three complement each other, and a good internal control
system should have all three.

Similarly, a company should use all four levers of control.

Estimate costs and benefits

It would be cost-prohibitive to create an internal control system that provided
foolproof protection against all events.

Also, some controls negatively affect operational efficiency, and too many controls
can make it very inefficient.

The benefits of an internal control procedure must exceed its costs.

Benefits can be hard to quantify, but include:

Increased sales and productivity

Reduced losses

Better integration with customers and suppliers

Increased customer loyalty

Competitive advantages

Lower insurance premiums

Costs are usually easier to measure than benefits.

Primary cost is personnel, including:

Time to perform control procedures

Costs of hiring additional employees to effectively segregate duties

Costs of programming controls into a system

Other costs of a poor control system include:

Lost sales

Lower productivity

Drop in stock price if security problems arise

Shareholder or regulator lawsuits

Fines and penalties imposed by governmental agencies

The expected loss related to a risk is measured as:

Expected loss = impact x likelihood

The value of a control procedure is the difference between:

Expected loss with control procedure

Expected loss without it

Determine cost-benefit effectiveness

After estimating benefits and costs, management determines if the control is cost
beneficial, i.e., is the cost of implementing a control procedure less than the reduction
in expected loss attributable to that control?

In evaluating costs and benefits, management must consider factors other than those in
the expected benefit calculation.

If an event threatens an organization's existence, it may be worthwhile to institute
controls even if costs exceed expected benefits.

The additional cost can be viewed as a catastrophic loss insurance premium.

Let's go through an example:

Hobby Hole is trying to decide whether to install a motion detector system in its
warehouse to reduce the probability of a catastrophic theft.

A catastrophic theft could result in losses of $800,000.

Local crime statistics suggest that the probability of a catastrophic theft at Hobby
Hole is 12%.

Companies with motion detectors only have about a .5% probability of catastrophic
theft.

The present value of purchasing and installing a motion detector system and paying
future security costs is estimated to be about $43,000.

Should Hobby Hole install the motion detectors?
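Carrying the expected-loss formula through with the figures given above, as an added worked calculation that is not part of the original notes:

Expected loss without the control = $800,000 x 12% = $96,000

Expected loss with the control = $800,000 x 0.5% = $4,000

Value of the control (reduction in expected loss) = $96,000 - $4,000 = $92,000

Cost of the control = $43,000

Net benefit = $92,000 - $43,000 = $49,000

Since the $43,000 cost is less than the $92,000 reduction in expected loss, the control is cost beneficial and Hobby Hole should install the motion detectors.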

Implement the control or avoid, share, or accept the risk

When controls are cost effective, they should be implemented so risk can be
reduced.

Risks that are not reduced must be accepted, shared, or avoided.

If the risk is within the company's risk tolerance, they will typically accept the risk.

A reduce or share response is used to bring residual risk into an acceptable risk
tolerance range.

An avoid response is typically only used when there is no way to cost-effectively
bring risk into an acceptable risk tolerance range.

CONTROL ACTIVITIES

The sixth component of COSO's ERM model.

Control activities are policies, procedures, and rules that provide reasonable assurance
that management's control objectives are met and their risk responses are carried out.

It is management's responsibility to develop a secure and adequately controlled system.

Controls are much more effective when built in on the front end.

Consequently, systems analysts, designers, and end users should be involved in
designing adequate computer-based control systems.

Management must also establish a set of procedures to ensure control compliance and
enforcement.

Usually, the purview of the information security officer and the operations staff.

It is critical that controls be in place during the year-end holiday season. A
disproportionate amount of computer fraud and security break-ins occur during this time
because:

More people are on vacation and fewer around to mind the store.

Students are not tied up with school.

Counterculture hackers may be lonely.

Generally, control procedures fall into one of the following categories:

Proper authorization of transactions and activities

Segregation of duties

Project development and acquisition controls

Change management controls

Design and use of documents and records

Safeguard assets, records, and data

Independent checks on performance

Proper authorization of transactions and activities

Management lacks the time and resources to supervise each employee activity and
decision.

Consequently, they establish policies and empower employees to perform activities
within policy.

This empowerment is called authorization and is an important part of an
organization's control procedures.

Authorizations are often documented by signing, initialing, or entering an authorization
code.

Computer systems can record digital signatures as a means of signing a document.

Employees who process transactions should verify the presence of the appropriate
authorizations.

Auditors review transactions for proper authorization, as their absence indicates a possible
control problem.

Typically at least two levels of authorization:

General authorization

Management authorizes employees to handle routine transactions without
special approval.

Special authorization

For activities or transactions that are of significant consequences,
management review and approval is required.

Might apply to sales, capital expenditures, or write-offs over a particular
dollar limit.

Management should have written policies for both types of authorization and for all types
of transactions.

Segregation of duties

Good internal control requires that no single employee be given too much
responsibility over business transactions or processes.

An employee should not be in a position to commit and conceal fraud or
unintentional errors.

Segregation of duties is discussed in two sections:

Segregation of accounting duties

Effective segregation of accounting duties is achieved when the following functions
are separated:

Authorization: Approving transactions and decisions.

Recording: Preparing source documents; maintaining journals, ledgers, or
other files; preparing reconciliations; and preparing performance reports.

Custody: Handling cash, maintaining an inventory storeroom, receiving
incoming customer checks, writing checks on the organization's bank
account.

Employees can collude with other employees or with customers or vendors.

The most frequent forms of employee/vendor collusion include:

Billing at inflated prices

Performing substandard work and receiving full payment

Payment for non-performance

Duplicate billings

Improperly funneling more work to or purchasing more goods from a colluding
company

The most frequent forms of employee/customer collusion include:

Unauthorized loans or insurance payments

Receipt of assets or services at unauthorized discount prices

Forgiveness of amounts owed

Unauthorized extension of due dates

Segregation of duties within the systems function

In a highly integrated information system, procedures once performed by separate
individuals are combined.

Therefore, anyone who has unrestricted access to the computer, its programs, and
live data could have the opportunity to perpetrate and conceal fraud.

To combat this threat, organizations must implement effective segregation of duties
within the IS function.

Authority and responsibility must be divided clearly among the following functions:

Systems administration

Responsible for ensuring that the different parts of an information system
operate smoothly and efficiently.

Network management

Ensures that all applicable devices are linked to the organization's internal
and external networks and that the networks operate continuously and
properly.

Security management

Ensures that all aspects of the system are secure and protected from internal
and external threats.

Change management

Manages changes to the organization's information system to ensure they are
made smoothly and efficiently and to prevent errors and fraud.

Users

Record transactions, authorize data to be processed, and use system output.

Systems analysts

Help users determine their information needs and design systems to meet
those needs.

Programming

Use design provided by the systems analysts to write the computer programs
for the information system.

Computer operations

Run the software on the company's computers.

Ensure that data are input properly, correctly processed, and needed output
is produced.

Information systems library

Maintains custody of corporate databases, files, and programs in a separate
storage area.

Data control

Ensures that source data have been properly approved.

Monitors the flow of work through the computer.

Reconciles input and output.

Maintains a record of input errors to ensure their correction and resubmission.

Distributes system output.

It is important that different people perform the preceding functions.

Allowing a person to do two or more jobs exposes the company to the possibility of
fraud.
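One way to check these two separations mechanically during an access review, as an added example and not code from the original notes. The assignment list is constructed sample data; the rules are the ones stated above: no one person holds two of authorization, recording, and custody, and no one person holds two of the listed IS functions.

```python
"""Segregation-of-duties conflict check over a role assignment list.

Added example; the assignments below are constructed sample data shaped like
an access-review export (employee, duty). Two rule groups are enforced: the
accounting triad (authorization / recording / custody) and the IS functions
listed in the notes. Holding two duties from the same group is a conflict.
"""
from collections import defaultdict
from itertools import combinations

ACCOUNTING_DUTIES = {"authorization", "recording", "custody"}

IS_FUNCTIONS = {
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysts", "programming",
    "computer operations", "information systems library", "data control",
}

# Constructed sample data: who currently holds which duty.
SAMPLE_ASSIGNMENTS = [
    ("alice", "authorization"),
    ("alice", "recording"),           # conflict: can approve and record the same transaction
    ("bob", "custody"),
    ("carol", "recording"),
    ("dave", "programming"),
    ("dave", "computer operations"),  # conflict: can change code and run it against live data
    ("erin", "security management"),
    ("frank", "users"),
    ("frank", "custody"),             # duties from different groups: not flagged by these rules
]


def duties_by_person(assignments):
    """Group the (person, duty) pairs into person -> set of duties (case-insensitive)."""
    held = defaultdict(set)
    for person, duty in assignments:
        held[person].add(duty.strip().lower())
    return held


def find_conflicts(assignments):
    """Return sorted (person, duty_a, duty_b) triples where one person holds
    two duties from the same rule group."""
    conflicts = []
    for person, duties in duties_by_person(assignments).items():
        for group in (ACCOUNTING_DUTIES, IS_FUNCTIONS):
            # Every pair of duties within one group is a violation.
            for a, b in combinations(sorted(duties & group), 2):
                conflicts.append((person, a, b))
    return sorted(conflicts)


def people_needing_review(assignments):
    """Distinct employees who appear in at least one conflict."""
    return sorted({person for person, _, _ in find_conflicts(assignments)})


if __name__ == "__main__":
    for person, a, b in find_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{person}: holds both '{a}' and '{b}'")
    print("review:", ", ".join(people_needing_review(SAMPLE_ASSIGNMENTS)))
```

Swap in a real export for `SAMPLE_ASSIGNMENTS` and extend the rule groups if the organization treats additional pairings as incompatible.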

In addition to adequate segregation of duties, organizations should ensure that the people
who design, develop, implement, and operate the IS are qualified and well trained.

The same holds true for systems security personnel.

Project development and acquisition controls

It's important to have a formal, appropriate, and proven methodology to govern the
development, acquisition, implementation, and maintenance of information systems
and related technologies.

Should contain appropriate controls for:

Management review and approval

User involvement

Analysis

Design

Testing

Implementation

Conversion

Should make it possible for management to trace information inputs from
source to disposition and vice versa (the audit trail).

Examples abound of poorly managed projects that have wasted large sums of money
because certain basic principles of project management control were ignored.

The following basic principles of control should be applied to systems development in
order to reduce the potential for cost overruns and project failure and to improve the
efficiency and effectiveness of the IS:

Strategic master plan

A multi-year strategic plan should align the organization's information system
with its business strategies and show the projects that must be completed to
achieve long-range goals.

Should address hardware, software, personnel, and infrastructure
requirements.

Each year, the board and top management should prepare and approve the
plan and its supporting budget.

Should be evaluated several times a year to ensure the organization can
acquire needed components and maintain existing ones.

Project controls

A project development plan shows how a project will be completed, including:

Modules or tasks to be performed

Who will perform them

Anticipated completion dates

Project costs

Project milestones should be specified: points when progress is reviewed and
actual completion times are compared to estimates.

Each project should be assigned to a manager and team who are responsible
for its success or failure.

At project completion, a project evaluation of the team members should be
performed.

Data processing schedule

Data processing tasks should be organized according to a schedule to
maximize the use of scarce computer resources.

Steering committee

A steering committee should guide and oversee systems development and
acquisition.

System performance measurements

To be evaluated properly, a system should be assessed with measures such
as:

Throughput (output per unit of time)

Utilization (percent of time it is used productively)

Response time (how long it takes to respond)

Post-implementation review

A review should be performed after a development project is completed to
determine if the anticipated benefits were achieved.

Helps control project development activities and encourage accurate and
objective initial cost and benefit estimates.

To simplify and improve systems development, some companies hire a systems integrator,
a vendor who uses common standards and manages the development effort using their
own personnel and those of the client and other vendors.

Many companies rely on the integrator's assurance that the project will be
completed on time.

Unfortunately, the integrator is often wrong.

These third-party systems development projects are subject to the same cost
overruns and missed deadlines as systems developed internally.

When using systems integrators, companies should adhere to the same basic rules used
for project management of internal projects. In addition, they should:

Develop clear specifications

Before third parties bid, provide clear specifications, including:

Exact descriptions and definitions of the system

Explicit deadlines

Precise acceptance criteria

Although it's expensive to develop these specifications, it will save money in
the end.

Monitor the systems integration project

A sponsors committee should monitor third-party development projects.

Established by the CIO and chaired by the project's internal champion.

Should include department managers from all units that will use the
system.

Should establish formal procedures for measuring and reporting project
status.

Best approach is to:

Divide project into manageable tasks.

Assign responsibility for each task.

Meet on a regular basis (at least monthly) to review progress
and assess quality.

Change management controls

Organizations constantly modify their information systems to reflect new business
practices and take advantage of information technology advances.

Change management is the process of making sure that the changes do not
negatively affect:

Systems reliability

Security

Confidentiality

Integrity

Availability

Design and use of adequate documents and records

Proper design and use of documents and records helps ensure accurate and
complete recording of all relevant transaction data.

Form and content should be kept as simple as possible to:

Promote efficient record keeping

Minimize recording errors

Facilitate review and verification

Documents that initiate a transaction should contain a space for authorization.

Those used to transfer assets should have a space for the receiving party's
signature.

Documents should be sequentially pre-numbered:

To reduce likelihood that they would be used fraudulently.

To help ensure that all valid transactions are recorded.

A good audit trail facilitates:

Tracing individual transactions through the system.

Correcting errors.

Verifying system output.
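The pre-numbering control above only works if someone actually checks the sequence. The following is an added example, not code from the original notes: it takes the document numbers posted for a period, the range of form numbers issued from stock, and the list of forms voided but retained, all constructed here, and reports the gaps (forms that never reached the ledger) and the reuses (the same number posted twice, or a voided form that was posted anyway).

```python
"""Completeness and reuse check over sequentially pre-numbered documents.

Added example, not from the original notes. The posted numbers, the issued
range and the voided list below are constructed for illustration.
"""
from collections import Counter


def check_sequence(posted, first=None, last=None, voided=()):
    """Return (missing, duplicates) for a run of pre-numbered documents.

    posted : document numbers recorded in the system for the period.
    first/last : numbers printed on the first and last form issued. If omitted,
        the smallest and largest posted numbers are used, which only finds gaps
        inside the posted run and never a form that vanished at the end of it.
    voided : forms cancelled but physically retained. A voided number is not a
        gap, but a number that is both voided and posted is reported as a
        duplicate, because a cancelled form should never reach the ledger.
    """
    counts = Counter(int(n) for n in posted)
    voided = {int(n) for n in voided}
    if first is None or last is None:
        if not counts:
            return [], []
        lo = min(counts) if first is None else first
        hi = max(counts) if last is None else last
    else:
        lo, hi = first, last
    missing = [n for n in range(lo, hi + 1) if n not in counts and n not in voided]
    reused = {n for n, c in counts.items() if c > 1} | (voided & set(counts))
    return missing, sorted(reused)


# Constructed sample: forms 1001-1010 were issued from stock for the period,
# 1007 was voided and retained, and the following numbers were posted.
SAMPLE_POSTED = [1001, 1002, 1003, 1005, 1006, 1006, 1008, 1009]
SAMPLE_VOIDED = [1007]

if __name__ == "__main__":
    missing, reused = check_sequence(SAMPLE_POSTED, first=1001, last=1010,
                                     voided=SAMPLE_VOIDED)
    print("missing (locate the forms):", missing)
    print("reused (investigate):", reused)
```

Pass the issued range explicitly whenever it is known: with only the posted numbers the check cannot see that form 1010 left the stock and was never recorded.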

Safeguard assets, records, and data

When people consider safeguarding assets, they most often think of cash and
physical assets, such as inventory and equipment.

Another company asset that needs to be protected is information.

According to the ACFE's 2004 National Fraud Survey, theft of information made up
only 17.3% of non-cash misappropriations; however, the median cost of an
information theft was $340,000. This cost was 126% higher than the next most
costly non-asset theft. (Equipment theft had a median cost of $150,000.)

Many people mistakenly believe that the greatest risks companies face are from outsiders.

However, employees pose a much greater risk when it comes to loss of data because:

They know the system and its weaknesses better.

They are better able to hide their illegal acts.

Insiders also create less-intentional threats to systems, including:

Accidentally deleting company data.

Turning viruses loose.

Trying to fix hardware or software without appropriate expertise (i.e., when in doubt,
unplug it).

These actions can result in crashed networks, corrupt data, and hardware and software
malfunctions.

Companies also face significant risks from customers and vendors that have access to
company data.

Many steps can be taken to safeguard both information and physical assets from theft,
unauthorized use, and vandalism. Chapters 7 and 8 discuss computer-based controls. In
addition, it is important to:

Maintain accurate records of all assets

Periodically reconcile recorded amounts to physical counts.

Restrict access to assets

Use restricted storage areas for inventories and equipment.

Use cash registers, safes, lockboxes, and safe deposit boxes to limit
access to cash, securities, and paper assets.

Protect records and documents

Use fireproof storage areas, locked filing cabinets, and backups of files (including copies at off-site locations).

Limit access to blank checks and documents to authorized personnel.

Independent checks on performance

Internal checks to ensure that transactions are processed accurately are an important
control element.

These checks should be performed by someone independent of the party(ies) responsible for the activities.

The following independent checks are typically used:

Top-level reviews

Management at all levels should monitor company results and periodically compare actual performance to:

Planned performance as shown in budgets, targets, and forecasts

Prior-period performance

The performance of competitors

Analytical reviews

Examinations of relationships between different sets of data.

EXAMPLE: If credit sales increased significantly during the period and there
were no changes in credit policy, then bad debt expense should probably
have increased also.

Management should periodically analyze and review data relationships to detect fraud and other business problems.

Reconciliation of independently maintained sets of records

Check the accuracy and completeness of records by reconciling them with other records that should have the same balance.

EXAMPLES:

Bank reconciliations

Comparing the accounts payable control account to the sum of the subsidiary accounts.

Comparison of actual quantities with recorded amounts

Periodically, count significant assets and reconcile the count to company records.

EXAMPLE: Annual physical inventory.

High-dollar items and critical components should be counted more frequently.

Double-entry accounting

Ensure that debits equal credits.

Independent review

After one person processes a transaction, another reviews their work.

INFORMATION AND COMMUNICATION

The seventh component of COSO's ERM model.

The primary purpose of the AIS is to gather, record, process, store, summarize, and
communicate information about an organization.

So accountants must understand how:

Transactions are initiated

Data are captured in or converted to machine-readable form

Computer files are accessed and updated

Data are processed

Information is reported to internal and external parties

Accountants must also understand the accounting records and procedures, supporting
documents, and specific financial statement accounts involved in processing and reporting
transactions.

The preceding items facilitate an audit trail, which allows transactions to be traced from
origin to financial statements and vice versa.

According to the AICPA, an AIS has five primary objectives:

Identify and record all valid transactions.

Properly classify transactions.

Record transactions at their proper monetary value.

Record transactions in the proper accounting period.

Properly present transactions and related disclosures in the financial statements.

How to safeguard information and physical assets:

Create and enforce appropriate policies and procedures.

Maintain accurate records of all assets.

Restrict access to assets.

Protect records and documents.

Accounting systems generally consist of several accounting subsystems, each designed to process transactions of a particular type.

Though they differ with respect to the type of transactions processed, all accounting
subsystems follow the same sequence of procedures, referred to as accounting cycles.

MONITORING

The eighth component of COSO's ERM model.

Monitoring can be accomplished with a series of ongoing events or by separate evaluations.

Key methods of monitoring performance include:

Perform ERM evaluation

Can measure ERM effectiveness through a formal evaluation or through a self-assessment process.

A special group can be assembled to conduct the evaluation, or it can be done by internal auditing.

Implement effective supervision

Involves:

Training and assisting employees;

Monitoring their performance;

Correcting errors; and

Safeguarding assets by overseeing employees with access.

Supervision is especially important in organizations that:

Can't afford elaborate responsibility reporting; or

Are too small for segregation of duties.

Use responsibility accounting

Includes use of:

Budgets, quotas, schedules, standard costs, and quality standards;

Performance reports that compare actual with planned performance and highlight variances; and

Procedures for investigating significant variances and taking timely actions to correct adverse conditions.

Monitor system activities

Risk analysis and management software packages are available to:

Review computer and network security measures;

Detect illegal entry into systems;

Test for weaknesses and vulnerabilities;

Report weaknesses found; and

Suggest improvements.

Cost parameters can be entered to balance acceptable levels of risk tolerance and cost-effectiveness.

Software is also available to monitor and combat viruses, spyware, spam, pop-up ads, and
to prevent browsers from being hijacked.

Such software also helps companies recover from frauds and malicious actions and restore systems to
pre-incident status.

System transactions and activities should be recorded in a log which indicates who
accessed what data, when, and from which terminal.

Logs should be reviewed frequently to monitor system activity and trace any problems to
their source.

Data collected can be used to:

Evaluate employee productivity;

Control company costs;

Fight corporate espionage and other attacks; and

Comply with legal requirements.
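A log that records who accessed what, when, and from which terminal is only a control if it is reviewed against some notion of normal. The following is an added example, not code from the original notes: it runs three review rules over a constructed access log, flagging activity outside business hours, a user appearing on a terminal not in their baseline, and a sensitive data set touched by someone not authorised for it. The log format, the business-hours window, the known-terminal baseline and the authorisation list are all assumptions made for the example.

```python
"""Reviewing an access log for who touched what data, when, and from where.

Added example, not code from the original notes. The log format, the
business-hours window, the known-terminal baseline and the sensitive-object
authorisation list are assumptions constructed for this example.
"""
from collections import Counter
from datetime import datetime

# Constructed log: timestamp  user  terminal  action  object (one event per line)
SAMPLE_LOG = """\
2024-03-04T09:12:01 jsmith TERM-03 READ ar/customer_balances
2024-03-04T09:15:40 jsmith TERM-03 UPDATE ar/customer_balances
2024-03-04T10:02:11 mlee TERM-11 READ payroll/employee_salaries
2024-03-04T11:30:00 tkhan TERM-08 READ gl/journal
2024-03-04T15:20:00 tkhan TERM-08 READ payroll/employee_salaries
2024-03-04T23:41:09 mlee TERM-42 READ payroll/employee_salaries
2024-03-04T23:42:30 mlee TERM-42 READ payroll/employee_salaries
2024-03-04T23:43:05 mlee TERM-42 DELETE payroll/employee_salaries
"""

# Assumed baselines: terminals each user normally works from, and who may touch
# each sensitive data set. Both must be maintained or the review decays.
KNOWN_TERMINALS = {
    "jsmith": {"TERM-03"},
    "mlee": {"TERM-11"},
    "tkhan": {"TERM-08"},
}
SENSITIVE_OBJECTS = {
    "payroll/employee_salaries": {"mlee"},
}
BUSINESS_HOURS = (7, 19)  # 07:00 inclusive to 19:00 exclusive


def parse_log(text):
    """Parse the whitespace-separated log into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, action, obj = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "terminal": terminal,
            "action": action,
            "object": obj,
        })
    return sorted(events, key=lambda e: e["ts"])


def review_log(events, known_terminals=KNOWN_TERMINALS,
               sensitive=SENSITIVE_OBJECTS, hours=BUSINESS_HOURS):
    """Return a list of (rule, user, detail) findings for an auditor to follow up."""
    findings = []
    reported_terminals = set()  # report each new user/terminal pair once, not per event
    for e in events:
        where = f'{e["action"]} {e["object"]} from {e["terminal"]} at {e["ts"].isoformat()}'
        # Rule 1: activity outside business hours
        if not hours[0] <= e["ts"].hour < hours[1]:
            findings.append(("off_hours", e["user"], where))
        # Rule 2: a terminal this user has not been seen on before
        pair = (e["user"], e["terminal"])
        if e["terminal"] not in known_terminals.get(e["user"], set()) and pair not in reported_terminals:
            reported_terminals.add(pair)
            findings.append(("new_terminal", e["user"], where))
        # Rule 3: a sensitive data set touched by someone not authorised for it
        allowed = sensitive.get(e["object"])
        if allowed is not None and e["user"] not in allowed:
            findings.append(("unauthorized_object", e["user"], where))
    return findings


def summarize(findings):
    """Count findings per rule, which is what a periodic review report tabulates."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    results = review_log(parse_log(SAMPLE_LOG))
    for rule, user, detail in results:
        print(f"{rule:20} {user:8} {detail}")
    print(dict(summarize(results)))
```

In the constructed log the late-night DELETE from an unfamiliar terminal is the event that should be escalated; the off-hours and new-terminal findings for the same user reinforce each other, which is why the report keeps them separate rather than collapsing them into one alert.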

Companies that monitor system activities need to ensure they do not violate employee
privacy rights.

Employers cannot covertly observe communications of employees when those employees have a reasonable expectation of privacy.

Employers must therefore ensure that employees realize their business communications
are not private. One way to accomplish that objective is to have written policies that
employees agree to in writing which indicate:

The technology employees use on the job belongs to the company.

Emails received on company computers are not private and can be read by
supervisory personnel.

Employees should not use technology in any way to contribute to a hostile work
environment.

Track purchased software

The Business Software Alliance (BSA) aggressively tracks down and fines companies
who violate software license agreements.

To comply with copyrights, companies should periodically conduct software audits to ensure that:

There are enough licenses for all users; and

The company is not paying for more licenses than needed.

Employees should be informed of the consequences of using unlicensed software.

Conduct periodic audits

To monitor risk and detect fraud and errors, the company should have periodic:

External audits

Internal audits

Special network security audits

Auditors should test system controls and browse system usage files looking for
suspicious activities (discussed in Chapter 9).

Again, care should be exercised that employees' privacy rights are not violated.

Therefore, inform employees that auditors will conduct random surveillance, which:

Avoids privacy violations

Creates a perception of detection that can deter crime and reduce errors

Internal auditing involves:

Reviewing the reliability and integrity of financial and operating information.

Providing an appraisal of internal control effectiveness.

Assessing employee compliance with management policies and procedures and applicable laws and regulations.

Evaluating the efficiency and effectiveness of management.

Internal audits can detect:

Excess overtime

Under-used assets

Obsolete inventory

Padded expense reimbursements

Excessively loose budgets and quotas

Poorly justified capital expenditures

Production bottlenecks

Internal auditing should be organizationally independent of the accounting and operating functions.

The head should report to the audit committee of the board of directors rather than to the
controller or CFO.

Employ a computer security officer and computer consultants

The computer security officer (CSO) is in charge of AIS security.

Should be independent of the IS function

Should report to the COO or CEO

Many companies also use outside computer consultants or in-house teams to test
and evaluate their security procedures and computer systems.

Engage forensic specialists

Forensic accountants specialize in fraud detection and investigation.

Now one of the fastest-growing areas of accounting due to:

SOX

SAS-99

Boards of Directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process.

Most forensic accountants are CPAs and may have received special training with the FBI,
CIA, or other law enforcement agencies.

In particular demand are those with the necessary computer skills to ferret out and
combat fraudsters who use sophisticated technology to perpetrate their crimes.

The Association of Certified Fraud Examiners (ACFE) has created a professional certification program for fraud examiners.

Management may also need to call on computer forensic specialists for help.

They assist in discovering, extracting, safeguarding, and documenting computer evidence so that its authenticity, accuracy, and integrity will not succumb to legal challenges.

Common incidents investigated by computer forensic experts include:

Improper internet usage

Fraud

Sabotage

Loss, theft, or corruption of data

Retrieving information from emails and databases that users thought they had
erased

Determining who performed certain actions on a computer

Install fraud detection software

People who commit fraud tend to follow certain patterns and leave behind clues.

Software has been developed to seek out these fraud symptoms.

Some companies employ neural networks (programs that mimic the brain and
have learning capabilities), which are very accurate in identifying suspected fraud.

For example, if a husband and wife were each using the same credit card in two
different stores at the same time, a neural network would probably flag at least one
of the transactions immediately as suspicious.

These networks and other recent advances in fraud detection software are
significantly reducing the incidences of credit card fraud.
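The notes describe the clues such software looks for but not the logic. The following is an added example, not code from the original notes and not a neural network: it encodes two of the clues as explicit, inspectable rules, the same card at two different stores too close together in time (the husband-and-wife case above) and a purchase far larger than the card's usual amount. The transactions, card identifiers, thresholds and window are constructed assumptions.

```python
"""Rule-based stand-in for the fraud-pattern screening described above.

Added example, not from the original notes and not a neural network: two of
the clues the text mentions are written as explicit rules so the logic can be
inspected. Transactions, card numbers, thresholds and window are constructed.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed transactions: (card, timestamp, store, city, amount)
SAMPLE_TRANSACTIONS = [
    ("4111-01", "2024-03-04T14:02:00", "STORE-A", "Dallas", 42.10),
    ("4111-01", "2024-03-04T14:03:30", "STORE-B", "Houston", 87.00),
    ("4111-01", "2024-03-04T18:10:00", "STORE-A", "Dallas", 15.25),
    ("4111-02", "2024-03-04T10:00:00", "STORE-C", "Austin", 20.00),
    ("4111-02", "2024-03-04T10:45:00", "STORE-D", "Austin", 1999.00),
]

VELOCITY_WINDOW = timedelta(minutes=10)  # two stores this close in time is implausible for one cardholder
SPIKE_FACTOR = 5.0                       # amount more than 5x the card's typical purchase


def screen(transactions, window=VELOCITY_WINDOW, spike=SPIKE_FACTOR):
    """Return sorted (rule, card, timestamp) tuples for transactions worth holding."""
    by_card = {}
    for card, ts, store, city, amount in transactions:
        by_card.setdefault(card, []).append((datetime.fromisoformat(ts), store, city, amount))
    flags = set()
    for card, txns in by_card.items():
        txns.sort()  # chronological per card
        # Rule 1 (velocity): same card at two different stores within the window;
        # the later transaction is the one flagged.
        for prev, cur in zip(txns, txns[1:]):
            if cur[1] != prev[1] and cur[0] - prev[0] <= window:
                flags.add(("velocity", card, cur[0].isoformat()))
        # Rule 2 (amount spike): an amount far above the card's usual purchase
        # size, measured against the median of its other transactions so one
        # outlier cannot inflate its own baseline.
        for i, (ts, store, city, amount) in enumerate(txns):
            others = [t[3] for j, t in enumerate(txns) if j != i]
            if others and amount > spike * median(others):
                flags.add(("amount_spike", card, ts.isoformat()))
    return sorted(flags)


if __name__ == "__main__":
    for rule, card, ts in screen(SAMPLE_TRANSACTIONS):
        print(f"{rule:12} card {card} at {ts}")
```

The baseline for the spike rule is the card's own history, which is also the weakness a learned model addresses: a card with two transactions has almost no history, so in practice the threshold would be seeded from a population profile until enough of the card's own data exists.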

Implement a fraud hotline

People who witness fraudulent behavior are often torn between conflicting feelings.

They want to protect company assets and report fraud perpetrators.

But they are uncomfortable in the whistleblower role and find it easier to
remain silent.

They are particularly reluctant to report if they know of others who have suffered
repercussions from doing so.

SOX mandates that companies set up mechanisms for employees to anonymously report
abuses such as fraud.

An effective way to comply with the law and resolve employee concerns is to
provide access to an anonymous hotline.

Anonymous reporting can be accomplished through:

Phone lines

Web-based reporting

Anonymous emails

Snail mail

Outsourcing is available through a number of third parties and offers several benefits,
including:

Increased confidence on the part of the employee that his/her report is truly anonymous.

24/7 availability.

Often have multilingual capabilities, an important plus for multinational organizations.

The outsourcer may be able to follow up with the employee if additional information is needed after the initial contact.

The employee can be advised of the outcome of his/her report.

Low cost.

A downside to anonymous reporting mechanisms is that they will produce a significant amount of petty or slanderous reports that do not require investigation.

The ACFE's 2004 Report to the Nation indicates that companies without fraud hotlines had
median fraud losses that were 140% higher than companies that had fraud hotlines.
