7. Control and Accounting Information Systems Flashcards

1
Q

Explain the goal of internal control concepts

A

Internal controls are the processes implemented to provide reasonable assurance that the control objectives are met.

2
Q

What are the three internal control objectives/functions?

A

Internal controls perform three important functions:
Preventive controls
Detective controls
Corrective controls

3
Q

Explain preventive control

Prevent

A

Preventive controls deter problems before they arise.

4
Q

Explain detective controls

Detect

A

Detective controls discover problems that were not prevented.

5
Q

Explain corrective controls

Solve

A

Corrective controls identify and correct problems and recover from them.

6
Q

Explain Control Objective for Information and Related Technology Standards (COBIT), a collection of generally accepted and applicable standards in information technology, prepared by the International Information Systems Audit and Control Association

Tip: security and control framework allows
1. management, 2. user, 3. auditors

A

COBIT (IT focus): Control Objectives for Information and Related Technology, a security and control framework.

The benefits of a standard framework for IT controls:

  1. It allows management to benchmark their environments and compare them with other organizations.
  2. Because the framework is comprehensive, it provides assurance to users that IT security and controls exist.
  3. It allows auditors to substantiate their internal control opinions.
7
Q

Explain COSO internal control framework
(COSO is the counterpart to COBIT for financial control.)

Tip: guidance and enhancing

A

Internal Control – Integrated Framework, a framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems

8
Q

Explain Enterprise Risk Management (ERP)

Used by who and what is it used for?

A

Enterprise Risk Management adds three layers to the risk management process from COSO. It is used by the board of directors and management to set strategy.

9
Q

How can the organization minimize uncertainty?

Tip: strategic, operations, reporting, compliance

A

The organization can minimize uncertainty with these objectives:

  1. strategic (goals)
  2. operations (effectiveness & efficiency)
  3. reporting (accuracy + completeness + reliability)
  4. compliance (laws)
10
Q

Before the risk assessment, managers identify what could go wrong, internal and external, after that:

The factors in risk assessment: likelihood, positive or negative impacts, effect on other organizational units.

And types of risk, inherent and residual risk.

Explain inherent(before) and residual risk (after).

Remember: risk is difficult to assess!

A

Inherent = susceptibility of risk or significant control problems in the absence of internal control

Residual = risk that remains after implementation of internal control

Remember: risk is difficult to assess!

11
Q

How can management respond to risk?

A

Four ways management can respond to risk are to reduce, accept, share or avoid the risk.

12
Q

Segregation of duties is split into two categories:

  1. Segregation of accounting duties
  2. Segregation of system duties

Explain the first one, which concerns authorization, recording and custody.

A

Segregation of accounting duties is achieved when authorization, recording and custody are separated.

Authorization: approving transactions and decisions
Recording: preparing source documents; entering data into the computer; and maintaining journals, ledgers, files or databases
Custody: handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks

13
Q

Explain segregation of system duties

Tip: authority and responsibility

A

Segregation of system duties means implementing control procedures that clearly divide authority and responsibility within the information system.

The textbook lists many examples, including system administrator, network management, security management, etc., on page 241.

14
Q

What is a primary objective of an AIS?

Tip: proactive means creating or controlling a situation rather than just responding to it after it has happened.

A

To enable control of the organization so the organization can achieve its objectives.

Management expects accountants to:

  1. Take a proactive approach to eliminating system threats.
  2. Detect, correct, and recover from threats when they occur.

15
Q

Tell about SOX

Tip: publicly held companies and their auditors

prevent, transparency, protect, strengthen and punish.

A

SOX is legislation passed in 2002 that applies to all publicly held companies and their auditors to:

  1. Prevent financial statement fraud
  2. Make financial reports transparent
  3. Protect investors
  4. Strengthen internal controls
  5. Punish executives who perpetrate fraud
16
Q

Explain the five principles COBIT is based on:

  1. Meeting stakeholder needs.
  2. Covering the enterprise end-to-end.
  3. Applying a single, integrated framework.
  4. Enabling a holistic approach.
  5. Separating governance from management
A
  1. Meeting stakeholder needs means that enterprises exist to create value for their shareholders. Thus, the governance objective is value creation.
  2. Covering the enterprise end-to-end means that COBIT5 addresses governance and management of information and information-related technologies throughout the enterprise, and thus not only in IT functions.
  3. Applying a single, integrated framework means that COBIT5 can align with other governance frameworks such as COSO and COSO-ERM.
  4. Enabling a holistic approach includes the following enablers:
    Processes - a set of activities to achieve an overall IT-related goal.
    Organizational structures - key decision-making entity.
    Culture, ethics, and behavior of individuals and the organization.
    Principles and policies guide the day-to-day management.
    Information.
    Infrastructure, technology, and applications.
    People, skills, and competencies.
  5. Separating governance from management