Control and accounting information systems (Topic 4) Flashcards
Overview of control concepts
A system that provides reasonable assurance that objectives such as the following are met:
- Safeguard assets.
- Maintain records in sufficient detail to report company assets accurately and fairly (e.g. prevent ‘cooking the books’).
- Provide accurate and reliable information.
- Prepare financial reports in accordance with established criteria.
- Promote and improve operational efficiency.
- Encourage adherence to prescribed managerial policies.
- Comply with applicable laws and regulations.
Functions of Internal Control
Preventive controls:
• Deter problems before they arise (e.g. control physical access)
Detective controls:
• Discover problems that were not prevented (e.g. double-check a calculation)
Corrective controls:
• Correct problems (e.g. correct data entry errors, full restoration from backup after evidence found payment data improperly altered)
Internal controls are often segregated into two categories:
General:
Controls designed to make sure an organization’s information system and control environment are stable and well managed.
• Overall IC system and processes (e.g. overall system security; software acquisition, development)
Application:
Application controls - Controls that prevent, detect, and correct transaction errors and fraud in application programs.
• Transactions are processed correctly (e.g. authorization occurs where expected)
- They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems
Sarbanes Oxley (2002)
Developed in response to high-profile corporate scandals (e.g. Enron, WorldCom, Lehman Brothers, and in Australia: OneTel, HIH, etc.).
Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
• Public Company Accounting Oversight Board (PCAOB)
- Oversight of auditing profession, i.e. ‘auditing’ the auditors
New Auditing Rules
- Partners must rotate periodically
- Prohibited from performing certain non-audit services (e.g. information systems design and implementation; financial reporting)
- In Australia, CLERP 9 legislation is now in force
New Roles for Audit Committee
- Be part of board of directors and be independent.
- One member must be a financial expert.
- Oversees external auditors.
New Rules for Management
- Financial statements and disclosures are fairly presented, were reviewed by management (e.g. CEO/CFO), and are not misleading.
- The auditors were told about all material internal control weaknesses and fraud.
New Internal Control Requirements (Section 404 of SOX)
- Management is responsible for establishing and maintaining an adequate internal control system.
- A report accompanying the financial statements contains an assessment of internal controls, attests to their accuracy, and reports weaknesses
Australian Criminal Code (Criminal Code No. 12 of 1995, as amended)
- Prison sentences of up to 10 years.
- Financial penalties for bribery.
- Fines of up to three times the benefit derived or 10% of a company’s annual turnover.
ASX Corporate Governance Guidelines
- Lay solid foundation for management and oversight.
- Structure the board to add value.
- Promote ethical and responsible decision-making.
- Safeguard integrity in financial reporting.
- Make timely and balanced disclosure.
- Respect the rights of shareholders.
- Recognise and manage risk.
- Remunerate fairly and responsibly.
SOX Management Rules
- Base evaluation of internal controls on a recognised framework.
- Disclose all material internal control weaknesses.
- Conclude a company does not have effective financial reporting internal controls if material weaknesses exist.
Control Frameworks
COBIT (Control Objectives for Information and Related Technology)
• Framework for IT control
COSO (Committee of Sponsoring Organizations)
• Framework for enterprise internal controls (control-based approach)
COSO-ERM
• Expands COSO framework taking a risk-based approach
COBIT Framework
Based on the following principles:
• Meeting stakeholder needs
• Covering the enterprise end-to-end
• Applying a single, integrated framework
• Enabling a holistic approach
• Separating governance from management
Governance is the responsibility of the board of directors, who:
(1) evaluate stakeholder needs to identify objectives,
(2) provide management with direction by prioritizing objectives, and
(3) monitor management’s performance
The 32 management processes are broken down into the following four domains:
- Align, plan, and organize (APO)
- Build, acquire, and implement (BAI)
- Deliver, service, and support (DSS)
- Monitor, evaluate, and assess (MEA)
COSO framework
- Control (internal) environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
COSO-ERM
(Enterprise Risk Management)
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
COSO-ERM
1. Internal environment
- Management’s philosophy, operating style, and risk appetite.
• loose attitude towards ‘creative accounting’
- The board of directors (e.g. independent boards vs non-independent boards).
- Commitment to integrity, ethical values, and competence
- Whether management endorses (or not) aggressive sales practices, unfair/unethical sales/negotiation practices, or excessive bonuses based on financial results, or ‘punishes’ honesty
- Organisational structure (e.g. clear vs unclear lines of authority/responsibility).
- Methods of assigning authority and responsibility (e.g. based on policy and procedures).
- Human resource standards (e.g. hiring, training, compensation, leave and rotation of duties, termination). Example: Jérôme Kerviel
- External influences (e.g. regulators).
COSO-ERM
2. Objective setting
Strategic:
• High-level goals aligned with corporate mission
Operational:
• Effectiveness and efficiency of operations
Reporting:
- Objectives to help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.
• Complete and reliable
• Improve decision making
Compliance:
• Laws and regulations are followed - help the company comply with all applicable laws and regulations.
COSO-ERM
3. Event Identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization’s objectives
Positive or negative impacts (or both)
Events may trigger other events
All events should be anticipated
○ E.g. choosing inappropriate technology
○ Unauthorized access
○ Incomplete transactions
○ System failures
COSO-ERM
4. Risk Assessment
Identify Risk:
• Identify likelihood of risk
- Certain-likely-possible-unlikely-rare
• Identify positive or negative impact
- Catastrophic-severe-major-moderate-minor-insignificant
Types of Risk:
• Inherent
Risk that exists before any plans are made to control it
- E.g. risk of not having computers password-protected
• Residual
- Remaining risk after controls are in place to reduce it
- E.g. Risk that password not safeguarded by employee
COSO-ERM
5. Risk Response
Estimate costs and benefits
- The objective in designing an internal control system is to provide reasonable assurance that undesirable events do not take place
One way to estimate the value of internal controls involves expected loss, the mathematical product of impact and likelihood:
- Expected loss = Impact x Likelihood
Determine cost and benefit effectiveness
Implement control or accept, share, or avoid the risk
Reduce:
• Implement effective internal control
Accept:
• Do nothing, accept likelihood of risk
Share:
• Buy insurance, outsource, hedge
Avoid:
• Do not engage in activity that produces risk
COSO-ERM
6. Control Activities
• Proper authorisation of transactions and activities.
- Signature or code (e.g. digital signature) on document to signal authority over a process.
- Separation of duties.
- Project development and acquisition controls.
- Change management controls.
- Design and use of documents and records (e.g. a staggered printing schedule: does it match what was printed by the teller?)
- Safeguarding assets, records, and data.
- Independent checks on performance.
Separation of Accounting Duties - model
(Model shown in the images document)
Segregation of systems duties divides authority and responsibility between the following systems functions:
- System administration - Systems administrators make sure all information system components operate smoothly and efficiently
- Network management - Network managers ensure that devices are linked to the organization’s internal and external networks and that those networks operate properly.
- Security management - Security management makes sure that systems are secure and protected from internal and external threats.
- Change management - Change management is the process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability
- Users - Users record transactions, authorize data to be processed, and use system output.
- Systems analysts - Systems analysts help users determine their information needs and design systems to meet those needs.
- Programmers - Programmers take the analysts’ design and develop, code, and test computer programs.
- Computer operators - Computer operators run the software on the company’s computers. They ensure that data are input properly, processed correctly, and that needed output is produced.
- Information system librarian - The information system librarian maintains custody of corporate databases, files, and programs in a separate storage area called the information system library.
- Data control - The data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.
Project Development and Acquisition Controls
- A steering committee - guides and oversees systems development and acquisition.
- A strategic master plan - is developed and updated yearly to align an organization’s information system with its business strategies. It shows the projects that must be completed, and it addresses the company’s hardware, software, personnel, and infrastructure requirements.
- A project development plan - shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones—significant points when progress is reviewed and actual and estimated completion times are compared
- A data processing schedule - shows when each task should be performed
- System performance measurements - are established to evaluate the system. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is used), and response time (how long it takes for the system to respond).
- A post-implementation review - is performed after a development project is completed to determine whether the anticipated benefits were achieved.
Independent Checks On Performance
• Top-level reviews (e.g. variance analysis)
Management should monitor company results and periodically compare actual company performance to (1) planned performance, as shown in budgets, targets, and forecasts; (2) prior period performance; and (3) competitors’ performance.
• Analytical reviews (e.g. a credit sales increase should be consistent with an accounts receivable increase; what if they are inconsistent?!)
An analytical review is an examination of the relationships between different sets of data. For example, as credit sales increase, so should accounts receivable. In addition, there are relationships between sales and accounts such as cost of goods sold, inventory, and freight out.
• Reconciliation of independently maintained records (e.g. do bank statement balances agree/reconcile with company account balances?)
Records should be reconciled to documents or records with the same balance. For example, a bank reconciliation verifies that company checking account balances agree with bank statement balances
• Comparison of actual quantities with recorded amounts
Significant assets are periodically counted and reconciled to company records. At the end of each clerk’s shift, cash in a cash register drawer should match the amount on the cash register tape. Inventory should be periodically counted and reconciled to inventory records.
• Double-entry accounting
The maxim that debits equal credits provides numerous opportunities for independent checks.
• Independent review
After a transaction is processed, a second person reviews the work of the first, checking for proper authorization, reviewing supporting documents, and checking the accuracy of prices, quantities, and extensions.
COSO-ERM
7. Information and Communication
Primary purpose of an AIS: • Gather • Record • Process • Summarise • Communicate.
Communicate across organization what internal controls have been created, why they have been created, and the manner in which they operate
The updated IC framework specifies that the following three principles apply to the information and communication process:
- Obtain or generate relevant, high-quality information to support internal control
- Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control
- Communicate relevant internal control matters to external parties
COSO-ERM
8. Monitoring
Perform internal control evaluations (e.g., internal audit)
Internal control effectiveness is measured using a formal or a self-assessment evaluation. A team can be formed to conduct the evaluation, or it can be done by internal auditing
Implement effective supervision
Effective supervision involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who
Use responsibility accounting systems (e.g., budgets)
Monitor system activities
Risk analysis and management software packages review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements
Track purchased software and mobile devices
The Business Software Alliance (BSA) tracks down and fines companies that violate software license agreements. To comply with copyrights and protect themselves from software piracy lawsuits, companies should periodically conduct software audits.
Conduct periodic audits (e.g., external, internal, network security)
External, internal, and network security audits can assess and monitor risk as well as detect fraud and errors. Informing employees of audits helps resolve privacy issues, deters fraud, and reduces errors
Employ computer security officer
A computer security officer (CSO) is in charge of system security, independent of the information system function, and reports to the chief operating officer (COO) or the CEO. The overwhelming tasks related to SOX and other forms of compliance have led many companies to delegate all compliance issues to a chief compliance officer (CCO)
Engage forensic specialists
Forensic investigators who specialize in fraud are a fast-growing group in the accounting profession. Their increasing presence is due to several factors, most notably SOX, new accounting rules, and demands by boards of directors that forensic investigations be an ongoing part of the financial reporting and corporate governance process
Install fraud detection software
Fraudsters follow distinct patterns and leave clues behind that can be discovered by fraud detection software.
Implement fraud hotline
People witnessing fraudulent behavior are often torn between two conflicting feelings.
Information for Management characterised by:
Effectiveness
• Information must be relevant and timely.
Efficiency
• Information must be produced in a cost-effective manner.
Confidentiality
• Sensitive information must be protected from unauthorised disclosure.
Integrity
• Information must be accurate, complete, and valid.
Availability
• Information must be available whenever needed.
Compliance
• Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
Reliability
• Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.
Trust Services Framework
Security
• Access to the system and data is controlled and restricted to legitimate users.
Confidentiality
• Sensitive organizational data is protected.
Privacy
• Personal information about customers, trading partners, investors, and employees is protected.
Processing integrity
• Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability
• System and information are available.
Foundation of the Trust Services Framework:
• Management issue, not a technology issue
- S286 Corporations Act 2001 states:
o Financial statements and notes for the financial year comply with the Accounting Standards; and
o Financial statements and notes for the financial year give a true and fair view.
- Accuracy of an organisation’s financial statements depends upon the reliability of its information systems.
Management’s Role in Security
- Create security-aware culture
- Inventory and value company information resources
- Assess risk, select risk response
- Develop and communicate security plans, policies and procedures
- Acquire and deploy IT security resources
- Monitor and evaluate effectiveness
Security Approach
Defense-in-depth and the time-based model of information security
- Have multiple layers of control.
- Overlapping/complementary/redundant
Time-based model
Combination of detective and corrective controls
• For an effective information security system:
P > D + C
• P = the time it takes an attacker to break through the organisation’s preventive controls.
• D = the time it takes to detect that an attack is in progress.
• C = the time it takes to respond to the attack.
Time-based model example
E.g.
- Firewalls/passwords/tokens/biometrics increase P
- An intrusion detection system decreases D
- Sophisticated methods to respond to breaches decrease C
Basic steps criminals use to attack an organization’s information system:
- Conduct reconnaissance - Similarly, computer attackers begin by collecting information about their target. Perusing an organization’s financial statements, Securities and Exchange Commission (SEC) filings, website, and press releases can yield much valuable information. The objective of this initial reconnaissance is to learn as much as possible about the target and to identify potential vulnerabilities.
- Attempt social engineering - The use of deception to obtain unauthorized access to information resources is referred to as social engineering. Social engineering can take place in countless ways, limited only by the creativity and imagination of the attacker. Social engineering attacks often take place over the telephone
- Scan and map the target - If an attacker cannot successfully penetrate the target system via social engineering, the next step is to conduct more detailed reconnaissance to identify potential points of remote entry. The attacker uses a variety of automated tools to identify computers that can be remotely accessed and the types of software they are running.
- Research - Once the attacker has identified specific targets and knows what versions of software are running on them, the next step is to conduct research to find known vulnerabilities for those programs and learn how to take advantage of those vulnerabilities.
- Execute the attack - The criminal takes advantage of a vulnerability to obtain unauthorized access to the target’s information system.
- Cover tracks - After penetrating the victim’s information system, most attackers attempt to cover their tracks and create “back doors” that they can use to obtain access if their initial attack is discovered and controls are implemented to block that method of entry.
Mitigating risk
- Preventive Control
- Culture of security
- Training of employees
- User access controls (authentication and authorisation)
- Physical access controls (locks, guards etc.)
- Network access controls (firewalls, intrusion prevention systems etc.)
- Device and software hardening controls (configuration options)
User access Controls
Authentication—verifies who a person is:
• Something the person knows (e.g. passwords, PINs)
• Something the person has (smartcards, ID cards)
• Some biometric characteristic (fingerprint; iris/retina)
• Combination of all three
Authorisation—determines what a person can access (e.g. restricting access to files and applications):
- Files (no access / read / read and update / read, update, delete)
- Applications (no access / execute)
(see Access Control Matrix next slide)
multifactor authentication
The use of two or more types of authentication credentials in conjunction to achieve a greater level of security.
multimodal authentication
The use of multiple authentication credentials of the same type to achieve a greater level of security.
penetration test
An authorized attempt to break into the organization’s information system
Network Access Control (Perimeter Defense)
Border router:
• Connects an organisation’s information system to the Internet.
Firewall
• Software or hardware used to filter information.
Demilitarised Zone (DMZ)
• Separate network that permits controlled access from the Internet to selected resources.
Intrusion Prevention Systems (IPS)
• Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks.
Device and Software Hardening (Internal Defense)
End-Point Configuration
• Disable unnecessary features that may be vulnerable to attack.
- Servers, printers, workstations
- Use vulnerability scanners to identify vulnerable end-points
User Account Management
Software Design
• Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.
Detective Controls
Log Analysis
• Process of examining logs to identify evidence of possible attacks.
Intrusion Detection
• Sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyse those logs for signs of attempted or successful intrusions.
• E.g. compare known network access patterns with observed network access patterns
• Multiple attempts to access an account
Managerial Reports (e.g. # of passwords violating standards)
Security Testing
e.g. penetration testing: authorised attempt to break into an organisation’s IS.
Corrective Controls
Computer Incident Response Team (problem recognition/containment/recovery/follow-up)
Chief Information Security Officer (CISO):
- Independent responsibility for information security assigned to someone at an appropriate senior level.
Patch Management: Fix known vulnerabilities by installing the latest updates.
- Security programs
- Operating systems
- Application programs
Virtualisation
• Multiple systems are run on one computer.
- In the past organisations ran many separate servers and computers, which was safer because they were isolated; virtualisation combines them and cuts costs, but at the risk that all information sits in one place
Cloud Computing
Cloud computing - using a browser to remotely access software, data storage, hardware, and applications.
• Remotely accessed resources
- Software applications
- Data storage
- Hardware
Virtualisation and cloud computing
Opportunities and Risks
Risks
• Increased exposure if breach occurs.
• Reduced authentication standards.
Opportunities
• Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein.
Internet of Things (IoT)
The embedding of sensors in a multitude of devices (lights, heating and air conditioning, appliances, etc.) so that those devices can now connect to the Internet. The IoT has significant implications for information security. On the one hand, it makes the design of an effective set of controls much more complex