Computer-Based Information Systems Controls

Chapter 7
Introduction
This chapter discusses the five interrelated components of the Committee of Sponsoring Organizations' (COSO) internal control model.
What is the traditional definition of internal control?
Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.
Overview of Control Concepts
What is management control?
Management control encompasses the following three features:
1 It is an integral part of management responsibilities.
2 It is designed to reduce errors and irregularities and to achieve organizational goals.
3 It is personnel-oriented and seeks to help employees attain company goals.
Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1 Preventive, detective, and corrective controls
2 General and application controls
3 Administrative and accounting controls
4 Input, processing, and output controls
Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1 American Accounting Association
2 American Institute of Certified Public Accountants
3 Institute of Internal Auditors
4 Institute of Management Accountants
5 Financial Executives Institute
Committee of Sponsoring Organizations
The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
– effectiveness and efficiency of operations
– reliability of financial reporting
– compliance with applicable laws and regulations
COSO's internal control model has five crucial components:
1 Control environment
2 Control activities
3 Risk assessment
4 Information and communication
5 Monitoring
Information Systems Audit and Control Foundation
The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).
COBIT consolidates standards from 36 different sources into a single framework.
The framework addresses the issue of control from three vantage points, or dimensions:
1 Information: needs to conform to certain criteria that COBIT refers to as business requirements for information
2 IT resources: people, application systems, technology, facilities, and data
3 IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring
The Control Environment
The first component of COSO's internal control model is the control environment.
The control environment consists of many factors, including the following:
1 Commitment to integrity and ethical values
2 Management's philosophy and operating style
3 Organizational structure
4 The audit committee of the board of directors
5 Methods of assigning authority and responsibility
6 Human resources policies and practices
7 External influences
Control Activities
The second component of COSO’s internal
control model is control activities.
Generally, control procedures fall into one of
five categories:
1 Proper authorization of transactions and
activities
2 Segregation of duties
3 Design and use of adequate documents and
records
4 Adequate safeguards of assets and records
5 Independent checks on performance
Proper Authorization of Transactions and Activities
Authorization is the empowerment management gives employees to perform activities and make decisions.
A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.
Specific authorization is the granting of authorization by management for certain activities or transactions.
Segregation of Duties
Good internal control demands that no single employee be given too much responsibility.
An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.
Segregation of Duties

Custodial Functions
– Handling cash
– Handling assets
– Writing checks
– Receiving checks in mail

Authorization Functions
– Authorization of transactions

Recording Functions
– Preparing source documents
– Maintaining journals
– Preparing reconciliations
– Preparing performance reports
Segregation of Duties
If two of these three functions are the responsibility of a single person, problems can arise.
Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
It also prevents the authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.
Segregation of Duties
Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
Design and Use of Adequate
Documents and Records
The proper design and use of documents
and records helps ensure the accurate
and complete recording of all relevant
transaction data.
Documents that initiate a transaction
should contain a space for authorization.
Design and Use of Adequate Documents and Records
The following procedures safeguard assets from theft, unauthorized use, and vandalism:
– effectively supervising and segregating duties
– maintaining accurate records of assets, including information
– restricting physical access to cash and paper assets
– having restricted storage areas
Adequate Safeguards of
Assets and Records
What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer
files, and information
Independent Checks on Performance
Independent checks, which ensure that transactions are processed accurately, are another important control element.
What are various types of independent
checks?
– reconciliation of two independently maintained sets of
records
– comparison of actual quantities with recorded amounts
– double-entry accounting
– batch totals
Independent Checks on Performance
Five batch totals are used in computer
systems:
1 A financial total is the sum of a dollar field.
2 A hash total is the sum of a field that would usually
not be added.
3 A record count is the number of documents
processed.
4 A line count is the number of lines of data entered.
5 A cross-footing balance test compares the grand
total of all the rows with the grand total of all the
columns to check that they are equal.
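As an added example (not from the chapter), the batch totals listed above computed for a constructed batch of invoices and then used to detect a batch that was altered between data entry and processing; the record layout, field names and sample values are all constructed.

```python
# Added example, not from the slides: computes the batch totals described above
# for a constructed batch of invoices and uses them to detect a batch that was
# altered between data entry and processing. Record layout and values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    number: int
    customer_id: int  # an identifier, so its sum is meaningless except as a hash total
    amount: float
    line_items: int

def batch_totals(batch):
    """Financial total, hash total, record count and line count for one batch."""
    return {
        "financial_total": round(sum(inv.amount for inv in batch), 2),
        "hash_total": sum(inv.customer_id for inv in batch),
        "record_count": len(batch),
        "line_count": sum(inv.line_items for inv in batch),
    }

def batch_discrepancies(control_totals, received_batch):
    """Recompute the totals on the batch as received and return the names of
    the totals that no longer agree with the control totals taken at input."""
    actual = batch_totals(received_batch)
    return sorted(name for name in control_totals if control_totals[name] != actual[name])

def cross_foot_ok(row_totals, column_totals):
    """Cross-footing balance test on a report: the grand total of the row
    totals must equal the grand total of the column totals."""
    return sum(row_totals) == sum(column_totals)

# Control totals recorded when the batch was entered.
SUBMITTED = [Invoice(1001, 4471, 250.00, 3), Invoice(1002, 1873, 99.50, 1),
             Invoice(1003, 9020, 1200.00, 7)]
CONTROL_TOTALS = batch_totals(SUBMITTED)

# Constructed alterations: digits of one customer id transposed (the financial
# total, record count and line count all still agree; only the hash total moves),
# and one invoice dropped entirely.
RECEIVED_TRANSPOSED = [Invoice(1001, 4471, 250.00, 3), Invoice(1002, 1783, 99.50, 1),
                       Invoice(1003, 9020, 1200.00, 7)]
RECEIVED_DROPPED = SUBMITTED[:2]

if __name__ == "__main__":
    print("control totals:", CONTROL_TOTALS)
    print("transposed id :", batch_discrepancies(CONTROL_TOTALS, RECEIVED_TRANSPOSED))
    print("dropped record:", batch_discrepancies(CONTROL_TOTALS, RECEIVED_DROPPED))
    print("cross-foot ok :", cross_foot_ok([120, 80, 45], [150, 95]))
```

The transposed customer id shows why a hash total is kept at all: the dollar total and the counts are unchanged, so only the sum of the non-financial field reveals the error.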
Risk Assessment
The third component of COSO's internal control model is risk assessment.
Companies must identify the threats they face:
– strategic — doing the wrong thing
– financial — having financial resources lost, wasted, or stolen
– information — faulty or irrelevant information, or unreliable systems
Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
1 Choosing an inappropriate technology
2 Unauthorized system access
3 Tapping into data transmissions
4 Loss of data integrity
5 Incomplete transactions
6 System failures
7 Incompatible systems
Risk Assessment
Some threats pose a greater risk because the probability of their occurrence is higher. For example:
A company is more likely to be the victim of a computer fraud than of a terrorist attack.
Risk and exposure must be considered together.
Estimate Cost and Benefits
No internal control system can provide foolproof protection against all internal control threats.
The cost of a foolproof system would be prohibitively high.
One way to calculate benefits involves calculating expected loss.
The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.

Expected loss = risk × exposure

Information and Communication
The fourth component of COSO's internal control model is information and communication.
Accountants must understand the following:
1 How transactions are initiated
2 How data are captured in machine-readable form or converted from source documents
3 How computer files are accessed and updated
4 How data are processed to prepare information
5 How information is reported
Information and Communication
All of these items make it possible for the system to have an audit trail.
An audit trail exists when individual company transactions can be traced through the system.
Monitoring Performance
The fifth component of COSO's internal control model is monitoring.
What are the key methods of monitoring performance?
– effective supervision
– responsibility accounting
– internal auditing
The Four Principles of a Reliable System
1. Availability of the system when needed.
2. Security of the system against unauthorized
physical and logical access.
3. Maintainability of the system as required
without affecting its availability, security, and
integrity.
4. Integrity of the system to ensure that
processing is complete, accurate, timely, and
authorized.
The Criteria Used To Evaluate Reliability Principles
For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.
1. The entity has defined, documented, and
communicated performance objectives, policies, and
standards that achieve each of the four principles.
2. The entity uses procedures, people, software, data,
and infrastructure to achieve each principle in
accordance with established policies and standards.
3. The entity monitors the system and takes action to
achieve compliance with the objectives, policies, and
standards for each principle.
End of Chapter 7