Ais10 ch06
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 1 of 314
INTRODUCTION
• Questions to be addressed in this chapter:
– What are the basic internal control concepts, and why are
computer control and security important?
– What is the difference between the COBIT, COSO, and ERM
control frameworks?
– What are the major elements in the internal environment of a
company?
– What are the four types of control objectives that companies
need to set?
– What events affect uncertainty, and how can they be identified?
– How is the Enterprise Risk Management model used to assess
and respond to risk?
– What control activities are commonly used in companies?
– How do organizations communicate information and monitor
control processes?
INTRODUCTION
• Historically, many organizations have not adequately
protected their data due to one or more of the following
reasons:
– Computer control problems are often underestimated and
downplayed.
– Control implications of moving from centralized, host-based
computer systems to those of a networked system or Internet-
based system are not always fully understood.
– Companies have not realized that data is a strategic resource
and that data security must be a strategic requirement.
– Productivity and cost pressures may motivate management to
forego time-consuming control measures.
INTRODUCTION
• To use IT in achieving control objectives,
accountants must:
– Understand how to protect systems from
threats.
– Have a good understanding of IT and its
capabilities and risks.
• Achieving adequate security and control
over the information resources of an
organization should be a top management
priority.
OVERVIEW OF CONTROL CONCEPTS
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• In 1977, Congress passed the Foreign Corrupt
Practices Act, and to the surprise of the profession, this
act incorporated language from an AICPA
pronouncement.
• The primary purpose of the act was to prevent the
bribery of foreign officials to obtain business.
• A significant effect was to require that corporations
maintain good systems of internal accounting control.
– Generated significant interest among management, accountants,
and auditors in designing and evaluating internal control
systems.
– The resulting internal control improvements weren’t sufficient.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• In the late 1990s and early 2000s, a series
of multi-million-dollar accounting frauds
made headlines.
– The impact on financial markets was
substantial, and Congress responded with
passage of the Sarbanes-Oxley Act of 2002
(aka, SOX).
• Applies to publicly held companies and their
auditors
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• The intent of SOX is to:
– Prevent financial statement fraud
– Make financial reports more transparent
– Protect investors
– Strengthen internal controls in publicly-held
companies
– Punish executives who perpetrate fraud
• SOX has had a material impact on the way
boards of directors, management, and
accountants operate.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting
Oversight Board (PCAOB) to oversee the auditing
profession.
• Has five members, three of whom cannot be
CPAs.
• Charges fees to firms to fund the PCAOB.
• Sets and enforces auditing, quality control,
ethics, independence, and other standards
relating to audit reports.
• Currently recognizes FASB statements as
being generally accepted.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting Oversight
Board (PCAOB) to oversee the auditing profession.
– New rules for auditors
– New rules for audit committees
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• New rules for management:
– If management willfully and knowingly violates the
certification, they can be:
• Imprisoned up to 20 years.
• Fined up to $5 million.
– Management and directors cannot receive loans that would
not be available to people outside the company.
– They must disclose on a rapid and current basis material
changes to their financial condition.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• New internal control requirements:
– Section 404 of SOX requires companies to issue a
report accompanying the financial statements that:
• States management is responsible for establishing
and maintaining an adequate internal control
structure and procedures.
• Contains management’s assessment of the company’s
internal controls.
• Attests to the accuracy of the internal controls,
including disclosures of significant defects or
material noncompliance found during the tests.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• SOX also requires that the auditor attests to and reports
on management’s internal control assessment.
• Each audit report must describe the scope of the
auditor’s internal control tests.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• After the passage of SOX, the SEC further
mandated that:
– Management must base its evaluation on a
recognized control framework, developed using a
due-process procedure that allows for public
comment. The most likely framework is the COSO
model discussed later in the chapter.
– The report must contain a statement identifying the
framework used.
– Management must disclose any and all material
internal control weaknesses.
– Management cannot conclude that the company has
effective internal control if there are any material
weaknesses.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Levers of Control
– Many people feel there is a basic conflict
between creativity and controls.
– Robert Simons has espoused four levers of
control to help companies reconcile this
conflict:
• A concise belief system
– Communicates company core values to employees and
inspires them to live by them.
– Draws attention to how the organization creates value.
– Helps employees understand management’s intended
direction.
– Must be broad enough to appeal to all levels.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Levers of Control (continued)
• A boundary system
– Helps employees act ethically by setting limits beyond
which they must not pass.
– Does not create rules and standard operating
procedures that can stifle creativity.
– Encourages employees to think and act creatively to
solve problems and meet customer needs as long as
they operate within limits such as:
• Meeting minimum standards of performance
• Shunning off-limits activities
• Avoiding actions that could damage the company’s
reputation.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Levers of Control (continued)
• A diagnostic control system
– Ensures efficient and effective achievement of important
controls.
– This system measures company progress by comparing
actual to planned performance.
– Helps managers track critical performance outcomes
and monitor performance of individuals, departments,
and locations.
– Provides feedback to enable management to adjust and
fine-tune.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Levers of Control (continued)
• An interactive control system
– Helps top-level managers with high-level activities that
demand frequent and regular attention. Examples:
• Developing company strategy.
• Setting company objectives.
• Understanding and assessing threats and risks.
• Monitoring changes in competitive conditions and
emerging technologies.
• Developing responses and action plans to proactively
deal with these high-level issues.
– Also helps managers focus the attention of
subordinates on key strategic issues and to be more
involved in their decisions.
– Data from this system are best interpreted and
discussed in face-to-face meetings.
CONTROL FRAMEWORKS
CONTROL FRAMEWORKS
• COBIT Framework
– Also known as the Control Objectives for
Information and Related Technology
framework.
– Developed by the Information Systems Audit
and Control Foundation (ISACF).
– A framework of generally applicable
information systems security and control
practices for IT control.
CONTROL FRAMEWORKS
• The framework addresses the issue of control from three
vantage points or dimensions:
– Business objectives
• To satisfy business objectives, information must conform
to certain criteria referred to as “business requirements
for information.”
• The criteria are divided into seven distinct yet
overlapping categories that map into COSO objectives:
– Effectiveness (relevant, pertinent, and timely)
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance with legal requirements
– Reliability
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 49 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 50 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 51 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 52 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 53 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 54 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 55 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 56 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 57 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 59 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 60 of 314
CONTROL FRAMEWORKS
• Nine years after COSO issued the preceding
framework, it began investigating how to
effectively identify, assess, and manage risk so
organizations could improve the risk
management process.
• Result: Enterprise Risk Management Integrated
Framework (ERM)
– An enhanced corporate governance document.
– Expands on elements of preceding framework.
– Provides a focus on the broader subject of enterprise
risk management.
CONTROL FRAMEWORKS
• Intent of ERM is to achieve all goals of the
internal control framework and help the
organization:
– Provide reasonable assurance that company
objectives and goals are achieved and problems and
surprises are minimized.
– Achieve its financial and performance targets.
– Assess risks continuously and identify steps to take
and resources to allocate to overcome or mitigate
risk.
– Avoid adverse publicity and damage to the entity’s
reputation.
CONTROL FRAMEWORKS
• ERM defines risk management as:
– A process effected by an entity’s board of
directors, management, and other personnel
– Applied in strategy setting and across the
enterprise
– To identify potential events that may affect the
entity
– And manage risk to be within its risk appetite
– In order to provide reasonable assurance of
the achievement of entity objectives.
CONTROL FRAMEWORKS
• COSO developed a
model to illustrate
the elements of
ERM.
CONTROL FRAMEWORKS
• Columns at the top
represent the four types of
objectives that
management must meet to
achieve company goals.
– Strategic objectives
• Strategic objectives are
high-level goals that are
aligned with and support
the company’s mission.
CONTROL FRAMEWORKS
– Operations objectives
• Operations objectives deal with
effectiveness and efficiency of
company operations, such as:
– Performance and
profitability goals
– Safeguarding assets
CONTROL FRAMEWORKS
– Reporting objectives
• Reporting objectives help ensure the accuracy,
completeness, and reliability of internal and
external company reports of both a financial and
non-financial nature.
• Improve decision-making and monitor company
activities and performance more efficiently.
CONTROL FRAMEWORKS
– Compliance objectives
• Compliance objectives help the company comply with
applicable laws and regulations.
– External parties often set the compliance rules.
– Companies in the same industry often have similar
concerns in this area.
CONTROL FRAMEWORKS
• ERM can provide reasonable
assurance that reporting and
compliance objectives will be
achieved because companies
have control over them.
• However, strategic and
operations objectives are
sometimes at the mercy of
external events that the
company can’t control.
• Therefore, in these areas, the
only reasonable assurance the
ERM can provide is that
management and directors are
informed on a timely basis of the
progress the company is making
in achieving them.
CONTROL FRAMEWORKS
• Columns on the
right represent the
company’s units:
– Entire company
– Division
– Business unit
– Subsidiary
CONTROL FRAMEWORKS
• The horizontal rows are
eight related risk and
control components,
including:
– Internal environment
• The tone or culture of the
company.
• Provides discipline and
structure and is the foundation
for all other components.
• Essentially the same as control
environment in the COSO
internal control framework.
CONTROL FRAMEWORKS
• The eight horizontal rows (continued):
– Objective setting
– Event identification
– Risk assessment
– Risk response
• Management aligns identified risks
with the company’s tolerance for
risk by choosing to:
– Avoid
– Reduce
– Share
– Accept
• Management takes an entity-wide
or portfolio view of risks in
assessing the likelihood of the
risks, their potential impact, and
costs-benefits of alternate
responses.
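The avoid/reduce/share/accept choice described above, worked as an added example; this is not code from the slides or the textbook. The scoring rule (expected annual loss = likelihood × impact, and a response judged by its residual expected loss plus its own cost), the three-entry risk register, the dollar figures and the risk appetite are all constructed for the illustration.

```python
"""Choosing an ERM risk response with a portfolio view.

Added illustration for the avoid/reduce/share/accept step; it is not code
from the slides or the textbook. Assumptions made here: expected annual
loss = likelihood x impact, a response is scored by residual expected loss
plus its own annual cost, and the risk register, figures and appetite
below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    kind: str                   # "avoid", "reduce", "share" or "accept"
    residual_likelihood: float  # annual probability after the response
    residual_impact: float      # dollar loss if the event still occurs
    annual_cost: float          # what the response itself costs per year


@dataclass(frozen=True)
class Risk:
    name: str
    options: tuple              # candidate Response objects


def expected_loss(likelihood: float, impact: float) -> float:
    """Expected annual loss (assumed scoring rule: likelihood x impact)."""
    return likelihood * impact


def residual_loss(resp: Response) -> float:
    """Expected annual loss that remains after the response is applied."""
    return expected_loss(resp.residual_likelihood, resp.residual_impact)


def total_cost(resp: Response) -> float:
    """Cost-benefit figure for one response: residual loss plus its cost."""
    return residual_loss(resp) + resp.annual_cost


def choose_response(risk: Risk) -> Response:
    """Cheapest response overall; ties go to the one leaving less residual risk."""
    return min(risk.options, key=lambda r: (total_cost(r), residual_loss(r)))


def portfolio_view(risks, risk_appetite: float):
    """Entity-wide view: choose per risk, then compare the summed residual
    expected loss with the risk appetite. Returns (choices, residual, ok)."""
    choices = {risk.name: choose_response(risk) for risk in risks}
    residual = sum(residual_loss(c) for c in choices.values())
    return choices, residual, residual <= risk_appetite


# Constructed sample register (likelihoods per year, impacts in dollars).
# "accept" keeps the inherent likelihood and impact at zero cost.
RISK_REGISTER = (
    Risk("Ransomware on file servers", (
        Response("accept", 0.20, 500_000, 0),
        Response("reduce", 0.05, 100_000, 40_000),   # offline backups + endpoint controls
        Response("share",  0.20,  50_000, 30_000),   # cyber insurance, 50k deductible
        Response("avoid",  0.00,       0, 120_000),  # retire the servers entirely
    )),
    Risk("Unauthorized journal entries", (
        Response("accept", 0.10, 200_000, 0),
        Response("reduce", 0.02, 200_000, 8_000),    # segregation of duties + approvals
    )),
    Risk("Unsupported payment module", (
        Response("accept", 0.30, 300_000, 0),
        Response("reduce", 0.15, 300_000, 25_000),   # compensating controls only
        Response("avoid",  0.00,       0, 60_000),   # replace the module
    )),
)
RISK_APPETITE = 20_000  # maximum tolerated residual expected loss per year


if __name__ == "__main__":
    choices, residual, ok = portfolio_view(RISK_REGISTER, RISK_APPETITE)
    for name, resp in choices.items():
        print(f"{name}: {resp.kind} (total cost {total_cost(resp):,.0f})")
    print(f"portfolio residual {residual:,.0f}; within appetite: {ok}")
```

With these constructed figures the cheapest response differs per risk (share, reduce, avoid), and "accept" is never chosen because each alternative costs less than the inherent expected loss. The portfolio check is the point of the entity-wide view: if the summed residual exceeded the appetite, management would have to take a costlier option with a lower residual on one or more risks rather than the per-risk minimum.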
CONTROL FRAMEWORKS
– Control activities
• To implement management’s risk responses, control
policies and procedures are established and
implemented throughout the various levels and
functions of the organization.
• Corresponds to the control activities element in the
COSO internal control framework.
CONTROL FRAMEWORKS
– Information and communication
• Information about the company and ERM components
must be identified, captured, and communicated so
employees can fulfill their responsibilities.
• Information must be able to flow through all levels
and functions in the company as well as flowing to
and from external parties.
• Employees should understand their role and
importance in ERM and how these responsibilities
relate to those of others.
• Has a corresponding element in the COSO internal
control framework.
CONTROL FRAMEWORKS
– Monitoring
• ERM processes must be monitored on an ongoing basis
and modified as needed.
• Accomplished with ongoing management activities and
separate evaluations.
• Deficiencies are reported to management.
• Corresponding module in the COSO internal control
framework.
CONTROL FRAMEWORKS
• The ERM model is
three-dimensional.
• Means that each of
the eight risk and
control elements is
applied to the four
objectives in the
entire company
and/or one of its
subunits.
CONTROL FRAMEWORKS
• ERM Framework vs. the Internal Control Framework
– The internal control framework has been widely adopted
as the principal way to evaluate internal controls as
required by SOX. However, there are issues with it.
• It has too narrow a focus.
– Examining controls without first examining the purposes
and risks of business processes provides little context
for evaluating the results.
– Makes it difficult to know:
• Which control systems are most important.
• Whether they adequately deal with risk.
• Whether important control systems are missing.
CONTROL FRAMEWORKS
• These issues led to COSO’s development of the
ERM framework.
– Takes a risk-based, rather than controls-based,
approach to the organization.
– Oriented toward future and constant change.
– Incorporates rather than replaces COSO’s internal
control framework and contains three additional
elements:
• Setting objectives.
• Identifying positive and negative events that may affect the
company’s ability to implement strategy and achieve
objectives.
• Developing a response to assessed risk.
INTERNAL ENVIRONMENT
• The most critical component
of the ERM and the internal
control framework.
• Is the foundation on which the
other seven components rest.
• Influences how organizations:
– Establish strategies and
objectives
– Structure business activities
– Identify, assess, and respond
to risk
• A deficient internal control
environment often results in
risk management and control
breakdowns.
INTERNAL ENVIRONMENT
• Management’s Philosophy, Operating Style,
and Risk Appetite
– An organization’s management has shared beliefs
and attitudes about risk.
– That philosophy affects everything the organization
does, long- and short-term, and affects their
communications.
– Companies also have a risk appetite, which is the
amount of risk a company is willing to accept to
achieve its goals and objectives.
– That appetite needs to be in alignment with company
strategy.
INTERNAL ENVIRONMENT
• The Board of Directors
– An active and involved board of directors
plays an important role in internal control.
– They should:
• Oversee management
• Scrutinize management’s plans, performance, and
activities
• Approve company strategy
• Review financial results
• Annually review the company’s security policy
• Interact with internal and external auditors
INTERNAL ENVIRONMENT
• Public companies must have an audit
committee, composed entirely of independent,
outside directors.
– The audit committee oversees:
• The company’s internal control structure;
• Its financial reporting process;
• Its compliance with laws, regulations, and standards.
– Works with the corporation’s external and internal
auditors.
• Hires, compensates, and oversees the auditors.
• Auditors report all critical accounting policies and practices to
the audit committee.
– Provides an independent review of management’s
actions.
INTERNAL ENVIRONMENT
• Commitment to Integrity, Ethical
Values, and Competence
– Management must create an organizational
culture that stresses integrity and commitment
to both ethical values and competence.
• Ethical standards of behavior make for good
business.
• Tone at the top is everything.
• Employees will watch the actions of the CEO, and
the message of those actions (good or bad) will
tend to permeate the organization.
INTERNAL ENVIRONMENT
• Companies can endorse integrity as a basic
operating principle by actively teaching and
requiring it.
– Management should:
• Make it clear that honest reports are more important than
favorable ones.
– Management should avoid:
• Unrealistic expectations, incentives or temptations.
• Attitude of earnings or revenue at any price.
• Overly aggressive sales practices.
• Unfair or unethical negotiation practices.
• Implied kickback offers.
• Excessive bonuses.
• Bonus plans with upper and lower cutoffs.
• Management should develop clearly stated
policies that explicitly describe honest and
dishonest behaviors, often in the form of a
written code of conduct.
– In particular, such a code would cover issues that are
uncertain or unclear.
– Dishonesty often appears when situations are gray
and employees rationalize the most expedient action
as opposed to making a right vs. wrong choice.
• Management should require employees to report
dishonest, illegal, or unethical behavior and discipline
employees who knowingly fail to report.
– Reports of dishonest acts should be thoroughly investigated.
– Those found guilty should be dismissed.
– Prosecution should be undertaken when possible, so that other
employees are clear about consequences.
• Companies must make a commitment to competence.
– Begins with having competent employees.
– Varies with each job but is a function of knowledge, experience,
training, and skills.
• The levers of control, particularly beliefs
and boundary systems, can be used to
create the kind of commitment to integrity
an organization wants.
– Requires more than lip service and signing
forms.
– Must be systems in which top management
actively participates in order to:
• Demonstrate the importance of the system.
• Create buy-in and a team spirit.
• Organizational Structure
– A company’s organizational structure defines
its lines of authority, responsibility, and
reporting.
• Provides the overall framework for planning,
directing, executing, controlling, and monitoring its
operations.
• Methods of Assigning Authority and
Responsibility
– Management should make sure:
• Employees understand the entity’s objectives.
• Authority and responsibility for business objectives are
assigned to specific departments and individuals.
– Ownership of responsibility encourages employees to
take initiative in solving problems and holds them
accountable for achieving objectives.
– Management:
• Must be sure to identify who is responsible for the IS security
policy.
• Should monitor results so decisions can be reviewed and, if
necessary, overruled.
• Authority and responsibility are assigned through:
– Formal job descriptions
– Employee training
– Operating plans, schedules, and budgets
– Codes of conduct that define ethical behavior, acceptable
practices, regulatory requirements, and conflicts of interest
– Written policies and procedures manuals (a good job reference
and job training tool), which cover:
• Proper business practices
• Knowledge and experience needed by key personnel
• Resources provided to carry out duties
• Policies and procedures for handling particular transactions
• The organization’s chart of accounts
• Sample copies of forms and documents
• Human Resources Standards
– Employees are both the company’s greatest control
strength and the greatest control weakness.
– Organizations can implement human resource
policies and practices with respect to hiring, training,
compensating, evaluating, counseling, promoting, and
discharging employees that send messages about the
level of competence and ethical behavior required.
– Policies on working conditions, incentives, and career
advancement can powerfully encourage efficiency
and loyalty and reduce the organization’s vulnerability.
• Hiring
– Should be based on educational background,
relevant work experience, past achievements,
honesty and integrity, and how well
candidates meet written job requirements.
– Employees should undergo a formal, in-depth
employment interview.
– Resumes, reference letters, and thorough
background checks are critical.
• Background checks can involve:
– Verifying education and experience
– Talking with references
– Checking for criminal records, credit issues, and other
publicly available data.
– Note that you must have the employee’s or
candidate’s written permission to conduct a
background check, but that permission does not need
to have an expiration date.
– Background checks are important because recent
studies show that about 50% of resumes have been
falsified or embellished.
• Sometimes professional firms are hired to do the
background checks because applicants are
becoming more aggressive in their deceptions.
– Some get phony degrees from online “diploma mills.”
• A Pennsylvania district attorney recently filed suit against a
Texas “university” for issuing an MBA to the DA’s 6-year-old
black cat.
– Others actually hack (or hire someone to hack) into
the systems of universities to create or alter
transcripts and other academic data.
• No employee should be exempted from
background checks. Anyone from the custodian
to the company president is capable of
committing fraud, sabotage, etc.
• Compensating
– Employees should be paid a fair and
competitive wage.
– Poorly compensated employees are more
likely to feel the resentment and financial
pressures that lead to fraud.
– Appropriate incentives can motivate and
reinforce outstanding performance.
• Policies on Training
– Training programs should familiarize new employees
with:
• Their responsibilities.
• Expected performance and behavior.
• Company policies, procedures, history, culture, and
operating style.
– Training needs to be ongoing, not just one-time.
– Companies that shortchange training are more likely
to experience security breaches and fraud.
– Punishment for fraud and unethical behavior.
• Employees should know the consequences (e.g.,
reprimand, dismissal, prosecution) of bad behavior.
• Should be disseminated as a consequence rather
than a threat.
• EXAMPLE: “Using a computer to steal or commit
fraud is a federal crime, and anyone doing so
faces immediate dismissal and/or prosecution.”
• The company should display notices of program
and data ownership and advise employees of the
penalties of misuse.
• Training can take place through:
– Informal discussions
– Formal meetings
– Periodic memos
– Written guidelines
– Codes of ethics
– Circulating reports of unethical behavior and
its consequences
– Promoting security and fraud training
programs
• Discharging
– Fired employees are disgruntled employees.
– Disgruntled employees are more likely to
commit sabotage or fraud against the
company.
– Employees who are terminated (whether
voluntarily or involuntarily) should be removed
from sensitive jobs immediately and denied
access to information systems.
• In addition to the preceding policies, the
company should seek prosecution and
incarceration of hackers and fraud perpetrators.
• Most fraud cases and hacker attacks go
unreported. They are not prosecuted for several
reasons.
– Companies fear:
• Public relations nightmares
• Copycat attacks
– But unreported fraud and intrusions create a false
sense of security.
– Law enforcement officials and courts are busy with
violent crimes and may regard teen hacking as
“childish pranks.”
– Fraud is difficult, costly, and time-consuming to
investigate and prosecute.
– Law enforcement officials, lawyers, and judges often
lack the computer skills needed to investigate,
prosecute, and evaluate computer crimes.
– When cases are prosecuted and a conviction
obtained, penalties are often very light. Judges often
regard the perps as “model citizens.”
• External influences
– External influences that affect the control
environment include requirements imposed
by:
• FASB
• PCAOB
• SEC
• Insurance commissions
• Regulatory agencies for banks, utilities, etc.
OBJECTIVE SETTING
• Objective setting is the
second ERM
component.
• It must precede many
of the other six
components.
• For example, you must
set objectives before
you can define events
that affect your ability
to achieve objectives.
• As a rule of thumb:
– The mission and strategic objectives are
stable.
– The strategy and other objectives are more
dynamic:
• Must be adapted to changing conditions.
• Must be realigned with strategic objectives.
• Operations objectives:
– Are a product of management preferences,
judgments, and style
– Vary significantly among entities:
• One may adopt technology; another waits until the
bugs are worked out.
– Are influenced by and must be relevant to the
industry, economic conditions, and
competitive pressures.
– Give clear direction for resource allocation—a
key success factor.
EVENT IDENTIFICATION
• Events are:
– Incidents or occurrences that emanate from internal or
external sources that affect implementation of strategy or
achievement of objectives.
– Impact can be positive, negative, or both.
– Events can range from obvious to obscure.
– Effects can range from inconsequential to highly significant.
• Some of these factors include:
– External factors:
• Economic factors:
– Availability of capital; lower or higher costs of capital
– Lower barriers to entry, resulting in new competition
– Price movements up or down
– Ability to issue credit and possibility of default
– Concentration of competitors, customers, or vendors
– Presence or absence of liquidity
– Movements in the financial markets or currency fluctuations
– Rising or lowering unemployment rates
– Mergers or acquisitions
– Potential regulatory, contractual, or criminal legal liability
• Some of these factors include:
– External factors:
• Economic factors
• Natural environment
• Political factors
• Social factors:
– Changing demographics, social mores, family structures, and
work/life priorities
– Consumer behavior that changes demand for products and
services or creates new buying opportunities
– Corporate citizenship
– Privacy
– Terrorism
– Human resource issues causing production shortages or
stoppages
• Some of these factors include:
– External factors:
• Economic factors
• Natural environment
• Political factors
• Social factors
• Technological factors:
– New e-business technologies that lower infrastructure costs
or increase demand for IT-based services
– Emerging technology
– Increased or decreased availability of data
– Interruptions or down time caused by external parties
RISK ASSESSMENT AND RISK RESPONSE
• The fourth and fifth components of COSO’s ERM model
are risk assessment and risk response.
• COSO indicates there are two types of risk:
– Inherent risk
• The risk that exists before management takes any steps to
control the likelihood or impact of a risk.
– Residual risk
• The risk that remains after management implements
internal controls or some other form of response to risk.
• Companies should:
– Assess inherent risk
– Develop a response
– Then assess residual risk
• The ERM model indicates four ways to respond
to risk:
– Reduce it
• The most effective way to reduce the likelihood and impact
of risk is to implement an effective system of internal
controls.
– Accept it
• Don’t act to prevent or mitigate it.
– Share it
• Transfer some of it to others via activities such as
insurance, outsourcing, or hedging.
– Avoid it
• Don’t engage in the activity that produces it.
• May require:
– Sale of a division
– Exiting a product line
– Canceling an expansion plan
• Accountants:
– Help management design effective controls to
reduce inherent risk
– Evaluate internal control systems to ensure
they are operating effectively
– Assess and reduce inherent risk using the risk
assessment and response strategy
• Event Identification
[Figure: risk assessment and risk response flowchart]
– Identify the events or threats that confront the company
– Estimate the likelihood or probability of each event occurring
– Estimate the impact of potential loss from each threat
– Identify set of controls to guard against threat
– Estimate costs and benefits from instituting controls
– Is it cost-beneficial to protect system?
• No: avoid, share, or accept risk
• Yes: reduce risk by implementing set of controls to guard
against threat
• Estimate Likelihood and Impact
– Some events pose more risk because they are more
probable than others.
– Some events pose more risk because their dollar impact
would be more significant.
– Likelihood and impact must be considered together:
• If either increases, the materiality of the event and the
need to protect against it rises.
• Identify Controls
– Management must identify one or more controls that will
protect the company from each event.
– In evaluating benefits of each control procedure, consider
effectiveness and timing.
• All other factors equal:
– A preventive control is better than a detective one.
– However, if preventive controls fail, detective controls are
needed to discover the problem, and corrective controls are
needed to recover.
– Consequently, the three complement each other, and a good
internal control system should have all three.
– Similarly, a company should use all four levers of control.
• Estimate Costs and Benefits
– It would be cost-prohibitive to create an internal control
system that provided foolproof protection against all events.
– Also, some controls negatively affect operational efficiency,
and too many controls can make it very inefficient.
• The benefits of an internal control procedure must exceed
its costs.
• Benefits can be hard to quantify, but include:
– Increased sales and productivity
– Reduced losses
– Better integration with customers and suppliers
– Increased customer loyalty
– Competitive advantages
– Lower insurance premiums
• Costs are usually easier to measure than benefits.
• Primary cost is personnel, including:
– Time to perform control procedures
– Costs of hiring additional employees to effectively
segregate duties
– Costs of programming controls into a system
• Other costs of a poor control system include:
– Lost sales
– Lower productivity
– Drop in stock price if security problems arise
– Shareholder or regulator lawsuits
– Fines and penalties imposed by governmental agencies
• The expected loss related to a risk is measured as:
– Expected loss = impact x likelihood
• The value of a control procedure is the difference between:
– Expected loss with control procedure
– Expected loss without it
• Determine Cost-Benefit Effectiveness
– After estimating benefits and costs, management
determines if the control is cost beneficial, i.e., is the cost
of implementing a control procedure less than the change in
expected loss that would be attributable to the change?
• In evaluating costs and benefits, management must consider
factors other than those in the expected benefit calculation.
– If an event threatens an organization’s existence, it may be
worthwhile to institute controls even if costs exceed
expected benefits.
– The additional cost can be viewed as a catastrophic loss
insurance premium.
• Let’s go through an example:
– Hobby Hole is trying to decide whether to install a
motion detector system in its warehouse to reduce
the probability of a catastrophic theft.
– A catastrophic theft could result in losses of $800,000.
– Local crime statistics suggest that the probability of a
catastrophic theft at Hobby Hole is 12%.
– Companies with motion detectors only have about
a .5% probability of catastrophic theft.
– The present value of purchasing and installing a
motion detector system and paying future security
costs is estimated to be about $43,000.
– Should Hobby Hole install the motion detectors?
• Expected loss without control procedure = $800,000 x .12 = $96,000.
• Expected loss with control procedure = $800,000 x .005 = $4,000.
• Estimated value of control procedure = $96,000 - $4,000 = $92,000.
• Estimated cost of control procedure = $43,000 (given).
• Benefits exceed costs by $92,000 - $43,000 = $49,000.
• In this case, Hobby Hole should probably install the motion detectors.
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 193 of 314
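The expected-loss arithmetic above, written as a reusable check. This is an added example and not part of the Romney/Steinbart slides; it reproduces the Hobby Hole numbers, then goes further than the slide in two ways: it ranks several candidate controls by net benefit, and it applies the preceding slide's caveat that a control against an event threatening the organization's existence may be kept even when its cost exceeds the expected benefit (the "insurance premium" case). The `BACKUP_SITE` figures and the `existential` flag are constructed for illustration.

```python
"""Expected-loss cost/benefit test for candidate controls.

Added example, not from the Romney/Steinbart slides. Implements the
expected-loss arithmetic of the Hobby Hole example and the slide's caveat
that a control guarding against an existential event may be justified even
when its cost exceeds the expected benefit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlCase:
    name: str
    loss: float                # impact of the event if it occurs, in dollars
    p_without: float           # probability of the event with no control in place
    p_with: float              # residual probability once the control is in place
    cost: float                # present value of buying, installing and running the control
    existential: bool = False  # does the event threaten the organization's survival?


def evaluate_control(case: ControlCase) -> dict:
    """Return the expected-loss figures and the recommended risk response."""
    for p in (case.p_without, case.p_with):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    expected_loss_without = case.loss * case.p_without
    expected_loss_with = case.loss * case.p_with
    value_of_control = expected_loss_without - expected_loss_with
    net_benefit = value_of_control - case.cost
    if net_benefit >= 0:
        decision = "reduce"  # cost-beneficial: implement the control
    elif case.existential:
        # Shortfall is treated as an insurance premium against a catastrophic loss.
        decision = "reduce (insurance premium)"
    else:
        decision = "avoid, share, or accept"
    return {
        "expected_loss_without": expected_loss_without,
        "expected_loss_with": expected_loss_with,
        "value_of_control": value_of_control,
        "net_benefit": net_benefit,
        "decision": decision,
    }


def rank_controls(cases: list[ControlCase]) -> list[tuple[str, float]]:
    """Order candidate controls by net benefit, highest first."""
    scored = [(c.name, evaluate_control(c)["net_benefit"]) for c in cases]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Figures from the Hobby Hole example on the slide.
HOBBY_HOLE = ControlCase("motion detectors", loss=800_000, p_without=0.12,
                         p_with=0.005, cost=43_000)

# Constructed second case (not from the slides): the control costs more than its
# expected benefit, but the event is one the firm would not survive.
BACKUP_SITE = ControlCase("off-site backup", loss=5_000_000, p_without=0.01,
                          p_with=0.001, cost=60_000, existential=True)

if __name__ == "__main__":
    for case in (HOBBY_HOLE, BACKUP_SITE):
        print(case.name, evaluate_control(case))
    print(rank_controls([HOBBY_HOLE, BACKUP_SITE]))
```

The decision string mirrors the flowchart's branch: a non-negative net benefit means "reduce", otherwise the risk is avoided, shared, or accepted unless the existential override applies.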
RISK ASSESSMENT AND RISK RESPONSE
• Implement the Control or Avoid, Share, or Accept the Risk
– When controls are cost effective, they should be implemented so risk can be reduced.
[Figure: the risk assessment and response flowchart, repeated.]
RISK ASSESSMENT AND RISK RESPONSE
• Risks that are not reduced must be accepted, shared, or avoided.
– If the risk is within the company’s risk tolerance, they will typically accept the risk.
– A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
– An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
[Figure: the risk assessment and response flowchart, repeated.]
CONTROL ACTIVITIES
• The sixth component of
COSO’s ERM model.
• Control activities are
policies, procedures,
and rules that provide
reasonable assurance
that management’s
control objectives are
met and their risk
responses are carried
out.
CONTROL ACTIVITIES
• It is management’s responsibility to develop a
secure and adequately controlled system.
– Controls are much more effective when built in on the
front end.
– Consequently, systems analysts, designers, and end
users should be involved in designing adequate
computer-based control systems.
• Management must also establish a set of
procedures to ensure control compliance and
enforcement.
– Usually the purview of the information security officer
and the operations staff.
CONTROL ACTIVITIES
• Generally, control procedures fall into one
of the following categories:
– Proper authorization of transactions and
activities
– Segregation of duties
– Project development and acquisition controls
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance
CONTROL ACTIVITIES
• Proper Authorization of Transactions
and Activities
– Management lacks the time and resources to
supervise each employee activity and
decision.
– Consequently, they establish policies and
empower employees to perform activities
within policy.
– This empowerment is called authorization
and is an important part of an organization’s
control procedures.
CONTROL ACTIVITIES
• Typically at least two levels of authorization:
– General authorization
• Management authorizes employees to handle routine
transactions without special approval.
– Special authorization
• For activities or transactions that are of significant
consequences, management review and approval is
required.
• Might apply to sales, capital expenditures, or write-offs over a
particular dollar limit.
• Management should have written policies for
both types of authorization and for all types of
transactions.
CONTROL ACTIVITIES
• Segregation of Duties
– Good internal control requires that no single
employee be given too much responsibility
over business transactions or processes.
– An employee should not be in a position to
commit and conceal fraud or unintentional
errors.
– Segregation of duties is discussed in two
sections:
• Segregation of accounting duties
• Segregation of duties within the systems function
CONTROL ACTIVITIES
[Figure: segregation of accounting duties, animated over several image-only slides: a ledger balance of $1,000, later shown altered to $900.]
CONTROL ACTIVITIES
[Figure: the three groups of accounting functions, separated by colored "fences".]
CUSTODIAL FUNCTIONS
• Handling cash
• Handling inventories, tools, or fixed assets
• Writing checks
• Receiving checks in mail
RECORDING FUNCTIONS
• Preparing source documents
• Maintaining journals, ledgers, or other files
• Preparing reconciliations
• Preparing performance reports
AUTHORIZATION FUNCTIONS
• Authorization of transactions
• EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft.
• SOLUTION: The pink fence (segregation of custody and recording) prevents employees from falsifying records to conceal theft of assets entrusted to them.
CONTROL ACTIVITIES
• EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep records related to the transactions can authorize and record fictitious payments that might, for example, be sent to the employee’s home address or the address of a shell company he creates.
• SOLUTION: The purple fence (segregation of recording and authorization) prevents employees from falsifying records to cover up inaccurate or false transactions that were inappropriately authorized.
[Figure: the same custodial, recording, and authorization function boxes, with the purple fence between recording and authorization.]
CONTROL ACTIVITIES
[Figure: the segregation-of-duties illustration with a ledger balance of $1,000, captioned "If this happens . . ."]
CONTROL ACTIVITIES
• Employees can collude with other employees or
with customers or vendors.
• The most frequent form of employee/vendor
collusions include:
– Billing at inflated prices
– Performing substandard work and receiving full
payment
– Payment for non-performance
– Duplicate billings
– Improperly funneling more work to or purchasing
more goods from a colluding company
CONTROL ACTIVITIES
• Segregation of Duties Within the
Systems Function
– In a highly integrated information system,
procedures once performed by separate
individuals are combined.
– Therefore, anyone who has unrestricted
access to the computer, its programs, and live
data could have the opportunity to perpetrate
and conceal fraud.
– To combat this threat, organizations must
implement effective segregation of duties
within the IS function.
CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly among the following functions:
– Systems administration
• Responsible for ensuring that the different parts of an information system operate smoothly and efficiently.
– Network management
• Ensures that all applicable devices are linked to the organization’s internal and external networks and that the networks operate continuously and properly.
– Security management
• Ensures that all aspects of the system are secure and protected from internal and external threats.
– Change management
• Manages changes to the organization’s information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.
– Users
• Record transactions, authorize data to be processed, and use system output.
– Systems analysts
• Help users determine their information needs and design systems to meet those needs.
– Programming
• Use design provided by the systems analysts to write the computer programs for the information system.
– Computer operations
• Run the software on the company’s computers.
• Ensure that data are input properly, correctly processed, and needed output is produced.
– Information systems library
• Maintains custody of corporate databases, files, and programs in a separate storage area.
– Data control
• Ensures that source data have been properly approved.
• Monitors the flow of work through the computer.
• Reconciles input and output.
• Maintains a record of input errors to ensure their correction and resubmission.
• Distributes system output.
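A segregation-of-duties check that serves both the accounting-duties discussion (the custodial, recording, and authorization functions and the pink and purple fences between them) and the division of responsibility within the systems function listed above. This is an added example, not code from the Romney/Steinbart text. The custody, recording, and authorization classes and the two fences come from the slides; the third accounting pair (custody with authorization) and every IS-function conflict pair (programming against operations, change management, and the program library) are assumptions made here to show the same check applied to the IS roles. The duty names and the sample assignment table are constructed.

```python
"""Segregation-of-duties (SoD) conflict check over duty assignments.

Added example, not from the Romney/Steinbart slides. The accounting classes
(custody, recording, authorization) and the pink and purple fences come from
the slides; the IS-function classes and all conflict pairs marked "assumed"
are assumptions made here.
"""
from itertools import combinations

# Each concrete duty maps to the class of function it belongs to.
DUTY_CLASS = {
    # Accounting duties, from the custodial / recording / authorization columns.
    "handle_cash": "custody",
    "write_checks": "custody",
    "receive_checks_in_mail": "custody",
    "prepare_source_documents": "recording",
    "maintain_ledgers": "recording",
    "prepare_reconciliations": "recording",
    "authorize_transactions": "authorization",
    # IS duties (assumed classification, not from the slides).
    "write_programs": "programming",
    "run_production_jobs": "operations",
    "approve_changes": "change_management",
    "maintain_program_library": "library",
}

# Class pairs that one person must not hold at the same time.
CONFLICTS = {
    frozenset({"custody", "recording"}),              # the slide's pink fence
    frozenset({"recording", "authorization"}),        # the slide's purple fence
    frozenset({"custody", "authorization"}),          # assumed: third side of the triangle
    frozenset({"programming", "operations"}),         # assumed: coder must not run live jobs
    frozenset({"programming", "change_management"}),  # assumed: coder must not approve own change
    frozenset({"programming", "library"}),            # assumed: coder must not hold production copies
}


def classes_held(duties):
    """Translate a person's duties into the set of function classes they hold."""
    return {DUTY_CLASS[duty] for duty in duties}  # KeyError flags an unclassified duty


def find_conflicts(assignments):
    """Per person, the conflicting class pairs held alone. Clean people are omitted."""
    report = {}
    for person, duties in assignments.items():
        held = sorted(classes_held(duties))
        pairs = [pair for pair in combinations(held, 2) if frozenset(pair) in CONFLICTS]
        if pairs:
            report[person] = pairs
    return report


def collusion_pairs(assignments):
    """Pairs of people who between them cover both sides of a conflict.

    A fence stops one person; it does not stop two who agree to collude, so
    this is the list a reviewer watches with independent checks.
    """
    held = {person: classes_held(duties) for person, duties in assignments.items()}
    found = set()
    for p1, p2 in combinations(sorted(held), 2):
        for conflict in CONFLICTS:
            a, b = sorted(conflict)
            if (a in held[p1] and b in held[p2]) or (b in held[p1] and a in held[p2]):
                found.add((p1, p2, a, b))
    return sorted(found)


# Constructed assignment table, not from the slides.
SAMPLE_ASSIGNMENTS = {
    "alice": {"handle_cash", "maintain_ledgers"},        # custody + recording: pink fence breached
    "bob": {"authorize_transactions"},
    "carol": {"write_programs", "run_production_jobs"},  # programming + operations (assumed conflict)
    "dave": {"prepare_reconciliations"},
}

if __name__ == "__main__":
    for person, pairs in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{person}: holds conflicting classes {pairs}")
    for p1, p2, a, b in collusion_pairs(SAMPLE_ASSIGNMENTS):
        print(f"{p1} + {p2} together cover {a} and {b}")
```

`find_conflicts` is the fence: it flags any single person who could both commit and conceal. `collusion_pairs` is the reminder on the slide that follows the fences, that two cooperating people can still cross one, which is why the page pairs segregation with independent checks on performance.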
CONTROL ACTIVITIES
• Project Development and Acquisition Controls
– It’s important to have a formal, appropriate, and proven
methodology to govern the development, acquisition,
implementation, and maintenance of information systems and
related technologies.
• Should contain appropriate controls for:
– Management review and approval
– User involvement
– Analysis
– Design
– Testing
– Implementation
– Conversion
• Should make it possible for management to trace information
inputs from source to disposition and vice versa (the audit
trail).
CONTROL ACTIVITIES
• The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
– Strategic master plan
• A multi-year strategic plan should align the organization’s information system with its business strategies and show the projects that must be completed to achieve the long-range goals.
• Should address hardware, software, personnel, and infrastructure requirements.
• Each year, the board and top management should prepare and approve the plan and its supporting budget.
• Should be evaluated several times a year to ensure the organization can acquire needed components and maintain existing ones.
– Project controls
• A project development plan shows how a project will be completed, including:
– Modules or tasks to be performed
– Who will perform them
– Anticipated completion dates
– Project costs
• Project milestones should be specified: points when progress is reviewed and actual completion times are compared to estimates.
• Each project should be assigned to a manager and team who are responsible for its success or failure.
• At project completion, a project evaluation of the team members should be performed.
– Data processing schedule
• Data processing tasks should be organized according to a schedule to maximize the use of scarce computer resources.
– Steering committee
• A steering committee should guide and oversee systems development and acquisition.
– System performance measurements
• To be evaluated properly, a system should be assessed with measures such as:
– Throughput (output per unit of time)
– Utilization (percent of time it is used productively)
– Response time (how long it takes to respond)
– Post-implementation review
• A review should be performed after a development project is completed to determine if the anticipated benefits were achieved.
• Helps control project development activities and encourage accurate and objective initial cost and benefit estimates.
CONTROL ACTIVITIES
• To simplify and improve systems development,
some companies hire a systems integrator—a
vendor who uses common standards and
manages the development effort using their own
personnel and those of the client and other
vendors.
– Many companies rely on the integrator’s assurance
that the project will be completed on time.
– Unfortunately, the integrator is often wrong.
– These third-party systems development projects are
subject to the same cost overruns and missed
deadlines as systems developed internally.
CONTROL ACTIVITIES
• When using systems integrators, companies should adhere to the same basic rules used for project management of internal projects. In addition, they should:
– Develop clear specifications
• Before third parties bid, provide clear specifications, including:
– Exact descriptions and definitions of the system
– Explicit deadlines
– Precise acceptance criteria
• While it’s expensive to develop these specifications, it will save money in the end.
– Monitor the systems integration project
• A sponsors committee should monitor third-party development projects.
– Established by the CIO and chaired by the project’s internal champion.
– Should include department managers from all units that will use the system.
– Should establish formal procedures for measuring and reporting project status.
– Best approach is to:
• Divide project into manageable tasks.
• Assign responsibility for each task.
• Meet on a regular basis (at least monthly) to review progress and assess quality.
CONTROL ACTIVITIES
• Design and Use of Adequate Documents and
Records
– Proper design and use of documents and records
helps ensure accurate and complete recording of all
relevant transaction data.
– Form and content should be kept as simple as
possible to:
• Promote efficient record keeping
• Minimize recording errors
• Facilitate review and verification
– Documents that initiate a transaction should contain a
space for authorization.
– Those used to transfer assets should have a space
for the receiving party’s signature.
CONTROL ACTIVITIES
• Safeguard Assets, Records, and Data
– When people consider safeguarding assets, they
most often think of cash and physical assets, such as
inventory and equipment.
– Another company asset that needs to be protected is
information.
– According to the ACFE’s 2004 National Fraud Survey, theft of information made up only 17.3% of non-cash misappropriations; however, the median cost of an information theft was $340,000. This cost was 126% higher than the next most costly non-cash asset theft. (Equipment theft had a median cost of $150,000.)
CONTROL ACTIVITIES
• Insiders also create less-intentional threats to
systems, including:
– Accidentally deleting company data
– Turning viruses loose
– Trying to fix hardware or software without appropriate
expertise (i.e., when in doubt, unplug it).
• These actions can result in crashed networks,
corrupt data, and hardware and software
malfunctions.
• Companies also face significant risks from
customers and vendors that have access to
company data.
CONTROL ACTIVITIES
• Many steps can be taken to safeguard both information and physical assets from theft, unauthorized use, and vandalism. Chapters 7 and 8 discuss computer-based controls. In addition, it is important to:
– Maintain accurate records of all assets
• Periodically reconcile recorded amounts to physical counts.
– Restrict access to assets
– Protect records and documents
• Use fireproof storage areas, locked filing cabinets, and backup of files (including copies at off-site locations).
• Limit access to blank checks and documents to authorized personnel.
CONTROL ACTIVITIES
[Figure: independent checks on performance, illustrated over several image-only slides with a ledger balance of $1,000.]
CONTROL ACTIVITIES
• The following independent checks are typically used:
– Top-level reviews
– Analytical reviews
– Reconciliation of independently maintained sets of records
– Comparison of actual quantities with recorded amounts
– Double-entry accounting
– Independent review
• After one person processes a transaction, another reviews their work.
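A worked reconciliation that serves two of the points above: "reconciliation of independently maintained sets of records" and "comparison of actual quantities with recorded amounts", which is also the periodic reconciliation of recorded amounts to physical counts called for under safeguarding assets. This is an added example, not code from the Romney/Steinbart text. It compares a recorded quantity (the ledger or perpetual record kept by the record keeper) with a figure obtained independently (a physical count or a bank statement) item by item and lists every variance outside a tolerance. The `item,quantity` input format and the ledger and count data are constructed for the example; the $1,000 recorded against $900 counted echoes the figure on the preceding slides.

```python
"""Reconciliation of independently maintained records.

Added example, not from the Romney/Steinbart slides. Compares a recorded
quantity with an independently obtained one item by item and reports every
variance outside a tolerance. Running the comparison in code the record
keeper does not control is what keeps the check independent.
"""
from decimal import Decimal, InvalidOperation


def parse_records(text):
    """Parse 'item,quantity' lines (constructed sample format) into {item: Decimal}."""
    records = {}
    for lineno, raw in enumerate(text.strip().splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            item, qty = (field.strip() for field in line.split(","))
            quantity = Decimal(qty)
        except (ValueError, InvalidOperation) as exc:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}") from exc
        if item in records:
            raise ValueError(f"line {lineno}: duplicate entry for {item}")
        records[item] = quantity
    return records


def reconcile(recorded, counted, tolerance="0"):
    """Return (item, recorded, counted, variance, reason) for every exception.

    variance is counted minus recorded, so a negative number is a shortage.
    Items present in only one record are always reported.
    """
    tol = Decimal(tolerance)
    exceptions = []
    for item in sorted(set(recorded) | set(counted)):
        rec, cnt = recorded.get(item), counted.get(item)
        if rec is None:
            exceptions.append((item, None, cnt, cnt, "counted but not recorded"))
        elif cnt is None:
            exceptions.append((item, rec, None, -rec, "recorded but not counted"))
        elif abs(cnt - rec) > tol:
            exceptions.append((item, rec, cnt, cnt - rec, "quantity variance"))
    return exceptions


def net_shortage(exceptions):
    """Sum of the negative variances: assets recorded but not found."""
    return sum((e[3] for e in exceptions if e[3] < 0), Decimal("0"))


# Constructed sample data, not from the slides. LEDGER is what the record keeper
# reports; PHYSICAL_COUNT is what an independent counter found.
LEDGER = """
# item,quantity
widget-a,1000
widget-b,250
cash-drawer-1,1000.00
"""

PHYSICAL_COUNT = """
widget-a,1000
widget-b,240
cash-drawer-1,900.00
spare-part-x,5
"""

EXCEPTIONS = reconcile(parse_records(LEDGER), parse_records(PHYSICAL_COUNT))

if __name__ == "__main__":
    for item, rec, cnt, var, reason in EXCEPTIONS:
        print(f"{item:14} recorded={rec} counted={cnt} variance={var} ({reason})")
    print("net shortage:", net_shortage(EXCEPTIONS))
```

Quantities are parsed as `Decimal` rather than `float` so that a $0.01 variance in a cash count is reported exactly instead of disappearing into rounding; the tolerance argument lets a reviewer separate count noise from exceptions that need follow-up.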
INFORMATION AND COMMUNICATION
• The seventh component of
COSO’s ERM model.
• The primary purpose of the AIS is
to gather, record, process, store,
summarize, and communicate
information about an organization.
• So accountants must understand
how:
– Transactions are initiated
– Data are captured in or
converted to machine-readable
form
– Computer files are accessed
and updated
– Data are processed
– Information is reported to
internal and external parties
MONITORING
• The eighth
component of
COSO’s ERM
model.
• Monitoring can be
accomplished with a
series of ongoing
events or by
separate
evaluations.
MONITORING
• Key methods of monitoring performance include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
MONITORING
• Cost parameters can be entered to balance acceptable levels of risk tolerance and cost-effectiveness.
• Software is also available to monitor and combat viruses, spyware, spam, pop-up ads, and to prevent browsers from being hijacked.
• Such software also helps companies recover from frauds and malicious actions and restore systems to pre-incident status.
• System transactions and activities should be recorded in a log which indicates who accessed what data, when, and from which terminal.
• Logs should be reviewed frequently to monitor system activity and trace any problems to their source.
• Data collected can be used to:
– Evaluate employee productivity;
– Control company costs;
– Fight corporate espionage and other attacks; and
– Comply with legal requirements.
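The log review described above, as an added example that is not part of the textbook slides. It works over a constructed sample log whose format (timestamp, user, action, data item, terminal) and whose user profiles, terminal assignments and business hours are all assumptions made for this illustration. It shows the two uses the slide names: tracing a problem with one data item back to who changed it, when and from where, and a routine review that picks out activity a supervisor should look at.

```python
"""Audit-log review: who accessed what data, when, and from which terminal.
Added example with constructed data; the log format, user profiles and
business hours are assumptions for this illustration, not from the textbook."""
from datetime import datetime, time

# Constructed sample log. Each line: timestamp|user|action|data item|terminal
SAMPLE_LOG = """\
2006-03-14T09:02:11|jdoe|READ|AR.customer_balance:1042|TERM-AR-01
2006-03-14T09:15:47|jdoe|UPDATE|AR.customer_balance:1042|TERM-AR-01
2006-03-14T12:40:03|mlee|READ|AP.vendor_master:77|TERM-AP-03
2006-03-14T22:17:55|mlee|UPDATE|AR.customer_balance:1042|TERM-AP-03
2006-03-15T08:03:19|audit|READ|AR.customer_balance:1042|TERM-IA-02
"""

# Constructed user profiles: the application area (prefix before the dot in a
# data item) each user may update, and the terminals they work from.
USER_PROFILES = {
    "jdoe": {"area": "AR", "terminals": {"TERM-AR-01"}},
    "mlee": {"area": "AP", "terminals": {"TERM-AP-03"}},
    "audit": {"area": None, "terminals": {"TERM-IA-02"}},  # read-only reviewer
}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed business hours


def parse_log(text):
    """Parse the raw log into event dicts (who/what/when/where), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, item, terminal = line.split("|")
        events.append({
            "when": datetime.fromisoformat(stamp),
            "who": user,
            "action": action,
            "what": item,
            "where": terminal,
        })
    events.sort(key=lambda e: e["when"])
    return events


def trace_to_source(events, item):
    """Trace a problem with one data item back to its source: every change
    to it, in order, with the user, time and terminal responsible."""
    return [
        (e["who"], e["when"].isoformat(), e["where"])
        for e in events
        if e["what"] == item and e["action"] == "UPDATE"
    ]


def review_log(events):
    """Return the events a reviewer should examine, each with its reasons:
    an update outside business hours, activity from a terminal not assigned
    to the user, or an update to data outside the user's own area."""
    findings = []
    for e in events:
        profile = USER_PROFILES.get(e["who"], {"area": None, "terminals": set()})
        reasons = []
        clock = e["when"].time()
        if e["action"] == "UPDATE" and not (BUSINESS_START <= clock <= BUSINESS_END):
            reasons.append("after-hours update")
        if e["where"] not in profile["terminals"]:
            reasons.append("unassigned terminal")
        if e["action"] == "UPDATE" and e["what"].split(".")[0] != profile["area"]:
            reasons.append("update outside user's area")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for who, when, where in trace_to_source(log, "AR.customer_balance:1042"):
        print(f"changed by {who} at {when} from {where}")
    for f in review_log(log):
        print(f"REVIEW {f['who']} {f['action']} {f['what']} at {f['when']}: "
              f"{', '.join(f['reasons'])}")
```

On the sample data the trace shows two changes to the customer balance, and the review singles out the second one: an accounts-payable user updating an accounts-receivable record late in the evening. A log that lacks any one of the four fields (who, what, when, where) could not support that finding, which is why the slide lists all four.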
• Companies that monitor system activities need to ensure they do not violate employee privacy rights.
• Employers cannot discreetly observe communications of employees when those employees have a “reasonable expectation of privacy.”
• Employers must therefore ensure that employees realize their business communications are not “private.” One way to accomplish that objective is to have written policies that employees agree to in writing which indicate:
– The technology employees use on the job belongs to the company.
– Emails received on company computers are not private and can be read by supervisory personnel.
– Employees should not use technology in any way to contribute to a hostile work environment.
• Internal auditing involves:
– Reviewing the reliability and integrity of financial and operating information.
– Providing an appraisal of internal control effectiveness.
– Assessing employee compliance with management policies and procedures and applicable laws and regulations.
– Evaluating the efficiency and effectiveness of management.
• Most forensic accountants are CPAs and may have received special training with the FBI, CIA, or other law enforcement agencies.
– In particular demand are those with the necessary computer skills to ferret out and combat fraudsters who use sophisticated technology to perpetrate their crimes.
– The Association of Certified Fraud Examiners (ACFE) has created a professional certification program for fraud examiners.
• Common incidents investigated by computer forensic experts include:
– Improper internet usage
– Fraud
– Sabotage
– Loss, theft, or corruption of data
– Retrieving information from emails and databases that users thought they had erased
– Determining who performed certain actions on a computer
• Install Fraud Detection Software
– People who commit fraud tend to follow certain patterns and leave behind clues.
– Software has been developed to seek out these fraud symptoms.
– Some companies employ neural networks (programs that mimic the brain and have learning capabilities) which are very accurate in identifying suspected fraud.
– For example, if a husband and wife were each using the same credit card in two different stores at the same time, a neural network would probably flag at least one of the transactions immediately as suspicious.
– These networks and other recent advances in fraud detection software are significantly reducing the incidence of credit card fraud.
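The same-card-in-two-stores symptom from the example above, as an added illustration that is not from the textbook. The slide attributes the detection to a neural network; this block makes the same fraud symptom explicit as a rule instead, so the reader can see what the software is looking for. The transaction feed, the card labels (placeholders, not card numbers) and the ten-minute window that counts as "at the same time" are all constructed assumptions for this example; the window generalizes the slide's "same time" to purchases too close together for one cardholder to have made both.

```python
"""Rule-based screen for one card used at two different stores at (nearly)
the same time. Added example with constructed data; the feed format, card
labels and concurrency window are assumptions made for this illustration."""
from datetime import datetime, timedelta

# Constructed sample feed. Each line: card label|timestamp|store|amount
# The card labels are placeholders, not real card numbers.
SAMPLE_TRANSACTIONS = """\
CARD-A|2006-03-14T10:00:12|Store X, Springfield|42.10
CARD-A|2006-03-14T10:03:40|Store Y, Shelbyville|118.75
CARD-A|2006-03-14T14:30:05|Store X, Springfield|9.99
CARD-B|2006-03-14T10:00:00|Store Z, Springfield|25.00
CARD-B|2006-03-14T11:45:30|Store W, Springfield|60.00
"""

# Two purchases on one card at different stores closer together than this
# are treated as "at the same time" (an assumed threshold for the example).
CONCURRENCY_WINDOW = timedelta(minutes=10)


def parse_transactions(text):
    """Parse the raw feed into dicts, sorted by card and then by time."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        card, stamp, store, amount = line.split("|")
        txns.append({
            "card": card,
            "when": datetime.fromisoformat(stamp),
            "store": store,
            "amount": float(amount),
        })
    txns.sort(key=lambda t: (t["card"], t["when"]))
    return txns


def find_concurrent_use(txns, window=CONCURRENCY_WINDOW):
    """Flag each transaction that follows another on the same card, at a
    different store, within `window`. Returns (card, earlier, later) tuples;
    the later transaction is the one to hold for review, which matches the
    slide's "flag at least one of the transactions"."""
    alerts = []
    previous = {}  # card label -> most recent transaction seen for that card
    for t in sorted(txns, key=lambda t: (t["card"], t["when"])):
        prior = previous.get(t["card"])
        if (prior is not None
                and prior["store"] != t["store"]
                and t["when"] - prior["when"] <= window):
            alerts.append((t["card"], prior, t))
        previous[t["card"]] = t
    return alerts


def held_transactions(txns, window=CONCURRENCY_WINDOW):
    """Convenience view for a reviewer: (card, time, store, amount) of each
    transaction the rule would hold."""
    return [
        (card, later["when"].isoformat(), later["store"], later["amount"])
        for card, _earlier, later in find_concurrent_use(txns, window)
    ]


if __name__ == "__main__":
    feed = parse_transactions(SAMPLE_TRANSACTIONS)
    for card, earlier, later in find_concurrent_use(feed):
        print(f"{card}: {earlier['store']} at {earlier['when'].time()} and "
              f"{later['store']} at {later['when'].time()} -> hold second purchase")
```

On the sample feed the rule holds the Shelbyville purchase on CARD-A, made three and a half minutes after one in Springfield, and leaves CARD-B alone because its two purchases are nearly two hours apart. A learning system of the kind the slide describes would weigh many more symptoms than this one, but each of them is a pattern of exactly this sort.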
• Outsourcing the fraud hotline is available through a number of third parties and offers several benefits, including:
– Increased confidence on the part of the employee that his/her report is truly anonymous.
– 24/7 availability.
– Multilingual capabilities are often available, an important plus for multinational organizations.
– The outsourcer may be able to follow up with the employee if additional information is needed after the initial contact.
– The employee can be advised of the outcome of his report.
– Low cost.
SUMMARY
• In this chapter, you’ve learned about basic internal control concepts and why computer control and security are so important.
• You’ve learned about the similarities and differences between the COBIT, COSO, and ERM control frameworks.
• You’ve learned about the major elements in the internal control environment of a company and the four types of control objectives that companies need to set.
• You’ve also learned about events that affect uncertainty and how these events can be identified.
• You’ve explored how the Enterprise Risk Management model is used to assess and respond to risk, as well as the control activities that are commonly used in companies.
• Finally, you’ve learned how organizations communicate information and monitor control processes.