AIS- Chapters 1-3

The document discusses the structure and function of information systems from an accountant's perspective, emphasizing the importance of information as a business resource. It outlines the flow of information within organizations, the distinction between systems and subsystems, and the role of accountants in managing and auditing these systems. Additionally, it covers transaction processing cycles, documentation techniques, and the evolution of information system models.

Uploaded by

Lee Ann Fermil
Copyright © All Rights Reserved
CHAPTER 1:
THE INFORMATION SYSTEM: AN ACCOUNTANT’S PERSPECTIVE

The Information Environment
• The study of AIS begins with the recognition that information is a business resource
• Information flows out from the organization to external users, such as customers, suppliers, and stakeholders who have an interest in the firm

[Figure: Internal and External Flows of Information]

Information within the organization flows in two directions:
• Horizontal Flow
  Supports operations-level tasks with highly detailed information about the many business transactions affecting the firm
• Vertical Flow
  Distributes information downward from senior managers to junior managers and operations personnel in the form of instructions, quotas, and budgets

External users fall into two groups:
1. Trading partners
  • Exchanges with trading partners include customer sales and billing information, purchase information for suppliers, and inventory receipt information
2. Stakeholders
  • Entities outside (or inside) the organization with a direct or indirect interest in the firm
  • stockholders, financial institutions, and government agencies
  • Information exchanges with these groups include financial statements, tax returns, and stock transaction information
  • Inside stockholders include accountants and internal auditors

System
• Generates mental images of computers and programming

Natural Systems
• range from the atom to the universe

Artificial Systems
• man-made; these systems include everything from clocks to submarines and social systems to information systems

Elements of a System
• Multiple components
  • A system must contain more than one part
• Relatedness
  • A common purpose relates the multiple parts of the system
  • Although each part functions independently of the others, all parts serve a common objective
  • If a particular component does not contribute to the common goal, then it is not part of the system

System versus Subsystem
• A system is called a subsystem when it is viewed in relation to the larger system of which it is a part
• A subsystem is called a system when it is the focus of attention

System decomposition
• Decomposition is the process of dividing the system into smaller subsystem parts
• a convenient way of representing, viewing, and understanding the relationships among subsystems
• By decomposing a system, we can present the overall system as a hierarchy and view the relationships between subordinate and higher-level subsystems

Subsystem Interdependency
• A system’s ability to achieve its goal depends on the effective functioning and harmonious interaction of its subsystems
• If a vital subsystem fails or becomes defective and can no longer meet its specific objective, the overall system will fail to meet its objective

An Information Systems Framework

Information System
• Set of formal procedures by which data are collected, processed into information, and distributed to users

Transaction
An event that affects or is of interest to the organization and is processed by its information system as a unit of work

1. Financial Transaction
  • economic event that affects the assets and equities of the organization, is reflected in its accounts, and is measured in monetary terms
  • Sale of product to customers, purchases of inventory from vendors, and cash disbursements and receipts
  • Every business organization is legally bound to correctly process these types of transactions

2. Nonfinancial Transaction
  • Events that do not meet the narrow definition of a financial transaction
  • The firm has no legal obligation to process it correctly

Management Information System
• Processes nonfinancial transactions that are not normally processed by traditional AIS

[Figure: General Model for AIS]

Elements of the General Model
A. End users
  a. External users
    • Creditors, stockholders, potential investors, regulatory agencies, tax authorities, suppliers, and customers
  b. Internal Users
    • Include management at every level of organization, as well as operations personnel
    • The organization has a great deal of latitude in the way it meets the needs of internal users
    • Internal reporting is governed primarily by what gets the job done

B. Data Sources
  Financial transactions that enter the information system from both internal and external sources
  a. External financial transactions
    • Most common source of data for most organizations
  b. Internal financial transaction
    • Involve the exchange or movement of resources within the organization

C. Data Collection
  • First operational stage in the information system
  • Objective: ensure that event data entering the system are valid, complete, and free from material errors
  Two rules:
  1. Relevance - information system should capture only relevant data
  2. Efficiency - Efficient data collection procedures are designed to collect data only once

D. Data processing
  Tasks in the data processing stage range from simple to complex

E. Data management
  The organization’s database is its physical repository for financial and nonfinancial data.
  a. Data attribute
    • Most elemental piece of potentially useful data in the database
  b. Record
    • Complete set of attributes for a single occurrence within an entity class
  c. Files
    • A complete set of records of an identical class
  d. Data management Tasks
    • Involves three fundamental tasks: storage, retrieval, and deletion
    • Storage – assigns keys to new records and stores them in their proper location in the database
    • Retrieval – task of locating and extracting an existing record from the database for processing
    • Deletion – task of permanently removing obsolete or redundant records from the database

F. Information generation
  Process of compiling, arranging, formatting, and presenting information to users

G. Feedback
  • Form of output that is sent back to the system as a source of data
  • May be internal or external and issued to initiate or alter a process

Organizational Structure

Business Segments
• Firms organize into segments to promote internal efficiencies through specialization of labor and cost effective resource allocations
1. Geographical location
2. Product line
3. Business function

Functional Segmentation

Material Management
• Objective: plan and control the materials inventory of the company
Three sub-functions
1. Purchasing
2. Receiving
3. Stores

Production
• Production activities occur in the conversion cycle in which raw materials, labor, and plant assets are used to create finished products
A. Primary manufacturing activities
B. Production support services

Marketing
• Deals with the strategic problems of product promotion, advertising, and market research
• On an operational level, marketing performs such daily activities as sales order entry

Distribution
• Activity of getting the product to the customer after the sale
• A critical step

Personnel
• Competent and reliable employees are a valuable resource to a business

Finance
• Manages the financial resources of the firm through banking and treasury activities, portfolio management, credit evaluation, cash disbursements, and cash receipts

The Accounting Function
• Manages the financial information resource of the firm
• It plays two important roles in transaction processing:
  a. Accounting captures and records the financial effects of the firm’s transactions
  b. The accounting function distributes transaction information to operations personnel to coordinate many of their key tasks

Accounting Interdependence
• Information reliability rests heavily on this concept
• Accounting activities must be separate and independent of the functional areas that maintain custody of physical resources

The Information Technology
A. Centralized Data Processing
  a. Database administration
  b. Data Processing
  c. Systems development and maintenance

Distributed Data Processing
• The topic of DDP is quite broad, touching on such related topics as end user computing, commercial software, networking, and office automation
• Involves reorganizing the IT function into small information processing units (IPUs) that are distributed to end users and placed under their control
• IPUs may be distributed according to business function, geographic location, or both

The Evolution of Information System Models
• Manual Process Model
• Flat-file Model
• Database Model
• REA Model

The Role of Accountant
Accountant as users

Accountant as Designers
a. Conceptual system
b. Physical system

Accountant as System Auditors
Auditing
a. External auditing
  • Assurance
  • IT auditing
b. Internal auditing

CHAPTER 2:
INTRODUCTION TO TRANSACTION PROCESSING

Financial transaction
• economic event that affects the assets and equities of the firm, is reflected in its accounts, and is measured in monetary terms

Similar types of transactions are grouped together into three transaction cycles:
1. Expenditure cycle
  • time lag between the two due to credit relations with suppliers
    • physical component (acquisition of goods)
    • financial component (cash disbursements to the supplier)
2. Conversion Cycle
  • the production system (planning, scheduling, and control of the physical product through the manufacturing process)
  • the cost accounting system (monitors the flow of cost information related to production)
3. Revenue cycle
  • time lag between the two due to credit relations with customers:
    • physical component (sales order processing)
    • financial component (cash receipts)

Manual System Accounting Records
• Source documents
  • used to capture and formalize transaction data needed for transaction processing
• Product documents
  • the result of transaction processing
• Turnaround documents
  • a product document of one system that becomes a source document for another system
• Journals
  • a record of chronological entry
  • Special journals - specific classes of transactions that occur in high frequency
  • general journal - nonrecurring, infrequent, and dissimilar transactions
• Ledger
  • book of financial accounts
  • general ledger - shows activity for each account listed on the chart of accounts
  • subsidiary ledger - shows activity by detail for each account type

[Figure: Flow of Economic Events Into the General Ledger]

[Figure: Accounting Records in a Computer-Based System]

Explanation of steps in Figure:
1. Compare the AR balance in the balance sheet with the master file AR control account balance.
2. Reconcile the AR control figure with the AR subsidiary account total.
3. Select a sample of update entries made to accounts in the AR subsidiary ledger and trace these to transactions in the sales journal (archive file).
4. From these journal entries, identify source documents that can be pulled from their files and verified. If necessary, confirm these source documents by contacting the customers.

Audit Trail
Accountants should be able to trace in both directions.
Sampling and confirmation are two common techniques.

[Figure: Example of Tracing an Audit Trail]


Computer-Based Systems
• The audit trail is less observable in computer-based systems than traditional manual systems.
• The data entry and computer programs are the physical trail.
• The data are stored in magnetic files.

Computer Files
• Master file - generally contains account data (e.g., general ledger and subsidiary file)
• Transaction File - a temporary file containing transactions since the last update
• Reference File - contains relatively constant information used in processing (e.g., tax tables, customer addresses)
• Archive File - contains past transactions for reference purposes

Documentation Techniques
• Documentation in a CB environment is necessary for many reasons.

Five common documentation techniques:

1. Entity Relationship Diagram
  • a documentation technique to represent the relationship between entities in a system.
  • The REA model version of ERD is widely used in AIS. REA uses 3 types of entities:
    • resources (cash, raw materials)
    • events (release of raw materials into the production process)
    • agents (inventory control clerk, vendor, production worker)
  • Cardinalities
    represent the numerical mapping between entities:
    • one-to-one
    • one-to-many
    • many-to-many

2. Data Flow Diagram
  • use symbols to represent the processes, data sources, data flows, and entities in a system
  • represent the logical elements of the system
  • do not represent the physical system

[Figure: Data Flow Diagram Symbols]

3. Document Flow Charts
  • illustrate the relationship among processes and the documents that flow between them
  • contain more details than data flow diagrams
  • clearly depict the separation of functions in a system

[Figure: Symbol Set for Document Flowcharts]

4. System flowcharts
  • are used to represent the relationship between the key elements (input sources, programs, and output products) of computer systems
  • depict the type of media being used (paper, magnetic tape, magnetic disks, and terminals)
  • in practice, not much difference between document and system flowcharts

[Figure: System Flowcharts Symbols]

5. Program Flowcharts
  • illustrate the logic used in programs

[Figure: Program Flowchart Symbols]

Modern Systems versus Legacy Systems
• Modern system characteristics
  • client-server based and process transactions in real time
  • use relational database tables
  • have high degree of process integration and data sharing
  • some are mainframe based and use batch processing
• Some firms employ legacy systems for certain aspects of their data processing.
• Accountants need to understand legacy systems.
• Legacy system characteristics
  • mainframe-based applications
  • batch oriented
  • early legacy systems use flat files for data storage
  • later legacy systems use hierarchical and network databases
  • data storage systems promote a single-user environment that discourages information integration

[Figure: Updating Master Files: Primary Keys (PK) and Secondary Keys (SK)]

Database Backup Procedures
• Destructive updates leave no backup.
• To preserve adequate records, backup procedures must be implemented, as shown below:
  • The master file being updated is copied as a backup.
  • A recovery program uses the backup to create a pre-update version of the master file.

Computer-Based Accounting Systems

Two broad classes of systems:
1. Batch systems
  • A batch is a group of similar transactions that are accumulated over time and then processed together
  • The transactions must be independent of one another during the time period over which the transactions are accumulated in order for batch processing to be appropriate
  • A time lag exists between the event and the processing.

Steps in Batch Processing / Sequential File
• Keystroke
  source documents are transcribed by clerks to magnetic tape for processing later
• Edit Run
  identifies clerical errors in the batch and places them into an error file
• Sort Run
  places the transaction file in the same order as the master file using a primary key
• Update Run
  changes the value of appropriate fields in the master file to reflect the transaction
• Backup Procedure
  the original master continues to exist and a new master file is created

Advantages of Batch Processing
• Organizations can increase efficiency by grouping large numbers of transactions into batches rather than processing each event separately.
• Batch processing provides control over the transaction process via control figures.

2. Real-Time Systems
  • process transactions individually at the moment the economic event occurs
  • have no time lag between the economic event and the processing
  • generally require greater resources than batch processing since they require dedicated processing capacity; however, these cost differentials are decreasing
  • oftentimes have longer systems development time
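
The batch steps listed above (edit run, sort run, update run, backup) and the control figures mentioned under Advantages of Batch Processing, shown as an added Python example that is not part of the original notes. The account numbers, amounts, header count and function names are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: master file held in primary-key (account number) order.
OLD_MASTER = [("1001", Decimal("250.00")),
              ("1002", Decimal("0.00")),
              ("1003", Decimal("75.50"))]

# Constructed keyed batch (account, amount) in arrival order. Two records carry
# clerical errors: an unknown account and a letter O typed in place of a zero.
BATCH = [("1003", "20.00"), ("1001", "100.00"), ("1009", "15.00"),
         ("1002", "4O.00"), ("1001", "-30.00")]
BATCH_HEADER_COUNT = 5  # record count written on the batch header at data capture


def edit_run(batch, master_keys):
    """Edit run: move records with clerical errors into an error file."""
    valid, errors = [], []
    for account, amount in batch:
        try:
            value = Decimal(amount)
        except InvalidOperation:
            value = None
        if value is None or not value.is_finite():
            errors.append((account, amount, "amount is not numeric"))
        elif account not in master_keys:
            errors.append((account, amount, "no such master record"))
        else:
            valid.append((account, value))
    return valid, errors


def sort_run(valid):
    """Sort run: put the transaction file into master-file (primary key) order."""
    return sorted(valid, key=lambda txn: txn[0])


def update_run(old_master, sorted_txns):
    """Update run: one sequential pass that writes a NEW master file.

    The old master is only read, never modified, so it survives as the backup.
    """
    new_master, i = [], 0
    for account, balance in old_master:
        while i < len(sorted_txns) and sorted_txns[i][0] == account:
            balance += sorted_txns[i][1]
            i += 1
        new_master.append((account, balance))
    if i != len(sorted_txns):
        raise ValueError("unmatched transactions left after the sequential pass")
    return new_master


def run_batch(old_master, batch, header_count):
    """Run the whole cycle and reconcile the control figures."""
    valid, errors = edit_run(batch, {key for key, _ in old_master})
    # Control figure 1: every keyed record is either processed or in the error file.
    if len(valid) + len(errors) != header_count:
        raise ValueError("record count differs from the batch header")
    new_master = update_run(old_master, sort_run(valid))
    # Control figure 2: the master total moves by exactly the valid batch total.
    batch_total = sum((amt for _, amt in valid), Decimal("0"))
    old_total = sum((bal for _, bal in old_master), Decimal("0"))
    new_total = sum((bal for _, bal in new_master), Decimal("0"))
    if new_total - old_total != batch_total:
        raise ValueError("control totals do not reconcile")
    return {"new_master": new_master, "backup": old_master,
            "errors": errors, "batch_total": batch_total}


if __name__ == "__main__":
    result = run_batch(OLD_MASTER, BATCH, BATCH_HEADER_COUNT)
    for account, balance in result["new_master"]:
        print(account, balance)
    for record in result["errors"]:
        print("error file:", record)
```

A record dropped or added between data capture and the update run changes the count and makes `run_batch` stop before any new master file is produced.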
Why do so many AIS use batch processing?
• AIS processing is characterized by high-volume, independent transactions, such as recording cash receipts checks received in the mail.
• The processing of such high-volume checks can be done during an off-peak computer time.
• This is one reason why batch processing may be done using real-time data collection.

CHAPTER 3:
ETHICS, FRAUD, AND INTERNAL CONTROL

Ethical Issues in Business
• Ethical standards are derived from societal mores and deep-rooted personal beliefs about issues of right and wrong that are not universally agreed upon
• It is quite possible for two individuals, both of whom consider themselves to be acting ethically, to be on opposite sides of an issue. Often, we confuse ethical issues with legal issues

Business Ethics
• Ethics
  • pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong
• Business ethics involves finding the answers to two questions:
  • How do managers decide what is right in conducting their business?
  • Once managers have recognized what is right, how do they achieve it?

Making Ethical Decisions
Business organizations have conflicting responsibilities to their employees, shareholders, customers, and the public. Every major decision has consequences that potentially harm or benefit these constituents.
• Proportionality
  • The benefit from a decision must outweigh the risks.
  • Furthermore, there must be no alternative decision that provides the same or greater benefit with less risk.
• Justice
  • The benefits of the decision should be distributed fairly to those who share the risks. Those who do not benefit should not carry the burden of risk.
• Minimize risk
  • Even if judged acceptable by the principles, the decision should be implemented so as to minimize all of the risks and avoid any unnecessary risks.

Computer Ethics
• analysis of the nature and social impact of computer technology
• corresponding formulation and justification of policies for the ethical use of such technology
• concerns about software as well as hardware
• concerns about networks connecting computers as well as computers themselves

Pop Computer Ethics
• exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology
• society at large needs to be aware of such things as computer viruses and computer systems designed to aid handicapped persons

Para Computer Ethics
• involves taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field

Theoretical Computer Ethics
• of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field

A NEW PROBLEM OR JUST A NEW TWIST ON AN OLD PROBLEM?

Privacy
• Full control of what and how much information about themselves is available to others, and to whom it is available.
• Creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data

Security (Accuracy and Confidentiality)
• An attempt to avoid such undesirable events as a loss of confidentiality or data integrity.
• To prevent fraud and other misuse of computer systems.

Ownership of property
• Designed to preserve real property rights to cover what is referred to as intellectual property.
• Copyright laws have been invoked in an attempt to protect those who develop software from having it copied

Equity in Access
• Some barriers to access are intrinsic to the technology of information systems, but some are avoidable through careful system design.

Environmental Issues
• Computers with high-speed printers allow for the production of printed documents faster than ever before.

Artificial Intelligence
• A new set of social and ethical issues has arisen out of the popularity of expert systems.

Unemployment and Displacement
• jobs have been and are being changed as a result of the availability of computer technology.

Misuse of Computers
• Copying proprietary software and using a company’s computer for personal benefit.

CODE OF ETHICS FOR PROFESSIONAL ACCOUNTANTS IN THE PHILIPPINES
• The Code of Ethics for Professional Accountants in the Philippines is based on the revised Code of Ethics for Professional Accountants (2006 revision) developed by the International Federation of Accountants (IFAC). The Code of Ethics is mandatory for all CPAs and is applicable to professional services performed in the Philippines on or after June 30, 2008.

Professional Behavior
• A professional accountant should comply with relevant laws and regulations and should avoid any action that discredits the profession.

Integrity
• A professional accountant should be straightforward and honest in all professional and business relationships.

Confidentiality
• A professional accountant should respect the confidentiality of information acquired as a result of professional and business relationships.

Objectivity
• A professional accountant should not allow bias, conflict of interest or undue influence of others to override professional or business judgments.

Professional Competence and Due Care
• A professional accountant has a continuing duty to maintain professional knowledge and skill at the level required to ensure that a client or employer receives competent professional service based on current developments in practice.

FRAUD AND ACCOUNTANTS

FRAUD
• Fraud denotes a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment

According to common law, a fraudulent act must meet the following five conditions:
1. False representation. There must be a false statement or a nondisclosure.
2. Material fact. A fact must be a substantial factor in inducing someone to act.
3. Intent. There must be the intent to deceive or the knowledge that one’s statement is false.
4. Justifiable reliance. The misrepresentation must have been a substantial factor on which the injured party relied.
5. Injury or loss. The deception must have caused injury or loss to the victim of the fraud.

Fraud in Business Environment
• an intentional deception, misappropriation of company’s assets, or manipulation of its financial data to the advantage of the perpetrator

In accounting literature, fraud is also commonly known as white-collar crime, defalcation, embezzlement, and irregularities.
Two Levels of Fraud
1. Employee Fraud
  • fraud by nonmanagement employees, is generally designed to directly convert cash or other assets to the employee’s personal benefit.

  Employee fraud usually involves three steps:
  1) stealing something of value (an asset),
  2) converting the asset to a usable form (cash), and
  3) concealing the crime to avoid detection.

2. Management Fraud
  • more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss

  Management fraud typically contains three special characteristics:
  1) The fraud is perpetrated at levels of management above the one to which internal control structures generally relate.
  2) The fraud frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than, in fact, it is.
  3) If the fraud involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions, often involving related third parties.

Factors that Contribute to Fraud
1. situational pressures
2. opportunities, and
3. personal characteristics (ethics)

Financial Losses From Fraud
The actual cost of fraud is difficult to quantify for a number of reasons:
1) not all fraud is detected
2) of that detected, not all is reported
3) in many fraud cases, incomplete information is gathered
4) information is not properly distributed to management or law enforcement authorities; and
5) too often, business organizations decide to take no civil or criminal action against the perpetrator(s) of fraud.

The perpetrators of fraud
• Gender
  • Whereas the demographic picture is changing, more men than women occupy positions of authority in business organizations, which provide them greater access to assets.
• Position
  • Those in the highest positions have the greatest access to company funds and assets.
• Age
  • Older employees tend to occupy higher-ranking positions and therefore generally have greater access to company assets
• Education
  • Those with more education occupy higher positions in their organizations and therefore have greater access to company funds and other assets
• Collusion
  • One reason for segregating occupational duties is to deny potential perpetrators the opportunity they need to commit fraud. When individuals in critical positions collude, they create opportunities to control or gain access to assets that otherwise would not exist.

Fraud Schemes
1. Fraudulent Statements
  • Refer to false or misleading claims made with the intent to deceive or mislead others, usually for personal gain or to avoid liability.
  • These statements are deliberately dishonest and can be used in legal, financial, or business contexts to trick someone into believing something untrue

Underlying Problems in Fraudulent Statements
• Lack of Auditor Independence.
• Lack of Director Independence.
• Questionable Executive Compensation Schemes
• Inappropriate Accounting Practices

SARBANES-OXLEY ACT AND FRAUD (SOX)
• This landmark legislation was written to deal with problems related to capital markets, corporate governance, and the auditing profession and has fundamentally changed the way public companies do business and how the accounting profession performs its attest function
• The act establishes a framework to modernize and reform the oversight and regulation of public company auditing.

PHILIPPINE STANDARD ON AUDITING (PSA) 240
• THE AUDITOR’S RESPONSIBILITIES RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS
• deals with the auditor’s responsibilities relating to fraud in an audit of financial statements.
• it expands on how PSA 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment,” and PSA 330, “The Auditor’s Responses to Assessed Risks,” are to be applied in relation to risks of material misstatement due to fraud.
• This PSA is effective for audits of financial statements for periods beginning on or after December 15, 2009.

SARBANES-OXLEY ACT AND FRAUD
Its principal reforms pertain to:
1) the creation of an accounting oversight board,
2) auditor independence,
3) corporate governance and responsibility,
4) disclosure requirements, and
5) penalties for fraud and other violations
2. Corruption
  • refers to the abuse of power or position for personal gain, often involving unethical or illegal practices
  • undermines trust in institutions, damages the rule of law, and can hinder economic and social development

Four principal types of corruption:
1) Bribery
  • involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties
2) Illegal gratuities
  • involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken. This is similar to a bribe, but the transaction occurs after the fact
3) Conflicts of Interest
  • occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed
4) Economic extortion
  • the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value

Asset Misappropriation
• Most common form of fraud scheme.
• Assets can be misappropriated either directly or indirectly for the perpetrator’s benefit.
• Transactions involving cash, checking accounts, inventory, supplies, equipment, and information are the most vulnerable to abuse

A. Charges to Expense Accounts
  • The theft of an asset creates an imbalance in the basic accounting equation (assets = equities), which the criminal must adjust if the theft is to go undetected

B. Lapping
  • Lapping involves the use of customer checks, received in payment of their accounts, to conceal cash previously stolen by an employee

C. Transaction Fraud
  • Transaction fraud involves deleting, altering, or adding false transactions to divert assets to the perpetrator

D. Computer Fraud Schemes
  • The objectives of the fraud are the same (misappropriation of assets), but the techniques used to commit computer fraud vary greatly
  • The theft, misuse, or misappropriation of assets by altering computer-readable records and files.
  • The theft, misuse, or misappropriation of assets by altering the logic of computer software.
  • The theft or illegal use of computer-readable information.
  • The theft, corruption, illegal copying, or intentional destruction of computer software.
  • The theft, misuse, or misappropriation of computer hardware

E. Data Collection
  • First operational stage in the information system. The objective is to ensure that event data entering the system are valid, complete, and free from material errors.
  Two rules govern the design of data collection procedures:
  1. Relevance - The information system should capture only relevant data
  2. Efficiency - Efficient data collection procedures are designed to collect data only once

Data Collection Fraud
• Masquerading
  • involves a perpetrator gaining access to the system from a remote site by pretending to be an authorized user. This usually requires first gaining authorized access to a password
• Piggybacking
  • a technique in which the perpetrator at a remote site taps into the telecommunications lines and latches on to an authorized user who is logging in to the system
• Hacking
  • may involve piggybacking or masquerading techniques

F. Data Processing
  • Once collected, data usually require processing to produce information. Tasks in the data processing stage range from simple to complex.
  • Data processing frauds fall into two classes: program fraud and operations fraud.
  • Program fraud includes the following techniques:
    1) creating illegal programs that can access data files to alter, delete, or insert values into accounting records;
    2) destroying or corrupting a program’s logic using a computer virus; or
    3) altering program logic to cause the application to process data incorrectly
  • Operations fraud
    • the misuse or theft of the firm’s computer resources. This often involves using the computer to conduct personal business

G. Database Management
  • The organization’s database is its physical repository for financial and nonfinancial data.
  • Database management involves three fundamental tasks: storage, retrieval, and deletion
 Database management fraud
 includes altering, deleting, corrupting, destroying, or stealing an organization’s data

H. Information Generation
 process of compiling, arranging, formatting, and presenting information to users
 Information can be an operational document such as a sales order, a structured report, or a message on a computer screen

Useful information has the following characteristics:
 Relevance. The contents of a report or document must serve a purpose.
 Timeliness. The age of information is a critical factor in determining its usefulness.
 Accuracy. Information must be free from material errors.
 Completeness. No piece of information essential to a decision or task should be missing.
 Summarization. Information should be aggregated in accordance with a user’s needs

Information Gathering Fraud
 Scavenging involves searching through the trash of the computer center for discarded output
 Eavesdropping involves listening to output transmissions over telecommunications lines

Internal Control Concepts and Techniques
The internal control system comprises policies, practices, and procedures employed by the organization to achieve four broad objectives:
 To safeguard assets of the firm.
 To ensure the accuracy and reliability of accounting records and information.
 To promote efficiency in the firm’s operations.
 To measure compliance with management’s prescribed policies and procedures.

MODIFYING ASSUMPTIONS
Management responsibility
 This concept holds that the establishment and maintenance of a system of internal control is a management responsibility

Reasonable assurance
 The internal control system should provide reasonable assurance that the four broad objectives of internal control are met in a cost-effective manner

Methods of data processing
The techniques of achieving the objectives will vary with different types of technology

Limitations
1) the possibility of error
2) circumvention
3) management override
4) changing conditions

Exposures of weak internal control (risk)
 Destruction of an asset
 Theft of an asset
 Corruption of information
 Disruption of the information system

Preventive controls
 Passive techniques designed to reduce the frequency of occurrence of undesirable events.
 Force compliance with prescribed or desired actions and thus screen out aberrant events

Detective controls
 These are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
 Reveal specific types of errors by comparing actual occurrences to pre-established standards

Corrective controls
 Actions taken to reverse the effects of errors detected in the previous step.

Statement on Auditing Standards (SAS) No. 78
 The current authoritative document for specifying internal control objectives and techniques which is based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework

Sarbanes-Oxley and Internal Control
 Requires management of public companies to implement an adequate system of internal controls over their financial reporting process. Management’s responsibilities for this are codified in Sections 302 and 404 of SOX

Components of SAS 78 / COSO INTERNAL CONTROL FRAMEWORK
 Control Environment
 Risk Assessment
 Information and Communication
 Monitoring
 Control Activities

Control environment
 Sets the tone for the organization and influences the control awareness of its management and employees

Important Elements of the Control Environment
 The integrity and ethical values of management.
 The structure of the organization.
 The procedures for delegating responsibility and authority.
 Management’s methods for assessing performance.
 External influences, such as examinations by regulatory agencies.
 Management’s philosophy and operating style.
 The participation of the organization’s board of directors and the audit committee, if one exists.
 The organization’s policies and practices for managing its human resources

Techniques of the Control Environment
1. Auditors should assess the integrity of the organization’s management and may use investigative agencies to report on the backgrounds of key managers.
2. Auditors should be aware of conditions that would predispose the management of an organization to commit fraud.
3. Auditors should understand a client’s business and industry and should be aware of conditions peculiar to the industry that may affect the audit. Auditors should read industry-related literature and familiarize themselves with the risks that are inherent in the business

Risk Assessment
Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting

 Changes in the operating environment that impose new or changed competitive pressures on the firm.
 New personnel who have a different or inadequate understanding of internal control
 New or reengineered information systems that affect transaction processing
 Significant and rapid growth that strains existing internal controls
 The implementation of new technology into the production process or information system that impacts transaction processing.
 The introduction of new product lines or activities with which the organization has little experience
 Organizational restructuring resulting in the reduction and/or reallocation of personnel such that business operations and transaction processing are affected
 Entering into foreign markets that may impact operations (that is, the risks associated with foreign currency transactions).
 Adoption of a new accounting principle that impacts the preparation of financial statements

SAS 78/COSO requires that auditors obtain sufficient knowledge of the organization’s risk assessment procedures to understand how management identifies, prioritizes, and manages the risks related to financial reporting

Information and Communication
 The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and to account for the related assets and liabilities

Effective Accounting Information System
 Identify and record all valid financial transactions
 Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting
 Accurately measure the financial value of transactions so their effects can be recorded in financial statements
 Accurately record transactions in the time period in which they occurred

SAS 78/COSO requires that auditors obtain sufficient knowledge of the organization’s information system to understand:
 The classes of transactions that are material to the financial statements and how those transactions are initiated.
 The accounting records and accounts that are used in the processing of material transactions
 The transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements.
 The financial reporting process used to prepare financial statements, disclosures, and accounting estimates

Monitoring
The process by which the quality of internal control design and operation can be assessed.
 Separate Procedures gather evidence of control adequacy by testing controls and then communicate control strengths and weaknesses to management.
 Ongoing monitoring may be achieved by integrating special computer modules into the information system that capture key data and/or permit tests of controls to be conducted as part of routine operations
 Judicious use of management reports

Control Activities
The policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks.

 IT Controls relate specifically to the computer environment.
 They fall into two broad groups: general controls and application controls.
 Physical Control relates primarily to the human activities employed in accounting systems

Categories of Physical Control Activities
 TRANSACTION AUTHORIZATION
 The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives. Authorizations may be general or specific.

 SEGREGATION OF DUTIES
 One of the most important control activities is the segregation of employee duties to minimize incompatible functions. Segregation of duties can take many forms, depending on the specific duties to be controlled.

 SUPERVISION
 An underlying assumption of supervision control is that the firm employs competent and trustworthy personnel. Supervision is often called a compensating control.

 ACCOUNTING RECORDS
 Consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events.

 INDEPENDENT VERIFICATION
 Independent checks of the accounting system to
identify errors and misrepresentations.

Examples of Independent verification


1) Reconciling batch totals at points during transaction
processing.
2) Comparing physical assets with accounting records.
3) Reconciling subsidiary accounts with control accounts.
4) Reviewing management reports (both computer and
manually generated) that summarize business activity.
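
The first and third checks in the list above, written out as an added example that is not part of the original notes: batch control totals are compared with what actually reached the posting step, and subsidiary ledger balances are compared with the control account. The batch IDs, customer codes, amounts, and the use of a record count and amount total as the batch control fields are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the notes). Each batch carries a control
# record prepared when the batch was assembled: record count and amount total.
BATCH_CONTROLS = {
    "B-001": {"count": 3, "total": Decimal("900.00")},
    "B-002": {"count": 2, "total": Decimal("410.50")},
}
# Records as they reached the posting step; one B-002 record has gone missing.
POSTED = [
    ("B-001", "C100", Decimal("250.00")),
    ("B-001", "C200", Decimal("400.00")),
    ("B-001", "C300", Decimal("250.00")),
    ("B-002", "C100", Decimal("110.50")),
]
GL_CONTROL_BALANCE = Decimal("1310.50")  # general ledger control account


def reconcile_batches(controls, posted):
    """Compare each batch's control totals with what was actually posted."""
    actual = defaultdict(lambda: {"count": 0, "total": Decimal("0")})
    for batch, _customer, amount in posted:
        actual[batch]["count"] += 1
        actual[batch]["total"] += amount
    exceptions = []
    for batch in sorted(set(controls) | set(actual)):
        expected = controls.get(batch)
        if expected is None:  # records posted under a batch nobody authorized
            exceptions.append((batch, "no control record", None, actual[batch]["count"]))
            continue
        for field in ("count", "total"):
            if actual[batch][field] != expected[field]:
                exceptions.append((batch, field, expected[field], actual[batch][field]))
    return exceptions


def reconcile_control_account(posted, gl_balance):
    """Sum subsidiary balances per customer and compare with the control account."""
    subsidiary = defaultdict(Decimal)
    for _batch, customer, amount in posted:
        subsidiary[customer] += amount
    return dict(subsidiary), gl_balance - sum(subsidiary.values(), Decimal("0"))


if __name__ == "__main__":
    print("batch exceptions:", reconcile_batches(BATCH_CONTROLS, POSTED))
    balances, difference = reconcile_control_account(POSTED, GL_CONTROL_BALANCE)
    print("subsidiary balances:", balances, "unreconciled difference:", difference)
```

Both checks flag the same missing record from different directions: the batch comparison names the batch, while the control account comparison shows the amount by which the ledgers disagree.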
