Chapter 10


Users

record transactions, authorize data to be processed, have logical access to company data, and produce system output. They are responsible for safekeeping any data they may access or distribute as system output.

data processing schedule

shows when each task should be performed.

project milestones

significant points when progress is reviewed and actual and estimated completion times are compared. Each project is assigned to a manager and team who are responsible for its success or failure.

Residual risk

the risk that remains after management implements internal controls or some other response to risk

Important aspects of the organizational structure include

- Centralization or decentralization of authority.
- A direct or matrix reporting relationship.
- Organization by industry, product line, location, or marketing network.
- How allocation of responsibility affects information requirements.
- Organization of and lines of authority for accounting, auditing, and information system functions.
- Size and nature of company activities.

Perform Internal Control Evaluations

Internal control effectiveness is measured using a formal or a self-assessment evaluation. A team can be formed to conduct the evaluation, or it can be done by internal auditing.

It is important that control activities are in place during the end-of-the-year holiday season because a disproportionate amount of computer fraud and security break-ins takes place during this time. Some reasons for this are

(1) extended employee vacations mean that there are fewer people to "mind the store"; (2) students are out of school and have more time on their hands; and (3) lonely counterculture hackers increase their attacks.

Management can respond to risk in one of four ways:

- Reduce. Reduce the likelihood and impact of risk by implementing an effective system of internal controls.
- Accept. Accept the likelihood and impact of the risk.
- Share. Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions.
- Avoid. Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.

Inherent risk

The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control

collusion

cooperation between two or more people in an effort to thwart internal controls

Network managers

ensure that devices are linked to the organization's internal and external networks and that those networks operate properly.

System performance measurements

established to evaluate the system. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is used), and response time (how long it takes for the system to respond).

Systems analysts

help users determine their information needs and design systems to meet those needs.

Audit committee

a board committee composed of outside, independent directors.

Control activities

policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out. It is management's responsibility to develop a secure and adequately controlled system.

With respect to authorization, management should:

- Give general authorization to process routine transactions, such as paying vendors when the goods ordered are received. However, a payment over a certain sum could require specific authorization.
- Approve new business relationships such as a new customer or vendor. If an unapproved vendor was added to the company's database, an employee might be able to make a payment to them as a way of embezzling money. If an unapproved customer was added, sales could be made to a customer with poor credit who is unable to pay.
- Approve all new user account activations to prevent an unauthorized person from having access to company data and business processes.
- Approve the creation or modification of computer programs to prevent unauthorized programs and code.
- Approve the final versions of all new programs and program modifications to ensure they are efficient and do not contain code that harms the organization or that otherwise facilitates unapproved actions.

expected loss

Impact × Likelihood

COBIT 2019 builds on the five key principles of IT governance and management introduced in COBIT 5:

- Meeting stakeholder needs. This helps users customize business processes and procedures to create an information system that adds value to its stakeholders. It also allows the company to create the proper balance between risk and reward.
- Covering the enterprise end-to-end. This does not focus only on the IT operation; it integrates all IT functions and processes into companywide functions and processes.
- Applying a single, integrated framework. This can be aligned at a high level with other standards and frameworks so that an overarching framework for IT governance and management is created.
- Enabling a holistic approach. Governance and management depend on a set of interacting enablers (policies and frameworks, processes, organizational structures, culture and behavior, information, infrastructure and applications, and people and skills) that are considered together rather than one at a time.
- Separating governance from management. Governance, a board responsibility, evaluates stakeholder needs, sets direction, and monitors performance; management plans, builds, runs, and monitors the activities that carry out that direction.

Most fraud is not reported or prosecuted for several reasons:

- Companies are reluctant to report fraud because it can be a public relations disaster. The disclosure can reveal system vulnerabilities and attract more fraud or hacker attacks.
- Law enforcement and the courts are busy with violent crimes and have less time and interest for computer crimes in which no physical harm occurs.
- Fraud is difficult, costly, and time-consuming to investigate and prosecute.
- Many law enforcement officials, lawyers, and judges lack the computer skills needed to investigate and prosecute computer crimes.
- Fraud sentences are often light. A famous example involved C. Arnholt Smith, former owner of the San Diego Padres, who was named Mr. San Diego of the Century. Smith was involved in the community and made large political contributions. When investigators discovered he had stolen $200 million from his bank, he pleaded no contest. His sentence was four years of probation. He was fined $30,000, to be paid at the rate of $100 a month for 25 years with no interest. Mr. Smith was 71 at the time. The embezzled money was never recovered.

The updated IC framework specifies that the following three principles apply to the information and communication process:

- Obtain or generate relevant, high-quality information to support internal control.
- Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control.
- Communicate relevant internal control matters to external parties.

Control procedures

- Proper authorization of transactions and activities.
- Segregation of duties.
- Project development and acquisition controls.
- Change management controls.
- Design and use of documents and records.
- Safeguarding assets, records, and data.
- Independent checks on performance.

Use Responsibility Accounting Systems

Responsibility accounting systems include budgets, quotas, schedules, standard costs, and quality standards; reports comparing actual and planned performance; and procedures for investigating and correcting significant variances.

Monitor System Activities

Risk analysis and management software packages review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements. Cost parameters can be entered to balance acceptable levels of risk tolerance and cost-effectiveness. Software also monitors and combats viruses, spyware, adware, spam, phishing, and inappropriate e-mails. It blocks pop-up ads, prevents browsers from being hijacked, and validates a phone caller's identity by comparing the caller's voice to a previously recorded voiceprint.

interactive control system

a system that helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions. Interactive system data are interpreted and discussed in face-to-face meetings of superiors, subordinates, and peers.

chief compliance officer (CCO)

The overwhelming tasks related to SOX and other forms of compliance have led many companies to delegate all compliance issues to a chief compliance officer (CCO).

One way to make employees accountable for their use of company technology is to have them agree in writing to written policies that include the following:

- The technology an employee uses on the job belongs to the company.
- E-mails received on company computers are not private and can be read by supervisory personnel. This policy allowed a large pharmaceutical company to identify and terminate an employee who was e-mailing confidential drug-manufacturing data to an external party.
- Employees should not use technology to contribute to a hostile work environment.

Control Objectives for Information and Related Technology (COBIT)

consolidates control standards from many different sources into a single framework that allows (1) management to benchmark security and control practices of IT environments, (2) users to be assured that adequate IT security and controls exist, and (3) auditors to substantiate their internal control opinions and to advise on IT security and control matters.

The control environment consists of

- Management's philosophy, operating style, and risk appetite.
- Commitment to integrity, ethical values, and competence.
- Internal control oversight by the board of directors.
- Organizational structure.
- Methods of assigning authority and responsibility.
- Human resource standards that attract, develop, and retain competent individuals.
- External influences.

belief system

describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values.

Preventive controls

deter problems before they arise. Examples include hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information.

Detective controls

discover problems that are not prevented. Examples include duplicate checking of calculations and preparing bank reconciliations and monthly trial balances.

Computer forensics specialists

discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges. Their work can be compared to performing an "autopsy" on a computer system to determine whether a crime was committed and who committed it, and then marshalling the evidence lawyers need to prove the charges in court.

Data control

ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.

authorization

management establishes policies for employees to follow and then empowers them to perform certain organizational functions; this empowerment is called authorization.

policy and procedures manual

explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties. The manual includes the chart of accounts and copies of forms and documents. It is a helpful on-the-job reference for current employees and a useful tool for training new employees.

steering committee

guides and oversees systems development and acquisition.

boundary system

helps employees act ethically by setting boundaries on employee behavior. Instead of telling employees exactly what to do, it encourages them to creatively solve problems and meet customer needs while meeting minimum performance standards, shunning off-limits activities, and avoiding actions that might damage the company's reputation.

segregation of systems duties

implementing control procedures to clearly divide authority and responsibility within the information system function

computer security officer (CSO)

in charge of system security, independent of the information system function, and reports to the chief operating officer (COO) or the CEO

background check

includes talking to references, checking for a criminal record, examining credit records, and verifying education and work experience. Many applicants include false information in their applications or resumes.

strategic master plan

is developed and updated yearly to align an organization's information system with its business strategies. It shows the projects that must be completed, and it addresses the company's hardware, software, personnel, and infrastructure requirements.

Systems administrators

make sure all information system components operate smoothly and efficiently.

General controls

make sure an organization's control environment is stable and well managed. Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls.

Security management

makes sure that systems are secure and protected from internal and external threats.

Change management

makes sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.

general authorization

management can authorize employees to handle routine transactions without special approval, a procedure known as general authorization.

diagnostic control system

measures, monitors, and compares actual company progress to budgets and performance goals. Feedback helps management adjust and fine-tune inputs and processes so future outputs more closely match goals.

internal environment

or company culture, influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk. It is the foundation for all other ERM components. A weak or deficient internal environment often results in breakdowns in risk management and control. It is essentially the same thing as the control environment in the IC framework.

Foreign Corrupt Practices Act (FCPA)

passed to prevent companies from bribing foreign officials to obtain business. Congress incorporated language from an American Institute of Certified Public Accountants (AICPA) pronouncement into the FCPA that required corporations to maintain good systems of internal control. Unfortunately, these requirements were not sufficient to prevent further problems.

postimplementation review

performed after a development project is completed to determine whether the anticipated benefits were achieved.

Application controls

prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.

Neural networks

programs with learning capabilities that can accurately identify fraud.

Risk appetite can be assessed by answering questions such as

- Does management take undue business risks to achieve its objectives, or does it assess potential risks and rewards prior to acting?
- Does management manipulate performance measures, such as net income, so they are seen in a more favorable light?
- Does management pressure employees to achieve results regardless of the methods, or does it demand ethical behavior? In other words, do the ends justify the means?

Computer operators

run the software on the company's computers and ensure that data are properly entered, processed correctly, properly stored, and that the needed output is produced.

segregation of accounting duties

separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud

Public Company Accounting Oversight Board (PCAOB)

sets and enforces auditing, quality control, ethics, independence, and other auditing standards. It consists of five people who are appointed by the Securities and Exchange Commission (SEC).

project development plan

shows the tasks to be performed, who will perform them, project costs, and completion dates.

Forensic investigators

who specialize in fraud are a fast-growing group in the accounting profession. Their increasing presence is due to several factors, most notably SOX, new accounting rules, and demands by boards of directors.

risk appetite

the amount of risk a company is willing to accept to achieve its goals. To avoid undue risk, risk appetite must be in alignment with company strategy.

Internal Control—Integrated Framework (IC)

the authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities.

Internal controls

the processes implemented to provide reasonable assurance that the following control objectives are achieved:

- Safeguard assets: prevent or detect their unauthorized acquisition, use, or disposition.
- Maintain records in sufficient detail to report company assets accurately and fairly.
- Provide accurate and reliable information.
- Prepare financial reports in accordance with established criteria.
- Promote and improve operational efficiency.
- Encourage adherence to prescribed managerial policies.
- Comply with applicable laws and regulations.

programmers

using the system analyst's design, are responsible for developing, coding, and testing all new software applications.

Companies using systems integrators should use the same project management processes and controls as internal projects. In addition, they should:

- Develop clear specifications. This includes exact descriptions and system definitions, explicit deadlines, and precise acceptance criteria. Suffolk County, New York, spent 12 months and $500,000 preparing detailed specifications for a $16 million criminal justice system before accepting bids. Only 6 of 22 invited integrators bid on the project because of the county's rigorous cost and quality standards. County officials believe their diligent upfront efforts helped ensure their new system's success and saved the county $3 million.
- Monitor the project. Companies should establish formal procedures for measuring and reporting a project's status. The best approach is to divide the project into manageable tasks, assign responsibility for each task, and meet at least monthly to review progress and assess quality.

Implement Effective Supervision

Effective supervision involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who have access to assets. Supervision is especially important in organizations without responsibility reporting or an adequate segregation of duties.

separated accounting duties:

- Authorization: approving transactions and decisions.
- Recording: preparing source documents; entering data into computer systems; and maintaining journals, ledgers, files, or databases.
- Custody: handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks.
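The authorization rules given earlier on this page (general authorization up to a limit, specific authorization above it, payments only to vendors on the approved master list) and the three duties listed above can be enforced mechanically over a batch of payments. The following is an added Python example, not code from the page or its textbook; the authorization limit, vendor list, roles, users and sample payments are constructed assumptions, and the function names are the author's own.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy parameters and master data (assumptions for this example).
GENERAL_AUTH_LIMIT = 10_000               # general authorization covers payments up to this amount
APPROVED_VENDORS = {"V-100", "V-200"}     # vendor master file approved by management

# Which of the three duties (authorization, recording, custody) each role carries.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "ap_clerk": {"recording"},
    "purchasing_manager": {"authorization"},
    "treasurer": {"custody"},
    "office_manager": {"authorization", "recording", "custody"},  # deliberately incompatible
}

# Constructed user directory: user -> roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"purchasing_manager"},
    "carol": {"treasurer"},
    "dave": {"office_manager"},
}

@dataclass(frozen=True)
class Payment:
    pid: str
    vendor: str
    amount: int
    prepared_by: str                 # recording: who entered the transaction
    approved_by: Optional[str]       # authorization: who gave specific approval, if any
    paid_by: str                     # custody: who released the funds

def duties_of(user: str) -> Set[str]:
    """Union of the duties granted through all of a user's roles."""
    return set().union(*(ROLE_DUTIES[r] for r in USER_ROLES.get(user, ())))

def role_conflicts(user: str) -> List[Tuple[str, str]]:
    """Pairs of incompatible duties one user holds (role-level segregation check)."""
    return sorted(combinations(sorted(duties_of(user)), 2))

def check_payment(p: Payment) -> List[str]:
    """Return the control violations for one payment; an empty list means it passes."""
    problems: List[str] = []
    if p.vendor not in APPROVED_VENDORS:
        problems.append(f"vendor {p.vendor} is not on the approved vendor list")
    if p.amount > GENERAL_AUTH_LIMIT:
        # Above the limit, general authorization no longer applies.
        if p.approved_by is None:
            problems.append(f"amount {p.amount} exceeds general authorization limit "
                            f"{GENERAL_AUTH_LIMIT} and has no specific authorization")
        elif "authorization" not in duties_of(p.approved_by):
            problems.append(f"approver {p.approved_by} holds no authorization duty")
    # Transaction-level segregation: one person must not fill two of the three functions.
    actors = {"recording": p.prepared_by, "authorization": p.approved_by, "custody": p.paid_by}
    for (d1, u1), (d2, u2) in combinations(actors.items(), 2):
        if u1 is not None and u1 == u2:
            problems.append(f"{u1} performed both {d1} and {d2}")
    return problems

def review_batch(payments) -> Dict[str, List[str]]:
    """Map each payment id to its list of violations."""
    return {p.pid: check_payment(p) for p in payments}

# Constructed sample batch.
SAMPLE_PAYMENTS = [
    Payment("P1", "V-100", 4_000, "alice", None, "carol"),     # routine: general authorization suffices
    Payment("P2", "V-100", 25_000, "alice", None, "carol"),    # over the limit, nobody approved it
    Payment("P3", "V-999", 25_000, "alice", "bob", "carol"),   # properly approved, but vendor unapproved
    Payment("P4", "V-200", 25_000, "dave", "dave", "dave"),    # one person did everything
]

if __name__ == "__main__":
    for pid, problems in review_batch(SAMPLE_PAYMENTS).items():
        print(pid, "OK" if not problems else problems)
    print("dave's incompatible duties:", role_conflicts("dave"))
```

The role-level check (`role_conflicts`) catches the toxic combination before any transaction happens, which is what a periodic access review does; the transaction-level check catches collusion-free abuse after the fact, which is what an independent review of processed payments does.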

COBIT: The 35 management processes are broken down into the following four domains:

- Align, plan, and organize (APO).
- Build, acquire, and implement (BAI).
- Deliver, service, and support (DSS).
- Monitor, evaluate, and assess (MEA).

specific authorization

Certain activities or transactions may be of such consequence that management grants specific authorization for them.

Companies endorse integrity by:

- Developing a written code of conduct that explicitly describes honest and dishonest behaviors. For example, most purchasing agents agree that accepting $5,000 from a supplier is dishonest, but a weekend vacation is not as clear-cut. A major cause of dishonesty comes from rationalizing unclear situations and allowing the criterion of expediency to replace the criterion of right versus wrong. Companies should document that employees have read and understand the code of conduct.
- Putting processes in place to use the company's code of conduct to evaluate individual and team performance and to address any deviations in a timely and consistent manner.
- Actively teaching and requiring the code of conduct, for example, by making it clear that honest reports are more important than favorable ones.
- Avoiding unrealistic expectations or incentives that motivate dishonest or illegal acts, such as overly aggressive sales practices, unfair or unethical negotiation tactics, and bonuses excessively based on reported financial results.
- Consistently rewarding honesty and giving verbal labels to honest and dishonest behavior. If companies punish or reward honesty without labeling it as such, or if the standard of honesty is inconsistent, then employees will display inconsistent moral behavior.
- Requiring employees to report dishonest or illegal acts and disciplining employees who knowingly fail to report them. All dishonest acts should be investigated, and dishonest employees should be dismissed and prosecuted to show that such behavior is not allowed.
- Making a commitment to competence. Companies should hire competent employees with the necessary knowledge, experience, training, and skills.

To set up a controlled system management must make sure that:

- Controls are selected and developed to help reduce risks to an acceptable level.
- Appropriate general controls are selected and developed over technology.
- Control activities are implemented and followed as specified in company policies and procedures.

Corrective controls

identify and correct problems as well as correct and recover from the resulting errors. Examples include maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.

Computer-based controls help safeguard assets. In addition, it is important to:

- Create and enforce appropriate policies and procedures. All too often, policies and procedures are created but not enforced. A laptop with the names, Social Security numbers, and birthdates of 26.5 million people was stolen from the home of a Veterans Affairs (VA) Department analyst. The VA did not enforce its policies that sensitive data be encrypted and not leave VA offices. Notifying all 26.5 million people and buying them a credit-checking service cost taxpayers $100 million. Two years prior to the theft, an inspector general report identified the inadequate control of sensitive data as a weakness, but it had never been addressed.
- Maintain accurate records of all assets. Periodically reconcile the recorded amounts of company assets to physical counts of those assets.
- Restrict access to assets. Restricting access to storage areas protects inventories and equipment. Cash registers, safes, lockboxes, and safety deposit boxes limit access to cash and paper assets. More than $1 million was embezzled from Perini Corp. because blank checks were kept in an unlocked storeroom. An employee made out checks to fictitious vendors, ran them through an unlocked check-signing machine, and cashed the checks.
- Protect records and documents. Fireproof storage areas, locked filing cabinets, backup files, and off-site storage protect records and documents. Access to blank checks and documents should be limited to authorized personnel. In Inglewood, California, a janitor stole 34 blank checks, wrote checks from $50,000 to $470,000, forged the names of city officials, and cashed them.

Independent checks on performance, done by someone other than the person who performs the original operation, help ensure that transactions are processed accurately. They include the following:

- Top-level reviews. Management should monitor company results and periodically compare actual company performance to (1) planned performance, as shown in budgets, targets, and forecasts; (2) prior period performance; and (3) competitors' performance.
- Analytical reviews. An analytical review is an examination of the relationships between different sets of data. For example, as credit sales increase, so should accounts receivable. In addition, there are relationships between sales and accounts such as cost of goods sold, inventory, and freight out.
- Reconciliation of independently maintained records. Records should be reconciled to documents or records with the same balance. For example, a bank reconciliation verifies that company checking account balances agree with bank statement balances. Another example is comparing subsidiary ledger totals with general ledger totals.
- Comparison of actual quantities with recorded amounts. Significant assets are periodically counted and reconciled to company records. At the end of each clerk's shift, cash in a cash register drawer should match the amount on the cash register tape. Inventory should be periodically counted and reconciled to inventory records.
- Double-entry accounting. The maxim that debits equal credits provides numerous opportunities for independent checks. Debits in a payroll entry may be allocated to numerous inventory and/or expense accounts; credits are allocated to liability accounts for wages payable, taxes withheld, employee insurance, and union dues. After the payroll entries, comparing total debits and credits is a powerful check on the accuracy of both processes. Any discrepancy indicates the presence of an error.
- Independent review. After a transaction is processed, a second person reviews the work of the first, checking for proper authorization, reviewing supporting documents, and checking the accuracy of prices, quantities, and extensions.

digital signature

a means of electronically signing a document with data that cannot be forged

fraud hotline

a phone number employees can call to anonymously report fraud and abuse

systems integrator

an outside party hired to manage a company's systems development effort

Sarbanes-Oxley Act (SOX)

applies to publicly held companies and their auditors and was designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud. This is the most important business-oriented legislation in the last 80 years. It changed the way boards of directors and management operate and had a dramatic impact on CPAs who audit them.

Database administrators

are responsible for coordinating, controlling, and managing the database.

Committee of Sponsoring Organizations (COSO)

consists of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute. In 1992, This issued Internal Control—Integrated Framework

