2020-04-24

CHAPTER 7
Control and Accounting Information Systems

Tengku Fairuz Binti Tengku Embong
Faculty of Accountancy

Learning Objectives

01 Explain basic control concepts and why computer control and security are important.
02 Compare and contrast the COBIT, COSO, and ERM control frameworks.
03 Describe the major elements in the internal environment of a company.
04 Describe the control objectives that companies need to set and how to identify events that affect organizational uncertainty.
05 Explain how to assess and respond to risk using the Enterprise Risk Management model.
06 Describe control activities commonly used in companies.
07 Describe how to communicate information and monitor control processes in organizations.

INTRODUCTION

Why AIS Security & Integrity Threats Are Increasing
✓ Information is available to an unprecedented number of workers.
✓ Information on distributed computer networks is hard to control.
✓ Customers and suppliers have access to one another’s systems and data.

Major Failure In Controlling: Organizations Do Not Adequately Protect Their Data
❖ Companies view the loss of crucial information as a distant, unlikely threat.
❖ Control implications of moving from centralized computer systems to Internet-based systems have not been fully understood.
❖ Many companies have not realized that data security is crucial to their survival.
❖ Productivity and cost pressures have motivated management to forgo time-consuming control measures.

TERMS
THREAT: Any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization.
EXPOSURE (IMPACT): The potential dollar loss should a particular threat become a reality.
LIKELIHOOD: The probability that the threat will happen.

Exposures & Risk
An Exposure – The Absence Or Weakness Of A Control
May result in asset destruction or theft and corruption or disruption of the information system.

OVERVIEW OF CONTROL CONCEPTS

Internal Control: The process implemented to provide reasonable assurance that the following control objectives are achieved:
01 Safeguard assets
02 Maintain sufficient records
03 Provide accurate and reliable information
04 Prepare financial reports according to established criteria
05 Promote and improve operational efficiency
06 Encourage adherence with management policies
07 Comply with laws and regulations

Developing an internal control system requires
▪ Thorough understanding of IT and its capabilities and risks.
▪ Knowing how to use IT to achieve an organization’s control objectives.

Accountants and system developers help management achieve their control objectives by
✓ Designing effective control systems that take a proactive approach to eliminating system threats, and that detect, correct, and recover from threats when they do occur.
✓ Building controls into a system at the initial design stage, which is easier than adding them after the fact.

3 Functions
01 Preventive controls: Deter problems before they arise; anticipate the problem.
02 Detective controls: Discover problems as soon as they arise.
03 Corrective controls: Remedy control problems that have been discovered. They include procedures taken to identify the cause of a problem, correct resulting errors or difficulties, and modify the system so that future problems are minimized or eliminated.

2 Categories
General Controls: Designed to make sure an organization’s control environment is stable and well managed.
Application Controls: Prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.

4 Levers of Control
01 Belief System: Communicates company core values to employees and inspires them to live by them.
02 Boundary System: Helps employees act ethically by setting limits on employee behavior.
03 Diagnostic Control System: Measures company progress by comparing actual performance to planned performance (budget).
04 Interactive Control System: Helps top-level managers with high-level activities that demand frequent and regular attention.


The Foreign Corrupt Practices Act (1977)
Prevents companies from bribing foreign officials to obtain business.
Requires all publicly owned corporations to maintain a system of internal accounting controls.

Sarbanes–Oxley Act (SOX) (2002)
Applies to publicly held companies and their auditors to
✓ Prevent financial statement fraud
✓ Make financial reports transparent
✓ Protect investors
✓ Strengthen internal controls
✓ Punish executives who perpetrate fraud

Sarbanes–Oxley Act (SOX) (2002)
Some of the important aspects of the Sarbanes-Oxley Act are:
❖ Public Company Accounting Oversight Board (PCAOB)
❖ New rules for auditors
❖ New roles for audit committees
❖ New rules for management
❖ New internal control requirements

Self Assessment Questions
The questions on the following slides are about self-assessing your understanding of the topic. To learn more about the topic, please refer to the details of the topic in the textbook before answering the questions.

What type of internal controls finds the problem before it occurs?
A. Detective controls
B. Preventive controls
C. General controls
D. Corrective controls

CONTROL FRAMEWORKS

Committee of Sponsoring Organizations (COSO)
Control Objectives for Information and related Technology (COBIT)

COBIT Framework
COBIT is a framework of generally applicable information systems security and control practices for Information Technology control. It allows management to benchmark their IT security and control environments and compare them to other organizations; it provides assurance that security and internal controls exist; and it allows auditors to substantiate their internal control opinions.

5 PRINCIPLES
Meeting stakeholder needs
Covering the enterprise end-to-end
Applying a single, integrated framework
Enabling a holistic approach
Separating governance from management

COBIT5 Separates Governance from Management


Components of COSO Frameworks
COSO’s Internal Control Model
COSO’s ERM Model
TABLE 7-1

Which of the following COSO-ERM objectives involves parties external to the organization?
A. Strategic Objectives
B. Compliance Objectives
C. Operation Objectives
D. Reporting Objectives

Which of the following is not a component of COSO-ERM?
A. Event Identification
B. External Environment
C. Risk Identification
D. B&C

THE INTERNAL ENVIRONMENT

Internal Environment
❖ The tone or culture of a company; helps to determine how risk conscious employees are.
❖ A weak internal environment often results in breakdowns in risk management and control.
A written policy and procedures manual is an important tool for assigning authority and responsibility.

Major elements in the internal environment:
Management’s philosophy, operating style, and risk appetite
Commitment to integrity, ethical values, and competence
Internal control oversight by the board of directors (e.g., audit committee)
Organizational structure
Methods of assigning authority and responsibility
Human resource standards that attract, develop, and retain competent individuals
External influences

Management’s Philosophy, Operating Style & Risk Appetite
An organization has a philosophy, or shared beliefs and attitudes, about risk that affects everything the organization does, long- and short-term, and affects its communications.
This philosophy must be clearly communicated to all employees.
The more responsible management’s philosophy and operating style, the more likely employees will behave responsibly.
RISK APPETITE: the amount of risk a company is willing to accept to achieve its goals and objectives.
This component can be assessed by asking questions such as

Commitment to Integrity, Ethical Values, and Competence
✓ Actively teaching and requiring it
✓ Avoiding unrealistic expectations or incentives that motivate dishonest or illegal acts
✓ Consistently rewarding honesty & giving verbal labels to honest and dishonest acts
✓ Developing a written code of conduct that explicitly describes honest and dishonest behaviors
✓ Requiring employees to report dishonest or illegal acts and disciplining employees who knowingly fail to report
✓ Making a commitment to competence

Internal Control Oversight By The Board Of Directors
An involved BOD represents shareholders & provides an independent review of management that acts as a check & balance on its actions.
Public companies must have an AUDIT COMMITTEE, composed entirely of independent, outside directors.
The audit committee oversees:
▪ The company’s internal control structure;
▪ Its financial reporting process; and
▪ Its compliance with laws, regulations, and standards.
The audit committee is responsible for hiring & overseeing external and internal auditors. Auditors report all critical accounting policies and practices to the audit committee.

Organizational Structure
Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.
Aspects include:
Centralization or decentralization of authority
Direct or matrix reporting relationships
Organization by industry, product, geographic location, marketing network
How allocation of responsibility affects information requirements
Organization of accounting, auditing and IS functions
Size and nature of company activities
Hierarchical Structures are being replaced with Flat Structures

Methods of assigning authority and responsibility
Management should make sure
➢ Employees understand the entity’s objectives.
➢ Authority and responsibility for business objectives is assigned to specific departments and individuals.
➢ Employees are encouraged to take initiative in solving problems.
➢ Employees are held accountable for achieving objectives.
Authority and responsibility are assigned through:
• Formal job descriptions
• Employee training
• Operating plans, schedules, and budgets
• Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest
• Written policies and procedures manuals (a good job reference and job training tool)

Human Resource Standards
1 Hiring
2 Compensating, Evaluating & Promoting
3 Training
4 Managing Disgruntled Employees
5 Discharging
6 Vacations And Rotation Of Duties
7 Confidentiality Agreements And Fidelity Bond Insurance
8 Prosecute And Incarcerate Hackers And Fraud Perpetrators

External Influences
01 FASB
02 PCAOB
03 SEC
04 Insurance Companies
05 Regulatory agencies for banks, utilities, etc.

Which of the following is NOT considered the Internal Environment in COSO-ERM?
A. External Influences
B. Management’s Risk Appetite
C. Ethical Values
D. Compliance With The SEC

Which of the following statements is TRUE?
A. An internal environment consists of an organizational structure
B. Control activities are a component of COSO ERM
C. The Sarbanes-Oxley Act requires all public companies to have an audit committee
D. All of the answers

OBJECTIVE SETTING & EVENT IDENTIFICATION

Objective Setting
❖ Management determines what the company hopes to achieve.
❖ This is often referred to as the corporate vision or mission.

4 Types Of Objectives
A. Strategic Objectives: High-level goals that are aligned with and support the company’s mission.
B. Operations Objectives: Deal with effectiveness and efficiency of company operations; determine how to allocate resources.
C. Reporting Objectives: Help ensure the accuracy, completeness, and reliability of company reports; improve decision-making and monitor company activities and performance.
D. Compliance Objectives: Help the company comply with all applicable laws and regulations.

What corporate objective is based on a company’s mission statement?
A. Strategic objectives
B. Operations objectives
C. Compliance objectives
D. Reporting objectives

Event Identification
❖ Incidents or occurrences that emanate from internal or external sources
❖ That affect implementation of strategy or achievement of objectives
❖ Impact can be positive, negative, or both

Common Techniques To Identify Events
01 Use comprehensive lists of potential events
02 Perform an internal analysis
03 Monitor leading events and trigger points
04 Conduct workshops and interviews
05 Perform data mining and analysis
06 Analyze business processes

RISK ASSESSMENT AND RISK RESPONSE

Risk Assessment & Risk Response
❖ Inherent risk - The risk that exists before management takes any steps to control the likelihood or impact of a risk
❖ Residual risk - The risk that remains after management implements internal controls or some other form of response to risk

4 Ways To Respond To Risk
Reduce It: Reduce the likelihood and impact of risk by implementing an effective system of internal controls
Share It: Share or transfer some of it to others by buying insurance, outsourcing, or hedging
Avoid It: Avoid risk by not engaging in the activity that produces the risk
Accept It: Accept the likelihood and impact of risk

Risk Assessment Approach To Designing Internal Controls
 Event identification
◦ The first step in risk assessment and response strategy is event identification, which we have already discussed.

Risk Assessment Approach To Designing Internal Controls
 Estimate likelihood and impact
◦ Some events pose more risk because they are more probable than others.
◦ Some events pose more risk because their dollar impact would be more significant.
◦ Likelihood and impact must be considered together:
◦ If either increases, the materiality of the event and the need to protect against it rises.

Risk Assessment Approach To Designing Internal Controls
 Identify controls
◦ Management must identify one or more controls that will protect the company from each event.
◦ In evaluating benefits of each control procedure, consider effectiveness and timing.
◦ A preventive control is better than a detective one.
◦ However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
◦ Consequently, the three complement each other, and a good internal control system should have all three.

Risk Assessment Approach To Designing Internal Controls
 Estimate costs and benefits
◦ No internal control system can provide foolproof protection against all events, as the cost would be prohibitive.
◦ Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.
 The benefits of an internal control procedure must exceed its costs.

Risk Assessment Approach To Designing Internal Controls
 Benefits can be hard to quantify, but include:
◦ Increased sales and productivity
◦ Reduced losses
◦ Better integration with customers and suppliers
◦ Increased customer loyalty
◦ Competitive advantages
◦ Lower insurance premiums
 Costs are usually easier to measure than benefits.
 Primary cost is personnel, including:
◦ Time to perform control procedures
◦ Costs of hiring additional employees to effectively segregate duties
◦ Costs of programming controls into a system

Risk Assessment Approach To Designing Internal Controls
 Determine cost-benefit effectiveness
◦ After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the change?

Risk Assessment Approach To Designing Internal Controls
 Implement the control or avoid, share, or accept the risk
◦ When controls are cost effective, they should be implemented so risk can be reduced.
 Risks that are not reduced must be accepted, shared, or avoided.
◦ If the risk is within the company’s risk tolerance, they will typically accept the risk.
◦ A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
◦ An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
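The risk assessment approach above carried through in code, as an added example that is not part of the slides: expected loss is impact times likelihood, a control is cost beneficial when its cost is below the reduction in expected loss it brings, and whatever risk remains is accepted, shared, or avoided against a risk tolerance. The events, candidate controls, dollar amounts and probabilities are constructed sample values.

```python
"""Risk assessment approach to designing internal controls.

Added example (not from the slides): expected loss = impact x likelihood;
a control is cost beneficial when its cost is less than the change in
expected loss it brings; risk that is not reduced is accepted, shared,
or avoided against the company's risk tolerance. All dollar figures and
probabilities below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    impact: float       # exposure: potential dollar loss if the threat occurs
    likelihood: float   # probability (0..1) that the threat occurs


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_impact: float       # impact once the control is in place
    residual_likelihood: float   # likelihood once the control is in place


def expected_loss(impact: float, likelihood: float) -> float:
    """Materiality of an event: rises if either impact or likelihood rises."""
    return round(impact * likelihood, 2)


def inherent_risk(event: Event) -> float:
    """Expected loss before management takes any step to control it."""
    return expected_loss(event.impact, event.likelihood)


def residual_risk(control: Control) -> float:
    """Expected loss remaining after the control is implemented."""
    return expected_loss(control.residual_impact, control.residual_likelihood)


def control_benefit(event: Event, control: Control) -> float:
    """Change in expected loss attributable to the control."""
    return round(inherent_risk(event) - residual_risk(control), 2)


def is_cost_beneficial(event: Event, control: Control) -> bool:
    """The cost of implementing the control must be less than its benefit."""
    return control.annual_cost < control_benefit(event, control)


def respond(event: Event, candidates: list[Control], risk_tolerance: float,
            can_share: bool = False) -> dict:
    """Implement the cost-beneficial control that leaves the least residual
    risk, then accept, share, or avoid whatever risk remains."""
    beneficial = [c for c in candidates if is_cost_beneficial(event, c)]
    actions = []
    if beneficial:
        chosen = min(beneficial, key=residual_risk)
        remaining = residual_risk(chosen)
        actions.append(f"reduce: implement {chosen.name}")
    else:
        remaining = inherent_risk(event)
    if remaining <= risk_tolerance:
        actions.append("accept")
    elif can_share:
        actions.append("share")   # e.g. insurance, outsourcing, or hedging
    else:
        actions.append("avoid")   # no cost-effective way into tolerance
    return {"inherent": inherent_risk(event), "residual": remaining,
            "actions": actions}


# Constructed sample events and candidate controls (illustrative only).
WIRE_FRAUD = Event("unauthorized wire transfer", impact=200_000, likelihood=0.05)
WIRE_CONTROLS = [
    Control("dual approval of wires", annual_cost=3_000,
            residual_impact=200_000, residual_likelihood=0.01),
    Control("dedicated wire terminal", annual_cost=9_000,
            residual_impact=200_000, residual_likelihood=0.005),
]
WAREHOUSE_FIRE = Event("warehouse fire", impact=500_000, likelihood=0.02)
FIRE_CONTROLS = [
    Control("sprinkler retrofit", annual_cost=12_000,
            residual_impact=100_000, residual_likelihood=0.02),
]

if __name__ == "__main__":
    print(respond(WIRE_FRAUD, WIRE_CONTROLS, risk_tolerance=2_500))
    print(respond(WAREHOUSE_FIRE, FIRE_CONTROLS, risk_tolerance=2_500, can_share=True))
    print(respond(WAREHOUSE_FIRE, FIRE_CONTROLS, risk_tolerance=2_500))
```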

CONTROL ACTIVITIES

Control Activities
❖ Policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out
❖ It is management’s responsibility to develop a secure and adequately controlled system and establish a set of procedures to ensure control compliance and enforcement

7 Categories of Control Procedures
1 Proper authorization of transactions and activities
2 Segregation of duties
3 Project development and acquisition controls
4 Change management controls
5 Design and use of documents and records
6 Safeguard assets, records, and data
7 Independent checks on performance

1. Proper Authorization Of Transactions And Activities
Management establishes policies and empowers employees to perform activities within policy.
Authorizations are often documented by signing, initialing, or entering an authorization code or digital signature.
General authorization - Management authorizes employees to handle routine transactions without special approval.
Special authorization - For activities or transactions that are of significant consequence, management review and approval is required.
Employees who process transactions should verify the presence of the appropriate authorizations.

2a. Segregation of Accounting Duties
Good internal control requires that no single employee of a company have too much responsibility over transactions and business processes.
Segregation of duties prevents an employee from committing and concealing fraud.

CONTROL ACTIVITIES
 To learn a little about segregation of duties, let’s first meet Bill.
 Bill is in charge of a pile of the organization’s money—let’s say $1,000.
 Bill also keeps the books for that money. (Ledger: $1,000)
 Bill has a date tonight, and he’s a little desperate to impress that special someone, so he takes $100 of the cash. (Thinks he’s only borrowing it, you know.)
 Bill also records an entry in the books to show that $100 was spent for some “legitimate” purpose. Now the balance in the books is $900. (Ledger: $900)
 How will Bill ever get caught at his theft?

 Now let’s change the story. Bill is in charge of the pile of cash.
 But Mary keeps the books. (Ledger: $1,000)
 This arrangement is a form of segregation of duties.
 Bill gets in a pinch again and takes $100 of the organization’s cash.
 How will Bill get caught?
 If this happens . . .
Then segregation of duties is out the window. Collusion overrides segregation.

Collusion is when two or more people are working together to override the preventive aspect of the internal control system.
Employee/Vendor Collusions
• Billing at inflated prices
• Performing substandard work and receiving full payment
• Payment for non-performance
• Duplicate billings
• Improperly funnelling more work to or purchasing more goods from a colluding company
Employee/Customer Collusions
• Unauthorized loans or insurance payments
• Receipt of assets or services at unauthorized discount prices
• Forgiveness of amounts owed
• Unauthorized extension of due dates

2b. Segregation Of Systems Duties
In a highly integrated information system, procedures once performed by separate individuals are combined. Therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud.
To combat this threat, organizations must implement effective segregation of duties within the IS function:
01 Systems Administration
02 Network Management
03 Security Management
04 Change Management
05 Users
06 Systems Analysts
07 Programming
08 Computer Operations
09 Information Systems Library
10 Data Control

3. Project Development and Acquisition Controls
Strategic Master Plan
Steering Committee
Project Development Plan
Data Processing Schedule
System Performance Measurements
Post-implementation Review

4. Change Management Controls
Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances.
Change management is the process of making sure that the changes do not negatively affect:
✓ Systems reliability
✓ Security
✓ Confidentiality
✓ Integrity
✓ Availability

5. Design And Use Of Adequate Documents And Records
To ensure accurate and complete recording of all relevant transaction data:
Form and content should be kept as simple as possible
Contain a space for authorization
Space for the receiving party’s signature
Pre-numbered documents
A good audit trail

6. Safeguard Assets, Records, And Data
Create and enforce appropriate policies and procedures
Maintain accurate records of all assets
Restrict access to assets
Protect records and documents

7. Independent Checks on Performance
✓ Top level reviews
✓ Analytical reviews
✓ Reconciliation of two independently maintained sets of records
✓ Comparison of actual quantities with recorded amounts
✓ Double-entry accounting
✓ Independent review

CONTROL ACTIVITIES
 Let’s look at Bill and Mary again. Assume that Bill stole cash but Mary did NOT alter the books. (Ledger: $1,000)
 Can Bill’s theft be discovered if an independent party doesn’t compare a count of the cash to what’s recorded on the books?
 Segregation of duties only has value when supplemented by independent checks.
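The Bill and Mary story as a small model, added here and not taken from the slides: duties are assigned explicitly, the cash custodian cannot post to the books and the bookkeeper cannot take cash, and an independent party compares a count of the cash with the ledger. The fund, the employees' actions and the "Auditor" who does the count are constructed for illustration; the three scenario functions correspond to Bill keeping his own books, Mary keeping the books honestly, and the two colluding.

```python
"""Bill and Mary: segregation of duties plus an independent check.

Added example, not from the slides. Each duty is enforced before an action
is allowed, and independent_check() is the detective control that compares
a physical count with the books. Names, amounts and the independent
counter ("Auditor") are constructed for illustration.
"""
from dataclasses import dataclass, field

CUSTODY = "custody"       # physical control of the cash
RECORDING = "recording"   # keeping the books (the ledger)


@dataclass
class CashFund:
    cash: int = 1000    # dollars physically in the pile
    ledger: int = 1000  # balance shown in the books
    duties: dict[str, set[str]] = field(default_factory=dict)

    def assign(self, employee: str, duty: str) -> None:
        self.duties.setdefault(employee, set()).add(duty)

    def sod_violations(self) -> list[str]:
        """Employees holding both custody and recording: able to commit
        a theft and conceal it in the books."""
        return [e for e, d in self.duties.items() if {CUSTODY, RECORDING} <= d]

    def _require(self, employee: str, duty: str) -> None:
        if duty not in self.duties.get(employee, set()):
            raise PermissionError(f"{employee} does not hold the {duty} duty")

    def take_cash(self, employee: str, amount: int) -> None:
        self._require(employee, CUSTODY)
        self.cash -= amount

    def post_expense(self, employee: str, amount: int, memo: str) -> None:
        self._require(employee, RECORDING)
        self.ledger -= amount   # memo is what the books claim the money was for

    def independent_check(self, counter: str) -> int:
        """Compare a physical count with the books. The counter must hold no
        duty over the fund; returns the shortfall the books do not explain."""
        if self.duties.get(counter):
            raise PermissionError(f"{counter} is not independent of the fund")
        return self.ledger - self.cash


def bill_keeps_the_books() -> tuple[list[str], int]:
    fund = CashFund()
    fund.assign("Bill", CUSTODY)
    fund.assign("Bill", RECORDING)
    fund.take_cash("Bill", 100)
    fund.post_expense("Bill", 100, "legitimate purpose")   # books now say $900
    return fund.sod_violations(), fund.independent_check("Auditor")


def mary_keeps_the_books() -> tuple[list[str], int]:
    fund = CashFund()
    fund.assign("Bill", CUSTODY)
    fund.assign("Mary", RECORDING)
    fund.take_cash("Bill", 100)          # Mary does NOT alter the books
    return fund.sod_violations(), fund.independent_check("Auditor")


def bill_and_mary_collude() -> tuple[list[str], int]:
    fund = CashFund()
    fund.assign("Bill", CUSTODY)
    fund.assign("Mary", RECORDING)
    fund.take_cash("Bill", 100)
    fund.post_expense("Mary", 100, "legitimate purpose")  # collusion hides the shortfall
    return fund.sod_violations(), fund.independent_check("Auditor")


if __name__ == "__main__":
    print("Bill alone:   ", bill_keeps_the_books())   # SoD violated, shortfall hidden
    print("Bill and Mary:", mary_keeps_the_books())   # no violation, count finds $100
    print("Collusion:    ", bill_and_mary_collude())  # no violation, yet hidden
```

The count only reveals the missing $100 in the second scenario; in the other two the books already agree with the cash, which is why the check needs independently maintained records to be worth anything.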

Which of the following does not violate separation of duties?
A. Approving purchase orders and receiving items ordered
B. Approving payment to vendors and completing the monthly bank reconciliation
C. Receiving checks in the mail and maintaining the cash receipts journal
D. Writing checks and receiving checks in the mail

COMMUNICATION INFORMATION & MONITOR CONTROL PROCESSES

Information and Communication
❖ Accountants must understand how:
▪ Transactions are initiated
▪ Data are captured in or converted to machine-readable form
▪ Computer files are accessed and updated
▪ Data are processed
▪ Information is reported to internal and external parties

An AIS has 5 primary objectives:
◦ Identify and record all valid transactions.
◦ Properly classify transactions.
◦ Record transactions at their proper monetary value.
◦ Record transactions in the proper accounting period.
◦ Properly present transactions and related disclosures in the financial statements.

3 Principles Apply To The Information & Communication Process:
✓ Obtain or generate relevant, high quality information to support internal control
✓ Internally communicate the information, objectives & responsibility to support other components of internal control
✓ Communicate relevant internal control matters to external parties

Monitoring
❖ The internal control system that is selected / developed must be continuously monitored, evaluated and modified as needed
❖ Monitoring can be accomplished with a series of ongoing events or by separate evaluations

Key Methods Of Monitoring Performance
Implement A Fraud Hotline
Perform Internal Control Evaluation
Install Fraud Detection Software
Implement Effective Supervision
Engage Forensic Specialists
Use Responsibility Accounting Systems
Employ A Computer Security Officer & A Chief Compliance Officer
Monitor System Activities
Conduct Periodic Audits
Track Purchased Software & Mobile Devices

Key Methods Of Monitoring Performance: Perform Internal Control Evaluation
• Can measure ERM effectiveness through a formal evaluation or through a self-assessment process.
• A special group can be assembled to conduct the evaluation, or it can be done by internal auditing.

Key Methods Of Monitoring Performance: Implement Effective Supervision
• Involves:
✓ Training and assisting employees;
✓ Monitoring their performance;
✓ Correcting errors; and
✓ Safeguarding assets by overseeing employees with access.
• Especially important in organizations without responsibility reporting or an adequate segregation of duties.

Key Methods Of Monitoring Performance: Use Responsibility Accounting Systems
• Includes use of:
✓ Budgets, quotas, schedules, standard costs, and quality standards;
✓ Performance reports that compare actual with planned performance and highlight variances; and
✓ Procedures for investigating significant variances and taking timely actions to correct adverse conditions.

Key Methods Of Monitoring Performance: Monitor System Activities
• Risk analysis and management software packages are available to:
✓ Review computer and network security measures;
✓ Detect illegal entry into systems;
✓ Test for weaknesses and vulnerabilities;
✓ Report weaknesses found; and
✓ Suggest improvements.
• Software is also available to monitor and combat viruses, spyware, spam, pop-up ads, and to prevent browsers from being hijacked.
• System transactions and activities should be recorded in a log which indicates who accessed what data, when, and from which terminal.
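A review of an activity log of the kind described above, added as an example rather than taken from the slides. The log format (who, what data, when, which terminal), the authorization table, the home terminals and the four log lines are all constructed; the review flags users unknown to the system, access to data outside a user's authorization, use of a terminal other than the user's own, and activity outside business hours.

```python
"""Monitor system activities: review a log of who accessed what data, when,
and from which terminal.

Added example, not from the slides. The log line format, the authorization
table, the terminal assignments and the sample log are all constructed.
"""
import re
from datetime import datetime, time
from typing import NamedTuple

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) data=(?P<data>\w+) "
    r"terminal=(?P<terminal>\w+) action=(?P<action>\w+)$"
)

# Who is authorized to touch which data. Mirrors segregation of duties:
# the cash custodian (bill) must not update the general ledger.
AUTHORIZED = {
    "bill": {"cash_receipts"},
    "mary": {"general_ledger"},
    "auditor": {"cash_receipts", "general_ledger"},
}
HOME_TERMINAL = {"bill": "T01", "mary": "T02", "auditor": "T09"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed sample log: lines 3 and 4 are the ones a reviewer should see.
SAMPLE_LOG = """\
2020-04-24T09:15:02 user=bill data=cash_receipts terminal=T01 action=read
2020-04-24T09:40:11 user=mary data=general_ledger terminal=T02 action=update
2020-04-24T22:05:47 user=bill data=general_ledger terminal=T02 action=update
2020-04-24T10:02:30 user=guest data=general_ledger terminal=T05 action=read
"""


class Access(NamedTuple):
    when: datetime
    user: str
    data: str
    terminal: str
    action: str


def parse_line(line: str) -> Access:
    m = LOG_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return Access(datetime.fromisoformat(m["ts"]), m["user"], m["data"],
                  m["terminal"], m["action"])


def review_log(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for every entry that warrants follow-up."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        a = parse_line(line)
        if a.user not in AUTHORIZED:
            findings.append((n, f"unknown user {a.user}"))
            continue            # illegal entry: nothing else worth checking
        if a.data not in AUTHORIZED[a.user]:
            findings.append((n, f"{a.user} not authorized for {a.data}"))
        if a.terminal != HOME_TERMINAL[a.user]:
            findings.append((n, f"{a.user} used terminal {a.terminal}"))
        start, end = BUSINESS_HOURS
        if not (start <= a.when.time() <= end):
            findings.append((n, f"{a.user} active outside business hours"))
    return findings


if __name__ == "__main__":
    for n, reason in review_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```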

Key Methods Of Monitoring Performance: Track Purchased Software & Mobile Devices
• The Business Software Alliance (BSA) aggressively tracks down and fines companies who violate software license agreements.
• To comply with copyrights, companies should periodically conduct software audits to ensure that:
✓ There are enough licenses for all users; and
✓ The company is not paying for more licenses than needed.
• Mobile devices should be tracked & monitored (who has them, what tasks they perform, the security features installed).

Key Methods Of Monitoring Performance: Conduct Periodic Audits
• To monitor risk and detect fraud and errors, the company should have periodic:
✓ External audits
✓ Internal audits
✓ Special network security audits
• Internal auditing involves:
✓ Reviewing the reliability and integrity of financial and operating information.
✓ Evaluating internal control effectiveness.
✓ Assessing employee compliance with management policies and procedures and applicable laws and regulations.
• Internal auditing should be organizationally independent of the accounting and operating functions.

Key Methods Of Monitoring Performance: Employ A Computer Security Officer & A Chief Compliance Officer
• The computer security officer (CSO) oversees AIS security
✓ Should be independent of the IS function
✓ Should report to the COO or CEO

Key Methods Of Monitoring Performance: Engage Forensic Specialists
• Forensic accountants specialize in fraud detection and investigation.
• Most forensic accountants are CPAs and may have received special training with the FBI, CIA, or other law enforcement agencies.
• Computer forensic specialists assist in discovering, extracting, safeguarding, and documenting computer evidence so that its authenticity, accuracy, and integrity will not succumb to legal challenges.

Key Methods Of Monitoring Performance: Install Fraud Detection Software
• People who commit fraud tend to follow certain patterns and leave clues behind that can be discovered by fraud detection software.
• Some companies employ neural networks (programs that mimic the brain and have learning capabilities), which are very accurate in identifying suspected fraud.

Key Methods Of Monitoring Performance: Implement A Fraud Hotline
• People who witness fraudulent behavior are often torn between conflicting feelings.
✓ They want to protect company assets and report fraud perpetrators.
✓ But they are uncomfortable in the whistle-blower role and find it easier to remain silent.
• They are particularly reluctant to report if they know of others who have suffered repercussions from doing so.
• SOX mandates that companies set up mechanisms for employees to anonymously report fraud & abuses.
• A fraud hotline is an effective way to comply with the law and resolve whistle-blower conflict.

Thank you
End of Chapter 7