
Accounting Information Systems: Essential Concepts and Applications
Fourth Edition by Wilkinson, Cerullo, Raval, and Wong-On-Wing

Chapter 7: Risk Exposures and the Internal Control Structure
Slides Authored by Somnath Bhattacharya, Ph.D., Florida Atlantic University

Internal Control
Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm's objectives will be achieved.
These controls encompass all the measures and practices that are used to counteract exposures to risks.
The control framework is called the Internal Control Structure.

Objectives of the Internal Control Structure
Promoting Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Safeguarding assets
Checking the accuracy and reliability of accounting data
Compliance with applicable laws and regulations
Encouraging adherence to prescribed managerial policies

Components and Major Considerations of the IC Structure
Figure 7-1 (diagram): the Internal Control Structure consists of the Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring. Control Activities divide into activities related to Financial Reporting and activities related to Information Processing; the latter divide into General Controls and Application Controls.

Control Environment
The Control Environment establishes the tone of a company, influencing the control consciousness of its employees.
It comprises seven components:
Management philosophy and operating style
Integrity and ethical values
Commitment to competence
The Board of Directors and the Audit Committee
Organizational Structure
Assignment of authority and responsibility
Human resources policies and practices
External Influences

Highlights of CE Components - I
Management Philosophy and Operating Style
Does management emphasize short-term profits and operating goals over long-term goals?
Is management dominated by one or a few individuals?
What type of business risks does management take and how are these risks managed?
Is management conservative or aggressive toward selecting from available alternative accounting principles?
Figure 7-2

Highlights of CE Components - II
Organization Structure
Is an up-to-date organization chart prepared, showing the names of key personnel?
Is the information systems function separated from incompatible functions?
How is the accounting department organized?
Is the internal audit function separate and distinct from accounting?
Do subordinate managers report to more than one supervisor?
Figure 7-2 Continued

Highlights of CE Components - III
Assignment of Authority and Responsibility
Does the company prepare written employee job descriptions defining specific duties and reporting relationships?
Is written approval required for changes made to information systems?
Does the company clearly delineate to employees and managers the boundaries of authority-responsibility relationships?
Does the company properly delegate authority to employees and departments?
Figure 7-2 Continued

Highlights of CE Components - IV
Human Resource Policies and Practices
Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and Corporate Code of Conduct?
Is the company in compliance with the ADA? The EEOA?
Are Grievance Procedures to manage conflict in force?
Does the company maintain a sound Employee Relations program?
Do employees work in a safe, healthy environment?
Are Counseling Programs available to employees?
Are proper Separation Programs in force for employees who leave the firm?
Are critical employees Bonded?
Figure 7-2 Continued

Key Functions Performed by Audit Committees
Establish an Internal Audit Department
Review the Scope and Status of Audits
Review Audit Findings with the Board and ensure that Management has taken proper action recommended in the Audit Report and Letter of Reportable Conditions
Maintain a direct Line of Communication among the Board, Management, External and Internal Auditors, and periodically arrange Meetings among the parties
Figure 7-3

Key Functions Performed by Audit Committees (continued)
Review the Audited Financial Statements with the Internal Auditors and the Board of Directors
Require periodic Quality Reviews of the operations of the Internal Audit Departments to identify areas needing improvement
Supervise special investigations, such as Fraud Investigations
Assess the performance of Financial Management
Require the Review of Compliance with Laws and Regulations and with Corporate Codes of Conduct
Figure 7-3

Risk Assessment
Top management must be directly involved in Business Risk Assessment. This involves the Identification and Analysis of Relevant Risks that may prevent the attainment of Company-wide Objectives and Objectives of Organizational Units, and the formation of a plan to determine how to manage the risks.

Control Activities - I
Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:
Preventive Controls block adverse events, such as errors or losses, from occurring
Detective Controls discover the occurrence of adverse events such as operational inefficiency
Corrective Controls are designed to remedy problems discovered through detective controls
Security Measures are intended to provide adequate safeguards over access to and use of assets and data records

Control Activities - II
Control Activities relating to Information Processing may also be classified according to where they will be applied within the system:
General Controls are those controls that pertain to all activities involving a firm's AIS and assets
Application Controls relate to specific accounting tasks or transactions
The overall trend seems to be going from specific application controls to more global general controls.

Control Activities - III
Performance Reviews
Comparing Budgets to Actual Values
Relating Different Sets of Data (Operating or Financial) to one another, together with Analyses of the relationships and Investigative and Corrective Actions
Reviewing Functional Performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections

Information & Communication
All Transactions entered for processing are Valid and Authorized
All valid transactions are captured and entered for processing on a Timely Basis and in Sufficient Detail to permit the proper Classification of Transactions
The input data of all entered transactions are Accurate and Complete, with the transactions being expressed in proper Monetary terms
All entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data sets
All required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable Information
All transactions are recorded in the proper Accounting Period
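The transaction objectives listed above (valid and authorized, complete, in proper monetary terms, in the proper accounting period) are what the input edit checks of a computer-based system enforce before a record is released for processing. The following Python is an added example, not code from the textbook or its authors: it screens a constructed batch of transaction records against those objectives and returns the exceptions for each record. The approver list, account list, open period and field names are all assumed for the illustration.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed reference data (assumed, not from the chapter): who may approve
# transactions, which accounts exist, and the currently open accounting period.
AUTHORIZED_APPROVERS = {"jdoe", "asmith"}
VALID_ACCOUNTS = {"1000", "2000", "4000"}
OPEN_PERIOD = (date(2024, 3, 1), date(2024, 3, 31))
REQUIRED_FIELDS = ("txn_id", "date", "account", "amount", "approved_by")


def edit_check(txn, period=OPEN_PERIOD):
    """Run input edit checks on one transaction record (a dict).

    Returns a list of exception messages; an empty list means the record
    passes every check and may be released for processing.
    """
    errors = []

    # Completeness: every required field must be present and non-blank.
    for field in REQUIRED_FIELDS:
        if txn.get(field) in (None, ""):
            errors.append("missing " + field)
    if errors:
        return errors  # the remaining checks need the fields to exist

    # Validity and authorization: a known approver and a known account.
    if txn["approved_by"] not in AUTHORIZED_APPROVERS:
        errors.append("approver not authorized")
    if txn["account"] not in VALID_ACCOUNTS:
        errors.append("unknown account")

    # Accuracy / proper monetary terms: finite, non-zero, at most two decimals.
    try:
        amount = Decimal(str(txn["amount"]))
        if (not amount.is_finite() or amount == 0
                or amount.as_tuple().exponent < -2):
            errors.append("amount not in proper monetary terms")
    except InvalidOperation:
        errors.append("amount not numeric")

    # Proper accounting period: the date must fall inside the open period.
    try:
        when = date.fromisoformat(txn["date"])
        if not (period[0] <= when <= period[1]):
            errors.append("date outside open accounting period")
    except ValueError:
        errors.append("date not a valid ISO date")

    return errors


def screen_batch(batch, period=OPEN_PERIOD):
    """Split a batch into accepted ids and (id, errors) pairs for rejected records."""
    accepted, rejected = [], []
    for txn in batch:
        errs = edit_check(txn, period)
        txn_id = txn.get("txn_id", "?")
        if errs:
            rejected.append((txn_id, errs))
        else:
            accepted.append(txn_id)
    return accepted, rejected


# Constructed sample batch: one clean record and three that each trip a check.
SAMPLE_BATCH = [
    {"txn_id": "T1", "date": "2024-03-15", "account": "1000", "amount": "125.50", "approved_by": "jdoe"},
    {"txn_id": "T2", "date": "2024-03-16", "account": "1000", "amount": "99.999", "approved_by": "mallory"},
    {"txn_id": "T3", "date": "2024-04-02", "account": "4000", "amount": "40.00", "approved_by": "asmith"},
    {"txn_id": "T4", "date": "2024-03-20", "account": "2000", "amount": "", "approved_by": "jdoe"},
]

if __name__ == "__main__":
    ok, bad = screen_batch(SAMPLE_BATCH)
    print("accepted:", ok)
    for txn_id, errs in bad:
        print("rejected:", txn_id, "->", "; ".join(errs))
```

The checks are ordered so that a record missing fields is rejected immediately rather than producing misleading secondary errors; everything else is reported together so the exception report names every defect in one pass, which is what a clerk reviewing rejected input needs.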

Risk
Business firms face risks that reduce the chances of achieving their control objectives.
Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers.
Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.

Some Typical Sources of Risk - I
Clerical and Operational Employees, who process transactional data and have access to Assets
Computer Programmers, who have knowledge relating to the Instructions by which transactions are processed
Managers and Accountants, who have access to Records and Financial Reports and often have Authority to Approve Transactions
Figure 7-4

Some Typical Sources of Risk - II
Former Employees, who may still understand the Control Structure and may harbor grudges against the firm
Customers and Suppliers, who generate many of the transactions processed by the firm
Competitors, who may desire to acquire confidential information of the firm
Outside Persons, such as Computer Hackers and Criminals, who have various reasons to access the firm's data or its assets or to commit destructive acts
Acts of Nature or Accidents, such as floods, fires, and equipment breakdowns
Figure 7-4 Continued

Types of Risks
Unintentional Errors
Deliberate Errors (Fraud)
Unintentional Losses of Assets
Thefts of Assets
Breaches of Security
Acts of Violence and Natural Disasters

Factors that Increase Risk Exposure
Frequency: the more frequent an occurrence of a transaction, the greater the exposure to risk
Vulnerability: liquid and/or portable assets contribute to risk exposure
Size of the potential loss: the higher the monetary value of a loss, the greater the risk exposure

Problem Conditions Affecting Risk Exposures
Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures
Lack of Enforcement: management may not prosecute wrongdoers because of the potential embarrassment
Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect

Computer Crime
Computer crime (computer abuse) is the use of a computer to deceive for personal gain.
Due to the proliferation of networks and personal computers, computer crime is expected to significantly increase both in frequency and amount of loss.
It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.

Examples of Computer Crime
Theft of Computer Hardware & Software
Unauthorized Use of Computer Facilities for Personal Use
Fraudulent Modification or Use of Data or Programs

Reasons Why Computers Cause Control Problems
Processing is Concentrated
Audit Trails may be Undermined
Human Judgment is bypassed
Data are stored in Device-Oriented rather than Human-Oriented forms:
  Invisible Data
  Stored data are Erasable
  Data are stored in a Compressed form
  Stored data are relatively accessible
Computer Equipment is Powerful but Complex and Vulnerable

Feasibility of Controls
Audit Considerations
Cost-Benefit Considerations:
(1) Determine the specific computer resources subject to control
(2) Determine all potential threats to the company's computer system
(3) Assess the relevant risks to which the firm is exposed
(4) Measure the extent of each relevant risk exposure in dollar terms
(5) Multiply the estimated effect of each relevant risk exposure by the estimated frequency of occurrence over a reasonable period, such as a year
(6) Compute the cost of installing and maintaining a control that is to counter each relevant risk exposure
(7) Compare the benefits against the costs of each control
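The cost-benefit procedure above, together with the three exposure factors named earlier (frequency, vulnerability and size of the potential loss), reduces to a small calculation: the annual expected loss of an exposure is its dollar effect per occurrence times its yearly frequency, and a control is justified only when the part of that loss it prevents exceeds its own annual cost. The Python below is an added worked example, not from the textbook or its authors; the exposure figures, the candidate controls, the loss-reduction fractions and all field names are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskExposure:
    """One relevant risk to one computer resource (field names are assumed)."""
    resource: str           # the computer resource subject to control
    threat: str             # the potential threat to that resource
    loss_per_event: float   # estimated effect of one occurrence, in dollars
    events_per_year: float  # estimated frequency over the chosen period (one year)

    def annual_expected_loss(self):
        # Estimated effect multiplied by estimated frequency over a year.
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Control:
    """A candidate control and what it is expected to achieve (assumed fields)."""
    name: str
    annual_cost: float      # cost of installing and maintaining the control
    loss_reduction: float   # assumed share (0..1) of the expected loss it removes


def annual_benefit(exposure, control):
    # Benefit of a control = the part of the annual expected loss it prevents.
    return exposure.annual_expected_loss() * control.loss_reduction


def net_benefit(exposure, control):
    # Compare the benefit of the control against its cost.
    return annual_benefit(exposure, control) - control.annual_cost


def recommend(exposure, controls):
    """Return the control with the largest positive net benefit, or None when
    no candidate is worth more than it costs."""
    best = max(controls, key=lambda c: net_benefit(exposure, c), default=None)
    if best is None or net_benefit(exposure, best) <= 0:
        return None
    return best


# Constructed figures (not from the chapter): one exposure and three candidate controls.
PAYABLES_EXPOSURE = RiskExposure(
    resource="accounts payable master file",
    threat="unauthorized modification of vendor payment records",
    loss_per_event=50_000.0,   # dollars per occurrence
    events_per_year=0.2,       # roughly once every five years
)
CANDIDATE_CONTROLS = [
    Control("restrict write access to the payables file", annual_cost=3_000.0, loss_reduction=0.8),
    Control("independent review of every change", annual_cost=15_000.0, loss_reduction=0.95),
    Control("monthly exception report of changed records", annual_cost=1_000.0, loss_reduction=0.3),
]

if __name__ == "__main__":
    print(f"annual expected loss: ${PAYABLES_EXPOSURE.annual_expected_loss():,.0f}")
    for c in CANDIDATE_CONTROLS:
        print(f"{c.name}: net benefit ${net_benefit(PAYABLES_EXPOSURE, c):,.0f}")
    chosen = recommend(PAYABLES_EXPOSURE, CANDIDATE_CONTROLS)
    print("recommended:", chosen.name if chosen else "none justified")
```

With these constructed numbers the annual expected loss is $10,000; the access restriction nets $5,000 a year, the exception report $2,000, and the independent review of every change loses $5,500 because its cost exceeds the loss it prevents, so the second candidate is the most effective control yet the first is the one the procedure recommends. The loss-reduction fraction is the one input the chapter's steps do not name explicitly; it is the analyst's estimate of how much of the exposure a control actually counters.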

Legislation
The Foreign Corrupt Practices Act of 1977
Of the Federal Legislation governing the use of computers, the Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important.
This act makes it a federal crime to intentionally access a computer for such purposes as: (1) obtaining top-secret military information, or personal, financial or credit information; (2) committing a fraud; (3) altering or destroying federal information.

Methods for Thwarting Computer Abuse
Enlist top-management support so that awareness of computer abuse will filter down through management ranks.
Implement and enforce control procedures.
Increase employee awareness of the seriousness of computer abuse, the amount of costs, and the disruption it creates.
Establish a code of conduct.
Be aware of the common characteristics of most computer abusers.

Methods for Thwarting Computer Abuse (continued)
Recognize the symptoms of computer abuse, such as:
  behavioral or lifestyle changes in an employee
  accounting irregularities such as forged, altered or destroyed input documents or suspicious accounting adjustments
  absent or ignored control procedures
  the presence of many odd or unusual anomalies that go unchallenged
Encourage ethical behavior.

Control Problems Caused by Computerization: Data Collection
Figure 7-6 (table; each row gives the manual-system characteristic, the computer-based system characteristic, the resulting risk exposure, and the compensating control)

Manual system: Data recorded in paper source documents
Computer-based system: Data sometimes captured without use of source documents
Risk exposure: Audit trail may be partially lost
Compensating control: Printed copies of source documents prepared by computer systems

Manual system: Data reviewed for errors by clerks
Computer-based system: Data often not subject to review by clerks
Risk exposure: Errors, accidental or deliberate, may be entered for processing
Compensating control: Edit checks performed by computer system

Control Problems Caused by Computerization: Data Processing
Figure 7-6 Continued (same four columns)

Manual system: Processing steps performed by clerks who possess judgment
Computer-based system: Processing steps performed by CPU blindly in accordance with program instructions
Risk exposure: Errors may cause incorrect results of processing
Compensating control: Outputs reviewed by users of computer system; carefully developed computer processing programs

Manual system: Processing steps spread among various clerks in separate departments
Computer-based system: Processing steps concentrated within computer CPU
Risk exposure: Unauthorized manipulation of data and theft of assets can occur on larger scale
Compensating control: Restricted access to computer facilities; clear procedure for authorizing changes to programs

Manual system: Processing requires use of journals and ledgers
Computer-based system: Processing does not require use of journals
Risk exposure: Audit trail may be partially lost
Compensating control: Printed journals and other analyses

Manual system: Processing performed relatively slowly
Computer-based system: Processing performed very rapidly
Risk exposure: Effects of errors may spread rapidly through files
Compensating control: Editing of all data during input and processing steps

Control Problems Caused by Computerization: Data Storage & Retrieval
Figure 7-6 Continued (same four columns)

Manual system: Data stored in file drawers throughout the various departments
Computer-based system: Data compressed on magnetic media (e.g., tapes, disks)
Risk exposure: Data may be accessed by unauthorized persons or stolen
Compensating control: Security measures at points of access and over data library

Manual system: Data stored on hard copies in human-readable form
Computer-based system: Data stored in invisible, erasable, computer-readable form
Risk exposure: Data are temporarily unusable by humans, and might possibly be lost
Compensating control: Data files printed periodically; backup of files; protection against sudden power losses

Manual system: Stored data accessible on a piece-meal basis at various locations
Computer-based system: Stored data often readily accessible from various locations via terminals
Risk exposure: Data may be accessed by unauthorized persons
Compensating control: Security measures at points of access

Control Problems Caused by Computerization: Information Generation
Figure 7-6 Continued (same four columns)

Manual system: Outputs generated laboriously and usually in small volumes
Computer-based system: Outputs generated quickly and neatly, often in large volumes
Risk exposure: Inaccuracies may be buried in impressive-looking outputs that users accept on faith
Compensating control: Reviews by users of outputs, including the checking of amounts

Manual system: Outputs usually in hard-copy form
Computer-based system: Outputs provided in various forms, including soft-copy displays and voice responses
Risk exposure: Information stored on magnetic media is subject to modification (only hard copy provides permanent record)
Compensating control: Backup of files; periodic printing of stored files onto hard-copy records

Control Problems Caused by Computerization: Equipment
Figure 7-6 Continued (same four columns)

Manual system: Relatively simple, inexpensive, and mobile
Computer-based system: Relatively complex, expensive, and in fixed locations
Risk exposure: Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed; operations may be delayed through inefficiencies
Compensating control: Backup of data and power supply and equipment; preventive maintenance of equipment; restrictions on access to computer facilities; documentation of equipment usage and processing procedures


Copyright 2000 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the express
written permission of the copyright owner is unlawful. Request for
further information should be addressed to the Permissions Department,
John Wiley & Sons, Inc. The purchaser may make back-up copies for
his/her own use only and not for distribution or resale. The publisher
assumes no responsibility for errors, omissions, or damages, caused by
the use of these programs or from the use of the information contained
herein.
