Internal Control System (Accounting Information Systems)

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 7-1 INTERNAL CONTROL SYSTEM

Upload: rahmat-ibrahim

Post on 20-Jul-2015



Learning Objectives

1. Describe the threats to an AIS and discuss why these threats are growing.

2. Explain the basic concepts of control as applied to business organizations.

3. Describe the major elements in the control environment of a business organization.


Learning Objectives, continued

4. Describe control policies and procedures commonly used in business organizations.

5. Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.

6. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.


Introduction

Jason Scott has been hired as an internal auditor for Northwest Industries, a diversified forest products company.

He is assigned to audit Springer’s Lumber & Supply, Northwest’s building materials outlet in Montana.


Introduction

His supervisor, Maria Pilier, has asked him to trace a sample of purchase transactions to verify that proper control procedures were followed. Jason becomes frustrated with this task.

Why is Jason frustrated?

The purchasing system is poorly documented.

He keeps finding transactions that have not been processed as Ed Yates, the accounts payable manager, said they should be.


Introduction

Jason’s frustrations, continued

Some vendor invoices have been paid without supporting documents.

Purchase requisitions are missing for several items that had been authorized by Bill Springer, purchasing v.p.

Prices charged for some items seem unusually high.

Springer’s is the largest supplier in the area and has a near monopoly.

Management authority is concentrated in the company president, Joe Springer, and his sons Bill, the purchasing v.p., and Ted, the controller.

Maria feels that Ted may have engaged in “creative accounting.”


Introduction

Jason ponders the following issues:

Should he describe the unusual transactions in his report?

Is a violation of proper control procedures acceptable if it has been authorized by management?

Regarding Jason’s assignment, does he have a professional or ethical responsibility to get involved?


Learning Objective

Describe the threats to an AIS and discuss why these threats are growing.


Threats to Accounting Information Systems

What are examples of natural and political disasters?

– fire or excessive heat

– floods

– earthquakes

– high winds

– war


Threats to Accounting Information Systems

What are examples of unintentional acts?

– accidents caused by human carelessness

– innocent errors or omissions

– lost or misplaced data

– logic errors

– systems that do not meet company needs


Threats to Accounting Information Systems

What are examples of software errors and equipment malfunctions?

– hardware failures

– power outages and fluctuations

– undetected data transmission errors


Threats to Accounting Information Systems

What are examples of intentional acts?

– sabotage

– computer fraud

– embezzlement


Why are AIS Threats Increasing?

Increasing numbers of client/server systems mean that information is available to an unprecedented number of workers.

Because LANs and client/server systems distribute data to many users, they are harder to control than centralized mainframe systems.

WANs are giving customers and suppliers access to each other’s systems and data, making confidentiality a concern.


BASIC CONCEPT - CONTROL

Explain the basic concepts of control as applied to business organizations.


Overview of Control Concepts

What is the traditional definition of internal control?

Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.


Overview of Control Concepts

What is management control?

Management control encompasses the following three features:

1 It is an integral part of management responsibilities.

2 It is designed to reduce errors and irregularities and to achieve organizational goals.

3 It is personnel-oriented and seeks to help employees attain company goals.


Internal Control Classifications

The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:

1 Preventive, detective, and corrective controls

2 General and application controls

3 Administrative and accounting controls

4 Input, processing, and output controls


The Foreign Corrupt Practices Act

In 1977, Congress incorporated language from an AICPA pronouncement into the Foreign Corrupt Practices Act.

The primary purpose of the act was to prevent the bribery of foreign officials in order to obtain business.

A significant effect of the act was to require corporations to maintain good systems of internal accounting control.


Committee of Sponsoring Organizations

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:

1 American Accounting Association

2 American Institute of Certified Public Accountants

3 Institute of Internal Auditors

4 Institute of Management Accountants

5 Financial Executives Institute


Committee of Sponsoring Organizations

In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems.

The report has been widely accepted as the authority on internal controls.


Committee of Sponsoring Organizations

The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:

– effectiveness and efficiency of operations

– reliability of financial reporting

– compliance with applicable laws and regulations


Committee of Sponsoring Organizations

COSO’s internal control model has five crucial components:

1 Control environment

2 Control activities

3 Risk assessment

4 Information and communication

5 Monitoring


Information Systems Audit and Control Foundation

The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).

COBIT consolidates standards from 36 different sources into a single framework.

The framework addresses the issue of control from three vantage points, or dimensions:


ELEMENT OF INTERNAL CONTROL

Describe the major elements in the control environment of a business organization.


The Control Environment

The first component of COSO’s internal control model is the control environment.

The control environment consists of many factors, including the following:

1 Commitment to integrity and ethical values

2 Management’s philosophy and operating style

3 Organizational structure


The Control Environment

4 The audit committee of the board of directors

5 Methods of assigning authority and responsibility

6 Human resources policies and practices

7 External influences


Learning Objective 4

Describe control policies and procedures commonly used in business organizations.


Control Activities

The second component of COSO’s internal control model is control activities.

Generally, control procedures fall into one of five categories:

1 Proper authorization of transactions and activities

2 Segregation of duties


Control Activities

3 Design and use of adequate documents and records

4 Adequate safeguards of assets and records

5 Independent checks on performance


Proper Authorization of Transactions and Activities

Authorization is the empowerment management gives employees to perform activities and make decisions.

A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.

Specific authorization is the granting of authorization by management for certain activities or transactions.


Segregation of Duties

Good internal control demands that no single employee be given too much responsibility.

An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.


Segregation of Duties

Recording Functions

Preparing source documents

Maintaining journals

Preparing reconciliations

Preparing performance reports

Custodial Functions

Handling cash

Handling assets

Writing checks

Receiving checks in mail

Authorization Functions

Authorization of transactions


Segregation of Duties

If two of these three functions are the responsibility of a single person, problems can arise.

Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.

It also prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.


Segregation of Duties

Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
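The rule that no one person should hold two of the three functions can be checked mechanically against a duty roster. The following is an added example, not part of the original slides: the duty names follow the three function lists above, while the employee names and assignments are constructed sample data.

```python
# Map each duty named on the slides to its function (recording, custody, authorization).
FUNCTION_OF_DUTY = {
    "preparing source documents": "recording",
    "maintaining journals": "recording",
    "preparing reconciliations": "recording",
    "preparing performance reports": "recording",
    "handling cash": "custody",
    "handling assets": "custody",
    "writing checks": "custody",
    "receiving checks in mail": "custody",
    "authorization of transactions": "authorization",
}


def segregation_conflicts(assignments):
    """Return {employee: [functions]} for every employee holding two or more functions."""
    conflicts = {}
    for employee, duties in assignments.items():
        unknown = [d for d in duties if d not in FUNCTION_OF_DUTY]
        if unknown:
            # An unclassified duty would silently escape the check, so fail loudly.
            raise ValueError(f"{employee}: unclassified duties {unknown}")
        functions = sorted({FUNCTION_OF_DUTY[d] for d in duties})
        if len(functions) >= 2:
            conflicts[employee] = functions
    return conflicts


# Constructed sample roster (hypothetical employees).
SAMPLE_ASSIGNMENTS = {
    "clerk_a": ["preparing source documents", "maintaining journals"],
    "cashier_b": ["handling cash", "preparing reconciliations"],
    "manager_c": ["authorization of transactions"],
    "owner_d": ["authorization of transactions", "writing checks",
                "maintaining journals"],
}

if __name__ == "__main__":
    for employee, functions in segregation_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{employee}: combines {', '.join(functions)}")
```

Several duties within one function (clerk_a) are not flagged; only a combination across functions is.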


Design and Use of Adequate Documents and Records

The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.

Documents that initiate a transaction should contain a space for authorization.


Design and Use of Adequate Documents and Records

The following procedures safeguard assets from theft, unauthorized use, and vandalism:

– effectively supervising and segregating duties

– maintaining accurate records of assets, including information

– restricting physical access to cash and paper assets

– having restricted storage areas


Adequate Safeguards of Assets and Records

What can be used to safeguard assets?

– cash registers

– safes, lockboxes

– safety deposit boxes

– restricted and fireproof storage areas

– controlling the environment

– restricted access to computer rooms, computer files, and information


Independent Checks on Performance

Independent checks to ensure that transactions are processed accurately are another important control element.


Independent Checks on Performance

What are various types of independent checks?

– reconciliation of two independently maintained sets of records

– comparison of actual quantities with recorded amounts

– double-entry accounting

– batch totals


Independent Checks on Performance

Five batch totals are used in computer systems:

1 A financial total is the sum of a dollar field.

2 A hash total is the sum of a field that would usually not be added.


Independent Checks on Performance

3 A record count is the number of documents processed.

4 A line count is the number of lines of data entered.

5 A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
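The five batch totals catch different kinds of processing errors. The following is an added example, not part of the original slides: the invoice batch, its field names and the simulated errors are constructed, and the vendor number stands in for the field that "would usually not be added".

```python
from decimal import Decimal as D

AMOUNT_COLUMNS = ("materials", "freight", "tax")

# Constructed sample batch of vendor invoices (not data from the slides).
BATCH = [
    {"invoice": 1001, "vendor_no": 417, "lines": 2, "materials": D("120.00"),
     "freight": D("15.00"), "tax": D("9.45"), "total": D("144.45")},
    {"invoice": 1002, "vendor_no": 522, "lines": 1, "materials": D("80.00"),
     "freight": D("0.00"), "tax": D("5.60"), "total": D("85.60")},
    {"invoice": 1003, "vendor_no": 417, "lines": 3, "materials": D("310.25"),
     "freight": D("22.00"), "tax": D("23.26"), "total": D("355.51")},
]


def batch_totals(records):
    """Control totals, computed when the batch is prepared and again after processing."""
    return {
        "financial_total": sum((r["total"] for r in records), D("0")),
        "hash_total": sum(r["vendor_no"] for r in records),  # sum has no meaning itself
        "record_count": len(records),
        "line_count": sum(r["lines"] for r in records),
    }


def cross_foots(records):
    """Grand total of the row totals must equal the grand total of the column totals."""
    rows = sum((r["total"] for r in records), D("0"))
    cols = sum((r[c] for r in records for c in AMOUNT_COLUMNS), D("0"))
    return rows == cols


def failed_checks(control, records):
    """Names of the batch checks that the processed records no longer satisfy."""
    computed = batch_totals(records)
    failed = [name for name, value in control.items() if computed[name] != value]
    if not cross_foots(records):
        failed.append("cross_footing")
    return failed


def with_change(records, invoice, **changes):
    """Copy of the batch with one invoice's fields overwritten (a simulated error)."""
    return [dict(r, **changes) if r["invoice"] == invoice else dict(r)
            for r in records]


if __name__ == "__main__":
    control = batch_totals(BATCH)
    print(failed_checks(control, BATCH))                                    # clean run
    print(failed_checks(control, [r for r in BATCH if r["invoice"] != 1002]))  # lost record
    print(failed_checks(control, with_change(BATCH, 1003, vendor_no=471)))  # mis-keyed vendor
    print(failed_checks(control, with_change(BATCH, 1003, freight=D("32.00"))))  # altered cell
```

A mis-keyed vendor number leaves every dollar figure intact, so only the hash total exposes it; an amount changed without updating the invoice total passes the four sums and fails only the cross-footing test.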


Learning Objective 5

Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.


Risk Assessment

The third component of COSO’s internal control model is risk assessment.

Companies must identify the threats they face:

– strategic — doing the wrong thing

– financial — having financial resources lost, wasted, or stolen

– information — faulty or irrelevant information, or unreliable systems


Risk Assessment

Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:

1 Choosing an inappropriate technology

2 Unauthorized system access

3 Tapping into data transmissions

4 Loss of data integrity


Risk Assessment

5 Incomplete transactions

6 System failures

7 Incompatible systems


Risk Assessment

Some threats pose a greater risk because they are more likely to occur. For example:

A company is more likely to be the victim of a computer fraud than of a terrorist attack.

Risk and exposure must be considered together.


Learning Objective 6

Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.


Estimate Cost and Benefits

No internal control system can provide foolproof protection against all internal control threats.

The cost of a foolproof system would be prohibitively high.

One way to calculate benefits involves calculating expected loss.


Estimate Cost and Benefits

Expected loss = risk × exposure

The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.
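A cost-benefit comparison built on the expected-loss formula can be carried through for several candidate controls at once. The following is an added example, not part of the original slides: the control names and all figures are constructed, and it assumes each control changes only the risk, not the exposure. Net benefit (benefit minus the control's cost) is the comparison added here.

```python
from decimal import Decimal as D


def expected_loss(risk, exposure):
    """Expected loss = risk (probability of the threat) x exposure (loss if it occurs)."""
    if not D("0") <= risk <= D("1"):
        raise ValueError("risk must be a probability between 0 and 1")
    return risk * exposure


def evaluate_control(exposure, risk_without, risk_with, cost):
    """Benefit = expected loss without the control minus expected loss with it."""
    loss_without = expected_loss(risk_without, exposure)
    loss_with = expected_loss(risk_with, exposure)
    benefit = loss_without - loss_with
    return {
        "loss_without": loss_without,
        "loss_with": loss_with,
        "benefit": benefit,
        "net_benefit": benefit - cost,  # assumption: compare benefit against cost
    }


# Constructed candidate controls (hypothetical names and figures).
CANDIDATES = {
    "payroll data validation": dict(
        exposure=D("800000"), risk_without=D("0.15"), risk_with=D("0.01"),
        cost=D("43000")),
    "second approval on small purchases": dict(
        exposure=D("50000"), risk_without=D("0.02"), risk_with=D("0.005"),
        cost=D("5000")),
    "daily bank reconciliation": dict(
        exposure=D("200000"), risk_without=D("0.05"), risk_with=D("0.01"),
        cost=D("6000")),
}


def worthwhile_controls(candidates):
    """Controls whose benefit exceeds their cost, largest net benefit first."""
    results = {name: evaluate_control(**c) for name, c in candidates.items()}
    keep = [name for name, r in results.items() if r["net_benefit"] > 0]
    return sorted(keep, key=lambda name: results[name]["net_benefit"], reverse=True)


if __name__ == "__main__":
    for name, params in CANDIDATES.items():
        r = evaluate_control(**params)
        print(f"{name}: benefit {r['benefit']}, net {r['net_benefit']}")
    print("implement:", worthwhile_controls(CANDIDATES))
```

The second candidate cuts its risk by three quarters yet still fails the test, because the exposure it protects is small relative to what the control costs.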


Information and Communication

The fourth component of COSO’s internal control model is information and communication.


Information and Communication

Accountants must understand the following:

1 How transactions are initiated

2 How data are captured in machine-readable form or converted from source documents

3 How computer files are accessed and updated

4 How data are processed to prepare information

5 How information is reported

6 How transactions are initiated


Information and Communication

All of these items make it possible for the system to have an audit trail.

An audit trail exists when individual company transactions can be traced through the system.


Monitoring Performance

The fifth component of COSO’s internal control model is monitoring.

What are the key methods of monitoring performance?

– effective supervision

– responsibility accounting

– internal auditing


Case Conclusion

What happened to Jason’s report?

A high-level internal audit team was dispatched to Montana.

The team discovered that the problems identified by Jason occurred almost exclusively in transactions with three large vendors from whom Springer’s had purchased several million dollars of inventory.


Case Conclusion

One of the Springers held a significant ownership interest in each of these three companies.

They also found evidence that several of Springer’s employees were paid for more hours than documented by timekeeping, and that inventories were overstated.

Northwest settled the case with the Springers.