Romney ch06

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 1 of 315
C HAPTER 6
Control and Accounting
Information Systems

INTRODUCTION
• Questions to be addressed in this chapter:
– What are the basic internal control concepts, and why are
computer control and security important?
– What is the difference between the COBIT, COSO, and ERM
control frameworks?
– What are the major elements in the internal environment of a
company?
– What are the four types of control objectives that companies
need to set?
– What events affect uncertainty, and how can they be identified?
– How is the Enterprise Risk Management model used to assess
and respond to risk?
– What control activities are commonly used in companies?
– How do organizations communicate information and monitor
control processes?

INTRODUCTION
• Why AIS threats are increasing
– Control risks have increased in the last few years
because:
• There are computers and servers everywhere, and
information is available to an unprecedented number of
workers.
• Distributed computer networks make data available to many
users, and these networks are harder to control than
centralized mainframe systems.
• Wide area networks are giving customers and suppliers
access to each other’s systems and data, making
confidentiality a major concern.

INTRODUCTION
• Historically, many organizations have not adequately
protected their data due to one or more of the following
reasons:
– Computer control problems are often underestimated and
downplayed.
– Control implications of moving from centralized, host-based
computer systems to those of a networked system or Internet-
based system are not always fully understood.
– Companies have not realized that data is a strategic resource
and that data security must be a strategic requirement.
– Productivity and cost pressures may motivate management to
forego time-consuming control measures.

INTRODUCTION
• Some vocabulary terms for this chapter:
– A threat is any potential adverse occurrence
or unwanted event that could injure the AIS or
the organization.
– The exposure or impact of the threat is the
potential dollar loss that would occur if the
threat becomes a reality.
– The likelihood is the probability that the
threat will occur.

INTRODUCTION
• Control and security are important
– Companies are now recognizing the problems and
taking positive steps to achieve better control,
including:
• Devoting full-time staff to security and control concerns.
• Educating employees about control measures.
• Establishing and enforcing formal information security
policies.
• Making controls a part of the applications development
process.
• Moving sensitive data to more secure environments.

INTRODUCTION
• To use IT in achieving control objectives,
accountants must:
– Understand how to protect systems from
threats.
– Have a good understanding of IT and its
capabilities and risks.
• Achieving adequate security and control
over the information resources of an
organization should be a top management
priority.

INTRODUCTION
• Control objectives are the same regardless of
the data processing method, but a computer-
based AIS requires different internal control
policies and procedures because:
– Computer processing may reduce clerical errors but
increase risks of unauthorized access or modification
of data files.
– Segregation of duties must be achieved differently in
an AIS.
– Computers provide opportunities for enhancement of
some internal controls.

INTRODUCTION
• One of the primary objectives of an AIS is to
control a business organization.
– Accountants must help by designing effective control
systems and auditing or reviewing control systems
already in place to ensure their effectiveness.
• Management expects accountants to be control
consultants by:
– Taking a proactive approach to eliminating system
threats; and
– Detecting, correcting, and recovering from threats
when they do occur.

INTRODUCTION
• It is much easier to build controls into a
system during the initial stage than to add
them after the fact.
• Consequently, accountants and control
experts should be members of the teams
that develop or modify information
systems.

OVERVIEW OF CONTROL CONCEPTS
• In today’s dynamic business environment,
companies must react quickly to changing
conditions and markets, including steps to:
– Hire creative and innovative employees.
– Give these employees power and flexibility to:
• Satisfy changing customer demands;
• Pursue new opportunities to add value to the organization;
and
• Implement process improvements.
• At the same time, the company needs control
systems so they are not exposed to excessive
risks or behaviors that could harm their
reputation for honesty and integrity.

• Internal control is the process implemented by the
board of directors, management, and those under their
direction to provide reasonable assurance that the
following control objectives are achieved:
– Assets (including data) are safeguarded.
• This objective includes prevention or timely
detection of unauthorized acquisition, use, or
disposal of material company assets.

– Records are maintained in sufficient detail to accurately and
fairly reflect company assets.

– Accurate and reliable information is provided.

– There is reasonable assurance that financial reports are
prepared in accordance with GAAP.

– Operational efficiency is promoted and improved.
• This objective includes ensuring that company
receipts and expenditures are made in accordance
with management and directors’ authorizations.

– Adherence to prescribed managerial policies is encouraged.

– Adherence to prescribed managerial policies is encouraged.
– The organization complies with applicable laws and
regulations.

• Internal control is a process because:
– It permeates an organization’s operating activities.
– It is an integral part of basic management activities.
• Internal control provides reasonable, rather than
absolute, assurance, because complete
assurance is difficult or impossible to achieve
and prohibitively expensive.

• Internal control systems have inherent
limitations, including:
– They are susceptible to errors and poor decisions.
– They can be overridden by management or by
collusion of two or more employees.
• Internal control objectives are often at odds with
each other.
– EXAMPLE: Controls to safeguard assets may also
reduce operational efficiency.

• Internal controls perform three important
functions:
– Preventive controls
• Deter problems before they arise.

functions:
– Detective controls
• Discover problems quickly when they do arise.

functions:
– Detective controls
– Corrective controls
• Remedy problems that have occurred by:
– Identifying the cause;
– Correcting the resulting errors; and
– Modifying the system to prevent future
problems of this sort.

• Internal controls are often classified as:
– General controls
• Those designed to make sure an
organization’s control environment is stable
and well managed.
• They apply to all sizes and types of systems.
• Examples: Security management controls.

• Internal controls are often classified as:
– General controls
– Application controls
• Prevent, detect, and correct transaction errors
and fraud.
• Concerned with accuracy, completeness,
validity, and authorization of the data captured,
entered into the system, processed, stored,
transmitted to other systems, and reported.

• An effective system of internal controls
should exist in all organizations to:
– Help them achieve their missions and goals.
– Minimize surprises.

SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• In 1977, Congress passed the Foreign Corrupt
Practices Act, and to the surprise of the profession, this
act incorporated language from an AICPA
pronouncement.
• The primary purpose of the act was to prevent the
bribery of foreign officials to obtain business.
• A significant effect was to require that corporations
maintain good systems of internal accounting control.
– Generated significant interest among management, accountants,
and auditors in designing and evaluating internal control
systems.
– The resulting internal control improvements weren’t sufficient.

PRACTICES ACT
• In the late 1990s and early 2000s, a series
of multi-million-dollar accounting frauds
made headlines.
– The impact on financial markets was
substantial, and Congress responded with
passage of the Sarbanes-Oxley Act of 2002
(aka, SOX).
• Applies to publicly held companies and their
auditors.

PRACTICES ACT
• The intent of SOX is to:
– Prevent financial statement fraud
– Make financial reports more transparent
– Protect investors
– Strengthen internal controls in publicly-held
companies
– Punish executives who perpetrate fraud
• SOX has had a material impact on the
way boards of directors, management,
and accountants operate.

PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting
Oversight Board (PCAOB) to oversee the auditing
profession.
• Has five members, three of whom cannot be
CPAs.
• Charges fees to firms to fund the PCAOB.
• Sets and enforces auditing, quality control,
ethics, independence, and other standards
relating to audit reports.
• Currently recognizes FASB statements as
being generally accepted.

PRACTICES ACT
– Creation of the Public Company Accounting Oversight
Board (PCAOB) to oversee the auditing profession.
– New rules for auditors
• They must report specific information to the company’s audit
committee, such as:
– Critical accounting policies and practices
– Alternative GAAP treatments
– Auditor-management disagreements
• Audit partners must be rotated periodically.

PRACTICES ACT
• Auditors cannot perform certain non-audit services, such as:
– Bookkeeping
– Information systems design and implementation
– Internal audit outsourcing services
– Management functions
– Human resource services

PRACTICES ACT
• Permissible non-audit services must be approved by the
board of directors and disclosed to investors.
• Cannot audit a company if a member of top management was
employed by the auditor and worked on the company’s audit
in the past 12 months.

PRACTICES ACT
– New rules for audit committees
• Members must be on the company’s board
of directors and must otherwise be
independent of the company.
• One member must be a financial expert.
• The committee hires, compensates, and
oversees the auditors, and the auditors
report directly to the committee.

PRACTICES ACT
– New rules for management
• The CEO and CFO must certify that:
– The financial statements and disclosures are fairly
presented, were reviewed by management, and are not
misleading.
– Management is responsible for internal controls.
– The auditors were advised of any material internal control
weaknesses or fraud.
– Any significant changes to controls after management’s
evaluation were disclosed and corrected.

PRACTICES ACT
• If management willfully and knowingly violates the
certification, they can be:
– Imprisoned up to 20 years
– Fined up to $5 million
• Management and directors cannot receive loans that would not
be available to people outside the company.
• They must disclose on a rapid and current basis material
changes to their financial condition.

PRACTICES ACT
– New internal control requirements
• New internal control requirements:
– Section 404 of SOX requires companies to issue a
report accompanying the financial statements that:
• States management is responsible for
establishing and maintaining an adequate internal
control structure and procedures.
• Contains management’s assessment of the
company’s internal controls.
• Attests to the accuracy of the internal controls,
including disclosures of significant defects or
material noncompliance found during the tests.

PRACTICES ACT
– New internal control requirements
• SOX also requires that the auditor attests to and reports
on management’s internal control assessment.
• Each audit report must describe the scope of the
auditor’s internal control tests.

PRACTICES ACT
• After the passage of SOX, the SEC further
mandated that:
– Management must base its evaluation on a
recognized control framework, developed using a
due-process procedure that allows for public
comment. The most likely framework is the COSO
model discussed later in the chapter.
– The report must contain a statement identifying the
framework used.
– Management must disclose any and all material
internal control weaknesses.
– Management cannot conclude that the company has
effective internal control if there are any material
weaknesses.

PRACTICES ACT
• Levers of control
– Many people feel there is a basic conflict
between creativity and controls.
– Robert Simons has espoused four levers of
controls to help companies reconcile this
conflict:
• A concise belief system
• Communicates company core values to employees and
inspires them to live by those values.
• Draws attention to how the organization creates value.
• Helps employees understand management’s intended
direction.
• Must be broad enough to appeal to all levels.

PRACTICES ACT
• Levers of Control
conflict:
• A boundary system
• Helps employees act ethically by setting limits beyond
which they must not pass.
• Does not create rules and standard operating
procedures that can stifle creativity.
• Encourages employees to think and act creatively to
solve problems and meet customer needs as long as
they operate within limits such as:
– Meeting minimum standards of performance
– Shunning off-limits activities
– Avoiding actions that could damage the company’s
reputation.

PRACTICES ACT
• Levers of control
conflict:
• A diagnostic control system
• Ensures efficient and effective achievement of important
controls.
• This system measures company progress by comparing
actual to planned performance.
• Helps managers track critical performance outcomes
and monitor performance of individuals, departments,
and locations.
• Provides feedback to enable management to adjust and
fine-tune.

PRACTICES ACT
• Levers of Control
conflict:
• A diagnostic control system
• An interactive control system
• Helps top-level managers with high-level activities that
demand frequent and regular attention. Examples:
– Developing company strategy.
– Setting company objectives.
– Understanding and assessing threats and risks.
– Monitoring changes in competitive conditions and
emerging technologies.
– Developing responses and action plans to
proactively deal with these high-level issues.
• Also helps managers focus the attention of
subordinates on key strategic issues and to be more
involved in their decisions.
• Data from this system are best interpreted and
discussed in face-to-face meetings.

CONTROL FRAMEWORKS
• A number of frameworks have been
developed to help companies develop
good internal control systems. Three
of the most important are:
–The COBIT framework
–The COSO internal control framework
–COSO’s Enterprise Risk Management
framework (ERM)

CONTROL FRAMEWORKS
framework (ERM)

CONTROL FRAMEWORKS
• COBIT framework
– Also know as the Control Objectives for
Information and Related Technology
framework.
– Developed by the Information Systems Audit
and Control Foundation (ISACF).
– A framework of generally applicable
information systems security and control
practices for IT control.

CONTROL FRAMEWORKS
• The COBIT framework allows:
– Management to benchmark security and
control practices of IT environments.
– Users of IT services to be assured that
adequate security and control exists.
– Auditors to substantiate their opinions on
internal control and advise on IT security and
control matters.

CONTROL FRAMEWORKS
• The framework addresses the issue of
control from three vantage points or
dimensions:
– Business objectives
• To satisfy business objectives,
information must conform to
certain criteria referred to as
“business requirements for
information.”
• The criteria are divided into
seven distinct yet overlapping
categories that map into COSO
objectives:
– Effectiveness (relevant,
pertinent, and timely)
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance with legal
requirements
– Reliability

CONTROL FRAMEWORKS
dimensions:
– IT resources • Includes:
• People
• Application systems
• Technology
• Facilities
• Data

CONTROL FRAMEWORKS
dimensions:
– IT resources
– IT processes • Broken into four domains:
– Planning and organization
– Acquisition and implementation
– Delivery and support
– Monitoring

CONTROL FRAMEWORKS
• COBIT consolidates standards from 36 different
sources into a single framework.
• It is having a big impact on the IS profession.
– Helps managers to learn how to balance risk and
control investment in an IS environment.
– Provides users with greater assurance that security
and IT controls provided by internal and third parties
are adequate.
– Guides auditors as they substantiate their opinions
and provide advice to management on internal
controls.

CONTROL FRAMEWORKS
good internal control systems. Three of
the most important are:
framework (ERM)

CONTROL FRAMEWORKS
• COSO’s internal control framework
– The Committee of Sponsoring Organizations
(COSO) is a private sector group consisting
of:
• The American Accounting Association
• The AICPA
• The Institute of Internal Auditors
• The Institute of Management Accountants
• The Financial Executives Institute

CONTROL FRAMEWORKS
• In 1992, COSO issued the Internal
Control Integrated Framework:
– Defines internal controls.
– Provides guidance for evaluating and
enhancing internal control systems.
– Widely accepted as the authority on internal
controls.
– Incorporated into policies, rules, and
regulations used to control business activities.

CONTROL FRAMEWORKS
• COSO’s internal control model has five
crucial components:
- Control environment
• The core of any business is its people.
• Their integrity, ethical values, and competence make
up the foundation on which everything else rests.

CONTROL FRAMEWORKS
crucial components:
- Control activities
• Policies and procedures must be established and
executed to ensure that actions identified by
management as necessary to address risks are, in
fact, carried out.

CONTROL FRAMEWORKS
crucial components:
- Risk assessment
• The organization must be aware of and deal with the
risks it faces.
• It must set objectives for its diverse activities and
establish mechanisms to identify, analyze, and
manage the related risks.

CONTROL FRAMEWORKS
crucial components:
- Risk assessment
- Information and communication
• Information and communications systems surround the
control activities.
• They enable the organization’s people to capture and
exchange information needed to conduct, manage, and
control its operations.

CONTROL FRAMEWORKS
crucial components:
- Risk assessment
- Information and communication
- Monitoring
• The entire process must be monitored and modified
as necessary.

CONTROL FRAMEWORKS
framework (ERM)

CONTROL FRAMEWORKS
• Nine years after COSO issued the preceding
framework, it began investigating how to
effectively identify, assess, and manage risk so
organizations could improve the risk
management process.
• Result: Enterprise Risk Manage Integrated
Framework (ERM)
– An enhanced corporate governance document.
– Expands on elements of preceding framework.
– Provides a focus on the broader subject of enterprise
risk management.

CONTROL FRAMEWORKS
• Intent of ERM is to achieve all goals of the
internal control framework and help the
organization:
– Provide reasonable assurance that company
objectives and goals are achieved and problems and
surprises are minimized.
– Achieve its financial and performance targets.
– Assess risks continuously and identify steps to take
and resources to allocate to overcome or mitigate
risk.
– Avoid adverse publicity and damage to the entity’s
reputation.

CONTROL FRAMEWORKS
• ERM defines risk management as:
– A process effected by an entity’s board of
directors, management, and other personnel.
– Applied in strategy setting and across the
enterprise.
– To identify potential events that may affect the
entity.
– And manage risk to be within its risk appetite.
– In order to provide reasonable assurance of
the achievement of entity objectives.

CONTROL FRAMEWORKS
• Basic principles behind ERM:
– Companies are formed to create value for
owners.
– Management must decide how much
uncertainty they will accept.
– Uncertainty can result in:
• Risk
• The possibility that something will happen to:
– Adversely affect the ability to create value; or
– Erode existing value.

CONTROL FRAMEWORKS
• Basic principles behind ERM:
– Companies are formed to create value for
owners.
– Management must decide how much
uncertainty they will accept.
– Uncertainty can result in:
• Risk
• Opportunity
• The possibility that something will happen to
positively affect the ability to create or preserve
value.

CONTROL FRAMEWORKS
– The framework should help management
manage uncertainty and its associated risk to
build and preserve value.
– To maximize value, a company must balance
its growth and return objectives and risks with
efficient and effective use of company
resources.

CONTROL FRAMEWORKS
• COSO developed a
model to illustrate
the elements of
ERM.

CONTROL FRAMEWORKS
• Columns at the top
represent the four types of
objectives that
management must meet to
achieve company goals.
– Strategic objectives
• Strategic objectives are
high-level goals that are
aligned with and support
the company’s mission.

CONTROL FRAMEWORKS
objectives that
– Operations objectives
• Operations objectives deal with
effectiveness and efficiency of
company operations, such as:
– Performance and
profitability goals
– Safeguarding assets

CONTROL FRAMEWORKS
objectives that
– Reporting objectives
• Reporting objectives help
ensure the accuracy,
completeness, and reliability of
internal and external company
reports of both a financial and
non-financial nature.
• Improve decision-making and
monitor company activities and
performance more efficiently.

CONTROL FRAMEWORKS
objectives that
– Reporting objectives
– Compliance objectives
• Compliance objectives help the
company comply with
applicable laws and
regulations.
– External parties often set
the compliance rules.
– Companies in the same
industry often have similar
concerns in this area.

CONTROL FRAMEWORKS
• ERM can provide reasonable
assurance that reporting and
compliance objectives will be
achieved because companies
have control over them.
• However, strategic and
operations objectives are
sometimes at the mercy of
external events that the
company can’t control.
• Therefore, in these areas, the
only reasonable assurance the
ERM can provide is that
management and directors are
informed on a timely basis of the
progress the company is making
in achieving them.

CONTROL FRAMEWORKS
• Columns on the
right represent the
company’s units:
– Entire company

CONTROL FRAMEWORKS
• Columns on the
right represent the
company’s units:
– Entire company
– Division

CONTROL FRAMEWORKS
• Columns on the
right represent the
company’s units:
– Entire company
– Division
– Business unit

CONTROL FRAMEWORKS
• Columns on the
right represent the
company’s units:
– Entire company
– Division
– Business unit
– Subsidiary

CONTROL FRAMEWORKS
• The horizontal rows are
eight related risk and
control components,
including:
– Internal environment
• The tone or culture of the
company.
• Provides discipline and structure
and is the foundation for all
other components.
• Essentially, the same as control
environment in the COSO
internal control framework.

CONTROL FRAMEWORKS
control components,
including:
– Objective setting
• Ensures that management implements a process to formulate
strategic, operations, reporting, and compliance objectives that
support the company’s mission and are consistent with the company’s
tolerance for risk.
• Strategic objectives are set first as a foundation for the other three.
• The objectives provide guidance to companies as they identify risk-
creating events and assess and respond to those risks.

CONTROL FRAMEWORKS
control components,
including:
– Event identification
• Requires management to identify events that may affect the company’s
ability to implement its strategy and achieve its objectives.
• Management must then determine whether these events represent:
– Risks (negative-impact events requiring assessment and
response); or
– Opportunities (positive-impact events that influence strategy and
objective-setting processes).

CONTROL FRAMEWORKS
control components,
including:
– Risk assessment
• Identified risks are assessed to
determine how to manage them
and how they affect the
company’s ability to achieve its
objectives.
• Qualitative and quantitative
methods are used to assess
risks individually and by
category in terms of:
– Likelihood
– Positive and negative
impact
– Effect on other
organizational units
• Risks are analyzed on an
inherent and a residual basis.
• Corresponds to the risk
assessment element in COSO’s

CONTROL FRAMEWORKS
control components,
including:
– Risk assessment
– Risk response
• Management aligns identified risks
with the company’s tolerance for
risk by choosing to:
– Avoid
– Reduce
– Share
– Accept
• Management takes an entity-wide
or portfolio view of risks in
assessing the likelihood of the
risks, their potential impact, and
costs-benefits of alternate
responses.

CONTROL FRAMEWORKS
control components,
including:
– Risk assessment
– Risk response
– Control activities
• To implement management’s
risk responses, control policies
and procedures are established
and implemented throughout
the various levels and
functions of the organization.
• Corresponds to the control
activities element in the COSO

CONTROL FRAMEWORKS
control components,
including:
– Risk assessment
– Risk response
– Information and
communication
• Information about the company
and ERM components must be
identified, captured, and
communicated so employees
can fulfill their responsibilities.
• Information must be able to
flow through all levels and
functions in the company as
well as flowing to and from
external parties.
• Employees should understand
their role and importance in
ERM and how these
responsibilities relate to those
of others.
• Has a corresponding element
in the COSO internal control
framework.

CONTROL FRAMEWORKS
control components,
including:
– Risk assessment
– Risk response
– Information and
communication
– Monitoring
• ERM processes must be
monitored on an ongoing basis
and modified as needed.
• Accomplished with ongoing
management activities and
separate evaluations.
• Deficiencies are reported to
management.
• Corresponding module in
COSO internal control
framework.

CONTROL FRAMEWORKS
• The ERM model is
three-dimensional.
• Means that each of
the eight risk and
control elements are
applied to the four
objectives in the
entire company
and/or one of its
subunits.

CONTROL FRAMEWORKS
• ERM Framework Vs. the Internal
Control Framework
– The internal control framework has been
widely adopted as the principal way to
evaluate internal controls as required by SOX.
However, there are issues with it.
• It has too narrow of a focus.
• Examining controls without first examining purposes and
risks of business processes provides little context for
evaluating the results.
• Makes it difficult to know:
– Which control systems are most important.
– Whether they adequately deal with risk.
– Whether important control systems are missing.

CONTROL FRAMEWORKS
• ERM framework vs. the internal control
framework
– The internal control framework has been
widely adopted as the principal way to
evaluate internal controls as required by SOX.
However, there are issues with it.
• It has too narrow of a focus.
• Focusing on controls first has an inherent bias
toward past problems and concerns.
• May contribute to systems with
many controls to protect
against risks that are no longer
important.

CONTROL FRAMEWORKS
• These issues led to COSO’s development of the
ERM framework.
– Takes a risk-based, rather than controls-based,
approach to the organization.
– Oriented toward future and constant change.
– Incorporates rather than replaces COSO’s internal
control framework and contains three additional
elements:
• Setting objectives.
• Identifying positive and negative events that may affect the
company’s ability to implement strategy and achieve
objectives.
• Developing a response to assessed risk.

CONTROL FRAMEWORKS
– Controls are flexible and relevant because
they are linked to current organizational
objectives.
– ERM also recognizes more options than
simply controlling risk, which include
accepting it, avoiding it, diversifying it, sharing
it, or transferring it.

CONTROL FRAMEWORKS
• Over time, ERM will probably become the
most widely adopted risk and control
model.
• Consequently, its eight components are
the topic of the remainder of the chapter.

INTERNAL ENVIRONMENT
• The most critical component
of the ERM and the internal
control framework.
• Is the foundation on which the
other seven components rest.
• Influences how organizations:
– Establish strategies and
objectives
– Structure business activities
– Identify, access, and respond
to risk
• A deficient internal control
environment often results in
risk management and control
breakdowns.

• Internal environment consists of the following:
– Management’s philosophy, operating style, and risk
appetite
– The board of directors
– Commitment to integrity, ethical values, and
competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards
– External influences

– Management’s philosophy, operating style, and
risk appetite
competence

• Management’s philosophy, operating style,
and risk appetite
– An organization’s management has shared beliefs
and attitudes about risk.
– That philosophy affects everything the organization
does, long- and short-term, and affects their
communications.
– Companies also have a risk appetite, which is the
amount of risk a company is willing to accept to
achieve its goals and objectives.
– That appetite needs to be in alignment with company
strategy.

– The more responsible management’s
philosophy and operating style, the more
likely employees will behave responsibly.
– This philosophy must be clearly
communicated to all employees; it is not
enough to give lip service.
– Management must back up words with
actions; if they show little concern for internal
controls, then neither will employees.

– This component can be assessed by asking
questions such as:
• Does management take undue business risks or
assess potential risks and rewards before acting?
• Does management attempt to manipulate
performance measures such as net income?
• Does management pressure employees to achieve
results regardless of methods or do they demand
ethical behavior?

appetite
competence

• The board of directors
– An active and involved board of directors
plays an important role in internal control.
– They should:
• Oversee management
• Scrutinize management’s plans, performance, and
activities
• Approve company strategy
• Review financial results
• Annually review the company’s security policy
• Interact with internal and external auditors

• Directors should possess management,
technical, or other expertise, knowledge,
or experience, as well as a willingness to
advocate for shareholders.
• At least a majority should be independent,
outside directors not affiliated with the
company or any of its subsidiaries.

• Public companies must have an audit
committee, composed entirely of independent,
outside directors.
– The audit committee oversees:
• The company’s internal control structure;
• Its financial reporting process; and
• Its compliance with laws, regulations, and standards.
– Works with the corporation’s external and internal
auditors.
• Hires, compensates, and oversees the auditors.
• Auditors report all critical accounting policies and practices to
the audit committee.
– Provides an independent review of management’s
actions.

appetite
competence

• Commitment to integrity, ethical
values, and competence
– Management must create an organizational
culture that stresses integrity and commitment
to both ethical values and competence.
• Ethical standards of behavior make for good
business.
• Tone at the top is everything.
• Employees will watch the actions of the CEO, and
the message of those actions (good or bad) will
tend to permeate the organization.

• Companies can endorse integrity as a basic
operating principle by actively teaching and
requiring it.
– Management should:
• Make it clear that honest reports are more important than
favorable ones.
– Management should avoid:
• Unrealistic expectations, incentives, or temptations.
• Attitude of earnings or revenue at any price.
• Overly aggressive sales practices.
• Unfair or unethical negotiation practices.
• Implied kickback offers.
• Excessive bonuses.
• Bonus plans with upper and lower cutoffs.

• Management should not assume that employees
would always act honestly.
– Consistently reward and encourage honesty.
– Give verbal labels to honest and dishonest acts.
– The combination of these two will produce more
consistent moral behavior.

• Management should develop clearly stated
policies that explicitly describe honest and
dishonest behaviors, often in the form of a
written code of conduct.
– In particular, such a code would cover issues that are
uncertain or unclear.
– Dishonesty often appears when situations are gray
and employees rationalize the most expedient action
as opposed to making a right vs. wrong choice.

• SOX only requires a code of ethics for senior
financial management. However, the ACFE
suggests that companies create a code of
conduct for all employees:
– Should be written at a fifth-grade level.
– Should be reviewed annually with employees and
signed.
– This approach helps employees keep themselves out
of trouble.
– Helps the company if they need to take legal action
against the employee.

• Management should require employees to report
dishonest, illegal, or unethical behavior and discipline
employees who knowingly fail to report.
– Reports of dishonest acts should be thoroughly investigated.
– Those found guilty should be dismissed.
– Prosecution should be undertaken when possible, so that other
employees are clear about consequences.
• Companies must make a commitment to competence.
– Begins with having competent employees.
– Varies with each job but is a function of knowledge, experience,
training, and skills.

• The levers of control, particularly beliefs
and boundaries systems, can be used to
create the kind of commitment to integrity
an organization wants.
– Requires more than lip service and signing
forms.
– Must be systems in which top management
actively participates in order to:
• Demonstrate the importance of the system.
• Create buy-in and a team spirit.

• Management should require employees to
report dishonest, illegal, or unethical
behavior and discipline employees who
knowingly fail to report.
– Reports of dishonest acts should be
thoroughly investigated.
– Those found guilty should be dismissed.
– Prosecution should be undertaken when
possible, so that other employees are clear
about consequences.

• Companies must make a commitment to
competence.
– Begins with having competent employees.
– Varies with each job but is a function of
knowledge, experience, training, and skills.

• The levers of control, particularly beliefs
and boundary systems, can be used to
create the kind of commitment to integrity
an organization wants.
– Requires more than lip service and signing
forms.
– Must be systems in which top management
actively participates in order to:
• Demonstrate the importance of the system.
• Create buy-in and a team spirit.

appetite
competence

• Organizational structure
– A company’s organizational structure defines
its lines of authority, responsibility, and
reporting.
• Provides the overall framework for planning,
directing, executing, controlling, and monitoring its
operations.

• Important aspects or organizational structure:
– Degree of centralization or decentralization.
– Assignment of responsibility for specific tasks.
– Direct-reporting relationships or matrix structure.
– Organization by industry, product, geographic
location, marketing network.
– How the responsibility allocation affects
management’s information needs.
– Organization of accounting and IS functions.
– Size and nature of company activities.

• Statistically, fraud occurs more frequently
in organizations with complex structures.
– The structures may unintentionally impede
communication and clear assignment of
responsibility, making fraud easier to commit
and conceal; or
– The structure may be intentionally complex to
facilitate the fraud.

• In today’s business world, the hierarchical
organizations with many layers of management
are giving way to flatter organizations with self-
directed work teams.
– Team members are empowered to make decisions
without multiple layers of approvals.
– Emphasis is on continuous improvement rather than
on regular evaluations.
– These changes have a significant impact on the
nature and type of controls needed.

appetite
competence

• Methods of assigning authority and
responsibility
– Management should make sure:
• Employees understand the entity’s objectives.
• Authority and responsibility for business objectives is
assigned to specific departments and individuals.
– Ownership of responsibility encourages employees to
take initiative in solving problems and holds them
accountable for achieving objectives.
– Management:
• Must be sure to identify who is responsible for the IS security
policy.
• Should monitor results so decisions can be reviewed and, if
necessary, overruled.

• Authority and responsibility are assigned through:
– Formal job descriptions
– Employee training
– Operating plans, schedules, and budgets
– Codes of conduct that define ethical behavior, acceptable
practices, regulatory requirements, and conflicts of interest
– Written policies and procedures manuals (a good job reference
and job training tool) which covers:
• Proper business practices
• Knowledge and experience needed by key personnel
• Resources provided to carry out duties
• Policies and procedures for handling particular transactions
• The organization’s chart of accounts
• Sample copies of forms and documents

appetite
competence

• Human resources standards
– Employees are both the company’s greatest control
strength and the greatest control weakness.
– Organizations can implement human resource
policies and practices with respect to hiring, training,
compensating, evaluating, counseling, promoting, and
discharging employees that send messages about the
level of competence and ethical behavior required.
– Policies on working conditions, incentives, and career
advancement can powerfully encourage efficiency
and loyalty and reduce the organization’s
vulnerability.

• The following policies and procedures are
important:
– Hiring
– Compensating
– Training
– Evaluating and promoting
– Discharging
– Managing disgruntled employees
– Vacations and rotation of duties
– Confidentiality insurance and fidelity bonds