A.I.S. Class 15: Outline

October 25, 2000

  • Dr. Peter R Gillett

  • Questions relating to REA
  • Learning Objectives for Chapter 10
  • Controls
  • Misstatements
  • Internal Control Structure
  • Control Objectives and Audit Objectives
  • COBIT
  • Group Work for Chapter 10

Questions relating to REA

?

Mid-Term Review

  • How many people would plan to attend a Mid-Term Review at
      • 7:40 – 9:30 p.m.
      • Thursday, October 26
      • Beck Auditorium
      • Covering flowcharts, REA, Chapters 8 & 9

?

Learning Objectives for Chapter 10

  • After studying this chapter you should be able to:
      • provide a definition of controls
      • explain the concepts of exposure and reasonable assurance as they relate to controls
      • explain the difference between preventive, detective, and corrective controls
      • describe and discuss a number of risks that could be found in computer based systems
      • discuss Statement on Auditing Standards (SAS) No. 55 and its implications for controls in information systems
      • provide a basic distinction between general and application controls as categories of controls

Learning Objectives for Chapter 10

  • describe general control procedures for database oriented systems environments
  • describe application controls that can be incorporated into a database AIS
  • indicate some control procedures that can be instituted only in on line database systems
  • explain how entity integrity and referential integrity contribute to better control in a database AIS
  • explain the hierarchical nature of the relationship between the control environment, the accounting system, general and application control procedures
  • briefly describe the COBIT control framework released by the Information Systems Audit and Control Association

Controls

  • Controls are mechanisms to prevent or detect errors and irregularities
  • Risk is the likelihood that an information system will experience errors or irregularities
  • Exposure is the amount of loss that could occur if a risk is realized
  • Controls are designed to provide reasonable assurance that data are error free

Controls

  • Preventive v. detective
  • Manual v. programmed
  • General v. application
  • Key controls
  • Compensating controls

Misstatements

  • Errors
      • unintentional mistakes
  • Irregularities
      • intentional alteration or misstatement of data
  • Fraud (defalcation)
  • Management fraud

Exposures and Risks

  • Exposures
      • Erroneous record keeping
      • Unacceptable accounting
      • Business interruption
      • Erroneous management decisions
      • Fraud and embezzlement
      • Statutory sanctions
      • Excessive costs
      • Loss or destruction of assets
      • Competitive disadvantage

Exposures and Risks

  • Risks
      • Errors in data
      • Irregularities in data
      • Loss of data
      • Natural disasters
      • Computer crime

General Systems Model

  • Every system has
      • Inputs
      • Processes
      • Outputs
      • Boundary
      • Environment
  • Control systems
      • Sensors
      • Standards
      • Control comparisons
      • Activating units

Internal Control Structure

  • SAS 55, COSO, SAS 78
      • Internal Control is a process effected by an entity’s board of directors, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
          • effectiveness and efficiency of operations
          • reliability of financial reporting
          • compliance with applicable laws and regulations

Internal Control Structure

  • SAS 55, COSO, SAS 78
      • Control Environment
      • Risk Assessment
      • Information System and Communication
      • Control Activities
      • Monitoring

Control Environment

  • Integrity and ethical values
  • Commitment to competence
  • Board of directors or audit committee
  • Management’s philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and practices

Risk Assessment

  • Risk assessment for financial reporting is the identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with GAAP

Risk Assessment

  • Risks may arise from
      • Changes in the operating environment
      • New personnel
      • New or revamped information systems
      • Rapid growth
      • New technology
      • New lines, products or activities
      • Corporate restructuring
      • Foreign operations
      • Accounting pronouncements

Information System

  • Procedures aimed at identifying, assembling, analyzing, classifying, recording and reporting an entity’s transactions
  • Maintain accountability for the related assets and liabilities

Control Activities

  • Policies and guidelines that management has established to provide reasonable assurance that specific entity objectives will be met
      • Adequate separation of duties
      • Proper authorization of transactions
      • Adequate documents and records
      • Physical control over assets and records
      • Independent checks on performance

Control Activities

  • General control procedures
      • Organizational controls
      • Systems development and amendment
      • Hardware and systems software controls
      • Security and access controls
      • Operations controls
      • Data backup and recovery

Control Activities

  • Application control procedures
      • Input controls
          • field tests
          • range tests
          • length tests
          • validity tests
          • valid combinations tests
          • closed loop verification
          • completeness tests
          • prompting
          • system generated data
          • entity integrity
          • referential integrity

Control Activities

  • Application control procedures
      • Processing controls
          • internal label tests
          • sequence checks
          • control total verification
      • Output controls
      • User control procedures
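
An added example (not from the original slides): several of the input and processing controls named on the two Application control procedures slides, expressed as SQLite constraints plus a batch-posting routine that rolls the batch back if any control fires. The tables, column names, limits, terms codes and batch header fields are constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customer (cust_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE invoice (
  inv_no  INTEGER PRIMARY KEY,                              -- entity integrity
  cust_id INTEGER NOT NULL REFERENCES customer(cust_id),    -- referential integrity
  terms   TEXT NOT NULL CHECK (terms IN ('NET30', 'COD')),  -- validity test
  cents   INTEGER NOT NULL CHECK (typeof(cents) = 'integer' -- field test
                           AND cents BETWEEN 1 AND 5000000) -- range test
);
INSERT INTO customer VALUES (100, 'Constructed Co'), (101, 'Sample Ltd');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    return conn

def post_batch(conn, header, records):
    """Insert a batch of (inv_no, cust_id, terms, cents) rows. Returns
    (posted, rejects); the batch is rolled back unless it reconciles."""
    accepted, rejects = [], []
    for rec in records:
        try:
            conn.execute("INSERT INTO invoice VALUES (?, ?, ?, ?)", rec)
            accepted.append(rec)
        except sqlite3.IntegrityError as exc:  # an input control rejected the row
            rejects.append((rec[0], str(exc)))
    # Sequence check: invoice numbers must run on from the header's first number.
    expected = list(range(header["first_no"], header["first_no"] + header["count"]))
    if [r[0] for r in accepted] != expected:
        rejects.append((None, "sequence check failed"))
    # Control total verification against the batch header.
    if sum(r[3] for r in accepted) != header["total_cents"]:
        rejects.append((None, "control total mismatch"))
    if rejects:
        conn.rollback()
        return False, rejects
    conn.commit()
    return True, rejects

if __name__ == "__main__":
    db = open_db()
    good = [(1, 100, "NET30", 12500), (2, 101, "COD", 990), (3, 100, "NET30", 40000)]
    print(post_batch(db, {"first_no": 1, "count": 3, "total_cents": 53490}, good))
    bad = [(4, 100, "NET30", 100), (4, 100, "COD", 200), (5, 999, "COD", 300),
           (6, 100, "NET45", 400), (7, 100, "COD", 0), (8, 100, "COD", "12x")]
    print(post_batch(db, {"first_no": 4, "count": 6, "total_cents": 1012}, bad))
```

In the second batch the one valid row is rolled back with the rest, so a batch that fails its record count or control total leaves no partial postings behind.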

Control Objectives

  • Validity
  • Completeness
  • Timeliness
  • Authorization
  • Valuation
  • Classification
  • Posting and summarization

Audit Objectives

  • Validity
  • Completeness
  • Cutoff
  • Ownership
  • Valuation
  • Classification
  • Detail tie-in
  • Mechanical accuracy
  • Disclosure

Management Assertions

  • SAS 31 - five categories of assertions
      • Existence or occurrence
      • Completeness
      • Rights and obligations
      • Valuation or allocation
      • Presentation and disclosure

Monitoring

  • A process that assesses the quality of internal control over time
  • It involves assessment by appropriate personnel of the design and operation of controls on a timely basis and the taking of necessary action

COBIT

  • Control Objectives for Information and related Technology
  • Information Systems Audit and Control Association
  • Management “best practices”
  • 34 high level control objectives
  • IT processes in four domains
      • Planning & organization
      • Acquisition & implementation
      • Delivery & support
      • Monitoring

Group Work for Chapter 10

  • Discussion Questions
  • Problems 6 & 7