  Chapter 

There are a few reasons why threats to accounting information systems are increasing. The first is that information is available to an unprecedented number of workers. In addition, information on distributed computer networks is hard to control: it is often spread across many systems and thousands of employees, and customers and suppliers have access to each other's systems and data.

Any potential adverse occurrence is called a threat or an event. The potential dollar loss from a threat is called the exposure or impact. The probability that it will happen is called the likelihood of the threat.

Internal control is the process implemented to provide reasonable assurance that the control objectives are achieved. It is a process because it permeates an organization's activities and is an integral part of management activities. Internal control provides only reasonable assurance: complete assurance is difficult to achieve and prohibitively expensive.

Internal controls perform three important functions:

  1. Preventive controls deter problems before they arise.

  2. Detective controls discover problems that are not prevented.

  3. Corrective controls identify and correct problems that have occurred, and correct and recover from the resulting errors.

Internal controls are often segregated into two categories:

  1. General controls. This type of control makes sure an organization’s control environment is stable and well managed.

  2. Application controls. This type of control makes sure transactions are processed correctly.

A Harvard business professor has espoused four levers of control to help management reconcile the conflict between creativity and control:

  • Belief system. This system describes how the company creates value and helps the employees understand the management’s vision.

  • Boundary system. This system helps employees act ethically by setting boundaries on employee behavior.

  • Diagnostic control system. This type of system measures, monitors, and compares actual company progress to budgets and performance goals.

  • Interactive control system. This system helps managers to focus on key strategic issues and to be more involved in decisions.

The Foreign Corrupt Practices Act (FCPA) was passed to prevent companies from bribing foreign officials to obtain business. The Sarbanes-Oxley Act (SOX) is the most important business-oriented legislation of the last 75 years. After SOX was passed, the SEC mandated that management must base its evaluation of internal control on a recognized control framework. Management must also disclose all material internal control weaknesses, and must conclude that the company does not have effective internal control over financial reporting if material weaknesses exist.

Three frameworks are used to develop internal control systems:

  • COBIT framework. ISACA developed the Control Objectives for Information and Related Technology (COBIT) framework. It addresses control from three vantage points:

    • Business objectives. Controls exist to satisfy the business objectives.

    • IT resources. These include people, application systems, technology, facilities and data.

    • IT processes. These are broken into four domains: planning & organization, acquisition & implementation, delivery & support, and monitoring & evaluation.

  • The Committee of Sponsoring Organizations (COSO) consists of several sponsoring organizations. COSO issued the Internal Control – Integrated Framework (IC), which is widely accepted as the authority on internal control and is incorporated into the policies, rules and regulations used to control business activities.

  • COSO developed a second framework to improve the risk management process, the Enterprise Risk Management – Integrated Framework (ERM). ERM is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage those risks, and provide reasonable assurance that the company achieves its objectives and goals.

The internal environment, or company culture, influences how organizations establish strategies and objectives and structure business activities. A weak or deficient internal environment often results in breakdowns in risk management and control. The internal environment consists of the following:

  • Management’s philosophy, operating style, and risk appetite

  • The board of directors

  • Commitment to integrity, ethical values, and competence

  • Organizational structure

  • Methods of assigning authority and responsibility

  • Human resource standards

  • External influences

Companies have a risk appetite, which is the amount of risk they are willing to accept to achieve their goals. To avoid undue risk, the risk appetite must be aligned with company strategy. The more responsible management's philosophy and operating style are, and the more clearly they are communicated, the more likely employees are to behave responsibly.

An involved board of directors represents shareholders and provides an independent review of management that acts as a check and balance on its actions. Public companies have an audit committee of outside, independent directors. The audit committee is responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing the internal and external auditors.

The policy and procedures manual explains proper business practices, describes the knowledge and experience needed, describes documentation procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties. The manual includes the chart of accounts and copies of forms and documents. It is a helpful tool for both current and new employees.

Employees should be hired based on educational background, experience, achievements, honesty and integrity, and on meeting written job requirements. Sometimes a background check is performed. A thorough background check includes talking to references, checking for a criminal record, examining credit records, and verifying education and work experience.

One of the greatest control strengths is the honesty of employees. Policies should convey the level of expertise, competence, ethical behavior and integrity required. The following policies and procedures are important:

  • Hiring

  • Compensating, evaluating and promoting

  • Managing disgruntled employees

  • Discharging

  • Vacations and rotation of duties

  • Confidentiality agreements and fidelity bond insurance

  • Prosecution and incarceration of perpetrators

Objective setting is the second ERM component. Management determines what the company hopes to achieve, often referred to as the corporate vision or mission. The company determines what must go right to achieve its objectives and establishes performance measures to determine whether they are met. Four types of objectives are distinguished:

  • Strategic objectives

  • Operations objectives

  • Reporting objectives

  • Compliance objectives

The risk of an identified event is assessed in two stages.

Inherent risk is the risk that exists before management takes any steps to control the likelihood or impact of an event.

Residual risk is what remains after management implements internal controls or some other response to the risk. Companies should assess inherent risk, develop a response, and then assess residual risk.

Management can respond to risk in one of four ways:

  • Reduce the likelihood and impact of risk by implementing internal controls

  • Accept the likelihood and impact of the risk

  • Share risk or transfer it to someone else

  • Avoid risk by not engaging in the activity that produces the risk

Accountants and systems designers help management design effective control systems to reduce risk. They also evaluate internal control systems to ensure that they are operating effectively.

One way to estimate the value of internal controls uses the expected loss, the mathematical product of impact and likelihood:

Expected loss = impact × likelihood

The value of a control procedure is the difference between the expected loss without the control procedure and the expected loss with it. A control is cost-justified when that value exceeds the cost of the control.
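The expected-loss calculation above, carried through for one threat and each of the four risk responses, as an added example (this code is not part of the chapter summary). The threat, its dollar impact and likelihood, and the control costs are constructed illustrative figures; the names `Threat`, `Control` and `compare_controls` are this example's own.

```python
"""Expected loss, residual risk and value of a control for a small threat register.

Added example; not code from the original page. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float       # potential dollar loss if the event occurs (exposure)
    likelihood: float   # probability of the event in the period, 0.0 to 1.0


@dataclass(frozen=True)
class Control:
    """A risk response and what it does to the threat's likelihood and impact.

    reduce: lowers likelihood and/or impact; share: lowers impact by the amount
    transferred (e.g. insured); avoid: drives both to zero; accept: changes nothing.
    """
    name: str
    annual_cost: float
    likelihood_after: float
    impact_after: float


def expected_loss(impact: float, likelihood: float) -> float:
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return impact * likelihood


def residual_expected_loss(threat: Threat, control: Control) -> float:
    """Expected loss that remains after the control is applied (residual risk)."""
    return expected_loss(control.impact_after, control.likelihood_after)


def control_value(threat: Threat, control: Control) -> float:
    """Expected loss without the control minus expected loss with it."""
    inherent = expected_loss(threat.impact, threat.likelihood)
    return inherent - residual_expected_loss(threat, control)


def net_benefit(threat: Threat, control: Control) -> float:
    """Value of the control minus its cost; positive means the control is cost-justified."""
    return control_value(threat, control) - control.annual_cost


def compare_controls(threat: Threat, controls: list[Control]) -> list[dict]:
    """Rank candidate responses by net benefit, highest first."""
    rows = [
        {
            "control": c.name,
            "residual": residual_expected_loss(threat, c),
            "value": control_value(threat, c),
            "net": net_benefit(threat, c),
        }
        for c in controls
    ]
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed example data (assumption, not figures from the page).
THREAT = Threat("theft of payroll data via shared passwords", impact=250_000.0, likelihood=0.05)
CONTROLS = [
    Control("accept: do nothing", 0.0, 0.05, 250_000.0),
    Control("reduce: MFA on the payroll system", 4_000.0, 0.01, 250_000.0),
    Control("share: cyber insurance covering 200k", 6_000.0, 0.05, 50_000.0),
    Control("avoid: discontinue in-house payroll", 20_000.0, 0.0, 0.0),
]

if __name__ == "__main__":
    print(f"inherent expected loss: {expected_loss(THREAT.impact, THREAT.likelihood):,.0f}")
    for row in compare_controls(THREAT, CONTROLS):
        print(f"{row['control']:<40} residual {row['residual']:>9,.0f} "
              f"value {row['value']:>9,.0f} net {row['net']:>9,.0f}")
```

With these figures the inherent expected loss is 12,500 per year. Avoidance eliminates the loss entirely but its cost exceeds the value of the control, so the cheaper MFA control ranks first: the point of the calculation is that the response with the lowest residual risk is not automatically the one to choose.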

Control activities are policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out. It is management’s responsibility to develop a secure and adequately controlled system.

Controls are much more effective when placed in the system as it is built, rather than as an afterthought. Managers need to involve systems analysts, designers, and end users when designing computer-based control systems.

Control procedures fall into the following categories:

  • Proper authorization of transactions and activities

  • Segregation of duties

  • Project development and acquisition controls

  • Change management controls

  • Design and use of documents and records

  • Safeguarding assets, records and data

  • Independent checks on performance

Because management lacks the time and resources to supervise every company activity and decision, it establishes policies for employees to follow and then empowers them. This empowerment, called authorization, is an important control procedure. Authorizations are often documented by signing, initialing, or entering an authorization code on a document.

Computer systems can record a digital signature, a means of signing a document with data that cannot be forged or altered without detection.

Certain activities or transactions may be of such consequence that management grants specific authorization for each of them to occur. In contrast, general authorization allows employees to handle routine transactions without special approval.

Good internal control requires that no single employee be given too much responsibility over business transactions and processes. An employee should not be in a position to commit and conceal fraud. Segregation of duties is discussed in two separate sections: segregation of accounting duties and segregation of system duties.

Effective segregation of accounting duties is achieved when the following functions are separated (see also figure 7.3 on page 217).

  • Authorization: approving transactions and decisions

  • Recording: preparing source documents

  • Custody: handling cash, tools, inventory, or fixed assets

With segregation of system duties, authority and responsibility should be divided clearly among the following functions:

  • Systems administration: make sure all information system components operate smoothly and efficiently.

  • Network management: ensure that devices are linked to the organization’s internal and external networks.

  • Security management: makes sure that systems are secured and protected from internal and external threats.

  • Change management: makes sure that changes are made smoothly and efficiently.

  • Users: record transactions, authorize data to be processed and use system output.

  • Programming: takes the analysts' design and creates the system.

  • Computer operations: run the software on the company’s computers.

  • Information system library: maintains custody of corporate databases, files and programs in a separate storage area.

  • Data control

Important system development controls are the following:

  1. A steering committee. This committee guides and oversees systems development and acquisition.

  2. A strategic master plan. This plan, developed and updated every year, aligns an organization's information system with its business strategies.

  3. A project development plan. This is a plan that shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones.

  4. A data processing schedule. This schedule shows when each task should be performed.

  5. System performance measurements. These are established to evaluate the system. Measurements include throughput, utilization and response time.

  6. A post-implementation review. This review is performed after a development project is completed to determine whether the anticipated benefits were achieved.

Some companies hire a systems integrator to manage a systems development effort involving its own personnel, its client, and other vendors. Companies using systems integrators should use the same project management processes and controls as internal projects. They should develop clear specifications and monitor the project.

Independent checks on performance, done by someone other than the person who performs the original operation, help ensure that transactions are processed accurately. They include the following:

  • Top-level reviews. Management monitors company results and periodically compares actual performance to planned, prior-period or competitor performance.

  • Analytical reviews. An examination of the relationships between different sets of data.

  • Reconciliation of independently maintained records. Records are reconciled to documents or other records that should show the same balance.

  • Comparison of actual quantities with recorded amounts. Significant assets are periodically counted and reconciled to company records.

  • Double-entry accounting. The maxim that debits must equal credits provides numerous opportunities for independent checks.

  • Independent review. After a transaction is processed, a second person reviews the work of the first, checking, for example, for proper authorization.
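Three of the independent checks listed above (double-entry balancing, reconciliation of independently maintained records, and comparison of counted quantities with recorded amounts) are mechanical enough to automate. The following is an added example of such detective checks; it is not code from the page. The journal entries, subsidiary ledger balances and inventory counts are constructed data, and the function names are this example's own.

```python
"""Automated independent checks: double-entry balance, control-account
reconciliation and physical-count comparison.

Added example, not code from the original page. All sample data is constructed.
Decimal is used so that cents reconcile exactly; floats would not.
"""
from decimal import Decimal

Line = tuple[str, Decimal, Decimal]   # (account, debit, credit)


def unbalanced_entries(journal: dict[str, list[Line]]) -> dict[str, Decimal]:
    """Double-entry check: entry_id -> (debits - credits) for every entry that does not balance."""
    out = {}
    for entry_id, lines in journal.items():
        diff = sum((debit - credit for _, debit, credit in lines), Decimal("0"))
        if diff != 0:
            out[entry_id] = diff
    return out


def reconcile(control_balance: Decimal, subsidiary: dict[str, Decimal]) -> Decimal:
    """Reconciliation: control account balance minus the total of the independently
    maintained subsidiary ledger. Zero means the two records agree."""
    return control_balance - sum(subsidiary.values(), Decimal("0"))


def count_variances(recorded: dict[str, int], counted: dict[str, int]) -> dict[str, int]:
    """Physical count vs. records: item -> (counted - recorded) for every item that differs.
    Items present in only one of the two lists are treated as zero on the other side."""
    items = recorded.keys() | counted.keys()
    return {
        item: counted.get(item, 0) - recorded.get(item, 0)
        for item in sorted(items)
        if counted.get(item, 0) != recorded.get(item, 0)
    }


D = Decimal  # shorthand for the constructed data below

# Constructed general journal: JE-2 was keyed with a short credit.
JOURNAL = {
    "JE-1": [("Cash", D("500.00"), D("0")), ("Sales", D("0"), D("500.00"))],
    "JE-2": [("Inventory", D("1200.00"), D("0")), ("Accounts payable", D("0"), D("1000.00"))],
    "JE-3": [("Rent expense", D("2000.00"), D("0")), ("Cash", D("0"), D("2000.00"))],
}

# Constructed accounts-receivable control account and customer subsidiary ledger.
AR_CONTROL = D("800.00")
AR_SUBSIDIARY = {"customer A": D("300.00"), "customer B": D("450.00")}

# Constructed inventory records and physical count.
INVENTORY_RECORDED = {"widget": 100, "gadget": 40, "bracket": 12}
INVENTORY_COUNTED = {"widget": 97, "gadget": 40, "bracket": 12, "spacer": 3}

if __name__ == "__main__":
    for entry_id, diff in unbalanced_entries(JOURNAL).items():
        print(f"{entry_id} does not balance: debits exceed credits by {diff}")
    gap = reconcile(AR_CONTROL, AR_SUBSIDIARY)
    if gap != 0:
        print(f"A/R control account differs from subsidiary ledger by {gap}")
    for item, variance in count_variances(INVENTORY_RECORDED, INVENTORY_COUNTED).items():
        print(f"{item}: count differs from records by {variance:+d}")
```

Each check is only independent if the data it compares comes from a source the original preparer does not control: the count must be taken by someone other than the custodian, and the subsidiary ledger must be maintained separately from the control account. Automating the comparison does not remove that requirement.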

Information and communication constitute the seventh ERM component and are also a very important component of the accounting information system. They relate directly to the primary purpose of an AIS, which is to gather, record, process, store, summarize, and communicate information about an organization.

An audit trail allows transactions to be traced back and forth between their origination and the financial statements.

Accounting systems generally consist of seven subsystems, each designed to process a particular type of transaction using the same sequence of procedures, called accounting cycles.

ERM processes must be continuously monitored and modified as needed, and deficiencies must be reported to management. Key methods of monitoring performance include the following:

  • Perform ERM evaluations. Effectiveness is measured using a formal or a self-assessment ERM evaluation.

  • Implement effective supervision. This involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who have access to assets.

  • Use responsibility accounting systems. These systems include budgets, quotas, schedules, standard costs, and quality standards.

  • Monitor system activities. For example, risk analysis and management software packages review computer and network security measures, detect unauthorized access, test for weaknesses and vulnerabilities, report the weaknesses found and suggest improvements. Such software also monitors and combats viruses, spyware, adware, spam and similar threats.

  • Track purchased software and mobile devices. The Business Software Alliance (BSA) tracks down and fines companies that violate software license agreements. The growing number of mobile devices should be tracked and monitored, because their loss can represent a substantial exposure.

  • Conduct periodic audits. External, internal and network security audits can assess and monitor risk as well as detect fraud and errors. Informing employees of audits helps resolve privacy issues, deters fraud, and reduces errors. Auditors should regularly test system controls and periodically browse system usage files looking for suspicious activity.

  • Employ a computer security officer and a chief compliance officer. A computer security officer (CSO) is in charge of system security, is independent of the information system function, and reports to the chief operating officer (COO) or the CEO.

  • Engage forensic specialists. Forensic investigators who specialize in fraud are a fast-growing group in the accounting profession. Computer forensics specialists discover, extract, safeguard and document computer evidence so that its authenticity, accuracy and integrity will withstand legal challenge.

  • Install fraud detection software. Neural networks, programs with learning capabilities, can be trained to flag transactions that resemble known fraud patterns.

  • Implement a fraud hotline. A fraud hotline is an effective way to comply with the law and to resolve whistle-blower conflicts.
