
CHAPTER 7

CONTROL AND ACCOUNTING INFORMATION SYSTEMS

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

7.1 Answer the following questions about the audit of Springer’s Lumber & Supply

a. What deficiencies existed in the internal environment at Springer’s?

The "internal environment" refers to the tone or culture of a company and helps
determine how risk-conscious employees are. It is the foundation for all other
ERM components, providing discipline and structure. It is essentially the same thing
as the control environment in the internal control framework.

The internal environment also refers to management's attitude toward internal control,
and to how that attitude is reflected in the organization's control policies and
procedures. At Springer's, several deficiencies in the control environment are
apparent:

1. Management authority is concentrated in three family members, so there are
few, if any, checks and balances on their behavior. In addition, several other
relatives and friends of the family are on the payroll.
2. Since the company has a "near monopoly" on the business in the Bozeman area,
few competitive constraints restrain prices, wages, and other business practices.
3. Lines of authority and responsibility are loosely defined, which make it difficult
to identify who is responsible for problems or decisions.
4. Management may have engaged in "creative accounting" to make its financial
performance look better, which suggests a management philosophy that could
encourage unethical behavior among employees.

b. Do you agree with the decision to settle with the Springers rather than to
prosecute them for fraud and embezzlement? Why or why not?

Whether or not to settle with the Springers is a matter of opinion, with reasonable
arguments on both sides of the issue.

• The reasons for reaching a settlement are clearly stated: the difficulty of
obtaining convictions in court, and the possible adverse effects on the
company's market position.
• On the other hand, the evidence of fraud here seems strong. If this kind of
behavior is not penalized, then the perpetrators may be encouraged to do it
again, with future adverse consequences to society.
c. Should the company have told Jason and Maria the results of the high-level audit?
Why or why not?

Whether or not Jason and Maria should have been told the results of the high-level
audit is also a matter of opinion. The investigative team is apparently trying to keep
its agreement to maintain silence by telling as few people as possible what really
happened. On the other hand, Jason and Maria were the ones who first recognized
the problems; it seems only right that they be told about the outcome.

Many lessons may be drawn from this story.

1. Auditors should view the condition of an organization's control environment as
an important indicator of potential internal control problems.
2. Fraud is more easily perpetrated and concealed when many perpetrators are
involved, and especially when management is involved.
3. Purchasing and payroll are two areas that are particularly vulnerable to fraud.
4. Determining whether fraud has actually occurred is sometimes quite difficult,
and proving that it has occurred is even more difficult.
5. Frauds do occur, so auditors must always be alert to the possibility of fraud.
6. Auditors should not accept management's explanations for questionable
transactions at face value, but should do additional investigative work to
corroborate such explanations.
7.2 Effective segregation of duties is sometimes not economically feasible in a small
business. What internal control elements do you think can help compensate for this
threat?

Small companies can do the following things to compensate for their inability to implement
an adequate segregation of duties:

• Effective supervision and independent checks performed by the owner/manager may
be the most important element of control in situations where separation of functions
cannot be fully achieved. In very small businesses, the owner-manager may find it
necessary to supervise quite extensively. For example, the manager could reconcile
the bank account, examine invoices, approve write-offs, etc.
• Fidelity bonding is a second form of internal control that is critical for persons
holding positions of trust that are not entirely controlled by separation of functions.
• Document design and related procedures are also important to internal control in this
situation. Documents should be required for customer returns, so that the customer's
copy serves as an independent check on the transaction.
• Document design should include sequential prenumbering so that every document can
be accounted for in a subsequent review.
• Where appropriate, employees should be required to sign documents to acknowledge
responsibility for transactions or inventories.
• In small organizations, management can use computers to perform some of the
control functions that humans perform in manual systems. For example, the
computer can:
  • Check all customer numbers to make sure they are valid.
  • Automatically generate purchase orders and route them to a member of management or
a designated buyer for authorization.
7.3 One function of the AIS is to provide adequate controls to ensure the safety of
organizational assets, including data. However, many people view control procedures
as “red tape.” They also believe that, instead of producing tangible benefits, business
controls create resentment and loss of company morale. Discuss this position.

Well-designed controls should not be viewed as “red tape” because they can actually
improve both efficiency and effectiveness. The benefits of business controls are evident if
one considers the losses that frequently occur due to the absence of controls.

Consider a control procedure mandating weekly backup of critical files. Regular
performance of this control prevents the need to spend a huge amount of time and money
recreating files that are lost when the system crashes, if it is even possible to recreate the
files at all. Similarly, control procedures that require workers to design structured
spreadsheets can help ensure that the spreadsheet decision aids are auditable and that they
are documented well enough so that other workers can use them.

It is probably impossible to eliminate resentment or loss of morale among all employees,
but these factors may be minimized if controls are administered fairly and courteously.

Of course, there is a cost-benefit tradeoff in implementing internal controls. If an
organization has too many controls, this may justifiably generate resentment and loss of
morale among employees. Controls having only marginal economic benefit may be
rejected for this reason.

Another factor is the obtrusiveness of the controls. When users see no clear need or
purpose for a control, it appears to exist only to police them. Controls whose purpose is
not understood often provoke resentment, so the reason for each control should be
explained to the people it affects.
7.4 In recent years, Supersmurf’s external auditors have given clean opinions on its
financial statements and favorable evaluations of its internal control systems. Discuss
whether it is necessary for this corporation to take any further action to comply with
the Sarbanes–Oxley Act.

The Sarbanes-Oxley Act of 2002 (SOX) applies to publicly held companies and their
auditors and was intended to prevent financial statement fraud, make financial reports more
transparent, provide protection to investors, strengthen the internal controls at public
companies, and punish executives who perpetrate fraud.

SOX has had a material impact on the way boards of directors, management, and
accountants of publicly held companies operate. It has also had a dramatic impact on
CPAs of publicly held companies and the audits of those companies.

As a result of SOX, Supersmurf’s management and their audit committee must take a more
active role in the financial disclosure process. Some of the more prominent roles include:

Audit Committee

• Audit committee members must be on the company’s board of directors and be
independent of the company. One member of the audit committee must be a financial
expert.
• Audit committees hire, compensate, and oversee any registered public accounting
firm that is employed.
• Auditors report to the audit committee and not to management.
• Audit committees must pre-approve all audit and non-audit services provided by the
auditor.

Management

• The CEO and CFO must personally certify that the quarterly and annual financial
statements and disclosures are fairly presented, were reviewed by management, and are
not misleading (SOX Section 302). This applies to all SEC registrants; the $1.2 billion
revenue threshold sometimes cited comes from an interim SEC order that predates the
SOX rules.
• Management must prepare an annual internal control report (SOX Section 404) that states
o Management is responsible for establishing and maintaining an adequate internal
control structure
o Management assessed the effectiveness of the company’s internal controls, including
notations of significant deficiencies or material weaknesses found during its
internal control tests
o Auditors were told about all material internal control weaknesses and fraud
o Significant changes to controls after management’s evaluation were disclosed and
corrected
• Management must base its evaluation on a recognized control framework, developed
using a due-process procedure that allows for public comment. The report must
contain a statement identifying the framework used by management to evaluate
internal control effectiveness. The most likely framework is one of those formulated
by COSO and discussed in the chapter.
• SOX also specifies that the company’s auditor must attest to, and report on,
management’s internal control assessment.

So even with clean opinions in prior years, Supersmurf must still perform and document
these certifications, the annual management assessment, and the auditor attestation every
year; a favorable past evaluation does not satisfy the ongoing requirement.

7.5 When you go to a movie theater, you buy a prenumbered ticket from the cashier.
This ticket is handed to another person at the entrance to the movie. What kinds of
irregularities is the theater trying to prevent? What controls is it using to prevent
these irregularities? What remaining risks or exposures can you identify?

There are two reasons for using tickets.

1. The theater is trying to prevent cashiers from stealing cash by providing greater control
over cash receipts. You cannot get into the theater without a ticket so you never give
cash to a cashier without insisting on a ticket. That makes it much harder for a
cashier to pocket cash.
2. Prenumbered tickets are also used so cashiers cannot give tickets to their friends. The
number of tickets sold at the cashier counter can be reconciled with the number of
tickets taken by the usher letting patrons into the theater.

Reconciling the cash in the register to the tickets sold and then reconciling the number of
tickets sold to the number collected by the ticket-taker helps prevent the theft of cash and
giving tickets away to friends.

Despite these controls, the following risks still exist:

• The ticket-taker can let friends into the theater without tickets.
• The ticket-taker may take money from theater patrons, pocketing the cash and letting
them enter without a ticket.
• The cashier and the ticket-taker may collude in selling admittances without issuing tickets
and then split the proceeds.
7.6 Some restaurants use customer checks with prenumbered sequence codes. Each food
server uses these checks to write up customer orders. Food servers are told not to
destroy any customer checks; if a mistake is made, they are to void that check and
write a new one. All voided checks are to be turned in to the manager daily. How
does this policy help the restaurant control cash receipts?

The fact that all documents are prenumbered provides a means for accounting for their use
and for detecting unrecorded transactions. Thus, a missing check indicates a meal for
which a customer did not pay. Since each server has his or her own set of checks, it is easy
to identify which server was responsible for that customer.

This policy may help to deter theft (e.g., serving friends and not requiring them to pay for
the meal, or pocketing the customer’s payment and destroying the check) because a
reconciliation of all checks will reveal that one or more are missing.
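The theater tickets (7.5) and the restaurant checks (7.6) are two instances of the same control: every number in a prenumbered series must be accounted for, and the gaps are the exceptions to investigate. The following Python is an added example, not part of the answer key; the server names, check ranges, ticket numbers and cash amounts are constructed for illustration.

```python
# Added example: sequence accounting for prenumbered documents.
# Both the box-office tickets (7.5) and the restaurant checks (7.6) reduce to
# comparing the numbers issued to a holder against the numbers they turned in.
# All data below is constructed; nothing here comes from the original answer key.
from collections import Counter
from dataclasses import dataclass


@dataclass
class SeriesReport:
    holder: str
    missing: list      # issued to this holder but never accounted for
    unexpected: list   # accounted for but never issued to this holder
    duplicates: list   # accounted for more than once (e.g. both paid and voided)


def account_for_series(holder, first, last, accounted):
    """Account for numbers first..last (inclusive) issued to `holder`, given
    every number they turned in (paid, voided, collected at the door)."""
    issued = set(range(first, last + 1))
    counts = Counter(accounted)
    return SeriesReport(
        holder=holder,
        missing=sorted(issued - set(counts)),
        unexpected=sorted(set(counts) - issued),
        duplicates=sorted(n for n, c in counts.items() if c > 1),
    )


def reconcile_restaurant_checks(check_books, paid, voided):
    """check_books: {server: (first, last)}; paid/voided: {server: [numbers]}.
    A missing number is a meal with neither a payment nor a voided check,
    which is exactly what the daily void hand-in policy is meant to expose."""
    reports = {}
    for server, (first, last) in check_books.items():
        accounted = list(paid.get(server, [])) + list(voided.get(server, []))
        reports[server] = account_for_series(server, first, last, accounted)
    return reports


def reconcile_box_office(roll_start, roll_next, price, register_cash, collected):
    """Tickets roll_start..roll_next-1 were sold by the cashier; `collected`
    are the numbers the ticket-taker tore. Cash is checked against tickets
    sold, then tickets sold against tickets collected."""
    sold = roll_next - roll_start
    report = account_for_series("ticket-taker", roll_start, roll_next - 1, collected)
    return {
        "tickets_sold": sold,
        "cash_expected": sold * price,
        "cash_shortage": sold * price - register_cash,   # > 0: cashier short
        "sold_not_collected": report.missing,      # no-shows, or tickets resold
        "collected_not_sold": report.unexpected,   # stock that bypassed the cashier
        "collected_twice": report.duplicates,      # a stub reused to admit someone
    }


if __name__ == "__main__":
    # Constructed restaurant day: Ana holds checks 1001-1010, Ben holds 2001-2008.
    books = {"Ana": (1001, 1010), "Ben": (2001, 2008)}
    paid = {"Ana": [1001, 1002, 1003, 1005, 1006, 1008, 1009, 1010],
            "Ben": [2001, 2002, 2003, 2004, 2006, 2007, 2008]}
    voided = {"Ana": [1004], "Ben": [2004]}   # Ben voided a check that was also paid
    for server, rep in reconcile_restaurant_checks(books, paid, voided).items():
        print(server, "missing:", rep.missing, "duplicates:", rep.duplicates)

    # Constructed box office: roll 500-519 sold at $10 each, $190 in the drawer.
    stubs = [n for n in range(500, 520) if n != 504] + [523]
    print(reconcile_box_office(500, 520, 10, 190, stubs))
```

Note what the reconciliation can and cannot see: a missing restaurant check points at the server who held that book, but a ticket-taker who waves a friend through leaves no gap at all, which is why the remaining exposures listed under 7.5 survive this control.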

7.7 Compare and contrast the following three frameworks: COBIT, COSO Integrated
Control, and ERM.

The COBIT Framework consolidates systems security and control standards into a single
framework. This allows management to benchmark security and control practices of IT
environments, users to be assured that adequate IT security and control exist, and auditors
to substantiate their internal control opinions and to advise on IT security and control
matters. The framework addresses control from three vantage points:

1. Business objectives, to ensure information conforms to and maps into business objectives.

2. IT resources, including people, application systems, technology, facilities, and data.

3. IT processes, including planning and organization, acquisition and implementation,
delivery and support, and monitoring and evaluation.

COSO’s Internal Control Framework is widely accepted as the authority on internal
controls and is incorporated into policies and regulations that control business activities.
However, it examines controls without looking at the purposes and risks of business
processes and provides little context for evaluating the results. It makes it hard to know
which control systems are most important, whether they adequately deal with risk, and
whether important controls are missing. In addition, it does not adequately address
Information Technology issues.

It has five components:

1. Control environment, which consists of the individual attributes (integrity, ethical values,
competence, etc.) of the people in the organization and the environment in which
they operate.

2. Control activities, which are control policies and procedures that help ensure that the
organization addresses risks and effectively achieves its objectives.

3. Risk assessment, which is the process of identifying, analyzing, and managing
organizational risk.

4. Information and communication, which is the system that captures and exchanges the
information needed to conduct, manage, and control organizational operations.

5. Monitoring of company processes and controls, so modifications and changes can be
made as conditions warrant.

COSO’s Enterprise Risk Management Framework is an expanded version of the
Integrated Control Framework. It is the process the board of directors and management use
to set strategy, identify events that may affect the entity, assess and manage risk, and
provide reasonable assurance that the company achieves its objectives and goals. The basic
principles behind ERM are:

• Companies are formed to create value for their owners.

• Management must decide how much uncertainty it will accept as it creates value.

• Uncertainty results in risk and opportunity, which are the possibilities that something
negatively or positively affects the company’s ability to create or preserve value.

• The ERM framework can manage uncertainty as well as create and preserve value.

ERM adds three additional elements to COSO’s IC framework:

1. Setting objectives

2. Identifying events that may affect the company

3. Developing a response to assessed risk.

The ERM framework takes a risk-based rather than a controls-based approach. As a result,
controls are flexible and relevant because they are linked to current organizational
objectives. The ERM model also recognizes that risk, in addition to being controlled, can
be accepted, avoided, diversified, shared, or transferred.

Because the ERM model is more comprehensive than the Internal Control framework, it
will likely become the more widely adopted of the two models.
7.8 Explain what an event is. Using the Internet as a resource, create a list of some of the
many internal and external factors that COSO indicated could influence events and
affect a company’s ability to implement its strategy and achieve its objectives.

An event is “an incident or occurrence emanating from internal or external sources that
affects implementation of strategy or achievement of objectives.” An event can have a
positive or a negative impact.

By their nature, events represent uncertainty. An event may or may not occur. If it does
occur, it is hard to know when it will occur. Until it occurs, it may be difficult to determine
its impact on the company. When it occurs, it may trigger another event.

Events may occur individually or concurrently. Therefore, management must anticipate all
possible events, whether positive or negative, that might affect the company. It must also
determine which events are most and least likely to occur, and it must understand the
interrelationship of events.

The following table lists some of the many internal and external factors that COSO indicated
could influence events and affect a company’s ability to implement its strategy and achieve its
objectives. Lists like these help management identify factors, evaluate their importance, and
examine those that can affect objectives. Identifying events at the activity and entity levels
allows companies to focus their risk assessment on major business units or functions and
helps align the company’s risk tolerance and risk appetite.

COSO’s Nine ERM Event Categories

External Factors

ECONOMIC
• Availability of capital; lower or higher costs of capital
• Rising or declining unemployment rates
• Price movements upward or downward
• Ability to issue credit and possibility of default
• Concentration of competitors, customers, or vendors
• Presence or absence of liquidity
• Movements in the financial markets or currency fluctuations
• Lower barriers to competitive entry, resulting in new competitors
• Mergers or acquisitions
• Potential regulatory, contractual, or criminal legal liability

NATURAL ENVIRONMENT
• Natural disasters such as fires, floods, or earthquakes
• Emissions and waste
• Energy restrictions or shortages
• Restrictions limiting development

POLITICAL
• Election of government officials with new political agendas
• New laws and regulations
• Public policy, including higher or lower taxes
• Regulation affecting the company’s ability to compete

SOCIAL
• Privacy
• Terrorism
• Corporate citizenship
• Human resource issues causing production shortages or stoppages
• Changing demographics, social mores, family structures, and work/life priorities
• Consumer behavior that changes products and services demand or creates buying
opportunity

TECHNOLOGICAL
• New e-business technologies that lower infrastructure costs or increase demand for
IT-based services
• Emerging technology
• Increased or decreased availability of data
• Interruptions or downtime caused by external parties

Internal Factors

INFRASTRUCTURE
• Inadequate access to or poor allocation of capital
• Availability and capability of company assets
• Complexity of systems

PERSONNEL
• Workplace accidents, health or safety concerns
• Employees acting dishonestly or unethically
• Employee skills and capability
• Strikes or expiration of labor agreements

PROCESS
• Process modification without proper change management procedures
• Process execution errors
• Poorly designed processes
• Suppliers cannot deliver quality goods on time

TECHNOLOGY
• Insufficient capacity to handle peak IT usage
• Data or system unavailability
• Poor systems selection/development
• Inadequately maintained systems
• Security breaches
• Inadequate data integrity
7.9 Explain what is meant by objective setting and describe the four types of objectives
used in ERM.

Objective setting, the second ERM component, is determining what the company hopes to
achieve. It is often referred to as the corporate vision or mission. The four types of
objectives used in ERM are:

1. Strategic objectives are high-level goals that align with the company’s mission,
support it, and create shareholder value. Management should identify alternative
ways of accomplishing the strategic objectives, identify and assess the risks and
implications of each alternative, and formulate a corporate strategy.

2. Operations objectives deal with the effectiveness and efficiency of company
operations and determine how to allocate resources. They reflect management
preferences, judgments, and style and are a key factor in corporate success. They
vary significantly - one company decides to be an early adopter of technology,
another adopts technology when it is proven, and a third adopts it only after it is
generally accepted.

3. Reporting objectives help ensure the accuracy, completeness, and reliability of
company reports; improve decision-making; and monitor company activities and
performance.

4. Compliance objectives help the company comply with all applicable laws and
regulations.

Most compliance and many reporting objectives are imposed by external entities due
to laws or regulations. ERM provides reasonable assurance that reporting and
compliance objectives are achieved because companies have control over them.
However, the only reasonable assurance ERM can provide about strategic and
operations objectives is that management and directors are informed on a timely basis
of the progress the company is making in achieving them.
7.10 Discuss several ways that ERM processes can be continuously monitored and
modified so that deficiencies are reported to management.

1. Have a special team or internal auditing perform a formal or a self-assessment ERM
evaluation.

2. Supervise effectively, including training and assisting employees, correcting errors,
and overseeing employees who have access to assets.

3. Use Responsibility Accounting Systems such as budgets, quotas, schedules, standard
costs, and quality standards; reports comparing actual and planned performance; and
procedures for investigating and correcting significant variances.

4. Use risk analysis and management software packages to review computer and
network security measures, detect illegal access, test for weaknesses and
vulnerabilities, report weaknesses found, and suggest improvements.

5. Track purchased software to comply with copyrights and protect against software
piracy lawsuits. Companies should periodically conduct software audits. Employees
should be informed of the consequences of using unlicensed software. Track and
monitor mobile devices, as their loss could represent a substantial exposure. Also,
track who has them, what tasks they perform, the security features installed, and what
software is needed to maintain adequate system and network security.

6. Have periodic external, internal, and network security audits to assess and monitor
risk as well as detect fraud and errors.

7. Have a chief security officer (CSO), who is independent of the information system
function, be in charge of system security and report to the chief operating officer
(COO) or the CEO. Have a chief compliance officer (CCO), who reports to the same
people, be responsible for all compliance issues.

8. Use forensic investigators, who specialize in fraud detection and investigation, to help
with the financial reporting and corporate governance process. Many forensic
investigators have received specialized training with the FBI, IRS, or other law
enforcement agencies. Investigators with the computer skills to ferret out fraud
perpetrators are in great demand.

9. Install fraud detection software to help ferret out fraud, such as illegal credit card use,
and notify forensic investigators when it is found.

10. Use a fraud hotline so people witnessing fraudulent behavior can report it
anonymously.
