7/27/2019 Ais10 Ab Az Ch06
1/314
2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 1 of 314
CHAPTER 6
Control and Accounting Information Systems
INTRODUCTION
Questions to be addressed in this chapter:
- What are the basic internal control concepts, and why are computer control and security important?
- What is the difference between the COBIT, COSO, and ERM control frameworks?
- What are the major elements in the internal environment of a company?
- What are the four types of control objectives that companies need to set?
- What events affect uncertainty, and how can they be identified?
- How is the Enterprise Risk Management model used to assess and respond to risk?
- What control activities are commonly used in companies?
- How do organizations communicate information and monitor control processes?
Why AIS Threats Are Increasing
Control risks have increased in the last few years because:
- There are computers and servers everywhere, and information is available to an unprecedented number of workers.
- Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
- Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.
Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
- Computer control problems are often underestimated and downplayed.
- Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
- Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
- Productivity and cost pressures may motivate management to forego time-consuming control measures.
Some vocabulary terms for this chapter:
- A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
- The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
- The likelihood is the probability that the threat will occur.
Control and Security Are Important
Companies are now recognizing the problems and taking positive steps to achieve better control, including:
- Devoting full-time staff to security and control concerns.
- Educating employees about control measures.
- Establishing and enforcing formal information security policies.
- Making controls a part of the applications development process.
- Moving sensitive data to more secure environments.
To use IT in achieving control objectives, accountants must:
- Understand how to protect systems from threats.
- Have a good understanding of IT and its capabilities and risks.
Achieving adequate security and control over the information resources of an organization should be a top management priority.
Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
- Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.
- Segregation of duties must be achieved differently in an AIS.
- Computers provide opportunities for enhancement of some internal controls.
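Segregation of duties in a computer-based AIS, as an added example that is not from the textbook or its authors: where a manual system keeps authorizing, recording and custody apart by handing them to different clerks, an AIS keeps them apart through role assignments and through checks the application runs as a transaction moves between steps. The role names, duty pairs, users and payment records below are constructed for illustration.

```python
"""Segregation of duties (SoD) enforced through roles in a computer-based AIS.

Added example, not from the textbook. Two complementary checks:
  * a preventive check at provisioning time, flagging users whose combined
    roles give them duties that should be held by different people;
  * a detective check over processed payments, flagging any transaction in
    which one person acted in more than one step.
Role names, duty pairs, users and payments are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed role-to-duty mapping. The three classic duties a manual
# system keeps apart are authorization, recording and custody of assets.
ROLE_DUTIES = {
    "ap_clerk": {"record"},        # enters vendor invoices / payment requests
    "ap_manager": {"authorize"},   # approves payments
    "treasurer": {"custody"},      # releases funds
    "it_support": {"admin"},       # no accounting duty
}

# Duty pairs that one person must never hold at the same time (constructed).
CONFLICTING_DUTIES = [
    ("authorize", "record"),
    ("authorize", "custody"),
    ("record", "custody"),
]


def duties_of(roles):
    """Union of the duties granted by a user's roles."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def conflicting_assignments(user_roles):
    """Preventive control: list (user, duty_a, duty_b) for every user whose
    roles combine two conflicting duties. Run this before granting a role."""
    findings = []
    for user, roles in user_roles.items():
        held = duties_of(roles)
        for duty_a, duty_b in CONFLICTING_DUTIES:
            if duty_a in held and duty_b in held:
                findings.append((user, duty_a, duty_b))
    return findings


@dataclass
class Payment:
    txn_id: str
    amount: float
    entered_by: str    # recording
    approved_by: str   # authorization
    released_by: str   # custody


def sod_violations(payments):
    """Detective control: list (txn_id, step_a, step_b, user) for every
    payment where the same user performed two of the three steps."""
    violations = []
    for p in payments:
        steps = [("entered_by", p.entered_by),
                 ("approved_by", p.approved_by),
                 ("released_by", p.released_by)]
        for i in range(len(steps)):
            for j in range(i + 1, len(steps)):
                if steps[i][1] == steps[j][1]:
                    violations.append((p.txn_id, steps[i][0], steps[j][0], steps[i][1]))
    return violations


# Constructed sample data.
SAMPLE_USERS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager"],
    "carol": ["treasurer"],
    "dana": ["ap_clerk", "ap_manager"],   # can both record and authorize
}

SAMPLE_PAYMENTS = [
    Payment("P-1001", 4200.00, "alice", "bob", "carol"),  # three different people
    Payment("P-1002", 980.00, "dana", "dana", "carol"),   # dana entered and approved
    Payment("P-1003", 15000.00, "alice", "bob", "bob"),   # bob approved and released
]

if __name__ == "__main__":
    for finding in conflicting_assignments(SAMPLE_USERS):
        print("role conflict:", finding)
    for v in sod_violations(SAMPLE_PAYMENTS):
        print("transaction violation:", v)
```

The provisioning check stops a conflicting role combination from being granted in the first place; the transaction check catches the case the first one cannot, such as a shared account or a role change made outside the normal process, which is why an AIS needs both.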
One of the primary objectives of an AIS is to control a business organization.
Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.
Management expects accountants to be control consultants by:
- Taking a proactive approach to eliminating system threats; and
- Detecting, correcting, and recovering from threats when they do occur.
It is much easier to build controls into a system during the initial stage than to add them after the fact.
Consequently, accountants and control experts should be members of the teams that develop or modify information systems.
OVERVIEW OF CONTROL CONCEPTS
In today's dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
- Hire creative and innovative employees.
- Give these employees power and flexibility to:
  - Satisfy changing customer demands;
  - Pursue new opportunities to add value to the organization; and
  - Implement process improvements.
At the same time, the company needs control systems so they are not exposed to excessive risks or behaviors that could harm their reputation for honesty and integrity.
Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
- Assets (including data) are safeguarded. This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
- Records are maintained in sufficient detail to accurately and fairly reflect company assets.
- Accurate and reliable information is provided.
- There is reasonable assurance that financial reports are prepared in accordance with GAAP.
- Operational efficiency is promoted and improved. This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors' authorizations.
- Adherence to prescribed managerial policies is encouraged.
- The organization complies with applicable laws and regulations.
Internal control is a process because:
- It permeates an organization's operating activities.
- It is an integral part of basic management activities.
Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.
Internal control systems have inherent limitations, including:
- They are susceptible to errors and poor decisions.
- They can be overridden by management or by collusion of two or more employees.
- Internal control objectives are often at odds with each other. EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.
Internal controls perform three important functions:
- Preventive controls deter problems before they arise.
- Detective controls discover problems quickly when they do arise.
- Corrective controls remedy problems that have occurred by:
  - Identifying the cause;
  - Correcting the resulting errors; and
  - Modifying the system to prevent future problems of this sort.
Internal controls are often classified as:
- General controls
  - Those designed to make sure an organization's control environment is stable and well managed.
  - They apply to all sizes and types of systems.
  - Examples: Security management controls.
- Application controls
  - Prevent, detect, and correct transaction errors and fraud.
  - Are concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
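The three control functions described earlier (preventive, detective, corrective) and the application-control concerns of accuracy, completeness, validity and authorization, applied to a single data-entry step, as an added example that is not from the textbook or its authors. The customer master file, credit limits, authorized users, field names and order records are all constructed; the batch-total check assumes the submitter declares a record count and an amount total along with the batch.

```python
"""Application controls over a constructed batch of sales orders.

Added example, not from the textbook. One data-entry step, three control
functions:
  preventive  - validate_order() checks each record for completeness,
                accuracy, validity and authorization before acceptance;
  detective   - process_batch() recomputes the record count and amount total
                and compares them with the totals the submitter declared, so
                a record lost or altered in transit is discovered;
  corrective  - rejected records are listed with their reasons so the cause
                can be identified and the record fixed and resubmitted.
Master file, limits, users, field names and records are all constructed.
"""
from decimal import Decimal, InvalidOperation
import re

VALID_CUSTOMERS = {"C001", "C002", "C003"}                     # customer master file
CREDIT_LIMIT = {"C001": Decimal("5000"), "C002": Decimal("20000"),
                "C003": Decimal("1000")}
AUTHORIZED_ENTRY_USERS = {"alice", "bob"}                      # may enter orders
REQUIRED_FIELDS = ("order_id", "customer_id", "amount", "entered_by")
ORDER_ID_RE = re.compile(r"^SO-\d{6}$")


def to_decimal(value):
    """Return Decimal(value), or None when the value is not numeric."""
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return None


def validate_order(rec):
    """Preventive control. Returns a list of reasons; empty means accepted."""
    reasons = [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if reasons:                                    # completeness check first
        return reasons
    if not ORDER_ID_RE.match(rec["order_id"]):     # field format check
        reasons.append("order_id format")
    if rec["customer_id"] not in VALID_CUSTOMERS:  # validity check (master file)
        reasons.append("unknown customer")
    amount = to_decimal(rec["amount"])             # accuracy checks
    if amount is None:
        reasons.append("amount not numeric")
    elif amount <= 0:
        reasons.append("amount not positive")
    elif rec["customer_id"] in CREDIT_LIMIT and amount > CREDIT_LIMIT[rec["customer_id"]]:
        reasons.append("exceeds credit limit")
    if rec["entered_by"] not in AUTHORIZED_ENTRY_USERS:   # authorization check
        reasons.append("unauthorized user")
    return reasons


def process_batch(records, declared_count, declared_total):
    """Run the preventive check on every record, then the detective batch
    control: count and amount total of everything received versus what the
    submitter declared. Returns accepted records, exceptions and the result
    of the batch comparison."""
    accepted, exceptions = [], []
    for rec in records:
        reasons = validate_order(rec)
        if reasons:
            exceptions.append({"order_id": rec.get("order_id"), "reasons": reasons})
        else:
            accepted.append(rec)
    received_total = sum((to_decimal(r.get("amount")) or Decimal(0) for r in records),
                         Decimal(0))
    return {
        "accepted": accepted,
        "exceptions": exceptions,
        "received_count": len(records),
        "received_total": received_total,
        "count_ok": len(records) == declared_count,
        "total_ok": received_total == Decimal(str(declared_total)),
    }


def correct_and_resubmit(rec, fixes):
    """Corrective control: apply the fixes an operator supplied for a rejected
    record and validate it again. Returns (corrected_record, reasons)."""
    corrected = {**rec, **fixes}
    return corrected, validate_order(corrected)


# Constructed batch. The submitter declared 4 records totalling 7450.00, but
# SO-000103 was altered from 250.00 to 25.00 before it arrived.
SAMPLE_BATCH = [
    {"order_id": "SO-000101", "customer_id": "C001", "amount": "1200.00", "entered_by": "alice"},
    {"order_id": "SO-000102", "customer_id": "C009", "amount": "3500.00", "entered_by": "alice"},
    {"order_id": "SO-000103", "customer_id": "C003", "amount": "25.00", "entered_by": "bob"},
    {"order_id": "SO-000104", "customer_id": "C002", "amount": "2500.00", "entered_by": "mallory"},
]
DECLARED_COUNT = 4
DECLARED_TOTAL = "7450.00"

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, DECLARED_COUNT, DECLARED_TOTAL)
    print("accepted:", [r["order_id"] for r in result["accepted"]])
    print("exceptions:", result["exceptions"])
    print("batch count ok:", result["count_ok"], "batch total ok:", result["total_ok"])
    fixed, reasons = correct_and_resubmit(SAMPLE_BATCH[1], {"customer_id": "C002"})
    print("after correction:", fixed["order_id"], reasons)
```

Note that SO-000103 passes every per-record check, since 25.00 is a valid amount for that customer; only the batch total, a detective control computed over the whole batch, reveals that something changed between the submitter and the system.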
An effective system of internal controls should exist in all organizations to:
- Help them achieve their missions and goals
- Minimize surprises
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.
- The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.
- A significant effect was to require that corporations maintain good systems of internal accounting control.
- Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.
- The resulting internal control improvements weren't sufficient.
In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.
The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka SOX).
- Applies to publicly held companies and their auditors.
The intent of SOX is to:
- Prevent financial statement fraud
- Make financial reports more transparent
- Protect investors
- Strengthen internal controls in publicly-held companies
- Punish executives who perpetrate fraud
SOX has had a material impact on the way boards of directors, management, and accountants operate.
Important aspects of SOX include:
- Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
  - Has five members, three of whom cannot be CPAs.
  - Charges fees to firms to fund the PCAOB.
  - Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports.
  - Currently recognizes FASB statements as being generally accepted.
- New rules for auditors
  - They must report specific information to the company's audit committee, such as:
    - Critical accounting policies and practices
    - Alternative GAAP treatments
    - Auditor-management disagreements
  - Audit partners must be rotated periodically.
  - Auditors cannot perform certain non-audit services, such as:
    - Bookkeeping
    - Information systems design and implementation
    - Internal audit outsourcing services
    - Management functions
    - Human resource services
  - Permissible non-audit services must be approved by the board of directors and disclosed to investors.
  - Cannot audit a company if a member of top management was employed by the auditor and worked on the company's audit in the past 12 months.
- New rules for audit committees
  - Members must be on the company's board of directors and must otherwise be independent of the company.
  - One member must be a financial expert.
  - The committee hires, compensates, and oversees the auditors, and the auditors report directly to the committee.
- New rules for management
  - The CEO and CFO must certify that:
    - The financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
    - Management is responsible for internal controls.
    - The auditors were advised of any material internal control weaknesses or fraud.
    - Any significant changes to controls after management's evaluation were disclosed and corrected.
  - If management willfully and knowingly violates the certification, they can be:
    - Imprisoned up to 20 years.
    - Fined up to $5 million.
  - Management and directors cannot receive loans that would not be available to people outside the company.
  - They must disclose on a rapid and current basis material changes to their financial condition.
- New internal control requirements
  - Section 404 of SOX requires companies to issue a report accompanying the financial statements that:
    - States management is responsible for establishing and maintaining an adequate internal control structure and procedures.
    - Contains management's assessment of the company's internal controls.
    - Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.
  - SOX also requires that the auditor attests to and reports on management's internal control assessment.
  - Each audit report must describe the scope of the auditor's internal control tests.
After the passage of SOX, the SEC further mandated that:
- Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
- The report must contain a statement identifying the framework used.
- Management must disclose any and all material internal control weaknesses.
- Management cannot conclude that the company has effective internal control if there are any material weaknesses.
Levers of Control
Many people feel there is a basic conflict between creativity and controls.
Robert Simons has espoused four levers of control to help companies reconcile this conflict:
- A concise belief system
  - Communicates company core values to employees and inspires them to live by them.
  - Draws attention to how the organization creates value.
  - Helps employees understand management's intended direction.
  - Must be broad enough to appeal to all levels.
- A boundary system
  - Helps employees act ethically by setting limits beyond which they must not pass.
  - Does not create rules and standard operating procedures that can stifle creativity.
  - Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as:
    - Meeting minimum standards of performance
    - Shunning off-limits activities
    - Avoiding actions that could damage the company's reputation.
- A diagnostic control system
  - Ensures efficient and effective achievement of important controls.
  - This system measures company progress by comparing actual to planned performance.
  - Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.
  - Provides feedback to enable management to adjust and fine-tune.
- An interactive control system
  - Helps top-level managers with high-level activities that demand frequent and regular attention. Examples:
    - Developing company strategy.
    - Setting company objectives.
    - Understanding and assessing threats and risks.
    - Monitoring changes in competitive conditions and emerging technologies.
    - Developing responses and action plans to proactively deal with these high-level issues.
  - Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.
  - Data from this system are best interpreted and discussed in face-to-face meetings.
CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
- The COBIT framework
- The COSO internal control framework
- COSO's Enterprise Risk Management framework (ERM)
COBIT Framework
Also known as the Control Objectives for Information and Related Technology framework.
- Developed by the Information Systems Audit and Control Foundation (ISACF).
- A framework of generally applicable information systems security and control practices for IT control.
The COBIT framework allows:
- Management to benchmark security and control practices of IT environments.
- Users of IT services to be assured that adequate security and control exists.
- Auditors to substantiate their opinions on internal control and advise on IT security and control matters.
The framework addresses the issue of control from three vantage points or dimensions:
- Business objectives
  - To satisfy business objectives, information must conform to certain criteria referred to as business requirements for information.
  - The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
    - Effectiveness (relevant, pertinent, and timely)
    - Efficiency
    - Confidentiality
    - Integrity
    - Availability
    - Compliance with legal requirements
    - Reliability
- IT resources, which include:
  - People
  - Application systems
  - Technology
  - Facilities
  - Data
- IT processes, broken into four domains:
  - Planning and organization
  - Acquisition and implementation
  - Delivery and support
  - Monitoring
COBIT consolidates standards from 36 different sources into a single framework.
- It is having a big impact on the IS profession.
- Helps managers to learn how to balance risk and control investment in an IS environment.
- Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.
- Guides auditors as they substantiate their opinions and provide advice to management on internal controls.
COSO's Internal Control Framework
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
- The American Accounting Association
- The AICPA
- The Institute of Internal Auditors
- The Institute of Management Accountants
- The Financial Executives Institute
In 1992, COSO issued the Internal Control - Integrated Framework:
- Defines internal controls.
- Provides guidance for evaluating and enhancing internal control systems.
- Widely accepted as the authority on internal controls.
- Incorporated into policies, rules, and regulations used to control business activities.
COSO's internal control model has five crucial components:
- Control environment
  - The core of any business is its people. Their integrity, ethical values, and competence make up the foundation on which everything else rests.
- Control activities
  - Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.
- Risk assessment
  - The organization must be aware of and deal with the risks it faces.
  - It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
- Information and communication
  - Information and communications systems surround the control activities.
  - They enable the organization's people to capture and exchange information needed to conduct, manage, and control its operations.
- Monitoring
  - The entire process must be monitored and modified as necessary.
7/27/2019 Ais10 Ab Az Ch06
60/314
2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 60 of 314
CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
- The COBIT framework
- The COSO internal control framework
- COSO's Enterprise Risk Management framework (ERM)
CONTROL FRAMEWORKS
Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process. Result: the Enterprise Risk Management Integrated Framework (ERM).
- An enhanced corporate governance document.
- Expands on elements of the preceding framework.
- Provides a focus on the broader subject of enterprise risk management.
CONTROL FRAMEWORKS
The intent of ERM is to achieve all goals of the internal control framework and help the organization:
- Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.
- Achieve its financial and performance targets.
- Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.
- Avoid adverse publicity and damage to the entity's reputation.
CONTROL FRAMEWORKS
ERM defines risk management as:
- A process effected by an entity's board of directors, management, and other personnel
- Applied in strategy setting and across the enterprise
- To identify potential events that may affect the entity
- And manage risk to be within its risk appetite
- In order to provide reasonable assurance of the achievement of entity objectives.
CONTROL FRAMEWORKS
Basic principles behind ERM:
- Companies are formed to create value for owners.
- Management must decide how much uncertainty they will accept.
- Uncertainty can result in:
  - Risk: The possibility that something will happen to adversely affect the ability to create value, or erode existing value.
  - Opportunity: The possibility that something will happen to positively affect the ability to create or preserve value.
CONTROL FRAMEWORKS
The framework should help management manage uncertainty and its associated risk to build and preserve value.
To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.
CONTROL FRAMEWORKS
COSO developed a model to illustrate the elements of ERM.
CONTROL FRAMEWORKS
Columns at the top represent the four types of objectives that management must meet to achieve company goals:
- Strategic objectives: high-level goals that are aligned with and support the company's mission.
- Operations objectives: deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets.
- Reporting objectives: help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature. They improve decision-making and help monitor company activities and performance more efficiently.
- Compliance objectives: help the company comply with applicable laws and regulations. External parties often set the compliance rules. Companies in the same industry often have similar concerns in this area.
ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them. However, strategic and operations objectives are sometimes at the mercy of external events that the company can't control. Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.
CONTROL FRAMEWORKS
Columns on the right represent the company's units:
- Entire company
- Division
- Business unit
- Subsidiary
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components:
- Internal environment: The tone or culture of the company. Provides discipline and structure and is the foundation for all other components. Essentially the same as the control environment in the COSO internal control framework.
- Objective setting: Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company's mission and are consistent with the company's tolerance for risk. Strategic objectives are set first as a foundation for the other three. The objectives provide guidance to companies as they identify risk-creating events and assess and respond to those risks.
- Event identification: Requires management to identify events that may affect the company's ability to implement its strategy and achieve its objectives. Management must then determine whether these events represent risks (negative-impact events requiring assessment and response) or opportunities (positive-impact events that influence strategy and objective-setting processes).
- Risk assessment: Identified risks are assessed to determine how to manage them and how they affect the company's ability to achieve its objectives. Qualitative and quantitative methods are used to assess risks individually and by category in terms of likelihood, positive and negative impact, and effect on other organizational units. Risks are analyzed on an inherent and a residual basis. Corresponds to the risk assessment element in COSO's internal control framework.
- Risk response: Management aligns identified risks with the company's tolerance for risk by choosing to avoid, reduce, share, or accept them. Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and the costs and benefits of alternative responses.
- Control activities: To implement management's risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization. Corresponds to the control activities element in the COSO internal control framework.
- Information and communication: Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities. Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties. Employees should understand their role and importance in ERM and how these responsibilities relate to those of others. Has a corresponding element in the COSO internal control framework.
- Monitoring: ERM processes must be monitored on an ongoing basis and modified as needed. Accomplished with ongoing management activities and separate evaluations. Deficiencies are reported to management. Has a corresponding module in the COSO internal control framework.
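As an added worked example (not from the textbook), the following Python sketches the risk assessment and risk response steps above as a small risk register: inherent risk is scored from likelihood and impact, each candidate response yields a residual risk, and the cheapest response that brings residual risk within the stated risk appetite is chosen, falling back to avoidance when none does. The 1-to-5 scales, the fraction of risk each response removes, the costs, the appetite, and the sample risks are all constructed assumptions.

```python
"""ERM-style risk register: inherent vs. residual risk and response selection.

Added example; scales, thresholds and sample data are assumptions, not the book's.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed ordinal scales (1 = low, 5 = high); the chapter gives no numeric scale.
SCALE = range(1, 6)


@dataclass
class Risk:
    name: str
    unit: str          # entire company, division, business unit, or subsidiary
    objective: str     # strategic, operations, reporting, or compliance
    likelihood: int    # 1..5
    impact: int        # 1..5, negative impact
    # Candidate responses: name -> (fraction of inherent risk removed, annual cost).
    # "accept" is always implicitly available; "avoid" is the fallback.
    responses: Dict[str, Tuple[float, float]] = field(default_factory=dict)

    def inherent(self) -> int:
        """Inherent risk: likelihood x impact before any response is applied."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1..5 scale")
        return self.likelihood * self.impact


def select_response(risk: Risk, appetite: float) -> Tuple[str, float]:
    """Return (response name, residual risk).

    Picks the cheapest response whose residual risk is within appetite; accepting
    the risk (cost 0) qualifies only if the inherent risk is already acceptable.
    If no reduce/share/accept option gets within appetite, the activity is avoided
    (residual 0, no further cost modelled).
    """
    candidates = {"accept": (0.0, 0.0), **risk.responses}
    within = [(cost, name, risk.inherent() * (1.0 - removed))
              for name, (removed, cost) in candidates.items()
              if risk.inherent() * (1.0 - removed) <= appetite]
    if not within:
        return "avoid", 0.0
    _cost, name, residual = min(within)
    return name, residual


def portfolio_view(risks: List[Risk], appetite: float):
    """Entity-wide view: chosen response per risk and total residual risk per unit."""
    plan: Dict[str, Tuple[str, float]] = {}
    by_unit: Dict[str, float] = {}
    for r in risks:
        name, residual = select_response(r, appetite)
        plan[r.name] = (name, residual)
        by_unit[r.unit] = by_unit.get(r.unit, 0.0) + residual
    return plan, by_unit


# Constructed sample register and risk appetite (assumptions).
APPETITE = 6.0
SAMPLE_RISKS = [
    Risk("Unauthorized change to the general ledger", "entire company", "reporting", 3, 5,
         {"reduce: change approval and logging": (0.7, 20_000)}),
    Risk("Data center flood", "division", "operations", 2, 4,
         {"share: insurance": (0.6, 5_000), "reduce: relocate": (0.9, 150_000)}),
    Risk("Minor expense report errors", "business unit", "reporting", 4, 1,
         {"reduce: second review": (0.5, 8_000)}),
    Risk("Unlicensed product line in a new market", "subsidiary", "compliance", 5, 5,
         {"reduce: compliance program": (0.6, 50_000)}),
]

if __name__ == "__main__":
    plan, by_unit = portfolio_view(SAMPLE_RISKS, APPETITE)
    for risk_name, (response, residual) in plan.items():
        print(f"{risk_name}: {response} (residual {residual:.1f})")
    for unit, total in by_unit.items():
        print(f"{unit}: total residual {total:.1f}")
```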
CONTROL FRAMEWORKS
The ERM model is three-dimensional. This means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.
CONTROL FRAMEWORKS
ERM Framework vs. the Internal Control Framework
The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it:
- It has too narrow a focus.
  - Examining controls without first examining the purposes and risks of business processes provides little context for evaluating the results.
  - Makes it difficult to know which control systems are most important, whether they adequately deal with risk, and whether important control systems are missing.
- Focusing on controls first has an inherent bias toward past problems and concerns.
  - May contribute to systems with many controls to protect against risks that are no longer important.
CONTROL FRAMEWORKS
These issues led to COSO's development of the ERM framework. ERM:
- Takes a risk-based, rather than controls-based, approach to the organization.
- Is oriented toward the future and constant change.
- Incorporates rather than replaces COSO's internal control framework and contains three additional elements:
  - Setting objectives.
  - Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.
  - Developing a response to assessed risk.
CONTROL FRAMEWORKS
Controls are flexible and relevant because they are linked to current organizational objectives.
ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.
CONTROL FRAMEWORKS
Over time, ERM will probably become the most widely adopted risk and control model. Consequently, its eight components are the topic of the remainder of the chapter.
INTERNAL ENVIRONMENT
The internal environment is the most critical component of the ERM and the internal control framework. It is the foundation on which the other seven components rest.
It influences how organizations:
- Establish strategies and objectives
- Structure business activities
- Identify, assess, and respond to risk
A deficient internal control environment often results in risk management and control breakdowns.
The internal environment consists of the following:
- Management's philosophy, operating style, and risk appetite
- The board of directors
- Commitment to integrity, ethical values, and competence
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
- External influences
INTERNAL ENVIRONMENT
Management's Philosophy, Operating Style, and Risk Appetite
An organization's management has shared beliefs and attitudes about risk. That philosophy affects everything the organization does, long- and short-term, and affects its communications.
Companies also have a risk appetite, which is the amount of risk a company is willing to accept to achieve its goals and objectives. That appetite needs to be in alignment with company strategy.
The more responsible management's philosophy and operating style, the more likely employees will behave responsibly. This philosophy must be clearly communicated to all employees; it is not enough to give lip service. Management must back up words with actions; if they show little concern for internal controls, then neither will employees.
This component can be assessed by asking questions such as:
- Does management take undue business risks, or assess potential risks and rewards before acting?
- Does management attempt to manipulate performance measures such as net income?
- Does management pressure employees to achieve results regardless of methods, or do they demand ethical behavior?
INTERNAL ENVIRONMENT
The Board of Directors
An active and involved board of directors plays an important role in internal control. They should:
- Oversee management
- Scrutinize management's plans, performance, and activities
- Approve company strategy
- Review financial results
- Annually review the company's security policy
- Interact with internal and external auditors
Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders. At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.
Public companies must have an audit committee, composed entirely of independent, outside directors. The audit committee:
- Oversees the company's internal control structure, its financial reporting process, and its compliance with laws, regulations, and standards.
- Works with the corporation's external and internal auditors.
- Hires, compensates, and oversees the auditors. Auditors report all critical accounting policies and practices to the audit committee.
- Provides an independent review of management's actions.
INTERNAL ENVIRONMENT
Commitment to Integrity, Ethical Values, and Competence
Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence. Ethical standards of behavior make for good business.
Tone at the top is everything. Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.
Companies can endorse integrity as a basic operating principle by actively teaching and requiring it. Management should make it clear that honest reports are more important than favorable ones. Management should avoid:
- Unrealistic expectations, incentives, or temptations.
- An attitude of earnings or revenue at any price.
- Overly aggressive sales practices.
- Unfair or unethical negotiation practices.
- Implied kickback offers.
- Excessive bonuses.
- Bonus plans with upper and lower cutoffs.
Management should not assume that employees will always act honestly. It should consistently reward and encourage honesty, and give verbal labels to honest and dishonest acts. The combination of these two will produce more consistent moral behavior.
Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct. In particular, such a code would cover issues that are uncertain or unclear. Dishonesty often appears when situations are gray and employees rationalize the most expedient action as opposed to making a right vs. wrong choice.
SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees:
- It should be written at a fifth-grade level.
- It should be reviewed annually with employees and signed.
- This approach helps employees keep themselves out of trouble.
- It helps the company if it needs to take legal action against the employee.
Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
- Reports of dishonest acts should be thoroughly investigated.
- Those found guilty should be dismissed.
- Prosecution should be undertaken when possible, so that other employees are clear about consequences.
Companies must make a commitment to competence. It begins with having competent employees. Competence varies with each job but is a function of knowledge, experience, training, and skills.
The levers of control, particularly beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants. This requires more than lip service and signing forms. These must be systems in which top management actively participates in order to:
- Demonstrate the importance of the system.
- Create buy-in and a team spirit.
INTERNAL ENVIRONMENT
Organizational Structure
A company's organizational structure defines its lines of authority, responsibility, and reporting. It provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.
Important aspects of organizational structure:
- Degree of centralization or decentralization
- Assignment of responsibility for specific tasks
- Direct-reporting relationships or matrix structure
- Organization by industry, product, geographic location, or marketing network
- How the responsibility allocation affects management's information needs
- Organization of accounting and IS functions
- Size and nature of company activities
Statistically, fraud occurs more frequently in organizations with complex structures:
- The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or
- The structure may be intentionally complex to facilitate the fraud.
In today's business world, hierarchical organizations with many layers of management are giving way to flatter organizations with self-directed work teams. Team members are empowered to make decisions without multiple layers of approvals. Emphasis is on continuous improvement rather than on regular evaluations. These changes have a significant impact on the nature and type of controls needed.
INTERNAL ENVIRONMENT
Methods of Assigning Authority and Responsibility
Management should make sure:
- Employees understand the entity's objectives
- Authority and responsibility for business objectives is assigned to specific departments and individuals
- Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.
Management:
- Must be sure to identify who is responsible for the IS security policy.
- Should monitor results so decisions can be reviewed and, if necessary, overruled.
Authority and responsibility are assigned through:
- Formal job descriptions
- Employee training
- Operating plans, schedules, and budgets
- Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest
- Written policies and procedures manuals (a good job reference and job training tool), which cover:
  - Proper business practices
  - Knowledge and experience needed by key personnel
  - Resources provided to carry out duties
  - Policies and procedures for handling particular transactions
  - The organization's chart of accounts
  - Sample copies of forms and documents
INTERNAL ENVIRONMENT
7/27/2019 Ais10 Ab Az Ch06
121/314
2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 121 of 314
Human Resources Standards
Employees are both the company's greatest control strength and its greatest control weakness.
Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.
Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization's vulnerability.
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
Hiring
Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.
Employees should undergo a formal, in-depth employment interview.
Resumes, reference letters, and thorough background checks are critical.
Background checks can involve:
Verifying education and experience
Talking with references
Checking for criminal records, credit issues, and other publicly available data.
Note that you must have the employee's or candidate's written permission to conduct a background check, but that permission does not need to have an expiration date.
Background checks are important because recent studies show that about 50% of resumes have been falsified or embellished.
Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions.
Some get phony degrees from online diploma mills.
A Pennsylvania district attorney recently filed suit against a Texas university for issuing an MBA to the DA's 6-year-old black cat.
Others actually hack (or hire someone to hack) into the systems of universities to create or alter transcripts and other academic data.
No employee should be exempted from background checks. Anyone from the custodian to the company president is capable of committing fraud, sabotage, etc.
Compensating
Employees should be paid a fair and competitive wage.
Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud.
Appropriate incentives can motivate and reinforce outstanding performance.
Policies on Training
Training programs should familiarize new employees with:
Their responsibilities.
Expected performance and behavior.
Company policies, procedures, history, culture, and operating style.
Training needs to be ongoing, not just one-time.
Companies that shortchange training are more likely to experience security breaches and fraud.
Many believe employee training and education are the most important elements of fraud prevention and security programs.
Fraud is less likely to occur when employees believe security is everyone's business.
An ideal corporate culture exists when:
Employees are proud of their company and protective of its assets.
They believe fraud hurts everyone and that they therefore have a responsibility to report it.
These cultures do not just happen. They must be created, taught, and practiced, and the following training should be provided:
Fraud awareness
Employees should be aware of fraud's prevalence and dangers, why people do it, and how to deter and detect it.
Ethical considerations
The company should promote ethical standards in its practice and its literature.
Acceptable and unacceptable behavior should be defined and labeled, leaving as little gray area as possible.
Punishment for fraud and unethical behavior
Employees should know the consequences (e.g., reprimand, dismissal, prosecution) of bad behavior.
These should be disseminated as a consequence rather than a threat.
EXAMPLE: Using a computer to steal or commit fraud is a federal crime, and anyone doing so faces immediate dismissal and/or prosecution.
The company should display notices of program and data ownership and advise employees of the penalties of misuse.
Training can take place through:
Informal discussions
Formal meetings
Periodic memos
Written guidelines
Codes of ethics
Circulating reports of unethical behavior and its consequences
Promoting security and fraud training programs
Evaluating and promoting
Do periodic performance appraisals to help employees understand their strengths and weaknesses.
Base promotions on performance and qualifications.
Discharging
Fired employees are disgruntled employees.
Disgruntled employees are more likely to commit sabotage or fraud against the company.
Employees who are terminated (whether voluntarily or involuntarily) should be removed from sensitive jobs immediately and denied access to information systems.
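The access-revocation rule above, as an added example that is not from the textbook: a leaver reconciliation that cross-checks an HR termination feed against a directory export and flags any account that stayed enabled, or was used, after the employee's last day. The `offboarding_gaps` function, the user names, dates and roles are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Termination:
    user: str
    term_date: date        # last day of employment, from the HR feed
    sensitive_role: bool   # payroll, treasury, sysadmin, ...


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    last_login: date       # most recent login in the directory export


def offboarding_gaps(terminations, accounts, as_of):
    """Return (user, issue) pairs for each leaver whose access outlived them.
    The account must be disabled by the termination date and show no login
    after it; sensitive roles are rated HIGH, all others MEDIUM.
    """
    by_user = {a.user: a for a in accounts}
    findings = []
    for t in terminations:
        if t.term_date > as_of:
            continue                      # future leaver: nothing to check yet
        acct = by_user.get(t.user)
        if acct is None:
            continue                      # account already deleted: fine
        sev = "HIGH" if t.sensitive_role else "MEDIUM"
        if acct.enabled:
            days = (as_of - t.term_date).days
            findings.append((t.user, f"{sev}: still enabled {days} days after termination"))
        if acct.last_login > t.term_date:
            findings.append((t.user, f"{sev}: login on {acct.last_login} after termination"))
    return findings

# Constructed sample data, not real records.
REVIEW_DATE = date(2019, 7, 27)
TERMINATIONS = [
    Termination("jdoe", date(2019, 7, 1), sensitive_role=True),     # payroll clerk
    Termination("asmith", date(2019, 7, 10), sensitive_role=False),
    Termination("bwong", date(2019, 8, 15), sensitive_role=True),   # has not left yet
]
ACCOUNTS = [
    Account("jdoe", True, date(2019, 7, 5)),      # still enabled and used after leaving
    Account("asmith", False, date(2019, 7, 9)),   # correctly disabled
    Account("bwong", True, date(2019, 7, 25)),
]
```

Run against real feeds, the same check belongs in a scheduled job so that a missed de-provisioning surfaces within a day rather than at the next audit.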
Managing disgruntled employees
Disgruntled employees may be isolated and/or unhappy, but they are much likelier fraud candidates than satisfied employees.
The organization can try to reduce the employees' pressures through grievance channels and counseling.
This is difficult to do because many employees feel that seeking counseling will stigmatize them in their jobs.
Disgruntled employees should not be allowed to continue in jobs where they could harm the organization.
Vacations and rotation of duties
Some fraud schemes, such as lapping and kiting, cannot continue without the constant attention of the perpetrator.
Mandatory vacations or rotation of duties can prevent these frauds or lead to early detection.
These measures will only be effective if someone else is doing the job while the usual employee is elsewhere.
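The condition in the last sentence, as an added example that is not from the textbook: a check over a journal of postings that flags a leave period where the vacationing employee kept working the duty (the scheme could continue) or where nobody else touched the duty at all (no substitute was in a position to notice anything). The `vacation_findings` function, the duty names, users and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data, not real records: (user, duty, start, end) mandatory
# leave periods and (user, duty, date) journal postings for the same duties.
LEAVES = [
    ("clerk1", "cash_receipts", date(2019, 7, 8), date(2019, 7, 19)),
    ("clerk2", "bank_recs", date(2019, 7, 15), date(2019, 7, 26)),
]
POSTINGS = [
    ("clerk1", "cash_receipts", date(2019, 7, 5)),    # before leave: normal
    ("clerk1", "cash_receipts", date(2019, 7, 10)),   # during own leave: suspicious
    ("backup1", "cash_receipts", date(2019, 7, 11)),  # someone else covered the duty
    ("backup1", "cash_receipts", date(2019, 7, 18)),
    ("clerk2", "bank_recs", date(2019, 7, 12)),       # before leave
    # nobody posts bank_recs during clerk2's leave: the control did nothing
    ("clerk2", "bank_recs", date(2019, 7, 29)),       # after leave
]


def vacation_findings(leaves, postings):
    """Check that mandatory leave really takes the usual employee off the duty.

    Two findings are possible per leave period:
      - "worked during leave": the vacationing user kept posting, so a scheme
        that needs constant attention could carry on;
      - "no coverage": no one else performed the duty, so nothing a substitute
        might have questioned was ever looked at.
    """
    findings = []
    for user, duty, start, end in leaves:
        in_window = [(u, d) for u, dt, d in postings if dt == duty and start <= d <= end]
        own = sorted(d for u, d in in_window if u == user)
        others = {u for u, d in in_window if u != user}
        if own:
            findings.append((user, duty, f"worked during leave on {own[0]}"))
        if not others:
            findings.append((user, duty, "no coverage: duty untouched during leave"))
    return findings
```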
Confidentiality agreements and fidelity bond insurance
Employees, suppliers, and contractors should be required to sign and abide by nondisclosure or confidentiality agreements.
Key employees should have fidelity bond insurance coverage to protect the company against losses from fraudulent acts by those employees.
In addition to the preceding policies, the company should seek prosecution and incarceration of hackers and fraud perpetrators.
Most fraud cases and hacker attacks go unreported. They are not prosecuted for several reasons. Companies fear:
Public relations nightmares
Copycat attacks
But unreported fraud and intrusions create a false sense of security.
Law enforcement officials and courts are busy with violent crimes and may regard teen hacking as childish pranks.
Fraud is difficult, costly, and time-consuming to investigate and prosecute.
Law enforcement officials, lawyers, and judges often lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.
When cases are prosecuted and a conviction obtained, penalties are often very light. Judges often regard the perpetrators as model citizens.
External influences
External influences that affect the control environment include requirements imposed by:
FASB
PCAOB
SEC
Insurance commissions
Regulatory agencies for banks, utilities, etc.
OBJECTIVE SETTING
Objective setting is the second ERM component.
It must precede many of the other six components.
For example, you must set objectives before you can define events that affect your ability to achieve those objectives.
Top management, with board approval, must articulate why the company exists and what it hopes to achieve.
This is often referred to as the corporate vision or mission.
The mission statement is used as a base from which to set corporate objectives.
The objectives:
Need to be easy to understand and measure.
Should be prioritized.
Should be aligned with the company's risk appetite.
Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub-units.
For each set of objectives: