Page 157 - Accounting Information Systems
P. 157
128 PART I Overview of Accounting Information Systems
to the fraud picture. To fully appreciate these complexities requires an awareness of technology and
internal control issues that are discussed in subsequent chapters. Computer fraud is therefore deferred to
Chapter 15, wherein we examine a number of related topics.
Internal Control Concepts and Techniques
With a backdrop of ethics and fraud in place, let’s now examine internal control concepts and techniques
for dealing with these problems. The internal control system comprises policies, practices, and proce-
dures employed by the organization to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures. 16
Modifying Assumptions
Inherent in these control objectives are four modifying assumptions that guide designers and auditors of
internal controls. 17
MANAGEMENT RESPONSIBILITY. This concept holds that the establishment and maintenance
of a system of internal control is a management responsibility. This point is made eminent in SOX
legislation.
REASONABLE ASSURANCE. The internal control system should provide reasonable assurance
that the four broad objectives of internal control are met in a cost-effective manner. This means that no
system of internal control is perfect and the cost of achieving improved control should not outweigh its
benefits.
METHODS OF DATA PROCESSING. Internal controls should achieve the four broad objectives
regardless of the data processing method used. The control techniques used to achieve these objectives
will, however, vary with different types of technology.
LIMITATIONS. Every system of internal control has limitations on its effectiveness. These include (1)
the possibility of error—no system is perfect, (2) circumvention—personnel may circumvent the system
through collusion or other means, (3) management override—management is in a position to override
control procedures by personally distorting transactions or by directing a subordinate to do so, and (4)
changing conditions—conditions may change over time so that existing controls may become ineffectual.
Exposures and Risk
Figure 3-2 portrays the internal control system as a shield that protects the firm’s assets from numerous
undesirable events that bombard the organization. These include attempts at unauthorized access to the
firm’s assets (including information); fraud perpetrated by persons both inside and outside the firm; errors
due to employee incompetence, faulty computer programs, and corrupted input data; and mischievous
acts, such as unauthorized access by computer hackers and threats from computer viruses that destroy
programs and databases.
16 American Institute of Certified Public Accountants, AICPA Professional Standards, vol. 1. AU Sec. 320.30–35 (New York:
AICPA, 1987).
17 American Institute of Certified Public Accountants, Committee on Auditing Procedure, Internal Control—Elements of a
Coordinated System and Its Importance to Management and the Independent Public Accountant, Statement on Auditing
Standards No. 1, Sec. 320 (New York: AICPA, 1973).
