Page 160 - Accounting Information Systems

CHAPTER 3   Ethics, Fraud, and Internal Control   131

attention to the problem. For example, assume a clerk entered the following data on a customer sales order:

    Quantity    Price    Total
    10          $10      $1,000

Before processing this transaction and posting to the accounts, a detective control should recalculate the total value using the price and quantity. Thus, the error in total price would be detected.

CORRECTIVE CONTROLS. Corrective controls are actions taken to reverse the effects of errors detected in the previous step. There is an important distinction between detective controls and corrective controls. Detective controls identify anomalies and draw attention to them; corrective controls actually fix the problem. For any detected error, however, there may be more than one feasible corrective action, but the best course of action may not always be obvious. For example, in viewing the error above, your first inclination may have been to change the total value from $1,000 to $100 to correct the problem. This presumes that the quantity and price values on the document are correct; they may not be. At this point, we cannot determine the real cause of the problem; we know only that one exists.

Linking a corrective action to a detected error, as an automatic response, may result in an incorrect action that causes a worse problem than the original error. For this reason, error correction should be viewed as a separate control step that should be taken cautiously.

The PDC control model is conceptually pleasing but offers little practical guidance for designing specific controls. For this, we need a more precise framework. The current authoritative document for specifying internal control objectives and techniques is Statement on Auditing Standards (SAS) No. 78,[18] which is based on the COSO framework. We discuss the key elements of these documents in the following section.
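The following is an added illustration (not from the textbook) of the detective/corrective distinction above, using the same sales-order line (quantity 10, price $10, total $1,000). The detective control only recomputes and flags; the corrective step enumerates every correction that would make the line arithmetically consistent, showing why there is more than one feasible action and why the record is held for review instead of being auto-corrected. The `OrderLine` type, the exception queue and the function names are constructed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class OrderLine:
    quantity: int
    price: Decimal
    total: Decimal


def detect_total_error(line: OrderLine) -> bool:
    """Detective control: recompute total from quantity and price.
    It only reports that an anomaly exists; it does not change anything."""
    return line.quantity * line.price != line.total


def candidate_corrections(line: OrderLine) -> dict:
    """Corrective options: each keeps two of the three fields and rewrites
    the third so the line balances again. All are feasible; the data alone
    cannot tell which one reflects the real order."""
    cands = {"fix_total": OrderLine(line.quantity, line.price,
                                    line.quantity * line.price)}
    # quantity must stay a whole number, so only offer it when total divides
    if line.price and line.total % line.price == 0:
        cands["fix_quantity"] = OrderLine(int(line.total // line.price),
                                          line.price, line.total)
    if line.quantity:
        cands["fix_price"] = OrderLine(line.quantity,
                                       line.total / line.quantity, line.total)
    return cands


def process_line(line: OrderLine, posted: list, exception_queue: list) -> str:
    """Post clean lines; hold anomalous ones with their candidate fixes for a
    separate, human-reviewed corrective step rather than auto-correcting."""
    if detect_total_error(line):
        exception_queue.append((line, candidate_corrections(line)))
        return "held"
    posted.append(line)
    return "posted"


if __name__ == "__main__":
    # constructed sample: the clerk's erroneous entry from the text
    bad = OrderLine(10, Decimal("10"), Decimal("1000"))
    posted, held = [], []
    print(process_line(bad, posted, held))          # held
    for name, fixed in held[0][1].items():
        print(name, fixed, detect_total_error(fixed))  # every fix balances
```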


Sarbanes-Oxley and Internal Control

Sarbanes-Oxley legislation requires management of public companies to implement an adequate system of internal controls over their financial reporting process. This includes controls over transaction processing systems that feed data to the financial reporting systems. Management’s responsibilities for this are codified in Sections 302 and 404 of SOX. Section 302 requires that corporate management (including the CEO) certify their organization’s internal controls on a quarterly and annual basis. In addition, Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls. This entails providing an annual report addressing the following points: (1) a statement of management’s responsibility for establishing and maintaining adequate internal control; (2) an assessment of the effectiveness of the company’s internal controls over financial reporting; (3) a statement that the organization’s external auditors have issued an attestation report on management’s assessment of the company’s internal controls; (4) an explicit written conclusion as to the effectiveness of internal control over financial reporting;[19] and (5) a statement identifying the framework used in their assessment of internal controls.

Regarding the control framework to be used, both the PCAOB and the SEC have endorsed the framework put forward by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Further, they require that any other framework used should encompass all of COSO’s general themes.[20] The COSO framework was the basis for SAS 78, but was designed as a management tool rather than an audit tool. SAS 78, on the other hand, was developed for auditors and describes the complex relationship between the firm’s internal controls, the auditor’s assessment of risk, and the planning of audit


[18] American Institute of Certified Public Accountants, SAS No. 78—Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS No. 55 (New York: AICPA, 1995).
[19] Management may not conclude that internal controls are effective if one or more material weaknesses exist. In addition, management must disclose all material weaknesses that exist as of the end of the most recent fiscal year.
[20] A popular competing control framework is Control Objectives for Information and related Technology (COBIT®) published by the IT Governance Institute (ITGI). This framework maps into COSO’s general themes.