ACC 340 Accounting Information Systems I

ACC/340 Week Five

Information Systems and Auditing

Introduction

To be useful, information must be accurate and reliable. As businesses become more complex, there is an increased risk that decision makers will make decisions based on inaccurate and unreliable information. To avoid making bad choices, decision makers need accurate, reliable information. The most common way for users to determine the accuracy and reliability of information is to evaluate whether the information properly reflects the economic events on which it is based. Many things go into assuring that the financial statements are accurate, including the internal controls, the audit function, and the accounting information system.

An organization’s system of internal controls is one of the most important concepts in the theory of assuring the integrity of the information about the corporation. In addition, the internal control system can assist the auditor during the review of the entity’s records. Perhaps most importantly, it assures management itself that the financial information is reliable and accurate. Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies, laws, and regulations. Companies establish these types of controls to help meet their goals. Internal control systems consist of many specific policies and procedures designed to provide management with reasonable assurance that the goals and objectives it believes important will be met.

Sarbanes-Oxley and Internal Controls

The Sarbanes-Oxley Act of 2002 not only requires corporations to implement and document their internal controls systems, but it requires these corporations to rigorously monitor and audit their internal controls. Much of the fraud uncovered in recent years can be blamed on a failure of the corporation’s internal controls.

Sections 302 and 404 of SOX specifically outline the responsibilities of management with regard to internal controls. Management is responsible for designing and implementing internal controls within the organization. It is required to monitor these internal controls and focus specifically on any changes since the last review by management and the auditors. It is also required to disclose any deficiencies within its system. Further, auditors are now required to audit a corporation’s system of internal controls.

Almost all of the financial information tracked within a business is processed through the information systems of the company. With accounting processes predominantly automated, the need for strong controls over the IT systems cannot be overstated. For the company, a multitude of questions must be asked and answered before the internal controls can be deemed adequate. There will not be a one-size-fits-all solution.

The IT system of internal controls includes general controls and application controls. The general controls include items such as disaster recovery plans, backup systems, security policies, and access control. These are key to keeping unwanted and unauthorized intruders out of the system and to recovering data in an emergency. These controls are the foundation of internal control for the IT system. We need to ask the following questions: Who should have access to the systems, and who should control that access? How vulnerable is our system to external threats, and are we able to detect when our system has been subjected to unauthorized entry? Do we have the latest and greatest version of software and operating systems? How frequently should we back up our systems? Is our computer equipment secure? When the internal controls fail, how will these failures be addressed and corrected? This is only the beginning of the questions that we must ask ourselves when assessing the general controls of the system.

The application controls are more intuitive to accountants. These controls include items such as authorization of transactions, accuracy of the processing of information, separation of duties, and validation of the results. We must ask ourselves the following questions regarding application controls: Who authorized the transaction? Who can authorize the transaction? Does one person have too much control over a single transaction to allow for fraud or errors? Is the information processed through the IT system accurate? Who should have access to the information and reports? Do we limit access to the different modules of the accounting system? These, again, are just a few of the questions we need to ask ourselves about the application controls of our IT systems.
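
The authorization and separation-of-duties questions above can be tested mechanically against a transaction log. The following is an added example, not part of the original course material; the record layout, user names, approval limits and the policy that no user may hold two roles on one transaction are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: int        # whole dollars
    created_by: str
    approved_by: str   # empty string means the entry was never approved
    posted_by: str

# Constructed approval matrix: user -> largest amount that user may authorize.
APPROVAL_LIMITS = {"mgr_lee": 10_000, "cfo_ortiz": 250_000}

# Constructed sample journal entries.
SAMPLE_LOG = [
    Txn("T-1001", 4_200, "clerk_ann", "mgr_lee", "clerk_bob"),
    Txn("T-1002", 9_800, "clerk_ann", "clerk_ann", "clerk_ann"),
    Txn("T-1003", 48_000, "clerk_bob", "mgr_lee", "clerk_ann"),
    Txn("T-1004", 1_150, "clerk_bob", "", "clerk_bob"),
    Txn("T-1005", 75_000, "mgr_lee", "cfo_ortiz", "mgr_lee"),
]

def review(txn):
    """Return the application-control exceptions for one transaction."""
    findings = []
    if not txn.approved_by:
        findings.append("NO_APPROVAL")              # who authorized it? nobody
    else:
        limit = APPROVAL_LIMITS.get(txn.approved_by)
        if limit is None:
            findings.append("APPROVER_NOT_AUTHORIZED")  # who *can* authorize?
        elif txn.amount > limit:
            findings.append("OVER_APPROVAL_LIMIT")
    # Assumed policy: initiate, approve and post must be three different people.
    actors = [u for u in (txn.created_by, txn.approved_by, txn.posted_by) if u]
    if len(set(actors)) < len(actors):
        findings.append("DUTIES_NOT_SEPARATED")
    return findings

def exceptions(log):
    """Map txn_id -> findings for every transaction with at least one exception."""
    return {t.txn_id: f for t in log if (f := review(t))}

if __name__ == "__main__":
    for txn_id, findings in exceptions(SAMPLE_LOG).items():
        print(txn_id, ", ".join(findings))
```

Run periodically over the posted journal, a report like this gives the reviewer a list of exceptions to follow up rather than relying on sampling alone.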

Accounting information is processed within the IT system, often with very little paper to highlight and document the transactions. It is imperative that the system is not vulnerable to manipulation and corruption. CEOs and CFOs will find themselves facing fines and prison sentences for failure to comply with the Sarbanes-Oxley Act of 2002. Executives will not be allowed to plead ignorance when internal control systems fail and manipulation occurs within the financial reports. The accounting information systems must provide a sound and secure foundation for executives who are providing a certification on the financial information and the systems that provide this data.

Conclusion

Accountants play an important role in the process of controlling a business. Accountants design effective control systems and also audit and review those already in place to ensure that they are operating effectively. Accounting information systems themselves do not provide a means of internal control, but are valuable resources requiring measures, policies, and procedures to ensure their own security. Businesses have become increasingly dependent on accounting information systems. These systems have grown increasingly complex to meet the escalating needs that businesses have for information. As the complexity and importance of these systems increase, companies face a growing risk that the capabilities of these systems may somehow be compromised. Ensuring a company’s ability to continue operations after a catastrophic event has become an imperative through the passage of the Sarbanes-Oxley Act.

Questions to Consider

1.  Why are personal computers (PC) and networks of PCs particularly vulnerable to security risks? Can you think of control measures that a company can implement to mitigate PC and network security risks?

2.  What are some examples of general controls and application controls employed by your organization? Are they effective?

3.  What safeguards should management take to protect an accounting information system and provide for disaster recovery?
