Control and the AIS
Control and the Accounting Information System
This paper discusses the process of integrating controls into the accounting information system (AIS) using enterprise risk management (ERM) components. ERM is defined as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (Committee of Sponsoring Organizations of the Treadway Commission, COSO, 2004, p.2).
According to COSO, ERM encompasses:
Aligning risk appetite and strategy
Enhancing risk response decisions
Reducing operational surprises and losses
Identifying and managing multiple and cross-enterprise risks
Seizing opportunities
Improving deployment of capital (COSO, 2004, p. 7).
ERM integrates concepts of internal control and the Sarbanes-Oxley Act. Internal controls of accounting systems are intended to protect a company from fraud, abuse, and inaccurate data recording, as well as to help organizations keep track of essential financial activities. The Sarbanes-Oxley Act created new standards for corporate accountability along with new penalties for wrongdoing that violated corporate disclosure requirements.
COSO (2004, pp. 3-4) developed an integrated framework for ERM that consists of eight components:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
The internal environment comprises factors such as the risk appetite, ethics and values of an organization; it establishes a basis for how risk is viewed and addressed by management and staff, their risk management philosophy and the environment in which they operate.
Objective setting describes the next step in the process, defining the risk-related objectives of the organization and related strategic goals. Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has a process in place for setting objectives, and that the selected objectives support and align with the entity's mission and are consistent with the entity's risk appetite.
Event identification focuses on internal and external events that affect achievement of an entity's objectives, distinguishing between risks and opportunities. The next step in the process is to understand the impact of the identified events on the objective, as a basis for determining how they should be managed. Opportunities are channeled back to objective-setting processes or management's strategy.
During risk assessment risks are analyzed, likelihood and impact are considered, as a basis for determining how they should be managed. Risk assessment is performed on an inherent and a residual basis.
The risk response component consists of evaluating responses and assigning them ratings on the scale of risk tolerance. These ratings must factor in a cost-benefit analysis. Management does this by selecting risk responses -- avoiding, accepting, reducing, or sharing risk -- and developing a set of actions to align risks with the entity's risk appetite and risk tolerance.
COSO (2004, p. 11) points out that the eight ERM components will not function identically in every entity; their application in small and mid-size entities, for example, may be less formal and less structured. Nevertheless, small entities still may have effective enterprise risk management, as long as each component is present and functioning properly.