Therefore, this can easily lead to project failure. In addition, consulting and implementation firms need to address the tendency of their consulting and implementation staff to attach little importance to monitoring and supervision of the ERP system, because this attitude can affect how the importance of system monitoring is communicated to the enterprise during analysis and the training of enterprise staff.
Courses on accounting information systems or ERP systems also need to cover information system control and information system management policy for accounting students because, like other groups, the accounting group in enterprises pays little attention to policy and control issues.
The audit plan needs to cover the factors affecting the quality of accounting information, especially data quality factors and ERP system security.
CHAPTER 3. CONTROL OF FACTORS AFFECTING THE QUALITY OF ACCOUNTING INFORMATION IN THE ERP APPLICATION ENVIRONMENT AT VIETNAMESE ENTERPRISES.

3.1. INTERNAL CONTROL AND CONTROL MODEL
There is no single definition for the term control. In management terms, control or internal control is a tool that provides reasonable assurance to help an organization achieve its objectives as well as respond effectively to risks that occur in the management process (Gelinas and Dull, 2008). Internal control is defined in different ways. For example, COSO [5] defines “Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) effectiveness and efficiency of operations; (2) reliability of financial reporting; (3) Compliance with laws and regulations”. Meanwhile, CobiT [6] defines “Controls are the policies, procedures, practices and organizational structures, designed to provide reasonable assurance that enterprise objectives will be achieved and that undesirable events are prevented or detected and corrected” (Gelinas and Dull, 2008).
[5] COSO (the Committee of Sponsoring Organizations of the Treadway Commission) is a committee of the National Commission on Financial Reporting (also known as the Treadway Commission). The COSO Committee was established in 1985 with the purpose of researching internal control and was sponsored by 5 professional organizations: American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executive Institute (FEI), Institute of Management Accountants (IMA), Institute of Internal Auditors (IIA).
In 1992, COSO issued the Internal Control-Integrated Framework, which includes five components: control environment, risk assessment, control activities, information and communication, and monitoring. This report was quickly and widely accepted as the standard for internal control and was used to establish policies and principles for control activities.
In 2004, COSO issued the second report, Enterprise Risk Management: Integrated Framework, with the definition of 8 components: internal business environment, objective setting, event identification, risk assessment, risk response, control activities, communication and monitoring. However, it only elaborates on the 1992 report and is not intended to replace it.
In 2006, COSO released “Internal Control over Financial Reporting – Guidance for Small Public Companies”.
(Department of Auditing, University of Economics - Internal Control)
[6] COBIT (Control Objectives for Information and related Technology) was issued by the IT Governance Institute of the Information System Audit and Control Association (ISACA) in 1996.
Control tools are implemented in different ways depending on the scope of their objectives and the objects being controlled. To help the relevant people in any organization use control tools effectively, professional organizations have issued standards, guidelines, regulations and best practices, as well as methods for measuring objectives and implementation, and these form different control models.
A control model, a term used in many official documents of organizations that issue control guidelines, describes a control framework related to control objectives and control practices. It provides guidance on responsibilities for controls; guidance on techniques for evaluating control objectives and for designing, developing and implementing controls; and guidance and tools for monitoring and evaluating controls.
To be valuable, a control model must be built on solid and logical principles; be applicable and flexible in application; be easy to understand; and, importantly, be widely accepted and used for related professional activities.
There are many different control models depending on the goals, scope and objects of control.
Regarding control of the entire enterprise with respect to financial reporting and management, there are control models such as COSO (issued 1992, 2004, 2006) in the US, Turnbull (UK), CoCo [7] of Canada, or King in South America. Regarding control of the information technology sector alone, there is the “Security Code of Conduct” of the Department of Trade and Industry (DTI) of the UK, or the Information Technology Control Guidelines of the Canadian Institute of Chartered Accountants (CICA), etc. Related to product quality control and technical quality, there are SysTrust (Principles and Criteria for Systems Reliability); ITIL (IT Infrastructure Library); ITCG (Information Technology Control Guidelines); or ISO, ISO 9000, etc.
[7] CoCo (Criteria of Control) was released in 1995 by the Canadian Institute of Chartered Accountants on the basis of COSO to guide the design, evaluation and reporting of corporate controls. CoCo's control framework defines internal control as having 4 components: purpose; capability; commitment; and monitoring and learning.
To bridge the gap between enterprise business control and information technology (IT) control, the CobiT control model is built on COSO's framework and CMMI (Capability Maturity Model Integration) measurement tools, in line with many other detailed standards such as ITIL, PMBOK and ISO/IEC. CobiT is a widely accepted control model in the field of information technology management. It is a highly general framework, so it can be linked and used in combination with other standards and best practice guidelines, such as ITIL for service management and IT infrastructure, or ISO 17799 for information security management (IT Governance Institute, 2007b).
Among the control models, the COSO model has established a very basic theoretical basis for internal control (Department of Auditing, University of Economics, Ho Chi Minh City, 2010). It forms the basis for the control definitions of other international control models such as the "Cadbury Report", CoCo, CobiT, King, etc. (Gelinas and Dull, 2008).
COSO was issued with the aim of increasing corporate control by defining an integrated internal control system throughout the enterprise, helping senior management achieve its tasks and objectives (IT Governance Institute, 2006a). The control objectives according to COSO are (1) effectiveness and efficiency of operations; (2) reliability of financial reporting; (3) Compliance with laws and regulations. An internal control system according to the COSO model consists of 5 closely related components:
Control environment: the foundation of consciousness and the culture of the organization, which affects the control consciousness of all members of the organization and is the foundation for the remaining four components. It is expressed through discipline, organizational structure, ethical values, integrity, management philosophy and operating style.
Risk assessment: the activity of identifying, analyzing and managing risks that threaten the organization's objectives.
Control activities: the policies and procedures that ensure management directives are carried out to achieve the organization's goals.
Information and communication: the information that needs to be identified, communicated and processed so that it is conveyed between members of the enterprise, and between the enterprise and relevant external parties, so that they all understand the components of the internal control system.
Monitoring: the process of assessing the quality of the internal control system in order to overcome its limitations and build on its strengths.
When building an internal control system, the first step is for business management and departments to clearly define the organization's operational objectives. From there, the business identifies and analyzes risks related to those objectives and builds appropriate control and monitoring procedures. All of these activities rest on the foundation of the control environment and the support of information and communication.
COSO is the most comprehensive study of internal control. It is applicable to the following objectives (IT Governance Institute, 2006a):
A structured approach to defining an internal control system
Increase the effectiveness of internal control
Evaluation of internal controls
Building internal control structure
Guidance for reporting to external parties in compliance with the US Sarbanes-Oxley Act
3.2. INFORMATION TECHNOLOGY MANAGEMENT AND COBIT
3.2.1. Information technology management
In any organization that uses information technology, the business management and processing activities of the enterprise are also closely linked to the management of information systems or information technology activities of the enterprise. They are related to each other through the following diagram (IT Governance Institute, 2006b):
[Figure 3.1. IT control and management. Diagram labels: Executive Management (establishing the tone and culture of the enterprise), with global-level controls over the business and the entire information system, where information system-wide level controls are part of the control environment of the business; business processing (finance, production, transportation, …), with application controls associated with the business processing subsystems; information technology services (software, data, communication networks...), with general control of information technology.]
Source: excerpted from “IT Control Objective for Sarbanes-Oxley”. Including the following contents:
Operational management comprises the activities of establishing strategies and linking them to each business activity. At the enterprise level, business goals and policies are established and decisions are made to manage the organization's resources. Regarding information technology, operational management is the development of strategies and policies for developing information systems that apply information technology, consistent with the strategy and policies for developing and managing the enterprise and communicated throughout the unit. Controls at this level include planning and strategy development; developing policies and procedures; risk assessment; training; and internal audit supervision.
Business processing comprises the activities that carry out specific business operations to create value delivered to relevant users. In the ERP environment, this business processing is integrated with the information processing of the information technology system. Controls related to business processing activities are application controls associated with business processing and business information processing, to ensure the control objectives of completeness, accuracy, authorization and disclosure.
Information technology services. Information technology services are understood as information technology resources (such as data, technology, telecommunications networks, processing software, etc.) serving all areas of business operations. Controls in this area are general controls associated with information technology processing, intended to create a reliable information technology operating environment that supports application control activities. General controls include system development control, application program change control, access control, and control of computer and communication equipment systems.
The system organization level describes the level or scope of influence on the entire information technology system in all aspects of operations (policies, policy implementation) and cultural issues.
Operational level describes the level or scope of influence on each functional unit in the IT system regarding policy, operations and monitoring issues.
There are five areas to focus on in IT management. These are:
Strategic alignment. IT management needs to ensure the appropriate link between business and IT planning. It defines the IT plan and ensures the plan is maintained and implemented so that IT operations are aligned with business operations.
Value delivery. IT management aims to ensure that information provision services and IT services meet the quality commitments set out in the strategy, and that the cost of using IT resources to create this information or service is optimized.
Resource management. IT management aims to ensure optimal management of investments in IT resources (application software, information, infrastructure and people).
Risk management. IT management aims to ensure that management levels identify risks, clearly understand the enterprise's risk control objectives, identify and understand the requirements for implementing risk control, and integrate risk control into the enterprise's operational processes.
Implementation measurement. IT management aims to identify and implement monitoring and control strategies through measurement and evaluation according to the standards established in the IT development strategy section.
Regarding IT management, there are many models or standards depending on the purpose and scope of control. For example:
ITIL (IT Infrastructure Library) is published and copyrighted by the Central Computer & Telecommunication Agency (CCTA), now the British Office of Government Commerce (OGC). Its main purpose is IT service management, focusing mainly on (1) determining the service delivery process in the IT organization; (2) determining and increasing service quality; (3) determining and implementing customer support services. The main users of ITIL are those responsible for IT service management in businesses of all sizes.
ISO/IEC 17799: 2005 Code of Practice for Information Security Management. This is an international standard for information security management. It is issued by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) - hence the common name





