INFORMATION RISK AND IT-ENHANCED INTERNAL CONTROL (STUDY OBJECTIVE 3)

As business environments become more complex, the possibility of receiving unreliable information increases. Information risk is the chance that information used by decision makers may be inaccurate. Following are some causes of information risk:

  • The remoteness of information. Decision makers are typically forced to rely on others for information. When the source of the information is removed from the decision maker, the information stands a greater chance of being misstated. A decision maker may become detached from the source of important information due to geographic distances, organizational layers, or other factors that are often associated with a company's growth.
  • The volume and complexity of the underlying data. As a business grows, the volume and complexity of its transactions increase. This tends to increase the chance that misstated information may exist undetected.
  • The motive of the preparer. Those who prepare information may have goals different from those of the decision maker. As a result, the information may be slanted in favor of a particular viewpoint or incentive, which impacts its presentation and decision-making usefulness.

The most common way for decision makers to reduce information risk is to rely upon information that has been audited by an independent party. Because information users generally do not have the time or ability to verify information for themselves, they depend on auditors for accurate and unbiased judgments. Even if decision makers wanted to verify the information, it may be difficult to do so when the financial information is contained in computerized accounting systems. These are the main reasons that a discussion of information-based processing and the related audit function is included in the study of accounting information systems.

Various risks are created by the existence of IT-based business processes. For example, because the details of transactions are often entered directly into the computer system, there may be no paper documentation maintained to support the transactions. This is often referred to as the loss of audit trail visibility because there is no physical evidence to inspect. There is also a greater likelihood that data may be lost or altered due to system failure, database destruction, unauthorized access, or environmental damage. In addition, IT systems do many tasks that were previously performed manually by humans. Because IT systems, rather than humans, do these tasks, there are increased internal control risks, such as a lack of segregated duties and fewer opportunities to authorize and review transactions.

Despite the risks, there are important advantages to using IT-based systems. Internal controls can actually be enhanced if care is exercised in implementing these systems. Computer controls can compensate for the lack of manual controls. In addition, if programs are tested properly before being activated, the risk of human error (such as a mathematical and/or classification mistake) is virtually eliminated because computers process all information consistently.

In addition to internal control enhancements, IT-based processes provide higher-quality information to management. Information is higher quality when it is supplied in a timely manner and administered effectively. When high-quality information is used to make decisions, the result is more effective management.
