Control and Accounting Information Systems
INFORMATION SYSTEMS
Lecture 8
Learning Objectives
Explain basic control concepts and explain why computer control and security are important.
Compare and contrast the COBIT, COSO, and ERM control frameworks.
Describe the major elements in the internal environment of a company.
Describe the four types of control objectives that companies need to set.
Describe the events that affect uncertainty and the techniques used to identify them.
Learning Objectives
Explain how to assess and respond to risk using
Internal Control
System to provide reasonable assurance that
Internal Control
Functions
  Preventive: deter problems
  Detective: discover problems
  Corrective: correct problems
Categories
  General: overall IC system and processes
  Application: transactions are processed correctly
framework.
Disclose all material internal control weaknesses.
Control Objectives for Information and Related Technology (COBIT)
Business objectives
IT resources
IT processes
Control environment
Control activities
Risk assessment
Information and communication
Monitoring
Internal Control
Enterprise Risk Management Model
Risk-based vs. control-based
COSO elements +
Setting objectives
Event identification
Risk assessment
Risks can be controlled but also accepted, diversified, shared, or transferred.
Control Environment
Management's philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
ERM: Objective Setting
  Strategic: high-level goals aligned with corporate mission
  Operational: effectiveness and efficiency of operations
  Reporting: complete and reliable; improves decision making
  Compliance: laws and regulations are followed
ERM: Event Identification
an incident or occurrence emanating from internal or
Risk Assessment
Identify Risk
Identify likelihood of risk
Identify positive or negative impact
Types of Risk
  Inherent: risk that exists before any plans are made to control it
  Residual: risk remaining after controls are in place to reduce it
ERM: Risk Response
  Reduce: implement effective internal control
  Accept: do nothing; accept the likelihood of the risk
  Share: buy insurance, outsource, hedge
  Avoid: do not engage in the activity that produces the risk
Event/Risk/Response Model
Control Activities
Policies and procedures to provide reasonable assurance
Monitoring
Monitoring can be accomplished with a series of ongoing