Sim Acc 325
Table of Contents
BUSINESS ETHICS
Week 1-3 : Big Picture in Focus: ............................................................................. 5
ULO a. Explain the concept of business ethics. .................................................... 5
Metalanguage........................................................................................................................ 5
Essential Knowledge .............................................................................................................. 5
Self-Help:............................................................................................................................. 12
Let's Check........................................................................................................................... 12
Let's Analyze ........................................................................................................................ 14
In a Nutshell ........................................................................................................................ 17
Question & Answer .............................................................................................................. 18
Keywords Index ................................................................................................................... 18
Big Picture in Focus: ULOb (Theory). Discuss the Information Systems Audit
Standards, Guidelines and Code of Ethics .......................................................... 19
Metalanguage...................................................................................................................... 19
Essential Knowledge ............................................................................................................ 20
Self-Help ............................................................................................................................. 29
Let’s Check........................................................................................................................... 29
Let’s Analyze........................................................................................................................ 30
In A Nutshell ........................................................................................................................ 30
Question & Answer .............................................................................................................. 31
Keywords Index ................................................................................................................... 31
COURSE SCHEDULE ............................................................................................. 31
Week 4-5 Big Picture in Focus: ............................................................................. 32
ULO a. Analyze the Information Systems Auditing Processes .......................... 32
Metalanguage...................................................................................................................... 32
Essential Knowledge ............................................................................................................ 33
Self-Help:............................................................................................................................. 37
Let’s Check........................................................................................................................... 38
Let’s Analyze........................................................................................................................ 38
College of Accounting Education
3F, Business & Engineering Building
Matina, Davao City
Phone No.: (082)300-5456 Local 137
In a Nutshell ........................................................................................................................ 39
Question & Answer .............................................................................................................. 40
Keywords Index ................................................................................................................... 40
Big Picture in Focus: ............................................................................................. 41
ULO B. Discuss the types of Business Process Applications, its controls and
what are the roles of an IS Auditor on each applications. .................................. 41
Metalanguage...................................................................................................................... 41
Essential Knowledge ............................................................................................................ 41
Self-Help:............................................................................................................................. 55
Let’s Check........................................................................................................................... 56
In a Nutshell ........................................................................................................................ 57
Keywords Index ................................................................................................................... 58
COURSE SCHEDULE ............................................................................................. 58
Week 6-7: Big Picture in Focus: ............................................................................ 59
ULO a. Discuss the internal controls in a business ruled by Information
Systems. ................................................................................................................. 59
Metalanguage...................................................................................................................... 59
Essential Knowledge ............................................................................................................ 60
Big Picture in Focus: ............................................................................................. 64
ULO b. Explain the types of audits and the process of assessments ............... 64
Metalanguage and Essential Knowledge ............................................................................... 64
Self-Help............................................................................................................................ 65
Let’s Check – ULO A and B .................................................................................................... 66
Let’s Analyze – ULO A and B ................................................................................................. 67
Big Picture in Focus: ............................................................................................. 68
ULO c. Discuss the concept of Corporate Governance and understand the
different roles in relation to corporate governance ............................................ 68
Metalanguage...................................................................................................................... 68
Essential Knowledge ............................................................................................................ 68
Self-Help.............................................................................................................................. 78
Let’s Analyze – ULO C ........................................................................................................... 78
In a Nutshell ........................................................................................................................ 79
Question & Answer .............................................................................................................. 79
Week 1-3: Unit Learning Outcomes (ULO): at the end of the unit, you are expected to
A. Explain the concept of business ethics.
B. Discuss the Information Systems Audit Standards, Guidelines and Code of Ethics
Metalanguage
The ability to foresee and deal with ethical issues has become an essential
topic in the world of business. You will encounter the following terminologies as you
a. Business ethics comprises organizational principles, values, and norms that
may originate from individuals, corporate statements, or from the legal system
that primarily guide individual and group behavior in business.
b. Ethical Issues
c. Ethical Dilemma
d. Morals refer to a person's personal philosophies about what is right or wrong.
e. Principles are specific and pervasive boundaries for behavior that should not
be violated.
f. Values are enduring beliefs and ideals that are socially enforced.
Essential Knowledge
Business Ethics
In recent years, several so-called corporate scandals have rocked the business
community. Deceits and frauds committed by no less than the top management of the
companies created public outrage and distrust in business. As a result, the public
demanded improved business ethics, greater corporate responsibility, and laws to
protect the financially innocent.
Business decisions must be integrated with ethical considerations. Business
ethical issues can make or break a business. Failing to include ethics in every decision-making
process may destroy the trust of the public. Making the right ethical decisions is
essential to business success. It is as vital as learning management, marketing,
finance, and accounting. Decisions with a moral component are an everyday
occurrence, requiring people to identify issues and make quick decisions.
The terms morals, principles, values, and ethics are often used interchangeably
in business. Morals pertain to an individual person's philosophies or values of right
and wrong. On the other hand, principles are sometimes the source of rules, like
human rights and freedom of speech. Meanwhile, the best practices of the company
frequently define the company values. The company's stakeholders frequently
determine whether an action or standard is ethical or unethical. Teamwork, trust, and
integrity are the standard ethical values practiced by organizations today.
1. Employee Commitment
Employees will give their commitment to the organization if they believe that their
future is tied to that organization, especially if the employer is dedicated to
taking care of its employees. Issues that foster the development of an ethical
culture for employees include the absence of abusive behavior, a safe work
environment, competitive salaries, and the fulfillment of all contractual
obligations toward employees. An ethics and compliance program can support
values and appropriate conduct. Social programs improving the ethical culture
range from work-family programs to stock ownership plans to community
service.
2. Investor Loyalty
responsible mutual funds and asset management firms help investors purchase
stock in ethical companies. Investors also recognize that an ethical culture
provides a foundation for efficiency, productivity, and profits. Investors know,
too, that negative publicity, lawsuits, and fines can lower stock prices, diminish
customer loyalty, and threaten a company's long-term viability. Many
companies accused of misconduct experienced dramatic declines in the value
of their stock when concerned investors divested.
3. Customer Satisfaction
It is generally accepted that customer satisfaction is one of the most important
factors in a successful business strategy. Although a company continues to
develop and adapt products to keep pace with customers' changing desires and
preferences, it must also develop long-term relationships with its customers and
stakeholders. As mentioned earlier, high levels of perceived corporate
misconduct decrease customer trust. On the other hand, companies viewed as
socially responsible increase customer trust and satisfaction.
4. Profit
A company cannot nurture and develop an ethical culture unless it has achieved
adequate financial performance in terms of profits. Businesses with greater
resources—regardless of their staff size—have the means to be ethical and
practice social responsibility while serving their customers, valuing their
employees, and contributing to society. Ethical conduct toward customers
builds a strong competitive position shown to positively affect business
performance and product innovation. Some dimensions of ethical culture have
been found to create innovativeness that is directly related to performance.
Recognizing Ethical Issues
Any business situation or relationship can generate ethical issues. The challenge,
however, is that ethical issues are hard to recognize, which poses a great danger to
any organization. Some issues are difficult to recognize because they are gray areas
that are hard to navigate. For example, is accepting a small gift from a supplier
unethical? Employees may engage in questionable behaviors because they are trying
to achieve firm objectives related to sales or earnings. Our personal or moral issues
are easier to define and control. The complexity of the work environment, however,
makes it harder to become aware of, define, and reduce ethical issues. Table 2 defines
specific ethical issues identified by employees in the National Business Ethics Survey
(NBES).
In almost any organizational decision, ethical issues will arise. These issues can
be evaluated by understanding the foundational values. These values are integrity,
honesty, and fairness. It is just as important to emphasize appropriate conduct
associated with these values as it is to discover inappropriate conduct.
1. Integrity
Integrity is one of the most important and oft-cited elements of virtue, and also
the most confusing. It refers to being whole, sound, and in a perfect condition.
While it is sometimes used virtually as a synonym for 'moral,' there are times
when a person acting with integrity may in fact act immorally. Besides, there are
people who do not know that they are acting immorally. Thus, one may acknowledge a
person to have integrity even though that person may hold what one thinks are
importantly mistaken moral views.
2. Honesty
Running a business that takes pride in being ethical and socially responsible is
a challenge, and many companies end up cutting more than a few corners in
the name of profit. If you dig deeper into those companies, you'll probably find
that honesty isn't prized as an important characteristic. However, it's nearly
impossible for a business to build trust if honesty isn't a guiding principle in how
that company handles every aspect of its work process. In business, honesty
isn't only about doing things the right way; it's also about expressing the values
on which a company is founded.
3. Fairness
Fairness is the quality of being just, equitable, and impartial. Fairness clearly
overlaps with the concepts of justice, equity, and equality. Three fundamental
elements motivate people to be fair: equality, reciprocity, and optimization. In
the context of business firms, fairness is the application of the same rules,
Ferrell et al. (2019) define an ethical issue as a problem, situation, or opportunity that
requires an individual or organization to select among several actions that must be
evaluated as right or wrong, ethical or unethical. For example, is giving a gift to a
government official ethical or not?
• Lying
1. Commission Lying
Commission lying happens when someone tells you something that is not true.
Basically, when someone tells a lie of commission, they take the truth and twist it
to create a version of something that happened.
2. Omission Lying
Lying by omission is when a person leaves out important information or fails
to correct a pre-existing misconception to hide the truth from others. A typical
example is a company that intentionally does not disclose a hidden defect to
its customers.
• Conflicts of Interest
A conflict of interest arises when the interest of a person is not in the best interest of
another person or organization. It exists when an individual or organization must
choose whether to advance their own interests or those of some other group. For
example, management conceals the company's losses to maintain the market
value of its stock.
A conflict of interest can also exist when a person reports to two or more
different individuals or organizations whose needs are at odds with each other. In
this case, serving one individual or group will injure the other.
• Bribery
In the business world, bribery is a term you will hear often. Bribery happens
when a person gives money or gifts to someone to convince them to make
favorable and biased decisions for business gain. The key issue in deciding
whether something is considered bribery is whether it is used to gain an advantage
in a relationship.
Related to the ethics of bribery is the concept of active corruption or active bribery,
meaning the person who promises or gives the bribe commits the offense. Passive
bribery is an offense committed by the official who receives the bribe. It is not an
offense, however, if the advantage was permitted or required by the written law or
regulation of the foreign public official's country, including case law.
Types of Bribery
1. Lubrication
Giving a small amount of cash to a low-ranking person to speed up the
execution of a task.
2. Subornation
Subornation generally involves giving large sums of money, frequently not
properly accounted for. It is designed to entice an official to commit an illegal act
on behalf of the one offering the bribe.
3. Extortion
Extortion involves using threats to obtain bribes or money.
o Sexual Harassment
o Fraud
o Consumer Fraud
o Financial Misconduct
o Insider Trading
o Intellectual Property Rights
o Privacy Issues
Self-Help:
Ferrell, O.C., Fraedrich, J., and Ferrell, W. (2019). Business Ethics: Ethical
Decision Making and Cases. Cengage Learning.
Stanberry, K. and Byars, S. (2018). Business Ethics.
Let's Check
After learning the metalanguage and essential knowledge, I need to evaluate
your learning by having you answer the following:
3. Andy, a purchasing manager, received an SUV from his friend Sony, who
owns an auto spare parts business. Later, Andy approved the application
of Sony's company to become their major supplier of spare parts. This case is an
example of:
A) Lubrication
B) Extortion
C) Subornation
D) Deception
4. Individuals' personal ethics play a major role in the evaluation of business
ethics decisions only when their value preferences
A) Differ from those of their employer
B) Are unethical
C) Are ethical
D) Result in negative publicity for their employer
6. Mr. Sony Delims, a manager of a dog food company, awarded the supplier
contract in favor of the company of his friend Frank. Sony knew from the start
that Frank's raw materials were of the lowest quality compared to the other bidders'.
This case is an ethical issue of
A) Honesty
B) Integrity
C) Fairness
D) Lying
9. _____________ are specific and pervasive boundaries for behavior that should
not be violated.
A) Moral
B) Values
C) Principles
D) Ethics
10. Debby leaving out major defects of the products she sells is an example of
A) Integrity
B) Omission lying
C) Commission lying
D) Fairness
Let's Analyze
Activity 1. Kindly answer the questions with a minimum of 5 sentences.
1. How does business ethics contribute to customer satisfaction? Give example.
___________________________________________________________________
2. Why is it important for business people to study business ethics?
___________________________________________________________________
3. How does business ethics contribute to employee commitment? Give an example.
___________________________________________________________________
In a Nutshell
After studying the concepts and terminologies of ULOa, synthesize what you have
learned about business ethics. The first two are done for you.
1. Recent incidents of unethical activity in business underscore the widespread need
for a better understanding of the factors that contribute to ethical and unethical
decisions.
2. Studying business ethics helps you begin to identify ethical issues and recognize
the approaches available to resolve them.
Your turn
3. ________________________________________________________________
4. ________________________________________________________________
5. ________________________________________________________________
Keywords Index
• Business ethics
• Ethical Issue
• Ethical Dilemma
• Integrity
• Morals
• Principles
• Values
• Lying
• Bribery
• Fraud
• Honesty
Metalanguage
Being an Information Systems Auditor requires compliance with the professional Code
of Ethics. Thus, it is necessary to read the following terminologies as you go through
the discussion proper.
1. Integrity – to be straightforward and honest in all professional and business
relationships.
2. Objectivity – to not allow bias, conflict of interest or undue influence of others
to override professional or business judgments.
3. Professional Competence and Due Care – to maintain professional
knowledge and skill at the level required to ensure that a client or employer
receives competent professional services based on current developments in
practice, legislation and techniques and act diligently and following applicable
technical and professional standards.
4. Confidentiality – to respect the confidentiality of information acquired as a
result of professional and business relationships and, therefore, not disclose
any such information to third parties without proper and specific authority,
unless there is a legal or professional right or duty to disclose, nor use the
information for the personal advantage of the professional accountant or third
parties.
5. Professional Behavior – to comply with relevant laws and regulations and
avoid any action that discredits the profession.
6. Information Systems (IS) – a combination of strategic, managerial and
operational activities and related processes involved in gathering, processing,
storing, distributing and using information and its related technology.
7. International Ethics Standards Board for Accountants (IESBA) – an
independent standard-setting body that develops an internationally
appropriate Code of Ethics for Professional Accountants (the Code).
8. Information Technology (IT) – the hardware, software, communication and
other facilities used to input, store, process, transmit and output data in
whatever form.
9. Information Systems Audit and Control Association (ISACA) – an
international professional association focused on IT (Information Technology)
governance.
10. Information Technology Assurance Framework (ITAF) – is a
comprehensive and good-practice-setting model that establishes standards
Essential Knowledge
A.) FOR PROFESSIONAL ACCOUNTANTS
IFAC Code of Professional Ethics
The objective of the IESBA, as outlined in its Terms of Reference, is to serve
the public interest by setting high-quality ethics standards for professional
accountants. The IESBA's long-term objective is the convergence of the Code's ethical
standards for professional accountants, including auditor independence standards,
with those issued by regulators and national standard setters. Convergence to a single
set of rules can enhance the quality and consistency of services provided by
professional accountants throughout the world. It can improve the efficiency of global
capital markets.
The Code is divided into three sections.
1. Part A – General Application of the Code
Part A establishes the fundamental principles of professional ethics for
professional accountants and provides a conceptual framework that
professional accountants shall apply to:
Threats to compliance with the fundamental principles are unique to every situation in
which professional accountants operate. The problem is that it is difficult to define every
situation that creates a threat to compliance with the fundamental principles and the
appropriate action to be taken, because the nature of the engagement is different in
each case. Therefore, professional accountants are required to identify, evaluate, and
address threats to compliance with the fundamental principles. The conceptual framework
a. Self-interest threat – it refers to the threat that a financial or other interest will
inappropriately influence the professional accountant's judgment or behavior.
For example, a member of the audit team is a former employee of the audit
client in a position that exerts significant influence over the department under
review.
d. Familiarity threat – it refers to the threat that, due to a long or close relationship
with a client or employer, a professional accountant will be too sympathetic to
their interests or too accepting of their work.
For example, a member of the audit team has an immediate family member who is
an officer of the audit client.
The audit firm being threatened by the audit client with litigation.
On the other hand, safeguards are actions or other measures that may eliminate
threats or reduce them to an acceptable level. They fall into two broad categories:
a. Safeguards created by the profession, legislation, or regulation.
For example, the policies and procedures of the audit firm to implement and
monitor the quality of the engagement.
The IS Audit and Assurance Standards are divided into three categories:
• General – provides the guiding principles under which the IS assurance profession
operates. This applies to the IS auditor's ethics, independence, objectivity and due
care, knowledge, competency and skills.
• Performance – refers to the actual process, from planning, scoping, risk and
materiality, resource mobilization, supervision and assignment management,
audit and assurance evidence, to the exercising of professional judgment and
due care.
• Reporting – types of reports, means of communication and the information
communicated.
PART A : GENERAL
1001 Audit Charter – Documentation of the audit function indicating its purpose, responsibility, authority and accountability. The audit charter is agreed upon and approved at an appropriate level within the enterprise.
1002 Organizational Independence – The IS audit and assurance function shall be independent of the area of activity being reviewed.
1003 Professional Independence – The professionals shall be independent and objective in both attitude and appearance in all matters related to the audit and assurance engagements.
1004 Reasonable Expectation – There is a reasonable expectation that the engagement can be completed in accordance with the standards and will result in a professional opinion or conclusion. The scope of the engagement enables a conclusion on the subject matter and addresses any restrictions. There is a reasonable expectation that management understands its obligations and responsibilities with respect to the provision of appropriate, relevant and timely information required to perform the engagement.
1005 Due Professional Care – The professional shall exercise due professional care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements.
1006 Proficiency – The professional possesses adequate skills and proficiency in conducting IS audit and assurance engagements, and is professionally competent to perform the work required.
PART B : PERFORMANCE
1201 Engagement Planning – The professional shall plan each IS audit and assurance engagement to address:
- Objectives, scope, timeline and deliverables
- Compliance with applicable laws and professional auditing standards
- Use of a risk-based approach, where appropriate
- Engagement-specific issues
- Documentation and reporting requirements
1207 Irregularity and Illegal Acts – Consider the risk of irregularities and illegal acts during the engagement. Maintain an attitude of professional skepticism during the engagement. Document and communicate any material irregularities or illegal acts to the appropriate party in a timely manner.
PART C : REPORTING
1401 Reporting – The IS audit and assurance professional shall provide a report to communicate the results upon completion of the engagement, including:
- Identification of the enterprise, the intended recipients and any restrictions on content and circulation
- Scope, engagement objectives, period of coverage and the nature, timing and extent of the work performed
- The findings, conclusions and recommendations
- Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
- Signature, date and distribution according to the terms of the audit charter or engagement letter
- Assurance that the audit findings in the audit report are supported by sufficient and appropriate evidence
Self-Help: You can also refer to the sources below to help you further understand the
lesson:
ISACA 27TH Edition – Certified Information Systems Auditor (CISA) Review Manual
IESBA (2013). Handbook of the Code of Ethics for Professional Accountants 2013
edition. IFAC.
Let’s Check
Identify the correct answer.
__________ 1. To maintain professional knowledge and skill at the level required to ensure that a
client or employer receives competent professional services based on current developments in
practice, legislation and techniques and act diligently and following applicable technical and
professional standards.
__________ 2. To not allow bias, conflict of interest or undue influence of others to override
professional or business judgments.
__________ 5. To comply with relevant laws and regulations and avoid any action that discredits the
profession.
Let’s Analyze
Research an ethical dilemma case relating to Information Systems. Create a case
study and discuss the factors of the case. Kindly provide recommendations for the
case. Please follow the formal format of a case study, which will be provided in the LMS.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________
In A Nutshell
Kindly read “Whatever happened to Information Systems Ethics? Caught between
devil and the Deep Blue Sea” by Francis Bell and Alison Adam. You can access the
reading via this link: https://link.springer.com/content/pdf/10.1007/1-4020-8095-6_10.pdf
After reading the material, create a three-paragraph reflection paper.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_____________________
Keywords Index
• Integrity
• Objectivity
• Professional Competence and Due Care
• Confidentiality
• Professional Behavior
• Information Systems
• International Ethics Standards Board for Accountants (IESBA)
• Information Technology
• Information System Audit and Control Association (ISACA)
• Information Technology Assurance Framework (ITAF)
COURSE SCHEDULE
ACTIVITY DUE DATE WHERE TO PASS
Week 4 - 5: Unit Learning Outcomes (ULO): at the end of the unit, you are expected
to
A. Analyze the Information Systems Auditing Processes
B. Discuss the types of Business Process Applications, their controls, and the roles of
an IS auditor in each application
Metalanguage
In the previous topics, you learned about business ethics, the types of business issues
and the codes of professional ethics for both professional accountants and Information
Systems auditors. In this section, you will learn more about the Information Systems
auditing process. This section is also aligned with ISACA’s CISA requirements, so it
will help build your foundation in IS auditing.
The terms below will help you understand the discussion within this section.
Information – refers to data that have a meaning within a context. It could be raw data
or data manipulated through addition, subtraction, division, or any other operation
that leads to a greater understanding of a situation.
Information System – the combination of strategic, managerial and operational
activities involved in gathering, processing, storing, distributing and using information
and its related technologies.
Information Technology – refers to technologies that collectively facilitate
construction and maintenance of information systems.
Information Systems Audit – it refers to the examination of the management controls
within an Information technology (IT) infrastructure, policies and operations.
Essential Knowledge
Information is considered an asset of an organization, and thus needs to be secured
by the organization at all times, whether it is at rest or in transit.
Aside from management’s responsibility to ensure the security of information,
an IS auditor also helps by evaluating the controls in place over IT
infrastructure management, including its policies and operations.
Best practice is to draw up a staff training plan for the year based on the organization’s
direction in terms of technology and the related risk that needs to be addressed. IS
audit management should also provide the necessary IT resources to properly
perform IS audits of a highly specialized nature – e.g., tools, methodology, work
programs.
AUDIT PLANNING
This is conducted at the beginning of the audit process to establish the overall audit
strategy and detail the specific procedures to be carried out to implement the
strategy and complete the audit.
An audit universe ideally lists all of the processes (or auditable units)
that may be considered for audit. Each auditable unit is assessed based on
its risk factors. Risk factors are those that influence the frequency and/or
business impact of risk scenarios. The business process owners help in identifying
risk factors. The topic of risk management will be discussed in the succeeding
weeks.
To evaluate the risk factors, objective criteria are to be identified. Each of the risk
factors is rated, for example:
The criteria above are an example of time-frame criteria, but they should be defined by
the organization. Ideally, they are also quantified in terms of the range of loss should
the risk materialize.
The audit plan should be constructed for areas/processes that are rated “high”. In
practice, however, there are often insufficient resources to execute the plan. This analysis
therefore helps top management decide whether to augment the existing audit
resources or to accept the risk that some areas will not be audited.
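The rating and resourcing decision described above, worked through in code. This is an added example, not material from the course module or the CISA manual: the rating scale, the factor weights, the high/medium/low thresholds, the auditable units and the hour estimates are all constructed for illustration, since the module states that the criteria must be defined by the organization itself. The block rates each auditable unit on weighted risk factors, fills the plan with the riskiest units first, and reports the hours that would be needed to cover every high-rated unit, which is the number management needs when choosing between augmenting audit resources and accepting the residual risk of unaudited areas.

```python
"""Risk-rating an audit universe and fitting the audit plan to the hours available.

Added example, not from the course module or the CISA manual. The rating
scale, factor weights, thresholds, units and hour figures are constructed.
"""
from dataclasses import dataclass

# Constructed rating scale applied to each risk factor.
RATING = {"low": 1, "medium": 2, "high": 3}

# Constructed weights: the organization decides which factors count more.
# Maximum possible weighted score is 3 * sum(weights) = 24, minimum is 8.
FACTOR_WEIGHTS = {
    "business_impact": 3,        # range of loss if the risk scenario materializes
    "likelihood": 2,             # how often the scenario is expected to occur
    "time_since_last_audit": 1,  # coverage gap since the unit was last reviewed
    "regulatory_exposure": 2,    # legal/regulatory requirements on the unit
}


@dataclass
class AuditableUnit:
    name: str
    factors: dict   # factor name -> "low" | "medium" | "high"
    hours: int      # estimated audit effort (constructed)


def score(unit):
    """Weighted risk score: sum of weight * rating over all factors."""
    return sum(w * RATING[unit.factors[f]] for f, w in FACTOR_WEIGHTS.items())


def overall_rating(unit):
    """Map the weighted score onto high/medium/low (constructed thresholds)."""
    s = score(unit)
    if s >= 18:
        return "high"
    if s >= 13:
        return "medium"
    return "low"


def build_plan(units, available_hours):
    """Fill the plan with the riskiest units first until the hours run out.

    Returns the units planned, the high-rated units that did not fit, and the
    extra hours needed to cover every high-rated unit: the figure management
    uses to decide between augmenting resources and accepting the risk.
    """
    planned, deferred_high = [], []
    remaining = available_hours
    for u in sorted(units, key=score, reverse=True):
        if u.hours <= remaining:
            planned.append(u.name)
            remaining -= u.hours
        elif overall_rating(u) == "high":
            deferred_high.append(u.name)
    high_hours = sum(u.hours for u in units if overall_rating(u) == "high")
    return {
        "planned": planned,
        "deferred_high": deferred_high,
        "shortfall_hours": max(0, high_hours - available_hours),
    }


# Constructed audit universe (names and figures are illustrative only).
UNITS = [
    AuditableUnit("Payroll system", {"business_impact": "high", "likelihood": "medium",
                                     "time_since_last_audit": "high", "regulatory_exposure": "high"}, 120),
    AuditableUnit("E-commerce platform", {"business_impact": "high", "likelihood": "high",
                                          "time_since_last_audit": "medium", "regulatory_exposure": "high"}, 160),
    AuditableUnit("Privileged access management", {"business_impact": "high", "likelihood": "medium",
                                                   "time_since_last_audit": "medium", "regulatory_exposure": "medium"}, 80),
    AuditableUnit("Fixed asset register", {"business_impact": "medium", "likelihood": "low",
                                           "time_since_last_audit": "medium", "regulatory_exposure": "medium"}, 60),
    AuditableUnit("Intranet wiki", {"business_impact": "low", "likelihood": "low",
                                    "time_since_last_audit": "high", "regulatory_exposure": "low"}, 40),
]

if __name__ == "__main__":
    for u in sorted(UNITS, key=score, reverse=True):
        print(f"{u.name:30} score={score(u):2} rating={overall_rating(u)}")
    print(build_plan(UNITS, available_hours=300))
```

With 300 audit hours the plan covers the two highest-scoring units, leaves one high-rated unit unaudited, and reports a 60-hour shortfall; re-running with 460 hours covers every unit. The greedy fill is deliberately simple: a unit that does not fit is skipped rather than swapped for a smaller one, which keeps the reasoning auditable.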
Individual Audit Assignments
Aside from the overall annual planning discussed above, each individual audit
assignment must be adequately planned. Periodic risk assessments,
changes in the application of technology, and evolving privacy issues and
regulatory requirements may impact the audit approach along the way.
When performing audit execution, the IS auditor must understand the overall
environment under review. This includes the types of information, information
systems and technology supporting the activity. The regulatory environment in
which the business operates should also be considered.
2. Legal requirements placed on the auditee and its systems, data management,
reporting, etc.
The legal issues also impact the organization’s business operations in terms of
compliance with ergonomic regulations.
The IS auditor should perform the following:
• Identify those government or other relevant external requirements dealing
with:
o Electronic data, personal data, copyrights, ecommerce, esignatures,
etc.
o IS practices and controls
o The manner in which computers, programs and data are stored
o The organization or the activities of information technology services
o IS audits
• Document applicable laws and regulations
• Assess whether management and the IT function have considered the relevant
external requirements in making plans and in setting policies, standards and
procedures, as well as business application features.
• Review internal IT department/function/activity documents that address
adherence to laws applicable to the industry.
• Determine adherence to established procedures that address these
requirements.
• Determine whether there are procedures in place to ensure that contracts or agreements
with external IT service providers reflect any legal requirements related to
responsibilities.
Based on the nature of the assignment, the following may also require special
consideration:
• Testimonials/references and background checks
• Access to systems, premises and records
• Confidentiality restrictions to protect customer-related information
• Use of computer-assisted auditing techniques (CAATs) and other tools to be
used by the external audit service provider
• Standards and methodologies for performance of work and documentation
• Nondisclosure agreements
Although audit work may be delegated to an external service provider, the related
professional liability is not necessarily delegated. When employing the services of
external service providers, the following should be done:
• Clearly communicate the audit objectives, scope and methodology through
a formal engagement letter.
• Establish a monitoring process for regular review of the work done by the external
service provider.
• Assess the usefulness and appropriateness of the reports of such external
providers and assess the impact of significant findings on the overall audit
objectives.
Self-Help: The reference used for this topic is the CISA (Certified Information
Systems Auditor) Review Manual, 27th Edition – Domain 1 – Information
Systems Auditing Process
Let’s Check
Indicate the correct answer in the space provided for each item.
1. It is the documentation of the specific auditable unit/ process with a specific
objective in mind. _______________
2. Give one reason why there is a need to review an audit plan in a periodic
interval. _______________________
3. It outlines the overall authority to perform an IS audit. ________________
4. __________ refers to evaluation/ examination of the management controls within
an Information technology (IT) infrastructure, policies and operations.
5. When conducting an IS audit, the regulations related to where the business
operates should cover: ____________________.
Let’s Analyze
Activity:
1. Why do you think there is a need for the company to establish its criteria for
when a risk is rated high, medium or low?
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
3. Elaborate, in your own words, the reason for using another auditor’s or expert’s
work.
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
In a Nutshell
Do you see yourself becoming an Information Systems Auditor?
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
Keywords Index
• Information
• Information Systems Audit
• Information Technology
Metalanguage
Application – A computer program or set of programs that performs the processing of
records for a specific function.
Server – hardware that provides data to other computers through a local area
network (LAN), a wide area network (WAN) or the internet. Types of servers are
web servers, mail servers, file servers, among others.
Essential Knowledge
Now, let’s learn the different types of business processes or environments that
organizations adopt, and the controls needed for each type of process
application. Knowing the types of business process applications and the
minimum requirements for securing them will help you govern the organization well
and ensure that the business values and strategic goals of the business will be
achieved. You have to understand the business structure and the current types of
environment where transactions are happening in order to know what to protect.
A business process control assurance involves evaluating controls at the process and
activity levels. These controls may be a combination of management, programmed
and manual controls. In addition to evaluating general controls that affect the
processes, business process owner-specific controls—such as establishing proper (1)
segregation of duties, (2) periodic review and approval of access, and (3) application
controls within the business process—are evaluated.
ECOMMERCE
It is the buying and selling of goods online. Typically, a buyer purchases goods and
services from a website and provides delivery and payment details, including transfers
or payment orders. The website then gathers details about the customer (such as address, phone
number and name) and offers other items that may be of interest.
Types of Ecommerce:
1. Business-to-business (B-to-B) – conducted between organizations.
2. Business-to-consumer (B-to-C) – conducted between an organization and its
customers.
3. Consumer-to-consumer (C-to-C) – conducted between consumers, primarily
using a third-party platform.
4. Consumer-to-business (C-to-B) – conducted between a consumer and a business.
Consumers sell their products or services to a business.
5. Business-to-government (B-to-G) – conducted between an organization and a public
administration, where the governmental organization promotes awareness and
growth of ecommerce. In addition to public procurement, administrations may
also offer the option of electronic interchange for such transactions as VAT
returns and the payment of corporate taxes.
6. Consumer-to-government (C-to-G) – conducted between a consumer and a
public administration or government. An example is electronic tax filing.
With this type of business environment, the following are the typical ecommerce
architectures:
• Single-tier architecture is a client-based application running on a single
computer.
• Two-tier architecture is composed of the client and a server.
• Three-tier architecture
o Presentation tier – displays information that users can access directly, such
as a web page or an operating system’s (OS’s) graphical user interface.
This user interface is often a graphical one accessible through a web
browser or web-based application, and it displays content and
information useful to an end user. It is usually built on HTML5, JavaScript,
CSS or popular web development frameworks and communicates with the
other layers through API calls.
o Application tier (business logic/applications) – controls an
application’s functionality by performing detailed processing. It drives the
application’s core capabilities. This is often written in Java, .NET, C#,
Python, C++, among others.
o Data tier – comprises the database/data storage system and the data
access layer. These systems include MySQL, Oracle, PostgreSQL,
Microsoft SQL Server, MongoDB, etc. The data stored here are
accessed by the application layer through API calls.
There are also component models that are widely used and fall under the grouping
of “mobile code”, meaning code that can be transferred between networks and executed
on a local system using cross-platform code without explicit installation by the recipient
computer (e.g., Adobe® Flash®, Shockwave®, Java applets, VBScript, ActiveX).
The use of mobile code, however, can also spread malware (malicious software) through
email, malicious websites and mobile device applications.
The B-to-C system includes marketing, sales and customer service components (e.g.,
personalization, membership, product catalog, customer ordering, invoicing, shipping,
inventory replacement, online training and problem notification). The application
servers support the component model and provide services (like data management,
security and transaction management) either directly or through connection to another
service or middleware product.
Note, customer data should not be stored on web servers, that are exposed
directly to the internet.
ECOMMERCE RISK
• Confidentiality—possible theft of credit card information from unknown
vendors. Also, connecting to the internet via a browser requires running
software on the computer that has been developed by someone unknown to
the organization.
• Integrity—data could be susceptible to unauthorized alteration or deletion (i.e.,
hacking or the ebusiness system itself could have design or configuration
problems).
ECOMMERCE REQUIREMENTS
• Build a business case
• Clear business purpose
• Use technology to improve costs
• The business case revolves around customers, costs, competitors and
capabilities
• Top level commitment – ecommerce cannot succeed without a clear vision and
strong commitment from the top of an organization.
• Business process reconfiguration – think outside the box
• Links to legacy systems – to accelerate response time, provide real interaction
to customers and customize responses to individual customers.
To build a map, an EDI standard appropriate for the kind of EDI data to be transmitted
is selected (e.g., specific standards for medical claims, patient records, invoices,
purchase orders, advance shipping notices). The final step is to write a partner profile
that tells the system where to send each transaction and how to handle errors and
exceptions.
https://www.edictsystems.com/company/what-is-electronic-data-interchange-edi/
1.B EDI interface – the interface function that manipulates and routes data
between the application system and the communications handler. It consists of
the following components:
• EDI translator – a device that translates data between the
standard format and a trading partner’s proprietary format.
• Application interface—this interface moves electronic
transactions to or from application systems and performs data
mapping. The EDI interface may generate and send functional
acknowledgments, verify the identity of partners and check the
validity of transactions by checking transmission information
against a trading partner master file.
1.C Application System – the programs that process the data sent to, or
received from, the trading partner. Although new controls should be
developed for the EDI interface, the controls for existing applications, if left
unchanged, are usually unaffected.
https://www.edictsystems.com/company/what-is-electronic-data-interchange-edi/
2. Web-based EDI
https://www.edictsystems.com/company/what-is-electronic-data-interchange-edi/
RISK: Transaction authorization is the biggest EDI risk. Computerized data can look the
same, as there is no human element or signature.
CONTROLS: To protect both parties, any agreements are codified legally in a trading partner
agreement.
An IS auditor must evaluate EDI to ensure that all inbound EDI transactions are
received and translated accurately, passed to an application, and processed only
once.
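The inbound side of the EDI interface described under 1.B and 1.C above, together with the auditor's test that each transaction is received, translated, passed to an application and processed only once, as an added example. This is not code from the module or from any EDI product: the envelope format (segments separated by `~`, elements by `*`) is a constructed simplification, not X12 or EDIFACT, and the trading partner master file, partner profile routes, partner IDs and control numbers are constructed sample data. The interface verifies the sender against the master file, checks that the transaction set is one the partner is authorized to send, routes accepted transactions to the application queue named in the partner profile, rejects replays by control number, and returns a functional acknowledgement for every transaction so that the counts can be reconciled.

```python
"""Inbound EDI interface controls: partner verification, authorization of the
transaction set, once-only processing and functional acknowledgements.

Added example, not from the module or any EDI product. The envelope format
and all partner data below are constructed for illustration.
"""

# Constructed trading partner master file. For each partner: the transaction
# sets it may send and the partner profile telling the system where to route them.
PARTNER_MASTER = {
    "ACME01": {"allowed_sets": {"850", "856"},
               "route": {"850": "order_entry", "856": "receiving"}},
    "GLOBEX": {"allowed_sets": {"810"},
               "route": {"810": "accounts_payable"}},
}


def parse_interchange(raw):
    """Translate the constructed envelope into a header and a list of transactions.

    Constructed format: 'HDR*<sender>*<interchange ctrl#>~TX*<set>*<txn ctrl#>*<payload>~...'
    Malformed input is rejected rather than partially processed.
    """
    segments = [s for s in raw.strip().split("~") if s]
    hdr = segments[0].split("*")
    if hdr[0] != "HDR" or len(hdr) != 3:
        raise ValueError("malformed interchange header")
    txns = []
    for seg in segments[1:]:
        parts = seg.split("*")
        if parts[0] != "TX" or len(parts) != 4:
            raise ValueError(f"malformed transaction segment: {seg!r}")
        txns.append({"set": parts[1], "control": parts[2], "payload": parts[3]})
    return {"sender": hdr[1], "control": hdr[2]}, txns


class EdiInterface:
    def __init__(self, master):
        self.master = master
        self.seen = set()    # (sender, interchange ctrl, txn ctrl) already processed
        self.routed = {}     # application queue -> payloads passed to it
        self.log = []        # audit trail: one entry per transaction received

    def process(self, raw):
        """Apply the controls and return a functional acknowledgement."""
        header, txns = parse_interchange(raw)
        partner = self.master.get(header["sender"])  # identity check against master file
        ack = {"sender": header["sender"], "interchange": header["control"], "results": []}
        for t in txns:
            key = (header["sender"], header["control"], t["control"])
            if partner is None:
                status = "rejected:unknown_partner"
            elif t["set"] not in partner["allowed_sets"]:
                status = "rejected:unauthorised_set"
            elif key in self.seen:
                status = "rejected:duplicate"          # replayed transaction, processed once only
            else:
                self.seen.add(key)
                queue = partner["route"][t["set"]]     # partner profile decides the destination
                self.routed.setdefault(queue, []).append(t["payload"])
                status = f"accepted:{queue}"
            ack["results"].append((t["control"], status))
            self.log.append((header["sender"], header["control"], t["control"], status))
        return ack

    def reconciliation(self):
        """Counts an IS auditor can tie out: received = accepted + rejected."""
        accepted = sum(1 for *_, s in self.log if s.startswith("accepted"))
        return {"received": len(self.log), "accepted": accepted,
                "rejected": len(self.log) - accepted}


# Constructed sample interchanges: a valid one containing one set the partner is
# not authorized to send, and one from a sender absent from the master file.
SAMPLE_INTERCHANGE = ("HDR*ACME01*000001~TX*850*0001*PO-7781 qty 40~"
                      "TX*856*0002*ASN for PO-7781~TX*860*0003*change PO-7781~")
UNKNOWN_SENDER = "HDR*NOPART*000009~TX*850*0001*PO-9999~"

if __name__ == "__main__":
    edi = EdiInterface(PARTNER_MASTER)
    print(edi.process(SAMPLE_INTERCHANGE))
    print(edi.process(SAMPLE_INTERCHANGE))   # replay: everything rejected
    print(edi.process(UNKNOWN_SENDER))
    print(edi.reconciliation())
```

The duplicate key includes the interchange control number as well as the transaction control number, so a replayed interchange is rejected in full even though its transaction numbers restart at 0001. The reconciliation figures are what the auditor compares against the partner's transmission totals to confirm nothing was dropped between receipt and the application.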
C. ELECTRONIC BANKING
Remote delivery of electronic services to consumers and businesses from financial
institutions.
The risks associated with electronic banking activities include strategic, reputational,
operational, credit, price, foreign exchange, interest rate and liquidity risk.
Examples of these systems are bill of materials (BOM), BOM processing (BOMP),
manufacturing resources planning (MRP), computer-assisted design (CAD),
computer-integrated manufacturing (CIM), and manufacturing accounting and
production (MAP).
Evolution toward further integration with other business functions (e.g., recording of
raw materials, work-in-process and finished goods transactions, inventory
adjustments, purchases, supplier management, sales, accounts payable, accounts
receivables, goods received, inspection, invoices, cost accounting, maintenance) led
to MRP, which is a family of widely used standards and standard-based packages.
MRP is a typical module of most ERP packages such as SAP or Oracle Financials
and is usually integrated in modern customer relationship management (CRM) and
supply chain management (SCM) systems.
G. IMAGE PROCESSING
An imaging system stores, retrieves and processes graphic data such as pictures,
charts and graphs, instead of or in addition to text data. The storage capacities must
be enormous, and most image systems include optical disk storage. In addition to
optical disks, the systems include high-speed scanning, high-resolution displays,
rapid and powerful compression, communications functions and laser printing. The
systems include techniques that can identify levels of shades and colors that cannot
be differentiated by the human eye. These systems are expensive, and companies
do not invest in them lightly.
Most businesses that perform image processing obtain benefits from using the
imaging system, such as:
• Item processing (e.g., signature storage and retrieval)
• Immediate retrieval via a secure optical storage medium
• Increased productivity
• Improved control over paper files
• Reduced deterioration due to handling
• Enhanced disaster recovery procedures
The replacement of paper documents with electronic images can have a significant
impact on the way an organization does business. Controls must be developed and
designed into the automated process to ensure that information image files cannot
be altered, erased or lost.
→ Planning – lack of planning in selecting and converting paper systems to document
imaging systems can result in excessive installation costs, the destruction of
original documents and the failure to achieve expected benefits.
→ Audit – imaging systems may change or eliminate the traditional controls as well
as the checks and balances inherent in paper-based systems. Audit
procedures may have to be redesigned and new controls designed
into the automated process.
→ Redesign of workflow – redesign or reengineer the workflow to benefit from imaging
technology.
→ Scanning devices – these devices are the entry point for image documents and a
significant risk area in imaging systems. Workflow is disrupted if the
scanning equipment is not adequate to handle the volume of
documents or the equipment breaks down. Absence of controls over
the scanning process can result in poor-quality images, improper
indexing, and incomplete or forged documents being entered into the
system.
→ Software Security – this protects institutional and customer information from
unauthorized access and modification. The integrity and reliability of
the imaging system database are related directly to the quality of
controls over access to the system.
→ Training – inadequate training of the personnel scanning the documents can result in
poor-quality document images and indexes, and the early destruction
of original documents.
ICS is a general term that encompasses several types of control systems, including
supervisory control and data acquisition (SCADA) systems, distributed control
systems (DCS), and other control system configurations such as programmable logic
controllers (PLC), often found in the industrial sectors and critical infrastructures.
[Figure 4 – A high-level overview of typical ICS operations]
Source: NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, USA, 2011
Risk factors that the IS auditor should consider:
→ blocked or delayed flow of information through the ICS network, which could disrupt
ICS operation;
→ unauthorized changes to instructions, commands or alarm thresholds, which
could damage, disable or shut down equipment, create environmental impacts,
and/or endanger human life;
→ inaccurate information sent to system operators, either to disguise unauthorized
changes or to cause the operators to initiate inappropriate actions, which could have
various negative effects;
→ ICS software or configuration settings modified, or ICS software infected with
malware, which could have various negative effects;
→ interference with the operation of safety systems, which could endanger human
life.
Typical Controls
→ Restrict logical access to the ICS network and network activity. The network topology
of the ICS should use multiple layers, with the most critical communications occurring in
the most secure and reliable layer.
→ Restrict physical access to the ICS network and devices, for example with locks, card
readers and/or guards.
→ Protect individual ICS components from exploitation.
→ Maintain functionality during adverse conditions. This involves designing the ICS so
that each critical component has a redundant counterpart.
→ Restore the system after an incident.
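The layered-topology and logical-access controls above can be checked mechanically against observed traffic. The following Python is an added example, not NIST's or the module's own code: it models four assumed zones (enterprise, DMZ, supervisory, control), a default-deny allowlist of permitted flows, and an audit routine that reports every observed flow the allowlist does not cover, noting whether it skips a layer. The zone names, ports and sample flow records are constructed for illustration.

```python
"""Zone-based flow audit for a layered ICS network (added example; constructed data)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Layers ordered from most exposed (0) to most critical (3). The names are
# assumptions of this example; they follow the layered topology in the text.
LAYER = {"enterprise": 0, "dmz": 1, "supervisory": 2, "control": 3}

# Default-deny allowlist of (source zone, destination zone, TCP port).
# Each entry is a deliberate, documented path; everything else is a finding.
ALLOWED: Set[Tuple[str, str, int]] = {
    ("supervisory", "control", 502),   # SCADA server polls PLCs (Modbus/TCP)
    ("supervisory", "dmz", 443),       # process data pushed to the DMZ historian
    ("enterprise", "dmz", 443),        # business users read the DMZ historian
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: int
    description: str = ""


def is_permitted(flow: Flow) -> bool:
    """A flow is allowed only if it is explicitly on the allowlist."""
    return (flow.src_zone, flow.dst_zone, flow.port) in ALLOWED


def explain(flow: Flow) -> str:
    """Describe why a non-allowlisted flow matters in terms of the layer model."""
    hop = LAYER[flow.dst_zone] - LAYER[flow.src_zone]
    if hop >= 2:
        return "skips a layer: direct path from a less secure zone into a more critical one"
    if hop == 1:
        return "inbound to the next, more critical layer without an allow rule"
    return "outbound or lateral flow not in the allowlist"


def audit_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every observed flow the allowlist does not cover, with a reason."""
    return [(f, explain(f)) for f in flows if not is_permitted(f)]


# Constructed sample of observed flows, as an auditor might extract from firewall logs.
SAMPLE_FLOWS = [
    Flow("supervisory", "control", 502, "SCADA server polling a PLC"),
    Flow("enterprise", "control", 502, "engineering laptop reaching a PLC directly"),
    Flow("dmz", "supervisory", 22, "historian host opening SSH to the SCADA server"),
    Flow("control", "enterprise", 80, "PLC initiating HTTP to the corporate network"),
]


def demo() -> List[Tuple[str, str]]:
    return [(f.description, reason) for f, reason in audit_flows(SAMPLE_FLOWS)]


if __name__ == "__main__":
    for description, reason in demo():
        print(f"{description}: {reason}")
```

The value of the allowlist form is that the audit question becomes "is this path documented and justified?" rather than "does this look dangerous?"; the first flow passes, and the three findings map directly onto the risk factors listed earlier (a direct path into the control layer, an unplanned inbound path, and a device reaching outward from the most critical layer).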
An expert system allows the user to specify certain basic assumptions or formulas and
then uses them to analyze arbitrary events. Based on the information supplied as input
to the system, a conclusion is produced. The key to the system is the knowledge base,
which contains specific information or fact patterns associated with a particular subject
matter and the rules for interpreting these facts. A knowledge base can be expressed in
the following forms:
- Decision trees—use of questionnaires to lead the user through a series of
choices, until a conclusion is reached.
- Rules—expression of declarative knowledge through the use of if-then
relationships.
- Semantic nets—use of a graph in which the nodes represent physical or
conceptual objects, and the arcs describe the relationship between the nodes.
An expert system also includes the following components:
o Knowledge interface – inclusion of knowledge from an expert into the
system without the traditional mediation of a software engineer.
o Data interface – collection of data from nonhuman sources through an
expert system, such as measurement instruments in a power plant.
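To make the knowledge-base forms concrete, the following Python is an added example (not code from the module or from any expert-system product): a small forward-chaining engine applies if-then rules to a set of facts and records which rules fired, and a nested dictionary walks a decision-tree questionnaire to a conclusion. The rules, facts and questions are constructed for an IS-audit setting and are assumptions of the example, not a standard rule set.

```python
"""Two knowledge-base forms from the text: if-then rules and a decision tree.
Added example with constructed rules and questions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: FrozenSet[str]   # every condition must be among the known facts
    conclusion: str              # fact added to the knowledge base when the rule fires


# Constructed rule base: declarative knowledge about access-log review.
RULES: List[Rule] = [
    Rule("R1", frozenset({"failed_logins_exceed_threshold", "outside_business_hours"}),
         "suspicious_access"),
    Rule("R2", frozenset({"suspicious_access"}), "review_activity_log"),
    Rule("R3", frozenset({"suspicious_access", "privileged_account"}),
         "escalate_to_incident_response"),
]


def infer(facts: Set[str], rules: List[Rule] = RULES) -> Tuple[Set[str], List[str]]:
    """Forward chaining: fire every rule whose conditions hold until nothing new
    is learned. Returns the enlarged fact set and the order in which rules fired,
    which doubles as the explanation of how the conclusion was reached."""
    known = set(facts)
    fired: List[str] = []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.name not in fired and rule.conditions <= known:
                known.add(rule.conclusion)
                fired.append(rule.name)
                changed = True
    return known, fired


# Constructed decision tree: a questionnaire that leads the user to a conclusion.
Q_BEFORE = "Does the control stop the error, omission or malicious act before it occurs?"
Q_REPORT = "Does the control only detect and report the problem after it has occurred?"
CONTROL_TREE: Dict[object, object] = {
    "question": Q_BEFORE,
    True: "preventive",
    False: {"question": Q_REPORT, True: "detective", False: "corrective"},
}


def walk_tree(node, answers: Dict[str, bool]) -> str:
    """Follow the user's yes/no answers from the root until a leaf conclusion."""
    while isinstance(node, dict):
        node = node[answers[node["question"]]]
    return node


def demo() -> Tuple[List[str], str]:
    observed = {"failed_logins_exceed_threshold", "outside_business_hours",
                "privileged_account"}
    _facts, fired = infer(observed)
    classification = walk_tree(CONTROL_TREE, {Q_BEFORE: False, Q_REPORT: True})
    return fired, classification


if __name__ == "__main__":
    print(demo())
```

Note that R3 cannot fire until R1 has added "suspicious_access": the engine derives intermediate facts rather than requiring the user to supply them, which is what separates a rule base from a lookup table.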
SCM refers to the linking of business processes between related entities such as a
buyer and a seller. The link extends to all connected areas, such as managing logistics
and the exchange of information, services and goods among suppliers, consumers,
warehouses, wholesale/retail distributors and manufacturers of goods.
The CRM process emphasizes the customer, rather than marketing, sales or any other
function, in order to meet customer expectations. It includes the integration of
telephony, web and database technologies, and inter-enterprise integration
capabilities. In this model, other business partners can share information,
communicate and collaborate with the organization through the seamless integration of
web-enabled applications, without changing their local network and other
configurations.
• CISA (Certified Information Systems Auditor) Review Manual, 27th Edition – Domain 1 –
Information System Auditing Process
Let’s Check
Select the best answer for each question below:
1) It refers to the software in the EDI that moves data from one point to another, flags
the start and end of an EDI transmission, and determines how acknowledgments are
transmitted and reconciled.
a. Ecommerce
b. Enterprise Resource Planning
c. Supply Chain Management
d. Communication Software
2) The emphasis is on the customer, rather than marketing, sales or any other
function in order to meet customer expectations.
a. Ecommerce
b. Customer Relationship Management
c. Expert Systems
d. Electronic Data Interchange (EDI)
translate the reported concerns from different languages into standard English. The
organization should:
a) Business Intelligence
b) Voice Recognition
c) Artificial Intelligence and Expert Systems
d) Supply Chain Management
10) It is the layer of the three-tier architecture that handles what is displayed in the
user interface.
a. Presentation Tier
b. Application Tier
c. Data Tier
d. Single Tier
In a Nutshell
Do you think there is a single best business application that fits any kind of industry?
Explain your answer.
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
Keywords Index
• Systems
• Risk and Controls
• Business Environment
• Authentication
• Nonrepudiation
• Software/Applications
• Interface
• Server
• Transmission
• Security
• Processing
• Transaction
• Middleware
• Computer Language
• Internet/Web
• Architecture
• Business Process
• Application
• Legacy Systems
COURSE SCHEDULE
ACTIVITY DUE DATE WHERE TO SUBMIT
Week 6 - 7: Unit Learning Outcomes (ULO): at the end of the unit, you are expected to
A. Discuss the internal controls in a business ruled by information systems.
B. Explain the types of audits and the process of assessments.
C. Discuss the concept of corporate governance and understand the different roles in
relation to corporate governance.
Metalanguage
Control – the means of managing risk, including policies, procedures, guidelines,
practices or organizational structures, which can be of an administrative, technical,
management or legal nature. Also used as a synonym for safeguard or
countermeasure.
Essential Knowledge
Every organization has controls in place. An effective control is one that prevents,
detects and/or contains an incident and enables recovery from a risk event.
Organizations design, develop, implement and monitor information systems through
policies, procedures, practices and organizational structures to address these types
of risk.
Internal controls address business/ operational objectives and should also address
undesired events through prevention, detection and correction. Elements of controls
that should be considered when evaluating control strength are classified as
preventive, detective or corrective in nature.
A control objective is a goal that is explicitly related to the strategy of the company.
The table below shows how controls are classified and gives examples of each class:
Control Classifications

Class: Preventive
Function:
- Detect problems before they arise.
- Monitor both operation and inputs.
- Attempt to predict potential problems before they occur and make adjustments.
- Prevent an error, omission or malicious act from occurring.
Examples:
- Employing only qualified personnel
- Segregation of duties
- Controlling access to physical facilities
- Well-designed documents to prevent errors
- Suitable procedures for authorization of transactions
- Programmed edit checks
- Use of access control software that allows only authorized personnel to access sensitive files
- Use of encryption software to prevent unauthorized disclosure of data

Class: Detective
Function:
- Use controls that detect and report the occurrence of an error, omission or malicious act.
Examples:
- Hash totals
- Check points in production jobs
- Echo controls in telecommunications
- Error messages over tape labels
- Duplicate checking of calculations
- Periodic performance reporting with variances
- Past-due account reports
- Internal audit functions
- Review of activity logs to detect unauthorized access attempts
- Secure code reviews
- Software quality assurance

Class: Corrective
Function:
- Minimize the impact of a threat.
- Remedy problems discovered by detective controls.
- Identify the cause of a problem.
- Correct errors arising from a problem.
- Modify the processing system(s) to minimize future occurrences of the problem.
Examples:
- Contingency / continuity of operations planning
- Disaster recovery planning
- Incident response planning
- Backup procedures
- System break/fix service level agreements
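Two of the detective examples in the table, hash totals and review of activity logs for unauthorized access attempts, are shown below in Python as an added example (not the module's own code). The batch records, the authentication log lines and their format are constructed; a real system would compute the hash total over the field its own batch header carries and parse its own log format.

```python
"""Two detective controls: a batch hash total and an activity-log review.
Added example with constructed records and log lines."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# --- Hash total ---------------------------------------------------------------
# A hash total is a control total over a field that has no business meaning as a
# sum (here the account number). The sender records it with the batch; the receiver
# recomputes it, so a changed, dropped or duplicated record is detected.
BATCH_SENT: List[Dict[str, float]] = [          # constructed payment batch
    {"account": 1001234, "amount": 250.00},
    {"account": 1005678, "amount": 1200.50},
    {"account": 1009012, "amount": 75.25},
]


def hash_total(records: List[Dict[str, float]], field: str = "account") -> int:
    return int(sum(r[field] for r in records))


def batch_reconciles(received: List[Dict[str, float]],
                     expected_count: int, expected_hash_total: int) -> bool:
    """Record count and hash total must both match the batch header."""
    return len(received) == expected_count and hash_total(received) == expected_hash_total


def demo_hash_total() -> Tuple[bool, bool]:
    header_count, header_total = len(BATCH_SENT), hash_total(BATCH_SENT)
    # Constructed error: two digits of an account number transposed in transit.
    tampered = [dict(r) for r in BATCH_SENT]
    tampered[1]["account"] = 1005687
    return (batch_reconciles(BATCH_SENT, header_count, header_total),
            batch_reconciles(tampered, header_count, header_total))


# --- Activity-log review -------------------------------------------------------
# Constructed authentication log in an assumed line format.
AUTH_LOG = """\
2024-03-04T22:01:10Z FAILED user=jdoe src=10.20.30.40
2024-03-04T22:01:14Z FAILED user=jdoe src=10.20.30.40
2024-03-04T22:01:19Z FAILED user=jdoe src=10.20.30.40
2024-03-04T22:01:25Z SUCCESS user=jdoe src=10.20.30.40
2024-03-04T09:15:02Z FAILED user=asmith src=10.20.30.77
2024-03-04T09:15:20Z SUCCESS user=asmith src=10.20.30.77
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")


def review_activity_log(text: str, threshold: int = 3) -> List[Tuple[str, str, int, bool]]:
    """Report (user, source, failure count, success-after-failures) for every
    user/source pair with at least `threshold` failed attempts. A success that
    follows a run of failures is flagged because it merits a closer look."""
    failures: Counter = Counter()
    success_after: Dict[Tuple[str, str], bool] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable lines are skipped, not silently trusted
        key = (m["user"], m["src"])
        if m["result"] == "FAILED":
            failures[key] += 1
        elif failures[key] >= threshold:
            success_after[key] = True
    return sorted((u, s, n, success_after.get((u, s), False))
                  for (u, s), n in failures.items() if n >= threshold)


if __name__ == "__main__":
    print(demo_hash_total())
    print(review_activity_log(AUTH_LOG))
```

Both functions only detect; the follow-up (rejecting the batch, investigating the account) is the corrective control the table lists separately.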
The control objectives apply to all controls, whether they are manual, automated or a
combination. Control objectives in an IS environment do not differ from those in a
manual environment; however, the way these controls are implemented may be
different. Thus, control objectives need to be addressed relevant to specific IS-related
processes.
Both the control objective and the control measure serve to decompose strategic-level
goals into lower-level goals and activities that can be assigned as tasks to staff. This
assignment can take the form of a role description in a job description.
the organization’s assets are properly protected and meet business goals and
objectives.
GENERAL CONTROLS
→ General controls are controls that apply to all areas of an organization, including the
following:
▪ Internal accounting controls that are primarily directed at accounting
operations—controls about safeguarding assets and the reliability of financial
records
▪ Operations controls that concern day-to-day operations, functions and
activities, and ensure that the operation is meeting the business objectives.
▪ Administrative controls that concern operational efficiency in a functional area
and adherence to management policies (administrative controls support the
operational controls)
▪ Organizational security policies and procedures to ensure proper usage of
assets
▪ Overall policies for the design and use of adequate documents and records
(manual/ automated) to help ensure proper recording of transactions—
transactional audit trail
▪ Procedures and practices to ensure adequate safeguards over access to and
use of assets and facilities.
▪ Physical and logical security policies for all facilities, data centers and IT
resources.
IS-SPECIFIC CONTROLS
Each general control can be translated into an IS-specific control. A well-designed
information system should have controls built in for all its sensitive or critical functions.
For example, the general control that ensures adequate safeguards over access to
assets and facilities can be translated into an IS-related set of control procedures
covering access safeguards over computer programs, data and equipment.
3.) Financial audit – an audit that assesses the accuracy of financial reporting. A
financial audit will often involve detailed, substantive testing, although IS
auditors are increasingly placing more emphasis on a risk- and control-based
audit approach. This kind of audit relates to financial information integrity and
reliability.
5.) Integrated audit – it typically combines financial and operational audit steps
and may or may not include the use of an IS auditor. This type of audit also
assesses the overall objectives within the organization related to the safeguarding
of financial information and assets, efficiency and compliance. It could be performed
by external or internal auditors and would include compliance tests of internal
controls and substantive audit steps.
7.) Specialized audit – specialized reviews may examine areas such as fraud or
services performed by third parties.
Self-Help: You can also refer to the sources below to help you
further understand the lesson:
1) It contains description of the consequences of failing to comply with the policy, the means
for handling exceptions, and the manner in which compliance with the policy will be checked
and measured. ______________
2) This control includes review of activity logs to check if there are unauthorized access
attempts to the system. _________________
4) This is a way to manage risk, which may include policies, procedures, guidelines,
practices or organizational structures. _____________________
10) A type of audit that assesses issues related to the efficiency of operational productivity
within an organization. _______________________
Identify the controls and their type, i.e., whether each is a preventive, detective or
corrective control, in the case below.
Metalanguage
Governance - the act or process of governing or overseeing the control and direction
of something such as an organization.
Stakeholders – parties that have an interest in a company and can either affect or
be affected by the business. The primary stakeholders in a typical corporation are its
investors, employees, customers and suppliers; the term is extended to include
communities, governments and trade associations.
Essential Knowledge
IFC defines corporate governance as “the structures and processes for the direction
and control of companies.” The Organization for Economic Cooperation and
Development (OECD), which in 1999 published its Principles of Corporate
Governance, offers a more detailed definition of corporate governance as:
“The internal means by which corporations are operated and controlled [...], which
involve a set of relationships between a company’s management, its board, its
shareholders and other stakeholders. Corporate governance also provides the
structure through which the objectives of the company are set, and the means of
attaining those objectives and monitoring performance are determined. Good
corporate governance should provide proper incentives for the board and
management to pursue objectives that are in the interests of the company and
Despite the variations among companies' definitions of corporate governance, certain
elements are common to all of them.
(2) These relationships may involve parties with different and sometimes
contrasting interests: Differing interests may exist between the main
governing bodies of the company, i.e. the GMS, the Board of Directors, and/or
the General Director (or other executive bodies). Contrasting interests exist
most typically between owners and managers, and are commonly referred to
as the principal-agent problem. Conflicts may also exist within each governing
body, such as between shareholders (majority vs. minority, controlling vs. non-
controlling, individual vs. institutional) and directors (executive vs. non-
executive, outside vs. inside, independent vs. dependent). Each of these
contrasting interests needs to be carefully observed and balanced.
(3) All parties are involved in the direction and control of the company: The
GMS, representing shareholders, takes fundamental decisions, for example the
distribution of profits and losses. The Board of Directors is generally responsible
for guidance and oversight, setting company strategy and controlling
managers. Executives, finally, run the day-to-day operations, such as
implementing strategy, drafting business plans, managing human resources,
developing marketing and sales strategies, and managing assets.
(4) All this is done to properly distribute rights and responsibilities and thus
increase long-term shareholder value: For example, how outside, minority
shareholders can prevent a controlling shareholder from gaining benefits
through related party transactions, tunneling or similar means.
The figure below illustrates the basic corporate governance system and the
relationships between the governing bodies.
The role of stakeholders in governance has been debated in the past, with some
arguing that stakeholders have no claim on the enterprise other than those specifically
set forth in law or contract. Others have argued that companies fulfill an important
social function, have a societal impact and, accordingly, must act in the broad interests
of society. This view recognizes that companies should, at times, act at the expense
of shareholders. Interestingly, there is a consensus that modern companies cannot
effectively conduct their businesses while ignoring the concerns of stakeholder groups.
However, there is also agreement that companies which consistently place other
stakeholder interests before those of shareholders cannot remain competitive over the
long run.
The first well-documented failure of governance was the South Sea Bubble in the
1700s, which revolutionized business laws and practices in England. Similarly, much
of the securities law in the U.S. was put in place following the stock market crash of
1929.
The history of corporate governance has also been punctuated by a series of well-
known company failures. The early 1990s saw the Maxwell Group raid the pension
fund of the Mirror Group of newspapers and witnessed the collapse of Barings Bank.
The new century likewise opened with a bang: the spectacular collapse of Enron
in the U.S., the near-bankruptcy of Vivendi Universal in France, the scandal at
Parmalat in Italy, the trading fraud which hit Société Générale and the more recent
Madoff multi-billion dollar Ponzi scheme make other scandals pale in comparison.
It is fair to say that, although there is still plenty of room for improvement, the legal and
regulatory framework on corporate governance has changed and improved
dramatically in recent years. As a result of past events, the following laws and
regulations took effect; they are but some examples of the many positive changes to
the legal and regulatory framework:
(i) the Law on Foreign Investment in 1987, its amendments in 2000 and its
later unification with the Law on Enterprises and the Law on Investment in
2005,
(ii) the Law on Enterprises in 1999, and its amendments in 2005,
(iii) the Law on State Bank in 1997; the Law on Credit Institutions of 1997 and
the amendments to both laws in 2003 and 2004, respectively, and the
replacements of both laws in June 2010,
(iv) the Law on Insurance Business in 2000,
(v) the Competition Law in 2004, and
(vi) the Law on Securities in 2006.
Numerous codes of best practices and corporate governance principles have been
developed over the last 10 years. Worldwide, more than 200 codes have been written
in some 72 countries and regions. Most of these codes focus on the role of the
Supervisory Board or Board of Directors in a company. A handful are international in
scope.
Among these, only the OECD Principles address both policymakers and businesses,
and focus on the entire governance framework (shareholder rights, stakeholders,
disclosure and board practices). The OECD Principles have gained worldwide
acceptance as a framework and reference point for corporate governance. Published
in 1999 and revised in 2004, they were developed to provide principle-based guidance
on good governance.
The OECD corporate governance framework is built on four core values:
• Fairness: The corporate governance framework should protect shareholder
rights and ensure the equitable treatment of all shareholders, including minority
and foreign shareholders. All shareholders should have the opportunity to
obtain effective redress for violations of their rights.
• Responsibility: The corporate governance framework should recognize the
rights of stakeholders as established by law, and encourage active co-operation
between corporations and stakeholders in creating wealth, jobs, and the
sustainability of financially sound enterprises.
Many national corporate governance codes have been developed based on the OECD
Principles. For instance, the CG Regulations state that (i) they were developed to “. .
. help ensuring the sustainable development of the securities market and contributing
to a cleaner and healthier economy”, that (ii) “[The] regulations set out the basic rules
of corporate governance with a view to protecting legitimate rights and obligations of
shareholders, establishing standards for professional acts and morality of the
directors, the Board of Directors, the Supervisory Board and the managers of the listed
company”, and that (iii) “the regulations also serve as the basis for assessing the
implementation of corporate governance of a listed company”.
Although they represent a good start in the right direction, the CG Regulations are
much simpler in form in comparison to other national codes of corporate governance.
The OECD Principles can serve as an excellent reference point for international
practices and are recommended reading for those interested in understanding some
of the principles that underlie national standards.
There are several ways in which good corporate governance can improve
performance and operational efficiency. An improvement in the company’s
governance practices leads to an improvement in the accountability system,
minimizing the risk of fraud or self-dealing by the company’s officers. Accountable
behavior, combined with effective risk management and internal controls, can bring
potential problems to the forefront before a full-blown crisis occurs. Corporate
governance improves the management and oversight of executive performance, for
example by linking executive remuneration to the company’s financial results. This
creates favorable conditions not only for planning the smooth succession and
continuity of the company’s executives, but also for sustaining the company’s long-
term development.
Corporate governance practices can determine the ease with which companies are
able to access capital markets. Well-governed firms are perceived as investor friendly,
providing greater confidence in their ability to generate returns without violating
shareholder rights.
3.) Lowering the Company’s Cost of Capital and Raising the Value of Assets
The level of risk and cost of capital also depend on a country’s economic or political
situation, institutional framework and enforcement mechanisms. Corporate
governance at a particular company thus plays a crucial role in emerging markets,
which often do not have as good a system of enforcing investors’ rights as countries
with developed market economies.
This public confidence and goodwill can lead to greater trust in the company and its
products, which in turn may lead to higher sales and, ultimately, profits. A company’s
positive image or goodwill is known to play a significant role in the valuation of a
company. Goodwill in accounting terms is the amount that the purchase price exceeds
the fair value of the acquired company’s assets. It is the premium one company pays
to buy another.
membership. In addition, it approves the annual report and the financial statements,
the distribution of profits and losses (including the payment of dividends), amended
charter capital, amendments of the charter, re-organization and dissolution, and
extraordinary transactions.
Group Activity: The class will be divided into six groups, and each group will be assigned
one of the cases below to research, identify, answer and discuss the following:
(1) The background of the case you will be handling, such as the type of business or
industry, the location, who was involved and the sequence of events.
(2) Explain what happened, and cite the inappropriate actions/decisions made by
management that resulted in the reputational damage and bankruptcy in the case you
have studied.
(3) How was the case discovered?
(4) If you were the management, what should have been done to avoid the
unfavorable events from happening?
(5) Were there any laws/regulations that were established because of what happened? If
none, was there any existing law that the organization's management violated?
The cases, which were mentioned in the essential knowledge, are as follows:
(1) South Sea Company in 1700s
(2) 1929 US Stock Market Crash
(3) Maxwell Group and Mirror Group in 1990s
(4) Vivendi Universal in France
(5) Parmalat Scandal
(6) Trading Fraud in Société Générale
In a Nutshell
Discuss what you have learned about why corporate governance is important in an organization.
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
1.
2.
3.
Keywords Index
• Control
• Audit
• Computer Forensic Audit
COURSE SCHEDULE
ACTIVITY DUE DATE WHERE TO PASS
Week 8 - 9: Unit Learning Outcomes (ULO): at the end of the unit, you are expected
to
A. Discuss the concept of Internal Control Framework and introduction to risk management,
its phases and process.
B. Discuss thoroughly the ERM Framework and how the enterprise risk management is
implemented.
Metalanguage
Committee of Sponsoring Organizations of the Treadway Commission (COSO) – a joint
initiative of five private sector organizations (i.e., AICPA, IIA, FEI, AAA and IMA) that is
dedicated to providing thought leadership through the development of frameworks and
guidance on enterprise risk management, internal control and fraud deterrence.
SOX (Sarbanes-Oxley Act) – also known as the SOX Act of 2002 and the Corporate
Responsibility Act of 2002; a federal law that established sweeping auditing and financial
regulations for public companies.
Risk Assessment – a process used to identify and evaluate risk and its potential effects
Essential Knowledge
History of COSO
In the 1970s, several major corporations suffered financial collapse even though their
recently published audited financial reports showed adequate earnings and good
financial health. Some of these failures were caused by fraudulent financial reporting,
but most turned out to be victims of the high inflation and resultant high interest rates of
that period. It was not uncommon for companies that failed to have issued fairly positive
annual reports despite the bad news about to come. A private professional group called
the National Commission on Fraudulent Financial Reporting was formed to study the
issue. Five U.S. professional
a. Integrity and Ethical Values – the essential elements of the control environment, often
defined and communicated through senior management ''tone at the top'' messages.
b. Commitment to Competence – the enterprise specifies the required competence
levels for its job tasks and translates those requirements into necessary levels of
knowledge and skill.
c. Board of Directors and the Audit Committee – SOX requires audit committees to
consist of independent, outside directors.
d. Management's Philosophy and Operating Style – these are all part of the enterprise
control environment. Managers and others responsible for assessing internal controls
should understand these factors and take them into consideration when installing and
establishing an effective system of internal controls.
e. Organization Structure – provides a framework for planning, executing, controlling
and monitoring activities for achieving overall objectives.
f. Assignment of Authority and Responsibility – assignment of authority is essentially
the way responsibilities are defined in terms of job descriptions and structured in terms
of enterprise charts.
g. Human Resources Policies and Practices – cover such areas as hiring, orientation,
training, evaluating, counseling, promoting, compensating, and taking appropriate
remedial actions.
performed at all levels and for virtually all activities within the enterprise. The COSO internal
controls framework describes risk assessment as a three-step process:
3. Other COSO Internal Control Components and Activities – the other internal elements
of control activities, information and communications, and monitoring also are very important
for understanding the overall COSO internal control framework.
Internal controls and enterprise risk management each take a different perspective to
understanding and evaluating activities in an enterprise. While COSO internal controls focus
on an enterprise’s daily activities, enterprise risk management focuses on activities that an
enterprise and its managers may or may not do.
Source: COSO Enterprise Risk Management: Establishing Effective Governance, Risk and Compliance
eliminate the conflicts that will exist between their overall goals and individual stakeholders’
self-interest. In many enterprise activities, there is a continuing need to focus any governance
system on economic efficiency along with a strong emphasis on shareholder and stakeholder
welfare.
Currently, enterprises need to establish policies to effectively handle their governance issues as
well as a culture that allows them to build an effective system of governance.
The last component of GRC, which is compliance, is either a state of being in accordance with
some established guidelines, specifications, or legislation or the process of becoming so.
A good way to launch an enterprise-wide risk identification process is to begin with a high-
level enterprise chart that lists corporate-level facilities as well as operating units. Each of
those units may have facilities in multiple global locations and also may consist of multiple
and different types of operations. Each separate facility will then have its own departments
or functions. Some of these separate facilities may be closely connected to one another
while others represent little more than corporate investments. Although this is a difficult and
sometimes complicated task, an enterprise-wide initiative should be launched to identify all
potentially significant risks in the various individual areas. This type of exercise can yield
interesting or even troubling results. For example, corporate-level management may be aware of
some product liability risks, but a front-line supervisor in an operating unit may look at the same
risks from an entirely different perspective.
The management may opt to identify people at all levels of the enterprise who would be
asked to serve as risk assessors. Within each significant operating unit, key people should
be identified from operations, finance/ accounting, IT, and unit management. Their goal
would be to identify and then help assess risks in their units built around a risk
identification model framework. This is the type of initiative that can be led by an
enterprise-wide risk management group, if one exists, or an internal controls assessment
function such as internal audit.
An effective approach here is to outline some high-level ‘‘straw man’’ risk areas that may
impact various operating units. Knowledgeable people can then look at these hypothetical
risks and expand or modify them as appropriate.
The ERM team should review all of the risks identified in the group brainstorming sessions
and subsequently designated as core risks. Because of the ongoing discussion and
analysis associated with this process, there may have been some changes to the original set
of risks as identified. This final set of identified enterprise risks by the overall enterprise and
by specific operating units should be shared with responsible operating and financial
management as well as with the teams that participated in the brainstorming sessions. Any
corrections should be made as appropriate prior to assessing them.
The results of the risk identification brainstorming sessions should then be shared with other
units that did not have the opportunity to participate in the original sessions. The results of
the identified risks should be expanded throughout the enterprise.
2. Quantitative or Qualitative Assessment of Risks
Having identified the significant risks impacting the enterprise at various levels, a next step is
to assess them for their likelihood and relative significance. This is particularly important for
risks identified through quick-response brainstorming techniques. What sounded good in a
quick-response group session may not appear as serious when reduced to a relative
significance type of analysis. A variety of approaches can be used here ranging from a
relatively quick best-guess qualitative assessment to some detailed, very mathematical
quantitative approaches. The whole idea is to help management decide which of a series of
potentially risky events should cause the most concern.
One simple approach to assess the risk is to ask the participants the following questions on
each of the risks:
- What is the likelihood of this risk occurring over the next one-year period? Using a
score of 1 to 9, assign a best-guess single-digit score as follows:
o Score 1 if you see almost no chance of that risk happening during the period.
o Score 9 if you feel the event will almost certainly happen during the period.
o Score 2 through 8 depending on how you feel the likelihood falls between
these two extremes.
Risk Interdependencies
These risk interdependencies must be considered and evaluated throughout the enterprise
structure. Any entity should be concerned about risks at all levels of the enterprise but only
really has control over the risks within its own sphere. Each operating unit is responsible for
managing its own risks but may be subject to the consequences of risk events on units above
or below in the enterprise structure. Every operating unit of an enterprise should realize that
whatever risks that local unit is accepting may impact other units in the enterprise.
The idea is to estimate the cost impact of incurring some identified risk and then to apply that
cost to the risk factor probability of the risk to derive an expected value of the risk. This is also
an important time to identify each risk owner, the person or entity responsible for recognizing
and monitoring the status of a specific risk. These estimates should be made by knowledgeable
people with a general understanding of the risk areas. Expected cost estimates should also be
prepared by front-line people at various levels of the enterprise who can be expected to have a
good knowledge of the area or of the risk implications.
For example, typical risks and ways to think about replacement costs include the following:
The answers to these questions will not be precise; they are only estimated costs. There is
often no need to perform detailed, time-consuming analyses here; instead, ask knowledgeable
people who understand the risk area to give some estimates. It is suggested to gather four
estimates as a starting point to get some idea of the range of costs in various people’s
thinking. One best-guess estimate should then be selected from the four estimates,
usually something between estimates 2 and 3. These estimates and supporting work should
be documented, and the selected cost estimate should be entered as the cost impact in the
risk-response planning.
Sample table of risk score and expected value of cost computation.
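The computation such a table would show, as an added example that is not part of the course module or of Moeller's book: it assumes the risk score is likelihood × impact in percent (as Question 4 in Let's Check implies), takes the midpoint of the 2nd and 3rd of four sorted cost estimates as the best guess, and multiplies that by the likelihood to get the expected value; the risks, owners and figures in the register are constructed.

```python
"""Risk register scoring for an ERM risk assessment.

Constructed example, not code from the course module or from Moeller's book.
Assumptions: risk score = likelihood x impact, both in percent; best-guess
cost = midpoint of the 2nd and 3rd lowest of four estimates; expected
value = best-guess cost x likelihood.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str                        # risk owner: monitors the status of this risk
    likelihood_pct: float             # chance of occurring over the next year, 0..100
    impact_pct: float                 # relative significance, 0..100
    cost_estimates: Sequence[float]   # four independent cost-impact estimates


def risk_score(likelihood_pct: float, impact_pct: float) -> float:
    """Risk score in percent: likelihood x impact (assumption; 75% x 35% -> 26.25%)."""
    for value in (likelihood_pct, impact_pct):
        if not 0 <= value <= 100:
            raise ValueError(f"percentage out of range: {value}")
    return likelihood_pct * impact_pct / 100


def best_guess_cost(estimates: Sequence[float]) -> float:
    """Select one best-guess cost from four estimates.

    The module says to pick something between estimates 2 and 3; here the
    estimates are sorted and the midpoint of the 2nd and 3rd is used (an
    assumption), which discards the lowest and highest outliers.
    """
    if len(estimates) != 4:
        raise ValueError("expected exactly four cost estimates")
    ordered = sorted(estimates)
    return (ordered[1] + ordered[2]) / 2


def expected_value(risk: Risk) -> float:
    """Expected cost of the risk: best-guess cost x probability of occurrence."""
    return best_guess_cost(risk.cost_estimates) * risk.likelihood_pct / 100


def prioritize(register: Sequence[Risk]) -> list:
    """Build the scoring table and rank it by expected value, highest first."""
    rows = []
    for risk in register:
        rows.append({
            "name": risk.name,
            "owner": risk.owner,
            "risk_score_pct": risk_score(risk.likelihood_pct, risk.impact_pct),
            "best_guess_cost": best_guess_cost(risk.cost_estimates),
            "expected_value": expected_value(risk),
        })
    return sorted(rows, key=lambda row: row["expected_value"], reverse=True)


# Constructed sample register; names, owners, percentages and costs are made up.
SAMPLE_REGISTER = [
    Risk("Data leakage", "CISO", 75, 35, [200_000, 350_000, 300_000, 900_000]),
    Risk("Server center outage", "IT operations", 20, 80,
         [1_000_000, 1_500_000, 800_000, 2_000_000]),
    Risk("Key supplier failure", "Procurement", 40, 60,
         [100_000, 150_000, 120_000, 600_000]),
]

if __name__ == "__main__":
    # The ranking by expected value differs from the ranking by risk score:
    # the outage scores lowest (16%) but carries the largest expected cost.
    print(f"{'Risk':<22}{'Owner':<16}{'Score%':>8}{'Cost':>12}{'Exp. value':>12}")
    for row in prioritize(SAMPLE_REGISTER):
        print(f"{row['name']:<22}{row['owner']:<16}{row['risk_score_pct']:>8.2f}"
              f"{row['best_guess_cost']:>12,.0f}{row['expected_value']:>12,.0f}")
```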
• COSO Enterprise Risk Management (Establishing Effective Governance, Risk and Compliance
Process) 2nd Edition – Robert R. Moeller (John Wiley & Sons, Inc.)
Metalanguage
Enterprise Risk Management – a process, effected by an entity’s board of
directors, management and other personnel, applied in a strategy setting and across
the enterprise, designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.
Risk Mitigation – the management of risk through the use of countermeasures and
controls
Risk Transfer /Sharing – the process of assigning risk to another enterprise, usually
through the purchase of an insurance policy or by outsourcing the service
Risk appetite – the amount of risk, on a broad level, that an enterprise and its
individual managers are willing to accept in their pursuit of value. Risk appetite can
be measured in a qualitative sense by looking at risks in such categories as high,
medium, or low; alternatively, it can be defined in a quantitative manner.
Essential Knowledge
COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK
COSO ERM is a framework that helps enterprises arrive at a consistent definition of
what is meant by enterprise-level risk and consider those risks across the entire
enterprise in a consistent manner. An advisory council of members from the
sponsoring enterprises was formed, and PricewaterhouseCoopers (PwC) was
contracted to develop and draft the framework description. A draft version of the ERM
framework was released for comment in mid-2003, with the final version published in
September 2004. We will discuss in this topic some of the concepts in the ERM
The illustration above shows the three-dimensional cube of COSO ERM Framework
components. The four vertical columns represent the strategic objectives of
enterprise risk, the eight horizontal rows are the risk components, and the other side
of the cube represents the multiple levels of the enterprise. We will be discussing here
the horizontal components of the ERM Framework.
A. Internal Environment
Unlike the previous discussion on the COSO Internal Control Framework, the Internal
Environment here is placed at the top of the components in the framework. While the
control environment for COSO internal controls focused on current practices in place,
such as human resource policies and procedures, ERM takes these same areas and
looks at them in a more future-oriented, philosophy-driven approach. The ERM internal
environment component consists of the following elements:
1. Risk Management Philosophy -- a set of shared attitudes and beliefs that will
tend to characterize how the enterprise considers risk in everything it does.
2. Risk Appetite
3. Board of Directors’ Attitudes -- the board has a very important role in overseeing and
guiding an enterprise's risk environment. The independent, outside directors
in particular should closely review management actions, ask appropriate
questions, and serve as a check and balance control for the enterprise.
4. Integrity and Ethical Values -- There should be a strong corporate culture
here that guides the enterprise at all levels in helping to make risk-based
decisions.
5. Commitment to Competence
6. Organizational Structure – a poorly constructed enterprise structure makes it
difficult to plan, execute, control, and monitor activities.
7. Assignments of Authority and Responsibility
8. Human Resource Standards
B. Objective Setting
This component outlines some necessary preconditions that must be established before
management can establish an effective enterprise risk management process. It also
states that an enterprise must establish a series of strategic objectives covering its
operations, reporting, and compliance activities. These strategic objectives are high-
level goals that should be aligned with an enterprise’s mission or vision. COSO
ERM also suggests formally defining goals with a direct linkage to the mission
statement.
C. Event Identification
D. Risk Assessment
The risk assessment component is described as being in the center of the framework
and represents the core of COSO ERM. Risk assessment allows an enterprise to
consider the extent of the impact of potential risk-related events on an enterprise’s
achievement of its objectives. We have already discussed in the previous topic the risk
management fundamentals. In addition to that, the risk assessment process should
also consider both the inherent and residual risks.
• Inherent Risk. It is the ‘‘potential for waste, loss, unauthorized use, or
misappropriation due to the nature of an activity itself.’’ Major factors that affect the
inherent risk of any activity within an enterprise are the size of its budget, the
strength and sophistication of the group’s management, and just the very nature
of its activities. Inherent risk is outside the control of management and usually
stems from external factors.
• Residual Risk. This is the risk that remains after management responses to
risk threats and countermeasures have been applied. There will always be
some level of residual risk.
E. Risk Response
After identification and assessment of risk, the next step is to determine how to
respond to these various identified risks. These risk responses can be handled
following any of these four basic approaches:
1. Avoidance – this is a strategy of walking away from the risk—such as selling
a business unit that gives rise to the risk, exiting from a geographic area of
concern, or dropping a product line.
2. Reduction – product line diversification may reduce the risk of too strong a
reliance on one key product line. Splitting an IT operations server center into
two geographically separate locations will reduce the risk of some catastrophic
failures.
3. Sharing – for example, in financial transactions an enterprise can engage in
hedging operations to protect against possible price fluctuations. A common
example of hedging is the investor’s use of put or call options to cover
unexpected stockholding price movements.
4. Acceptance – the strategy is not to act on the risk.
The strategy for managing each risk may use one or a mix of these four general
strategies. Costs versus benefits should be considered in responding to a potential risk.
F. Control Activities
It is defined as the policies and procedures necessary to ensure that identified risk
responses are carried out. With the selected appropriate risk responses, enterprise
management should select the control activities necessary to ensure that those risk
responses are executed in a timely and efficient manner.
We have previously mentioned the SOx requirement. The major difference between
COSO Internal control procedures under SOx rules and COSO ERM is that an
enterprise is legally required to comply with SOx procedures in order to assert the
adequacy of their internal controls to their external auditors as part of the SEC financial
reporting requirements. There are no such legal requirements with COSO ERM at this
time. Although there is no accepted or standard set of enterprise risk management
control activities at this time, the COSO ERM documentation suggests several areas
as follows:
1. Top-Level Reviews – regular top-level reviews of the status of identified risks
as well as the progress of risk responses.
2. Direct Functional or Activity Management – functional and direct unit managers
should have a key role in risk control activity monitoring.
3. Information Processing
4. Physical controls
5. Performance Indicators
6. Segregation of Duties – the concept is that a person who initiates certain actions
should not be the same person who authorizes or approves those actions.
H. Monitoring
It is necessary to determine that all components of an installed ERM continue to work
effectively. Ongoing and continuous monitoring processes can be an effective method
to flag exceptions or violations in some aspect of the overall ERM process. There are
mechanisms and tools available that act like a dashboard to monitor the status of
certain enterprise risk controls and send warnings when necessary. The following tools
might be used:
→ Process Flowcharting – this involves reviewing the documentation prepared for a
process, determining whether the documentation is still correct given current conditions,
and updating the process flowcharts as appropriate. This update should check
whether the identified risks still appear appropriate and whether they have been
identified correctly.
→ Reviews of Risk and Control Materials – the ERM process often results in a
large volume of guidance materials, documented procedures, report formats,
and the like. These materials should be reviewed periodically.
→ Benchmarking – the term benchmarking here is the process of looking at
other enterprises’ ERM functions to assess their operations and to develop an
approach based on the best practices of others.
→ Questionnaires – can be sent out to designated stakeholders with a
request for specific information. This is a valuable technique for monitoring
when the respondents are scattered geographically, such as a risk-monitoring
survey of employees in a nationwide retail enterprise.
→ Facilitated Sessions -- Valuable information can often be gathered by
asking selected people to participate in a focus group session led by a skilled
conference leader.
The purpose of this monitoring process is to assess how well the ERM framework is
functioning in an enterprise. Deficiencies should be regularly reported to the managers
responsible for enterprise risks in the specific area monitored as well as to the ERM
or risk management office.
CRO Responsibilities
Enterprise risk management is usually the responsibility of a CRO, a designated senior
enterprise officer responsible for administering and monitoring the overall enterprise
ERM function.
The major responsibility of the CRO is to manage the process of assessing risks
throughout the enterprise, to implement appropriate corrective actions, and to
communicate risk issues and events to all levels of the enterprise. The CRO should
be responsible for the overall risk management function in an enterprise and should
direct and manage a supporting risk management function. An effective CRO and the
supporting risk management function are similar to the internal audit function. Just as
internal audit has a staff of specialists to review all levels of internal controls and
provide recommendations for corrective actions, an enterprise risk function should
operate in a similar manner. It should monitor the overall risk environment in the
enterprise as well as make recommendations for corrective actions as appropriate.
While an enterprise risk management function may look similar to an internal audit
department, there are some key differences. Internal auditors review internal controls
and make recommendations for improvement but usually take no active role in helping
to implement those recommended changes, unless specifically engaged as internal
consultants. The effective enterprise risk management group, however, should take a
more proactive role in helping to implement the necessary corrective actions. This
often can be a challenging set of roles and tasks for enterprise risk analysts in an
enterprise.
Stakeholders at all levels need to be aware of some of the risks that the enterprise
is facing, the consequences of those risk exposures, and some of the steps they can
put in place to limit those risks. The following helps in building and implementing an
effective risk management culture in an enterprise:
Although the ERM group operates in a manner very similar to internal auditors, it
should identify significant areas in the enterprise with high likelihoods of risk
occurrence. It reviews the risk area and makes recommendations to lessen the risk
and improve surrounding internal controls. Its major responsibility is to create the
risk management review reports.
This group may also perform risk assessment reviews (RARs), which are also a
technique used by internal auditors. These reviews should examine key areas in the
enterprise and make recommendations for both improving internal controls and
reducing risk likelihoods. This type of review is not designed to compete with internal
audit review activities but to improve the risk environment and enhance internal
controls.
The RAR process should proceed in a manner similar to the process of planning,
performing, and reporting the results of internal audits. The RAR report that results
from the review looks much like an audit report released by internal audit, with
findings and recommendations.
• COSO Enterprise Risk Management (Establishing Effective Governance, Risk and Compliance
Process) 2nd Edition – Robert R. Moeller (John Wiley & Sons, Inc.)
Let’s Check
Select the best answer from the choices provided.
2.) The following are the components in the event identification, except
A) Political Events
B) Social Factors
C) Organizational Structure
D) Natural Environmental Events
3.) One of the risk responses in the ERM Components is the risk acceptance, which
means
A) To do nothing
B) Taking up insurance policy
C) Split up the IT operations server center into two separate locations
D) To close a product line of business that produces the risk
4) The risk of data leakage in an industrial company is 75% most likely to happen, but
the impact of the data leakage is estimated to be around 35%. The risk score for this
specific risk is
A) 214%
B) 26.25%
C) 110%
D) 40%
9) One of the risk management phases is risk prioritization and response planning.
Which of the following is most likely the objective of this phase?
A) It aims to estimate the cost of the risk to come up with the risk remediation
decisions.
B) List all of the risks that may be encountered by the enterprise.
C) To check if controls to mitigate the risks are effective.
D) Compute the risk score based on its impact and likelihood.
Let’s Analyze
1.) Briefly discuss the differences between the COSO Internal Control and COSO
Enterprise Risk Management.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
2.) Although internal audit and ERM group works on a similar approach, there are still
differences with the scope of their work and function. List down the differences
between these two functions.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
In a Nutshell
Create a table that highlights your top learnings from Business Ethics, Corporate
Governance, Internal Control and Risk Management. See the template below.
Business Ethics | Corporate Governance | Internal Control | Risk Management
1.              |                      |                  |
2.              |                      |                  |
3.              |                      |                  |
Keywords Index
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Treadway Commission Report
Internal Control
Sarbanes-Oxley Act (SOX Act)
Risk Assessment
Enterprise Risk Management
Risk Analysis
Risk Treatment/Risk Response
Risk Mitigation
Risk Transfer/Sharing
Risk Appetite
COURSE SCHEDULE
ACTIVITY DUE DATE WHERE TO PASS
1. Students are expected to abide by and honor the code of conduct, and thus
all are exhorted to exercise self-management and self-regulation.
6. Students shall not allow anyone else to access their personal LMS account.
Students shall not post or share their answers, assignments or examinations with
others to further academic fraudulence online.
7. By enrolling in an OBD course, students agree to and abide by all the provisions of
the Online Code of Conduct, as well as all the requirements and protocols in
handling online courses.
Approved by: