Sim Acc 325

UNIVERSITY OF MINDANAO

College of Accounting Education

Program: BSA, BSIA, BSMA, BSAIS

Physically Distanced but Academically Engaged

Self-Instructional Manual (SIM) for


Self-Directed Learning (SDL)

Course/Subject: ACC 325


Governance, Business Ethics, Risk Management, and Internal
Control

Name of Author: JENNYLEN D. POSAS/ PHOEBELYN V. ACDOG

THIS SIM/SDL MANUAL IS A DRAFT VERSION ONLY; NOT FOR REPRODUCTION AND DISTRIBUTION OUTSIDE OF ITS INTENDED USE. THIS IS INTENDED ONLY FOR THE USE OF THE STUDENTS WHO ARE OFFICIALLY ENROLLED IN THE COURSE/SUBJECT. EXPECT REVISIONS OF THE MANUAL.
College of Accounting Education
3F, Business & Engineering Building
Matina, Davao City
Phone No.: (082)300-5456 Local 137

Table of Contents
BUSINESS ETHICS
Week 1-3 : Big Picture in Focus: ............................................................................. 5
ULO a. Explain the concept of business ethics. .................................................... 5
Metalanguage........................................................................................................................ 5
Essential Knowledge .............................................................................................................. 5
Self-Help:............................................................................................................................. 12
Let's Check........................................................................................................................... 12
Let's Analyze ........................................................................................................................ 14
In a Nutshell ........................................................................................................................ 17
Question & Answer .............................................................................................................. 18
Keywords Index ................................................................................................................... 18
Big Picture in Focus: ULOb (Theory). Discuss the Information Systems Audit
Standards, Guidelines and Code of Ethics .......................................................... 19
Metalanguage...................................................................................................................... 19
Essential Knowledge ............................................................................................................ 20
Self-Help: You can also refer to the sources below to help you further understand the lesson: ...... 29
Let’s Check........................................................................................................................... 29
Let’s Analyze........................................................................................................................ 30
In A Nutshell ........................................................................................................................ 30
Question & Answer .............................................................................................................. 31
Keywords Index ................................................................................................................... 31
COURSE SCHEDULE ............................................................................................. 31
Week 4-5 Big Picture in Focus: ............................................................................. 32
ULO a. Analyze the Information Systems Auditing Processes .......................... 32
Metalanguage...................................................................................................................... 32
Essential Knowledge ............................................................................................................ 33
Self-Help:............................................................................................................................. 37
Let’s Check........................................................................................................................... 38
Let’s Analyze........................................................................................................................ 38


In a Nutshell ........................................................................................................................ 39
Question & Answer .............................................................................................................. 40
Keywords Index ................................................................................................................... 40
Big Picture in Focus: ............................................................................................. 41
ULO B. Discuss the types of Business Process Applications, its controls and
what are the roles of an IS Auditor on each applications. .................................. 41
Metalanguage...................................................................................................................... 41
Essential Knowledge ............................................................................................................ 41
Self-Help:............................................................................................................................. 55
Let’s Check........................................................................................................................... 56
In a Nutshell ........................................................................................................................ 57
Keywords Index ................................................................................................................... 58
COURSE SCHEDULE ............................................................................................. 58
Week 6-7: Big Picture in Focus: ............................................................................ 59
ULO a. Discuss the internal controls in a business ruled by Information
Systems. ................................................................................................................. 59
Metalanguage...................................................................................................................... 59
Essential Knowledge ............................................................................................................ 60
Big Picture in Focus: ............................................................................................. 64
ULO b. Explain the types of audits and the process of assessments ............... 64
Metalanguage and Essential Knowledge ............................................................................... 64
Self-Help............................................................................................................................ 65
Let’s Check – ULO A and B .................................................................................................... 66
Let’s Analyze – ULO A and B ................................................................................................. 67
Big Picture in Focus: ............................................................................................. 68
ULO c. Discuss the concept of Corporate Governance and understand the
different roles in relation to corporate governance ............................................ 68
Metalanguage...................................................................................................................... 68
Essential Knowledge ............................................................................................................ 68
Self-Help.............................................................................................................................. 78
Let’s Analyze – ULO C ........................................................................................................... 78
In a Nutshell ........................................................................................................................ 79
Question & Answer .............................................................................................................. 79


Keywords Index ................................................................................................................... 79


COURSE SCHEDULE ............................................................................................. 80
Week 8-9 Big Picture in Focus: ............................................................................. 81
ULO a. Discuss the concept of Internal Control Framework and introduction to
Risk Management, its phases and process. ........................................................ 81
Metalanguage...................................................................................................................... 81
Essential Knowledge ............................................................................................................ 81
Self-Help:............................................................................................................................. 89
Big Picture in Focus: ............................................................................................. 90
ULO b. Discuss thoroughly the ERM Framework and how the enterprise risk
management is implemented. ............................................................................... 90
Metalanguage...................................................................................................................... 90
Essential Knowledge ............................................................................................................ 90
Self-Help.............................................................................................................................. 99
Let’s Check......................................................................................................................... 100
Let’s Analyze...................................................................................................................... 101
In a Nutshell ...................................................................................................................... 102
Question & Answer ............................................................................................................ 103
Keywords Index ................................................................................................................. 103
COURSE SCHEDULE ........................................................................................... 103
Online Code of Conduct ...................................................................................... 104


Week 1-3: Unit Learning Outcomes (ULO): at the end of the unit, you are expected to
A. Explain the concept of business ethics.
B. Discuss the Information Systems Audit Standards, Guidelines and Code of Ethics

Week 1-3 : Big Picture in Focus:


ULO a. Explain the concept of business ethics.

Metalanguage

The ability to foresee and deal with ethical issues has become an essential
topic in the world of business. You will encounter the following terminologies as you
a. Business ethics comprises organizational principles, values, and norms that
may originate from individuals, corporate statements, or from the legal system
that primarily guide individual and group behavior in business.
b. Ethical Issues
c. Ethical Dilemma
d. Morals refer to a person's personal philosophies about what is right or wrong.
e. Principles are specific and pervasive boundaries for behavior that should not
be violated.
f. Values are enduring beliefs and ideals that are socially enforced.

Essential Knowledge
Business Ethics
In recent years, a series of so-called corporate scandals has bombarded the business community. The deceits and frauds committed by no less than the top management of these companies created public outrage and distrust in business. As a result, the public demanded improved business ethics, greater corporate responsibility, and laws to protect the financially innocent.
Business decisions must be integrated with ethical considerations. Ethical issues can make or break a business, and leaving ethics out of the decision-making process may destroy the trust of the public. Making the right ethical decisions is as essential to business success as learning management, marketing, finance, and accounting. Decisions with a moral component are an everyday occurrence, requiring people to identify the issues and make quick decisions.
The terms morals, principles, values, and ethics are often used interchangeably in business. Morals pertain to an individual's philosophies or values of right and wrong. Principles, on the other hand, are sometimes the source of rules, like


human rights and freedom of speech. Meanwhile, a company's values are frequently defined by its best practices. The company's stakeholders frequently determine whether an action or standard is ethical or unethical. Teamwork, trust, and integrity are the standard ethical values practiced by organizations today.

Why Study Business Ethics?


Business ethics has become a significant concern in business today. Business ethics mirrors the standards a company applies when conducting transactions. It adds a line of defense to protect the company, enables company growth, saves money, and helps people avoid specific legal consequences. Without it, the networks that companies need to build become harder to establish: businesses will not want to be associated with a company known for weak business ethics. Poor business ethics looks bad for business, and it costs a great deal to erase the bad publicity suffered by the company. Good relationships with stakeholders begin to melt away, and the company has to spend on a more robust advertising campaign to clean up the public relations crisis.
One of the best reasons for studying business ethics is to know how to defend yourself. Knowledge of business ethics is one of a company's most reliable controls: establishing in advance which business ethics your company will adopt is the best control against bad publicity. Besides, specific legal regulations apply to every organization. If there is a violation, then indictments, trials, and long prison sentences may be the only options left for unethical owners and employees. Recent studies have shown that the public no longer accepts the idea that business is amoral, and that people now hold companies to some standard of social responsibility.
Listed below are the reasons for studying business ethics:
1. Business ethics is more than an extension of an individual's own personal
ethics.
2. Professionals in any field, including business, must deal with individuals'
personal moral dilemmas because such dilemmas affect everyone's ability
to function on the job.
3. Just being a good person and having sound personal values may not be
sufficient to handle the ethical issues that arise in a business organization.
4. Some approaches to business ethics assume ethics training is for people
whose personal moral development is unacceptable.
5. Many people with limited business experience suddenly find themselves
making decisions about product quality, advertising, pricing, sales
techniques, hiring practices, and pollution control.
6. Studying business ethics will help you begin to identify ethical issues when
they arise and recognize the approaches available for resolving them.


The Benefits of Business Ethics


Issues in business ethics continue to transform quickly as more business organizations acknowledge their importance to business growth. Both research and examples from the business world demonstrate that building an ethical reputation among employees, customers, and the general public pays off. Figure 1 provides an overview of the relationship between business ethics and organizational performance.

Figure 1. The Role of Organizational Ethics in Performance (Source: Ferrell, Fraedrich, and Ferrell, 2019)

According to Ferrell, Fraedrich, and Ferrell (2019), ethics contributes to the following:

1. Employee Commitment

Employees will give their commitment to the organization if they believe that their future is tied to it, especially if the employer is dedicated to taking care of its employees. Issues that foster the development of an ethical culture for employees include the absence of abusive behavior, a safe work environment, competitive salaries, and the fulfillment of all contractual obligations toward employees. An ethics and compliance program can support values and appropriate conduct. Social programs that improve the ethical culture range from work-family programs to stock ownership plans to community service.
2. Investor Loyalty

Ethical conduct results in shareholder loyalty and contributes to success that supports even broader social causes and concerns. Investors today are increasingly concerned about the ethics and social responsibility that create the reputation of the companies in which they invest, and various socially


responsible mutual funds and asset management firms help investors purchase
stock in ethical companies. Investors also recognize that an ethical culture
provides a foundation for efficiency, productivity, and profits. Investors know,
too, that negative publicity, lawsuits, and fines can lower stock prices, diminish
customer loyalty, and threaten a company's long-term viability. Many
companies accused of misconduct experienced dramatic declines in the value
of their stock when concerned investors divested.

3. Customer Satisfaction
It is generally accepted that customer satisfaction is one of the most important
factors in a successful business strategy. Although a company continues to
develop and adapt products to keep pace with customers' changing desires and
preferences, it must also develop long-term relationships with its customers and
stakeholders. As mentioned earlier, high levels of perceived corporate
misconduct decrease customer trust. On the other hand, companies viewed as
socially responsible increase customer trust and satisfaction.

For most businesses, both repeat purchases and an enduring relationship of mutual respect and cooperation with customers are essential for success. By
focusing on customer satisfaction, a company continually deepens the
customer's dependence on the company, and as the customer's confidence
grows, the firm gains a better understanding of how to serve the customer so
the relationship may endure. Successful businesses provide an opportunity for
customer feedback that engages the customer in cooperative problem solving.
As is often pointed out, a happy customer will come back, but disgruntled
customers will tell others about their dissatisfaction with a company and
discourage friends from dealing with it.

4. Profit

A company cannot nurture and develop an ethical culture unless it has achieved
adequate financial performance in terms of profits. Businesses with greater
resources—regardless of their staff size—have the means to be ethical and
practice social responsibility while serving their customers, valuing their
employees, and contributing to society. Ethical conduct toward customers
builds a strong competitive position shown to positively affect business
performance and product innovation. Some dimensions of ethical culture have
been found to create innovativeness that is directly related to performance.
Recognizing Ethical Issues

Every business situation and relationship could generate ethical issues. The challenge, however, is that ethical issues are hard to recognize, and this poses great danger to any organization. Some issues are difficult to recognize because they are gray areas that are hard to navigate. For example, is accepting a small gift from a supplier unethical? Employees may engage in questionable behaviors because they are trying to achieve firm objectives related to sales or earnings. Our personal or moral issues are easier to define and control. The complexity of the work environment, however,


makes it harder to become aware of, define, and reduce ethical issues. Table 2 lists specific ethical issues identified by employees in the National Business Ethics Survey (NBES).

Table 2. Specific Types of Observed Misconduct

Foundation Values for Identifying Ethical Issues

In almost any organizational decision, ethical issues will arise. These issues can be evaluated by understanding the foundational values of integrity, honesty, and fairness. It is just as important to emphasize appropriate conduct associated with these values as it is to discover inappropriate conduct.

1. Integrity

Integrity is one of the most important and oft-cited elements of virtue, and also the most confusing. It refers to being whole, sound, and in perfect condition. While it is sometimes used almost as a synonym for 'moral,' there are times when a person acting with integrity may in fact act immorally, and some people do not know that they are acting immorally. Thus, one may acknowledge a person to have integrity even though that person may hold what one thinks are importantly mistaken moral views.


Integrity relates to product quality, open communication, transparency, and relationships. All activities, not just business ones, must consider the value of integrity. Management practices are the underlying foundation for organizational integrity. Whether it is a commitment to good customer service or fair employment practices, a business's reputation can be tarnished by unresolved service or product issues.

2. Honesty

Running a business that takes pride in being ethical and socially responsible is a challenge, and many companies end up cutting more than a few corners in the name of profit. If you dig deeper into those companies, you will probably find that honesty is not prized as an important characteristic. However, it is nearly impossible for a business to build trust if honesty is not a guiding principle in how that company handles every aspect of its work process. In business, honesty is not only about doing things the right way; it is also about expressing the values on which the company is founded.

Honesty refers to truthfulness or trustworthiness. To be honest is to tell the truth to the best of your knowledge without hiding anything. Honesty is a key characteristic of a business because it sets the tone for the kind of work culture that you want to create, provides consistency in workplace behavior, and builds loyalty and trust in customers and prospects.

Issues related to honesty also arise because business is sometimes regarded as a game governed by its own rules rather than those of society as a whole. Author Eric Beversluis suggests honesty is a problem because people often reason along these lines:

1. Business relationships are a subset of human relationships governed by their own rules that in a market society involve competition, profit maximization, and personal advancement within the organization.
2. Business can therefore be considered a game people play, comparable in
certain respects to competitive sports such as basketball or boxing.
3. Ordinary ethics rules and morality do not hold in games like basketball or
boxing. (What if a basketball player did unto others as he would have them
do unto him? What if a boxer decided it was wrong to try to injure another
person?)
4. Logically, then, if business is a game like basketball or boxing, ordinary
ethical rules do not apply.

3. Fairness
Fairness is the quality of being just, equitable, and impartial. Fairness clearly
overlaps with the concepts of justice, equity, and equality. Three fundamental
elements motivate people to be fair: equality, reciprocity, and optimization. In
the context of business firms, fairness is the application of the same rules,


standards, and criteria in similar situations. The purpose is to minimize biases in making decisions.

Ethical Issues and Dilemmas in Business

Ferrell et al. (2019) define an ethical issue as a problem, situation, or opportunity that requires an individual or organization to select among several actions that must be evaluated as right or wrong, ethical or unethical. For example, is giving a gift to a government official ethical or not?

On the other hand, an ethical dilemma is a problem, situation, or opportunity that requires an individual, group, or organization to choose among several actions that all have adverse outcomes. There are no right or ethical choices in a dilemma, only less unethical or illegal choices as perceived by all stakeholders. For instance, to provide food for his family, an employee may have to choose between using company resources to conduct personal business and receiving a bribe from the company's suppliers.

• Misuse of Company Time and Resources
1. Late arrival
2. Going out early
3. Using the company's computer for personal business
4. Excessive socializing with fellow employees

• Lying
1. Commission Lying
Commission lying happens when someone tells you something that is not true. Basically, when someone tells a lie of commission, they take the truth and twist it to create a version of something that happened.

2. Omission Lying
Lying by omission is when a person leaves out important information or fails to correct a pre-existing misconception in order to hide the truth from others. The best example is when a company intentionally does not disclose a hidden defect to its customers.
• Conflicts of Interest

A conflict of interest arises when the interest of a person is not in the best interest of another person or organization. It exists when an individual or organization must choose whether to advance their own interests or those of some other group. For example, management conceals the company's losses to maintain the market value of its stock.

A conflict of interest can also exist when a person reports to two or more different individuals or organizations whose needs are at odds with each other. In this case, serving one individual or group will injure the other.

• Bribery


In the business world, bribery is a term you will hear often. Bribery happens when a person gives money or gifts to someone to convince them to make favorable and biased decisions for business gain. The key issue in deciding whether something is considered bribery is whether it is used to gain an advantage in a relationship.

Related to the ethics of bribery is the concept of active corruption or active bribery,
meaning the person who promises or gives the bribe commits the offense. Passive
bribery is an offense committed by the official who receives the bribe. It is not an
offense, however, if the advantage was permitted or required by the written law or
regulation of the foreign public official's country, including case law.

Types of Bribery

1. Lubrication
Giving a small amount of cash to a low-ranking person to speed up the execution of a task.

2. Subornation
Subornation generally involves giving large sums of money, frequently not properly accounted for. It is designed to entice an official to commit an illegal act on behalf of the one offering the bribe.

3. Extortion
Involves using threats to obtain bribes or money.

Other ethical issues covered in this unit:
• Sexual Harassment
• Fraud
• Consumer Fraud
• Financial Misconduct
• Insider Trading
• Intellectual Property Rights
• Privacy Issues

Self-Help:
Ferrell, O.C., Fraedrich, J., and Ferrell, W. (2019). Business Ethics: Ethical Decision Making and Cases. Cengage Learning.
Stanberry, K. and Byars, S. (2018). Business Ethics.

Let's Check
After learning the metalanguage and essential knowledge, I need to evaluate your learning by having you answer the following:

Activity 1. Select the best answer


1. The study of business ethics is important to better understand all of the following except
A) that a person's own moral philosophies and decision-making experience may not be sufficient to guide him in the business world
B) how and why people make ethical and unethical decisions
C) that business ethics is merely an extension of an individual's own personal ethics
D) how to identify ethical issues arising in the business world

2. Which of the following is not generally considered a business ethics issue?
A) Insider trading
B) Abortion
C) Employee theft
D) Corruption

3. Andy, a purchasing manager, received an SUV from his friend Sony, who owns an auto spare parts business. Later, Andy approved the application of Sony's company to become their major supplier of spare parts. This case is an example of:
A) Lubrication
B) Extortion
C) Subornation
D) Deception
4. Individuals' personal ethics play a major role in the evaluation of business ethics decisions only when their value preferences
A) Differ from those of their employer
B) Are unethical
C) Are ethical
D) Result in negative publicity for their employer

5. An ethical dilemma can be defined as:
A) a problem, situation or opportunity that requires an individual, group or organization to choose among several actions that must be evaluated as right or wrong
B) when a hostile workplace environment is created in which employees feel bullied or threatened
C) what steps a company should take to repair its reputation through strategic philanthropy after receiving negative publicity
D) a problem, situation or opportunity that requires an individual, group or organization to choose among several wrong or unethical actions

6. Mr. Sony Delims, a manager of a dog food company, awarded the supplier contract to the company of his friend Frank. Sony knew from the start that Frank's raw materials had the lowest quality compared to the other bidders. This case is an ethical issue of
A) Honesty


B) Integrity
C) Fairness
D) Lying

7. What is one of the reasons it can be difficult to determine what is an ethical issue (versus something that is simply a problem)?
A) Everyone has their own personal ethics
B) Laws define what is ethical and unethical.
C) It is impossible to determine ethical issues
D) Problems can turn into ethical issues over time as societal values change

8. Optimization is the tradeoff between equity and:
A) efficiency
B) discrimination
C) honesty
D) reciprocity

9. _____________ are specific and pervasive boundaries for behavior that should
not be violated.
A) Moral
B) Values
C) Principles
D) Ethics
10. Debby leaving out major defects in the products she sells is an example of
A) Integrity
B) Omission lying
C) Commission lying
D) Fairness

Let's Analyze
Activity 1. Kindly answer the questions with a minimum of 5 sentences.
1. How does business ethics contribute to customer satisfaction? Give an example.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________

___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
2. Why is it important for business people to study business ethics?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
3. How does business ethics contribute to employee commitment? Give an example.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________

___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_________________________________________________________

In a Nutshell
After studying the concepts and terminologies of ULOa, you will synthesize your
learning about business ethics. The first two are done for you.
1. Recent incidents of unethical activity in business underscore the widespread need
for a better understanding of the factors that contribute to ethical and unethical
decisions.
2. Studying business ethics helps you begin to identify ethical issues and recognize
the approaches available to resolve them.

Your turn
3. ________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

4. ________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

5. ________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

Question & Answer
Do you have any questions or clarifications?
Questions/Issues Answers
1.
2.
3.
4.
5.

Keywords Index
• Business ethics
• Ethical Issue
• Ethical Dilemma
• Integrity
• Morals
• Principles
• Values
• Lying
• Bribery
• Fraud
• Honesty

Big Picture in Focus: ULOb (Theory). Discuss the Information Systems Audit
Standards, Guidelines and Code of Ethics

Metalanguage
Being an Information Systems Auditor requires compliance with the professional Code
of Ethics. Thus, it is necessary to read the following terminologies as you go over the
discussion proper.
1. Integrity – to be straightforward and honest in all professional and business
relationships.
2. Objectivity – to not allow bias, conflict of interest or undue influence of others
to override professional or business judgments.
3. Professional Competence and Due Care – to maintain professional
knowledge and skill at the level required to ensure that a client or employer
receives competent professional services based on current developments in
practice, legislation and techniques, and to act diligently in accordance with
applicable technical and professional standards.
4. Confidentiality – to respect the confidentiality of information acquired as a
result of professional and business relationships and, therefore, not disclose
any such information to third parties without proper and specific authority,
unless there is a legal or professional right or duty to disclose, nor use the
information for the personal advantage of the professional accountant or third
parties.
5. Professional Behavior – to comply with relevant laws and regulations and
avoid any action that discredits the profession.
6. Information Systems (IS) – a combination of strategic, managerial and
operational activities and related processes involved in gathering, processing,
storing, distributing and using information and its related technology.
7. International Ethics Standards Board for Accountants (IESBA) – an
independent standard-setting body that develops an internationally
appropriate Code of Ethics for Professional Accountants (the Code).
8. Information Technology (IT) – the hardware, software, communication and
other facilities used to input, store, process, transmit and output data in
whatever form.
9. Information Systems Audit and Control Association (ISACA) – an
international professional association focused on IT (Information Technology)
governance.
10. Information Technology Assurance Framework (ITAF) – a comprehensive and
good-practice-setting model that establishes standards that address IT audit and
assurance professional roles and responsibilities; knowledge and skills; and
diligence, conduct and reporting requirements.

Essential Knowledge
A.) FOR PROFESSIONAL ACCOUNTANTS
IFAC Code of Professional Ethics
The objective of the IESBA, as outlined in its Terms of Reference, is to serve
the public interest by setting high-quality ethics standards for professional
accountants. The IESBA's long-term objective is the convergence of the Code's ethical
standards for professional accountants, including auditor independence standards,
with those issued by regulators and national standard setters. Convergence to a single
set of rules can enhance the quality and consistency of services provided by
professional accountants throughout the world. It can improve the efficiency of global
capital markets.
The Code is divided into three parts.
1. Part A – General Application of the Code
Part A establishes the fundamental principles of professional ethics for
professional accountants and provides a conceptual framework that
professional accountants shall apply to:
(a) Identify threats to compliance with the fundamental principles;
(b) Evaluate the significance of the threats identified; and
(c) Apply safeguards, when necessary, to eliminate the threats or reduce
them to an acceptable level.
Safeguards are required when the professional accountant determines that
the threats are not at a level at which a reasonable and informed third party
would be likely to conclude, weighing all the specific facts and circumstances
available to the professional accountant at that time, that compliance with the
fundamental principles is not compromised.
A professional accountant shall use professional judgment in applying this
conceptual framework.

2. Part B – Professional Accountants in Public Practice
Describes how the conceptual framework applies to situations applicable to
professional accountants engaged in public practice.

3. Part C – Professional Accountants in Business
Describes how the conceptual framework applies to situations applicable to
professional accountants other than those who are engaged in public
practice.

The General Application of the Code


→ Fundamental Principles
A professional accountant shall comply with the following fundamental
principles:
1. Integrity (Section 110) – imposes an obligation on all professional accountants to
be straightforward and honest in all professional and business relationships.
Integrity also implies fair dealing and truthfulness.
2. Objectivity (Section 120) – professional accountants should not compromise their
professional or business judgment because of bias, conflict of interest, or the
undue influence of others.
3. Professional Competence and Due Care (Section 130) – professional
accountants should (1) maintain professional knowledge and skills at the level
required to ensure that clients or employers receive competent professional service
and (2) act diligently in accordance with applicable technical and professional
standards when providing professional services.
4. Confidentiality (Section 140) – professional accountants should refrain from:
4.1. Disclosing outside the firm or employing organization confidential
information acquired during the conduct of an engagement or function without
proper and specific authority, unless there is a legal or professional right or
duty to disclose; and
4.2. Using confidential information acquired as a result of professional and
business relationships to their personal advantage or the advantage of third
parties.
5. Professional Behavior (Section 150) – professional accountants should comply
with relevant laws and regulations. They should be honest and truthful and not (1)
make exaggerated claims about the qualifications they possess or the experience
they have gained, or (2) make disparaging references or false comparisons to the
work of others.

→ Conceptual Framework Approach

Threats to compliance with the fundamental principles are unique to every situation in
which professional accountants operate. The problem is that it is difficult to define every
situation that creates threats to compliance with the fundamental principles and the
appropriate action to be taken, because the nature of the engagement differs in each
case. Therefore, professional accountants are required to identify, evaluate, and address
threats to compliance with the fundamental principles. The conceptual framework
approach guides professional accountants in complying with the ethical requirements of
this Code and in meeting their responsibility to act in the public interest. It
accommodates the many variations in circumstances that create threats to compliance
with the fundamental principles. Also, it can prevent a professional accountant from
concluding that a situation is permissible merely because it is not specifically prohibited.

→ Threats and Safeguards

Threats may be created by a wide range of relationships and circumstances.
When a relationship or circumstance creates a threat, such a threat could compromise,
or could be perceived to compromise, a professional accountant's compliance with the
fundamental principles. A circumstance or relationship may create more than one
threat, and a threat may affect compliance with more than one fundamental principle.
Threats fall into one or more of the following categories:

a. Self-interest threat – the threat that a financial or other interest will
inappropriately influence the professional accountant's judgment or behavior.
For example, a member of the audit team has a direct ownership interest in the
audit client.

b. Self-review threat – the threat that a professional accountant will not
appropriately evaluate the results of a previous judgment made or service
performed by the professional accountant, or by another individual within the
professional accountant's firm or employing organization, on which the
accountant will rely when forming a judgment as part of providing a current
service.
For example, a member of the audit team is a former employee of the audit
client who held a position that exerted significant influence over the area under
review.

c. Advocacy threat – the threat that a professional accountant will promote a
client's or employer's position to the point that the professional accountant's
objectivity is compromised.
For example, the audit firm promotes the stocks of the audit client.

d. Familiarity threat – the threat that, due to a long or close relationship with a
client or employer, a professional accountant will be too sympathetic to their
interests or too accepting of their work.
For example, a member of the audit team has an immediate family member who
is an officer of the audit client.

e. Intimidation threat – the threat that a professional accountant will be deterred
from acting objectively because of actual or perceived pressures, including
attempts to exercise undue influence over the professional accountant.
For example, the audit client threatens the audit firm with litigation.

On the other hand, safeguards are actions or other measures that may eliminate
threats or reduce them to an acceptable level. They fall into two broad categories:
a. Safeguards created by the profession, legislation, or regulation.
b. Safeguards in the work environment.
For example, the policies and procedures of the audit firm to implement and
monitor the quality of the engagement.

B.) FOR PROFESSIONAL INFORMATION SYSTEMS AUDITORS

ISACA Information Systems Audit and Assurance Standards
→ These define mandatory requirements for IS auditing and reporting and inform a
variety of audiences of critical information. The audiences for these standards are (1)
IS auditors, (2) the company’s management and other interested parties, and (3)
holders of the CISA designation.
These standards have multiple levels of documents:
• Standards define mandatory requirements for IS audit and assurance and
reporting.
• Guidelines provide guidance in applying the IS audit and assurance standards.
These should be considered in determining how to implement the standards
mentioned above, in using professional judgment in their application, and in
justifying any departure from the standards.
• Tools and techniques provide information on how to meet the standards
when completing IS auditing work, but they do not set requirements.

The IS Audit and Assurance Standards are divided into three categories:
• General – provides the guiding principles under which the IS assurance profession
operates. This applies to the IS auditor’s ethics, independence, objectivity and due
care, knowledge, competency and skills.
• Performance – refers to the actual process, from planning, scoping, risk and
materiality, resource mobilization, supervision and assignment management, and
audit and assurance evidence, to the exercise of professional judgment and due
care.
• Reporting – the types of reports, means of communication and the information
communicated.

PART A : GENERAL
1001 Audit Charter – Documentation of the audit function indicating its purpose,
responsibility, authority and accountability. The audit charter is agreed upon and
approved at an appropriate level within the enterprise.
1002 Organizational Independence – The IS audit and assurance function shall be
independent of the area or activity being reviewed.
1003 Professional Independence – The professional shall be independent and
objective in both attitude and appearance in all matters related to the audit and
assurance engagements.
1004 Reasonable Expectation – There is a reasonable expectation that the
engagement can be completed in accordance with the standards and will result in a
professional opinion or conclusion. The scope of the engagement enables a
conclusion on the subject matter and addresses any restrictions. There is a
reasonable expectation that management understands its obligations and
responsibilities with respect to the provision of appropriate, relevant and timely
information required to perform the engagement.
1005 Due Professional Care – The professional shall exercise due professional care,
including observance of applicable professional audit standards, in planning,
performing and reporting on the results of engagements.
1006 Proficiency – The professional possesses adequate skills and proficiency in
conducting IS audit and assurance engagements and is professionally competent to
perform the work required. The professional has adequate knowledge of the subject
matter and maintains competence through appropriate continuing professional
education and training.
1007 Assertions – The professional shall review the assertions against which the
subject matter will be assessed to determine that such assertions are capable of
being audited and that the assertions are sufficient, valid and relevant.
1008 Criteria – The professional shall select criteria, against which the subject matter
will be assessed, that are objective, complete, relevant, measurable, understandable,
widely recognized, authoritative and understood by, or available to, all readers and
users of the IS audit and assurance report. The professional shall consider the
source of the criteria and focus on those issued by relevant authoritative bodies
before accepting lesser-known criteria.

PART B : PERFORMANCE
1201 Engagement Planning – The professional shall plan each IS audit and assurance
engagement to address:
- Objectives, scope, timeline and deliverables
- Compliance with applicable laws and professional auditing standards
- Use of a risk-based approach, where appropriate
- Engagement-specific issues
- Documentation and reporting requirements
The professional shall develop and document a project plan describing the:
- Engagement nature, objectives, timeline and resource requirements
- Timing and extent of audit procedures to complete the engagement

1202 Risk Assessment in Planning – The IS audit and assurance function shall use an
appropriate risk assessment approach and supporting methodology to develop the
overall IS audit plan and determine priorities for the effective allocation of IS audit
resources. The professional shall identify and assess risk relevant to the area under
review when planning individual engagements, and shall consider subject matter
risk, audit risk and the related exposure to the enterprise.
1203 Performance and Supervision – The professional shall conduct the work in
accordance with the approved IS audit plan to cover identified risk and within the
agreed-on schedule, and shall provide supervision to the IS audit staff for whom they
have supervisory responsibility. He/she should accept only tasks that are within
their knowledge and skills, or for which they have a reasonable expectation of either
acquiring the skills during the engagement or achieving the task under supervision.
He/she should obtain sufficient and appropriate evidence to achieve the audit
objectives; the audit findings and conclusions shall be supported by appropriate
analysis and interpretation of this evidence. The professional shall document the
audit process, describing the audit work and the audit evidence that supports the
findings and conclusions, and shall identify and conclude on findings.

1204 Materiality – The IS audit and assurance professional shall consider potential
weaknesses or absences of controls while planning an engagement, and whether
such weaknesses or absences of controls could result in a significant deficiency or a
material weakness. He/she shall consider materiality and its relationship to audit
risk while determining the nature, timing and extent of audit procedures. The
cumulative effect of minor control deficiencies or weaknesses, and whether the
absence of controls translates into a significant deficiency or a material weakness,
should be considered. The following are disclosed in the report:
- Absence of controls or ineffective controls
- Significance of the control deficiency
- Probability of these weaknesses resulting in a significant deficiency or material
weakness
1205 Evidence – The IS audit and assurance professional shall obtain sufficient and
appropriate evidence to draw reasonable conclusions on which to base the
engagement results, and shall evaluate the sufficiency of the evidence obtained to
support conclusions and achieve engagement objectives.
1206 Using the Work of Other Experts – Consider using the work of other experts for
the engagement, where appropriate. Assess and approve the adequacy of the other
experts’ professional qualifications, competencies, relevant experience, resources,
independence and quality control processes prior to the engagement. Assess,
review and evaluate the work of other experts as part of the engagement and
document the conclusion on the extent of use and reliance on their work.
Determine whether the work of other experts, who are not part of the engagement
team, is adequate and complete to conclude on the current engagement objectives,
and clearly document the conclusion. Determine whether the work of other experts
will be relied on and incorporated directly or referred to separately in the report.
Apply additional test procedures to gain sufficient and appropriate evidence in
circumstances where the work of other experts does not provide sufficient and
appropriate evidence. Provide an appropriate audit opinion or conclusion and
include any scope limitation where required evidence is not obtained through
additional test procedures.

1207 Irregularity and Illegal Acts – Consider the risk of irregularities and illegal acts
during the engagement. Maintain an attitude of professional skepticism during the
engagement. Document and communicate any material irregularities or illegal acts
to the appropriate party in a timely manner.

PART C : REPORTING
1401 Reporting – The IS audit and assurance professional shall provide a report to
communicate the results upon completion of the engagement, including:
- Identification of the enterprise, the intended recipients and any restrictions on
content and circulation
- Scope, engagement objectives, period of coverage and the nature, timing and
extent of the work performed
- The findings, conclusions and recommendations
- Any qualifications or limitations in scope that the IS audit and assurance
professional has with respect to the engagement
- Signature, date and distribution according to the terms of the audit charter or
engagement letter
The professional shall ensure that the audit findings in the audit report are
supported by sufficient and appropriate evidence.
1402 Follow-up Activities – Monitor relevant information to conclude whether
management has planned or taken appropriate, timely action to address reported
audit findings and recommendations.

IS Audit and Assurance Guidelines

These provide guidance and additional information on how to comply with the ISACA
IS Audit and Assurance Standards. The Information Systems Auditor should consider
them in implementing the ISACA Audit and Assurance Standards, use professional
judgment in applying them to audits, and be able to justify any departure from the
ISACA Audit and Assurance Standards.

Code of Professional Ethics

The Information Systems auditor, ISACA members and certification holders shall:
1. Support the implementation of and encourage compliance with appropriate
standards and procedures for the effective governance and management of
enterprise information systems and technology, including audit, control,
security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in
accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining
high standards of conduct and character, and not discrediting their profession
or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course
of their activities unless disclosure is required by legal authority. Such
information shall not be used for personal benefit or released to inappropriate
parties.
5. Maintain competency in their respective fields and agree to undertake only
those activities they can reasonably expect to complete with the necessary
skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the
disclosure of all significant facts known to them that, if not disclosed, may
distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their
understanding of the governance and management of enterprise information
systems and technology, including audit, control, security and risk
management.

Self-Help: You can also refer to the sources below to help you further understand the
lesson:
ISACA 27TH Edition – Certified Information Systems Auditor (CISA) Review Manual
IESBA (2013). Handbook of the Code of Ethics for Professional Accountants 2013
edition. IFAC.

Let’s Check
Identify the correct answer.

__________ 1. To maintain professional knowledge and skill at the level required to ensure that a
client or employer receives competent professional services based on current developments in
practice, legislation and techniques and act diligently and following applicable technical and
professional standards.

__________ 2. To not allow bias, conflict of interest or undue influence of others to override
professional or business judgments.

__________ 3. To respect the confidentiality of information acquired as a result of professional and
business relationships and, therefore, not disclose any such information to third parties without
proper and specific authority, unless there is a legal or professional right or duty to disclose, nor use
the information for the personal advantage of the professional accountant or third parties.

__________ 4. To be straightforward and honest in all professional and business relationships.

__________ 5. To comply with relevant laws and regulations and avoid any action that discredits the
profession.

Let’s Analyze
Research an ethical dilemma case relating to Information Systems. Create a case
study and discuss the factors of the case. Kindly provide a recommendation for the
case. Please follow the formal format of a case study, which will be provided in the LMS.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________

In A Nutshell
Kindly read “Whatever Happened to Information Systems Ethics? Caught between the
Devil and the Deep Blue Sea” by Frances Bell and Alison Adam. You can access the
reading via this link: https://link.springer.com/content/pdf/10.1007/1-4020-8095-6_10.pdf
After reading the material, create a three-paragraph reflection paper.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_____________________

Question & Answer
Do you have any questions or clarifications?
Questions/Issues Answers
1.
2.
3.
4.
5.

Keywords Index
• Integrity
• Objectivity
• Professional Competence and Due Care
• Confidentiality
• Professional Behavior
• Information Systems
• International Ethics Standards Board for Accountants (IESBA)
• Information Technology
• Information System Audit and Control Association (ISACA)
• Information Technology Assurance Framework (ITAF)

COURSE SCHEDULE
ACTIVITY | DUE DATE | WHERE TO PASS
Week 1-3: ULOa – Let’s Check | | BlackBoard LMS
Week 1-3: ULOa – Let’s Analyze | | BlackBoard LMS
Week 1-3: ULOa – In A Nutshell | | BlackBoard LMS
Week 1-3: ULOb – Let’s Check | | BlackBoard LMS
Week 1-3: ULOb – Let’s Analyze | | BlackBoard LMS
Week 1-3: ULOb – In A Nutshell | | BlackBoard LMS
FIRST FORMATIVE ASSESSMENT | January 29, 2021 | BlackBoard LMS

Week 4 - 5: Unit Learning Outcomes (ULO): at the end of the unit, you are expected to
A. Analyze the Information Systems Auditing Processes
B. Discuss the types of business process applications, their controls, and the roles of an IS auditor for each application

Week 4-5 Big Picture in Focus:
ULO a. Analyze the Information Systems Auditing Processes

Metalanguage
In the previous topics, you learned about business ethics, the types of business issues, and the codes of professional ethics for both professional accountants and information systems auditors. In this section, you will learn more about the information systems auditing process. This section is also aligned with ISACA’s CISA requirements, so it will help build your foundation in IS auditing.
The terms below will help you understand the discussion within this section.
Information – refers to data that have a meaning within a context. It could be raw data or data manipulated through addition, subtraction, division, or any other operation that leads to a greater understanding of a situation.
Information System – the combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies.
Information Technology – refers to the technologies that collectively facilitate the construction and maintenance of information systems.
Information Systems Audit – refers to the examination of the management controls within an information technology (IT) infrastructure, its policies and its operations.
Information Systems Auditor – refers to the person responsible for performing the IS audit.
Certified Information Systems Auditor (CISA) – refers to a designation issued by the Information Systems Audit and Control Association (ISACA) to a person who performs IS audits. The designation is the global standard for professionals who have a career in information systems, in particular auditing, control, and security. CISA holders demonstrate to employers that they have the knowledge, technical skills, and proficiency to meet the dynamic challenges facing modern organizations.


Essential Knowledge
Information is considered an asset of an organization, and thus it always needs to be secured by the organization, whether it is at rest or in transit.
Aside from the responsibility of management to ensure the security of information, an IS auditor also helps through the evaluation of the controls in place over the IT infrastructure management, including its respective policies and operations.

THE IS INTERNAL AUDIT FUNCTION
The audit charter, which is approved by the board of directors and the audit committee (or senior management, if there is no audit committee), documents the role of the IS internal audit function.
Audit Charter – an overarching document that should cover the entire scope of audit activities in an entity. It should clearly state management’s responsibility and objectives for, and delegation of authority to, the IS audit function, and it should contain the responsibility, authority and accountability of the IS audit function.
The audit charter differs from the engagement letter in that the latter is focused on a particular audit exercise that is to be initiated in an organization with a specific objective in mind.
An IS audit can be part of internal audit as an independent group, or it can be integrated within a financial and operational audit to provide IT-related control assurance to the financial or management auditors. Please note that the IS audit function should be independent and should report to an audit committee.

MANAGEMENT OF THE IS AUDIT FUNCTION
An IS audit function should be well managed to ensure that the diverse tasks performed and achieved by the audit team fulfill the audit function’s objectives while preserving audit independence and competence. It should also add value to senior management in the efficient management of IT and the achievement of business objectives.
IS Audit Resource Management
It is important that IS auditors maintain their competency by updating existing skills and obtaining training in new audit techniques and technological areas.
The IS auditor must be technically competent, having the skills and knowledge necessary to perform audit work. When planning an audit and assigning staff, skills and knowledge should be considered.


Best practice is to draw up a staff training plan for the year based on the organization’s direction in terms of technology and the related risk that needs to be addressed. IS audit management should also provide the necessary IT resources to properly perform IS audits of a highly specialized nature (e.g., tools, methodology, work programs).

AUDIT PLANNING
This is conducted at the beginning of the audit process to establish the overall audit strategy and to detail the specific procedures to be carried out to implement the strategy and complete the audit.

An audit universe ideally lists all of the processes (or auditable units) that may be considered for audit. Each auditable unit is assessed based on its risk factors. Risk factors are those that influence the frequency and/or business impact of risk scenarios. The business process owners help in identifying risk factors. The topic of risk management will be discussed in the succeeding weeks.
To evaluate the risk factors, objective criteria are to be identified. Each of the risk factors is rated, for example:


Risk Rating Criteria

High – The risk identified is rated high if its impact results in damage to the reputation of the organization that will take more than six months to recover.
Medium/Moderate – The impact results in damage to the reputation of the organization that will take less than six months but more than three months to recover.
Low – The impact results in damage to the reputation of the organization that will take less than three months to recover.

The criteria above are an example of time-frame criteria; the actual criteria should be defined by the organization. Ideally, they should also be quantified in terms of the range of loss should the risk materialize.
The audit plan should be constructed for the areas/processes that are rated “high”. In practice, however, there are often insufficient resources to execute the plan. This analysis therefore helps top management decide whether to augment the existing audit resources or to accept the risk that some areas will not be audited.
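As an added example (not from the manual), the following Python script applies the time-frame criteria above together with a constructed loss-range criterion to a constructed audit universe, builds the plan from the units rated “high”, and reports the resource shortfall that management must either fund or accept. The loss thresholds, effort hours, the worst-factor aggregation rule, and the handling of the exact three- and six-month boundaries are assumptions.

```python
"""Risk-based audit planning over an audit universe (added example).

Assumptions (not from the manual): each auditable unit carries an estimated
reputation recovery time in months, an estimated maximum financial loss, and
the audit effort it would consume. Loss thresholds and effort figures are
constructed illustrations; the recovery-time thresholds follow the manual's
example criteria (more than six months: High, three to six months: Medium,
under three months: Low).
"""
from dataclasses import dataclass

RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    recovery_months: float   # time to recover reputation if the risk materialises
    max_loss: float          # estimated loss if the risk materialises (constructed scale)
    audit_hours: int         # effort needed to audit the unit (constructed)


def rate_recovery_time(months: float) -> str:
    """Time-frame criterion from the manual. The exact boundaries (3 and 6)
    are not defined there; this example treats them as the higher rating."""
    if months >= 6:
        return "High"
    if months >= 3:
        return "Medium"
    return "Low"


def rate_loss(max_loss: float, high_above: float, medium_above: float) -> str:
    """Loss-range criterion; the thresholds must be set by the organisation."""
    if max_loss > high_above:
        return "High"
    if max_loss > medium_above:
        return "Medium"
    return "Low"


def overall_rating(unit: AuditableUnit, high_above: float, medium_above: float) -> str:
    """Worst-of-factors rule: a unit is rated by its most severe factor
    (assumption: the manual does not prescribe an aggregation rule)."""
    ratings = (rate_recovery_time(unit.recovery_months),
               rate_loss(unit.max_loss, high_above, medium_above))
    return max(ratings, key=RATING_ORDER.__getitem__)


def build_audit_plan(units, available_hours, high_above, medium_above):
    """Select every 'High' unit into the plan (largest loss first) until the
    hours run out, then report the shortfall so management can decide to
    augment resources or accept the residual risk of the unaudited units."""
    rated = sorted(
        ((overall_rating(u, high_above, medium_above), u) for u in units),
        key=lambda ru: (-RATING_ORDER[ru[0]], -ru[1].max_loss),
    )
    plan, unaudited_high, hours_used = [], [], 0
    for rating, unit in rated:
        if rating != "High":
            continue
        if hours_used + unit.audit_hours <= available_hours:
            plan.append(unit.name)
            hours_used += unit.audit_hours
        else:
            unaudited_high.append(unit.name)
    required = sum(u.audit_hours for r, u in rated if r == "High")
    return {
        "ratings": {u.name: r for r, u in rated},
        "plan": plan,
        "hours_used": hours_used,
        "shortfall_hours": max(0, required - available_hours),
        "accepted_risk_units": unaudited_high,
    }


# Constructed audit universe for illustration.
UNIVERSE = [
    AuditableUnit("Payroll processing", recovery_months=8, max_loss=2_000_000, audit_hours=120),
    AuditableUnit("Customer web portal", recovery_months=4, max_loss=5_000_000, audit_hours=160),
    AuditableUnit("Inventory system", recovery_months=2, max_loss=300_000, audit_hours=80),
    AuditableUnit("HR records", recovery_months=5, max_loss=900_000, audit_hours=60),
]

if __name__ == "__main__":
    result = build_audit_plan(UNIVERSE, available_hours=200,
                              high_above=3_000_000, medium_above=500_000)
    for key, value in result.items():
        print(f"{key}: {value}")
```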
Individual Audit Assignments
Aside from the overall annual planning discussed above, each individual audit assignment must be adequately planned. Periodic risk assessments, changes in the application of technology, and evolving privacy issues and regulatory requirements may impact the audit approach along the way.
When performing audit execution, the IS auditor must understand the overall environment under review. This includes the types of information, information systems and technology supporting the activity. The regulatory environment in which the business operates should also be considered.

EFFECT OF LAWS AND REGULATIONS ON IS AUDIT PLANNING
Industry regulations can impact the way data are processed, transmitted and stored, and there are requirements to comply with, such as the implementation of controls over the use of data, its storage and its security.
There are two major areas of concern:
1. Legal requirements (i.e., laws, regulations and contractual agreements) placed on audit or IS audit
2. Legal requirements placed on the auditee and its systems, data management, reporting, etc.

The legal issues also impact the organization’s business operations in terms of compliance with ergonomic regulations.
The IS auditor should perform the following:
• Identify those government or other relevant external requirements dealing with:
o Electronic data, personal data, copyrights, ecommerce, esignatures, etc.
o IS practices and controls
o The manner in which computers, programs and data are stored
o The organization or the activities of information technology services
o IS audits
• Document applicable laws and regulations
• Assess if management and the IT function have considered the relevant external requirements in making plans, and in setting policies, standards and procedures as well as business application features.
• Review internal IT department/function/activity documents that address adherence to laws applicable to the industry.
• Determine adherence to established procedures that address these requirements.
• Determine if there are procedures in place to ensure contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities.

USING THE SERVICES OF OTHER AUDITORS AND EXPERTS
Due to the scarcity of IS auditors and the need for IT security specialists and other subject matter experts, the auditors entrusted with providing assurance may require the services of other auditors or experts. Outsourcing of IS assurance and security services is increasingly becoming a common practice.
External experts may be needed in specific technologies such as networking, ATMs, wireless, system integration and digital forensics, or subject matter experts in fields like banking, securities trading, insurance or law.
The following should be considered when there is a proposal to outsource a part or all of IS audit services:
• Restrictions on outsourcing of audit/security services provided by laws and regulations


• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence, qualifications and experience
• Scope of work proposed to be outsourced and approach
• Supervisory and audit management controls
• Method and modalities of communication of results of audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards

Based on the nature of the assignment, the following may also require special consideration:
• Testimonials/references and background checks
• Access to systems, premises and records
• Confidentiality restrictions to protect customer-related information
• Use of computer-assisted auditing techniques (CAATs) and other tools to be used by the external audit service provider
• Standards and methodologies for performance of work and documentation
• Nondisclosure agreements

Although audit work may be delegated to an external service provider, the related professional liability is not necessarily delegated. When employing the services of external service providers, the following should be done:
• Clearly communicate the audit objectives, scope and methodology through a formal engagement letter.
• Establish a monitoring process for regular review of the work done by the external service provider.
• Assess the usefulness and appropriateness of the reports of such external providers and assess the impact of significant findings on the overall audit objectives.

Self-Help: The reference used for this topic is the CISA (Certified Information Systems Auditor) Review Manual, 27th Edition – Domain 1 – Information Systems Auditing Process.


Let’s Check
Indicate the correct answer in the space provided for each item.
1. It is the documentation of the specific auditable unit/process with a specific objective in mind. _______________
2. Give one reason why there is a need to review an audit plan at periodic intervals. _______________________
3. It outlines the overall authority to perform an IS audit. ________________
4. __________ refers to the evaluation/examination of the management controls within an information technology (IT) infrastructure, policies and operations.
5. When conducting an IS audit, the regulations relating to the industry where the business belongs should cover: ____________________.

Let’s Analyze
Activity:
1. Why do you think there is a need for the company to establish its criteria for when a risk is rated high, medium or low?


2. Information is considered an asset of the company. Explain.


3. Elaborate, in your own words, the reasons for using another auditor’s or expert’s work.


In a Nutshell
Do you see yourself becoming an Information Systems Auditor?


Question & Answer
Questions/Issues | Answers
1. |
2. |
3. |

Keywords Index
• Information
• Information Systems Audit
• Information Technology
• Information System (IS)
• Information Systems Auditor
• Certified Information Systems Auditor (CISA)


Big Picture in Focus:
ULO B. Discuss the types of business process applications, their controls, and the roles of an IS auditor for each application.

Metalanguage
Application – a computer program or set of programs that performs the processing of records for a specific function.

Business Process Application – an application used to support the interrelated set of cross-functional activities or events that result in the delivery of a specific business process product or service to a customer.

Server – hardware that provides data to other computers over a local area network (LAN), a wide area network (WAN) or the internet. Types of servers include web servers, mail servers and file servers, among others.

Architecture – a description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives.

Legacy Systems – an old method, technology, computer system, or application program that is still being used.

Middleware – independent software and services that distributed business applications use to share computing resources across heterogeneous technologies.

Essential Knowledge
Now, let’s learn the different types of business process applications or environments that are adopted in organizations, and the controls needed for each type of process application. Knowing the types of business process applications and the minimum requirements for securing them will help you govern the organization well and ensure that the business values and strategic goals of the business are achieved. You have to understand the business structure and the current types of environment where transactions happen in order to know what to protect.

A business process control assurance involves evaluating controls at the process and activity levels. These controls may be a combination of management, programmed and manual controls. In addition to evaluating general controls that affect the processes, business process owner-specific controls are evaluated, such as establishing proper (1) segregation of duties, (2) periodic review and approval of access, and (3) application controls within the business process.

TYPES OF ENVIRONMENTS WHERE APPLICATION SYSTEMS MAY RESIDE

A. ECOMMERCE
Ecommerce is the buying and selling of goods online. Typically, a buyer purchases goods and services from a website and provides delivery and payment details, including transfers or payment orders. The website then gathers details about the customer (such as address, phone number and name) and offers other items that may be of interest.

Ecommerce uses technology to enhance the processes of commercial transactions among a company, its customers and its business partners. The technologies used include the internet, multimedia, web browsers, proprietary networks, ATMs and home banking, and the traditional approach to electronic data interchange (EDI).

Types of Ecommerce:
1. Business-to-business (B-to-B) – conducted between organizations.
2. Business-to-consumer (B-to-C) – conducted between an organization and its customers.
3. Consumer-to-consumer (C-to-C) – conducted between customers, primarily using a third-party platform.
4. Consumer-to-business (C-to-B) – conducted between a consumer and a business. Consumers sell their products or services to a business.
5. Business-to-government (B-to-G) – conducted between an organization and a public administration where the governmental organization promotes awareness and growth of ecommerce. In addition to public procurement, administrations may also offer the option of electronic interchange for such transactions as VAT returns and the payment of corporate taxes.
6. Consumer-to-government (C-to-G) – conducted between a consumer and a public administration or government. An example is electronic tax filing.

With this type of business environment, the following are the typical ecommerce architectures:
• Single-tier architecture is a client-based application running on a single computer.
• Two-tier architecture is composed of the client and a server.
• Three-tier architecture
o Presentation tier – displays information that users can access directly, such as a web page or an operating system’s (OS’s) graphical user interface. This user interface is often a graphical one accessible through a web browser or web-based application, and it displays content and information useful to an end user. It is usually built on HTML5, JavaScript, CSS or popular web development frameworks and communicates with other layers through API calls.
o Application tier (business logic/applications) – controls an application’s functionality by performing detailed processing. It drives the application’s core capabilities. This tier is often written in Java, .NET, C#, Python, C++, among others.
o Data tier – comprises the database/data storage system and the data access layer. These systems include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, MongoDB, etc. The data stored here are accessed by the application layer through API calls.


Due to the diverse technologies that are currently deployed in different types of businesses and application systems, there is now a need for a middleware infrastructure (like an Application Programming Interface) based around an application server.

There are also component models that are widely used and fall under the grouping of “mobile code”, which means code that can be transferred between networks and executed on a local system using cross-platform code without explicit installation by the recipient computer (e.g., Adobe® Flash®, Shockwave®, Java applets, VBScript, ActiveX). Mobile code, however, has also been used to spread malware (malicious software) through email, malicious websites and mobile device applications.

The B-to-C system includes marketing, sales and customer service components (e.g., personalization, membership, product catalog, customer ordering, invoicing, shipping, inventory replacement, online training and problem notification). The application servers support the component model and provide services (like data management, security and transaction management) either directly or through connection to another service or middleware product.

The ecommerce system may involve connections to the in-house accounting, inventory management or enterprise resource planning (ERP) system, or to business partner systems.

Note that customer data should not be stored on web servers that are exposed directly to the internet.

The Extensible Markup Language (XML) is another important part of an organization’s overall ecommerce architecture. It is used as a medium that can store and enclose any kind of structured information so it can be passed between different computing systems. It has emerged as a key means of exchanging a wide variety of data on the web.
• Extensible Stylesheet Language (XSL) – defines how an XML document is to be presented on a web page.
• XML query (XQuery) – deals with querying XML-format data.
• XML encryption – deals with encrypting, decrypting and digitally signing XML documents.

ECOMMERCE RISK
• Confidentiality—possible theft of credit card information when buying from unknown vendors. Also, connecting to the internet via a browser requires running software on the computer that has been developed by someone unknown to the organization.
• Integrity—data could be susceptible to unauthorized alteration or deletion (i.e., hacking, or the ebusiness system itself could have design or configuration problems).
• Availability—ecommerce is a 24/7 business on the internet, so a system failure will become apparent to customers or business partners.
• Authentication and nonrepudiation—parties should be in a known and trusted business relationship, which requires that they prove their respective identities before executing the transaction to prevent man-in-the-middle attacks.
• Power shift to customers—organizations in ebusiness need to make their offers attractive and seamless in delivering their services, and the back-end support processes need to be as efficient as possible. To avoid losing the competitive advantage of doing business online, organizations need to enhance their services, differentiate themselves from the competition and build additional value.

ECOMMERCE REQUIREMENTS
• Build a business case
• Clear business purpose
• Use technology to improve costs
• The business case revolves around customers, costs, competitors and
capabilities
• Top level commitment – ecommerce cannot succeed without a clear vision and
strong commitment from the top of an organization.
• Business process reconfiguration – think outside the box
• Links to legacy systems – to accelerate response time, provide real interaction
to customers and customize responses to individual customers.

INFORMATION SYSTEMS AUDIT’S ROLE IN ECOMMERCE
The IS auditor should review:
▪ The interconnection agreement to engage in ecommerce, and the definition of terms and conditions before ecommerce interconnections are established.
▪ Security mechanisms (i.e., firewalls, public key infrastructure, encryption, etc.)
▪ Unique transaction identifiers
▪ Ecommerce application logs, monitored by responsible personnel
▪ Methods and procedures to recognize security breaches when they occur
▪ Protection to ensure data collected from an individual are not disclosed without consent
▪ Confidential data communication between customers and vendors
▪ Protection of private networks from viruses and their propagation to customers’ and vendors’ computers
▪ Resiliency of the ecommerce architecture and its components
▪ Plans and procedures to continue ecommerce activities in the event of an extended outage of the resources required for normal processing
▪ Procedures that define management’s intention for the security of ecommerce
▪ Shared responsibilities within an organization for ecommerce security
▪ Communications from vendors to customers about the level of security in the architecture
▪ Regular audit and security assessment


B. ELECTRONIC DATA INTERCHANGE (EDI)
This is a mechanism for the exchange of business documents between computers in a standard electronic format among business partners.

An EDI system requires communications software, translation software and access to standards. Communications software moves data from one point to another, flags the start and end of an EDI transmission, and determines how acknowledgments are transmitted and reconciled. Translation software helps build a map that shows how the data fields from the application correspond to elements of an EDI standard. Later, it uses this map to convert data back and forth between the application and EDI formats.

To build a map, an EDI standard appropriate for the kind of EDI data to be transmitted is selected (e.g., specific standards for medical claims, patient records, invoices, purchase orders, advance shipping notices). The final step is to write a partner profile that tells the system where to send each transaction and how to handle errors and exceptions.

EDI system software includes transmission, translation and storage of transactions initiated by or destined for application processing. EDI is also an application system in that the functions it performs are based on business needs and activities. The applications, transactions and trading partners supported will change over time, and the intermixing of transactions, purchase orders, shipping notices, invoices and payments in the EDI process makes it necessary to include application processing procedures and controls in the EDI process.

Figure 1 – Purchasing process without EDI

https://www.edictsystems.com/company/what-is-electronic-data-interchange-edi/

TWO APPROACHES RELATED TO EDI
1. Traditional EDI
Moving data in a batch transmission process through the traditional EDI process generally involves three functions within each trading partner’s computer systems:
1.A Communications handler—the process for transmitting and receiving electronic documents between trading partners via dial-up lines, a public-switched network, multiple dedicated lines or a value-added network (VAN).


This VAN uses computerized message switching and storage capabilities to provide electronic mailbox services similar to a post office. It receives all the outbound transactions from an organization, sorts them by destination and passes them to recipients when they log on to check their mailbox and receive the transmission. EDI applications provide technical support, help desk and troubleshooting assistance for EDI and telecommunications problems.

1.B EDI interface—the interface function that manipulates and routes data between the application system and the communications handler. It consists of the following components:
• EDI translator – a device that translates data between the standard format and a trading partner’s proprietary format.
• Application interface—this interface moves electronic transactions to or from application systems and performs data mapping. The EDI interface may generate and send functional acknowledgments, verify the identity of partners and check the validity of transactions by checking transmission information against a trading partner master file.

1.C Application system – the programs that process the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the controls for existing applications, if left unchanged, are usually unaffected.

Figure 2 – Purchasing process with Traditional EDI

https://www.edictsystems.com/company/what-is-electronic-data-interchange-edi/
2. Web-based EDI

Figure 3 – Purchasing process through Web-based EDI


https://www.edictsystems.com/company/what-is-electronic-data-interchange-edi/

The web came to be used for EDI for the following reasons:
• VAN services run over a proprietary network, while internet service providers (ISPs) offer a generic network for all computers. Web-based EDI thus reduces the cost of EDI applications.
• It attracts new partners to exchange information, take orders, and link the website to back-end order processing and financial systems via EDI.
• New security products are available to address issues of confidentiality, authentication, data integrity, and nonrepudiation of origin and return.
• Improvements in the X12 EDI formatting standard and web-based EDI trading techniques aim to improve the interchange of information between trading partners, suppliers and customers by bringing down the boundaries that restrict how they interact and do business with each other.

EDI RISKS and CONTROLS

Risk: Transaction authorization is the biggest EDI risk. Computerized data can
look the same as there is no human element or signature.
Controls:
- To protect both parties, any agreement is codified legally in a trading
partner agreement.

Risk: Loss of business continuity. Corruption of EDI applications, whether done
innocently or deliberately, could affect every EDI transaction undertaken by a
company.
Controls:
- Standards should be set to indicate that the message format and content are
valid to avoid transmission errors.
- Controls should be in place to ensure that standard transmissions are
properly converted for the application software by the translation
application.

Risk: Unauthorized access to electronic transactions. Deletion or manipulation
of transactions prior to or after establishment of application controls.
Controls:
- The receiving organization must have controls in place to test the
reasonableness of messages received. This should be based on a trading
partner's transaction history or documentation received that substantiates
special situations.
- Controls should be established to guard against manipulation of data in
active transactions, files and archives. Attempts to change records should
be recorded by the system for management review and attention.
- Procedures should be established to determine that messages are only from
authorized parties and that transmissions are properly authorized.
- Data should be encrypted using algorithms agreed on by the parties involved.
- Electronic signatures should be in the transmissions to identify the source
and destination.

Risk: Loss or duplication of EDI transmissions.
Controls:
- Message authentication codes should exist to ensure that what is sent is
received.

Risk: Loss of confidentiality and improper distribution of EDI transactions
while in the possession of third parties.
Controls:
- Direct or dedicated transmission channels among the parties should exist to
reduce the risk of tapping into the transmission lines.

INFORMATION SYSTEMS AUDIT’S ROLE IN THE EDI

An IS auditor must evaluate EDI to ensure that all inbound EDI transactions are
received and translated accurately, passed to an application, and processed only
once.
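The EDI interface controls described above (checking the sender against the trading partner master file, testing reasonableness against the partner's history, verifying a message authentication code, returning a functional acknowledgment) and the audit requirement that each inbound transaction is processed only once can be shown together in one inbound gateway. The following is an added example, not code from the manual or from any EDI product. It assumes a simplified constructed envelope (sender id | control number | transaction type | body) rather than full X12 parsing, uses HMAC-SHA256 as a stand-in for "the algorithm agreed on by the parties", and the partner master file, shared key and messages are constructed sample data.

```python
"""Inbound EDI control checks: partner identity, message authentication,
reasonableness, duplicate detection and functional acknowledgment.

Added example, not code from the manual. The envelope is a simplified,
constructed layout (sender id | control number | transaction type | body),
not full X12 parsing. HMAC-SHA256 stands in for "the algorithm agreed on by
the parties"; the shared key and the partner master file are sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed trading partner master file: partner id -> agreed parameters.
PARTNER_MASTER = {
    "ACME01": {
        "mac_key": b"acme-shared-key-demo",      # constructed, not a real key
        "allowed_types": {"850", "856"},         # purchase order, ship notice
        "typical_max_amount": 50_000.00,         # derived from partner history
    },
}


@dataclass
class Interchange:
    sender_id: str
    control_number: str
    txn_type: str
    body: str        # "key=value;key=value" payload, constructed format
    mac_hex: str     # hex MAC over the envelope fields and body


@dataclass
class AckResult:
    accepted: bool
    reasons: List[str] = field(default_factory=list)
    ack: str = ""    # functional acknowledgment returned to the partner


def envelope_bytes(sender_id: str, control_number: str, txn_type: str, body: str) -> bytes:
    return f"{sender_id}|{control_number}|{txn_type}|{body}".encode()


def sign(sender_id: str, control_number: str, txn_type: str, body: str, key: bytes) -> str:
    """Sending side: compute the MAC the receiver will verify."""
    return hmac.new(key, envelope_bytes(sender_id, control_number, txn_type, body),
                    hashlib.sha256).hexdigest()


def body_fields(body: str) -> Dict[str, str]:
    return dict(item.split("=", 1) for item in body.split(";") if "=" in item)


class InboundEdiGateway:
    def __init__(self, master: Dict[str, dict]):
        self.master = master
        self.processed: set = set()   # (sender_id, control_number) already passed on

    def process(self, msg: Interchange) -> AckResult:
        reasons: List[str] = []
        partner = self.master.get(msg.sender_id)
        if partner is None:
            reasons.append("unknown sender: not in trading partner master file")
        else:
            expected = sign(msg.sender_id, msg.control_number, msg.txn_type,
                            msg.body, partner["mac_key"])
            # constant-time compare; a mismatch means the content or key differs
            if not hmac.compare_digest(expected, msg.mac_hex):
                reasons.append("MAC mismatch: message altered or not from the partner")
            if msg.txn_type not in partner["allowed_types"]:
                reasons.append(f"transaction type {msg.txn_type} not agreed with partner")
            try:
                amount = float(body_fields(msg.body).get("amount", "0"))
                if amount > partner["typical_max_amount"]:
                    reasons.append("amount exceeds partner history; hold for review")
            except ValueError:
                reasons.append("amount field is not numeric")
        key = (msg.sender_id, msg.control_number)
        if key in self.processed:
            reasons.append("duplicate control number: already processed once")
        accepted = not reasons
        if accepted:
            self.processed.add(key)   # the application sees each interchange once
        status = "A" if accepted else "R"
        ack = f"997|{msg.sender_id}|{msg.control_number}|{status}"
        return AckResult(accepted, reasons, ack)


def make_message(sender_id: str, control_number: str, txn_type: str, body: str,
                 key: bytes) -> Interchange:
    """Helper for the sending side (used in the demo below)."""
    return Interchange(sender_id, control_number, txn_type, body,
                       sign(sender_id, control_number, txn_type, body, key))


if __name__ == "__main__":
    gw = InboundEdiGateway(PARTNER_MASTER)
    key = PARTNER_MASTER["ACME01"]["mac_key"]
    po = make_message("ACME01", "000001", "850", "po=4711;amount=12000.00", key)
    print(gw.process(po))          # accepted
    print(gw.process(po))          # rejected: duplicate control number
    tampered = Interchange(po.sender_id, "000002", po.txn_type,
                           "po=4711;amount=120000.00", po.mac_hex)
    print(gw.process(tampered))    # rejected: MAC mismatch and amount too high
```

A rejected interchange still receives a functional acknowledgment, with status R, so the partner learns that it was not accepted; the `processed` set is what makes the "processed only once" requirement hold when the same control number is resent.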

C. ELECTRONIC BANKING
Remote delivery of electronic services to consumers and businesses from financial
institutions.

The risks associated with electronic banking activities include strategic, reputational,
operational, credit, price, foreign exchange, interest rate and liquidity risk.

Risk Management Challenges

- Speed of change relating to technological and service innovation in ebanking
increases the challenge to ensure that adequate strategic assessment, risk
analysis and security reviews are conducted prior to implementing new
ebanking applications.
- Increased dependence on sound system design and architecture as well as
system interoperability and operational scalability.
- Heavy dependence on information technology, increasing technical
complexity of many operational and security issues.

Risk Management Controls for Ebanking

- Board and management oversight
- Security controls
- Legal and reputational risk management

ELECTRONIC FUNDS TRANSFER

It refers to the electronic transfer of funds between a buyer, a seller and their
respective financial institutions. EFT transactions function via an internal bank
transfer from one party's account to another or via a clearing house network.

IS Auditor's Role in the EFT Business Process

An IS auditor should review the physical security of unissued plastic cards, the
procedures used to generate PINs, the procedures used to issue cards and PINs
and the conditions under which the consumer uses the access devices.

An IS auditor should also ensure that reasonable authentication methods are
required for access to EFT systems. He/she should also consider the EFT switch
involved in the network used for the EFT, the interface between the EFT
system and the application systems that process the accounts from which funds
are transferred, and the audit trails that are available.

D. INTEGRATED MANUFACTURING SYSTEMS

Examples of these systems are bill of materials (BOM), BOM processing (BOMP),
manufacturing resources planning (MRP), computer-assisted design (CAD),
computer-integrated manufacturing (CIM), and manufacturing accounting and
production (MAP).

Evolution toward further integration with other business functions (e.g., recording of
raw materials, work-in-process and finished goods transactions, inventory
adjustments, purchases, supplier management, sales, accounts payable, accounts
receivables, goods received, inspection, invoices, cost accounting, maintenance) led
to MRP, which is a family of widely used standards and standard-based packages.
MRP is a typical module of most ERP packages such as SAP or Oracle Financials
and is usually integrated in modern customer relationship management (CRM) and
supply chain management (SCM) systems.

F. PURCHASING ACCOUNTING SYSTEM

This system processes the data for purchases and payments. Because purchases
automatically lead to payments, if purchases are properly contracted, partial control
over payments exists. Additional controls over payments are also required to ensure
that each payment was made for goods and services received, that the same
purchase was not paid for twice, and that payments were actually made. Most
purchasing accounting systems have three basic accounting functions:
1. Accounts payable processing—records transactions in accounts payable
records
2. Goods received processing—records details of goods received but not yet invoiced
3. Order processing—records goods ordered but not yet received

G. IMAGE PROCESSING
An imaging system stores, retrieves and processes graphic data such as pictures,
charts and graphs, instead of or in addition to text data. The storage capacities must
be enormous, and most image systems include optical disk storage. In addition to
optical disks, the systems include high-speed scanning, high-resolution displays,
rapid and powerful compression, communications functions and laser printing. The
systems include techniques that can identify levels of shades and colors that cannot
be differentiated by the human eye. These systems are expensive, and companies
do not invest in them lightly.

Most businesses that perform image processing obtain benefits from using the
imaging system, such as:
• Item processing (e.g., signature storage and retrieval)
• Immediate retrieval via a secure optical storage medium
• Increased productivity
• Improved control over paper files
• Reduced deterioration due to handling
• Enhanced disaster recovery procedures

The replacement of paper documents with electronic images can have a significant
impact on the way an organization does business. Controls must be developed and
designed into the automated process to ensure that information image files cannot
be altered, erased or lost.

Risk Areas in Image Processing Systems

→ Planning – lack of planning in selecting and converting paper systems to
document imaging systems can result in excessive installation costs, the
destruction of original documents and the failure to achieve expected benefits.
→ Audit – imaging systems may change or eliminate the traditional controls as well
as the checks and balances inherent in paper-based systems. Audit procedures
may have to be redesigned and new controls designed into the automated
process.
→ Redesign of workflow – workflow must be redesigned or reengineered to benefit
from imaging technology.
→ Scanning devices – these devices are the entry point for image documents and a
significant risk area in imaging systems. Workflow is disrupted if the scanning
equipment is not adequate to handle the volume of documents or the equipment
breaks down. Absence of controls over the scanning process can result in
poor-quality images, improper indexing, and incomplete or forged documents
being entered into the system.
→ Software security – this protects institutional and customer information from
unauthorized access and modification. The integrity and reliability of the
imaging system database are related directly to the quality of controls over
access to the system.
→ Training – inadequate training of personnel scanning the documents can result in
poor-quality document images and indexes, and the early destruction of
original documents.

H. INDUSTRIAL CONTROL SYSTEMS (ICS)

ICS is a general term that encompasses several types of control systems, including
supervisory control and data acquisition (SCADA) systems, distributed control
systems (DCS), and other control system configurations such as programmable logic
controllers (PLC), often found in the industrial sectors and critical infrastructures.

Figure 4 – A High-level overview of typical ICS Operations

Source: NIST; NIST SP 800-82:Guide to Industrial Control Systems (ICS) Security, USA, 2011
Risk factors that an IS auditor should consider:

→ Blocked or delayed flow of information through the ICS network, which could
disrupt ICS operation.
→ Unauthorized changes to instructions, commands or alarm thresholds, which
could damage, disable or shut down equipment, create environmental impacts,
and/or endanger human life.
→ Inaccurate information sent to system operators, either to disguise unauthorized
changes or to cause the operators to initiate inappropriate actions, which could
have various negative effects.
→ ICS software or configuration settings modified, or ICS software infected with
malware, which could have various negative effects.
→ Interference with the operation of safety systems, which could endanger human
life.

Typical Controls
→ Restrict logical access to the ICS network and network activity. The network
topology of the ICS should use multiple layers, with the most critical
communications occurring in the most secure and reliable layer.
→ Restrict physical access to the ICS network and devices, such as by using locks,
card readers and/or guards.
→ Protect individual ICS components from exploitation.
→ Maintain functionality during adverse conditions. This involves designing the ICS
so that each component has a redundant counterpart.
→ Restore the system after an incident.
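The first of the typical controls (a layered network with logical access restricted between layers) and the risk factor of unauthorized changes to commands or alarm thresholds can both be expressed as checks that a gateway enforces and an auditor can re-run against a flow log. The following Python is an added example, not from the manual or from NIST SP 800-82; the zone names, the allow-list of permitted flows, the tag names, engineering limits and roles are all constructed for illustration.

```python
"""Layered ICS network policy: deny-by-default allow-list for flows between
zones, plus an authorization and engineering-limit check on write commands.

Added example, not code from the manual or from NIST SP 800-82. Zone names,
the allow-list, tag names, limits and roles are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Layers ordered from least to most critical. Per the text, the most critical
# communications should stay inside the most secure and reliable layer.
ZONE_LEVEL = {"enterprise": 0, "dmz": 1, "supervisory": 2, "control": 3}

# Explicit allow-list of (source zone, destination zone, service); anything
# else is denied. Constructed for the example.
ALLOWED_FLOWS = {
    ("enterprise", "dmz", "https"),         # business users read the DMZ historian mirror
    ("dmz", "supervisory", "historian"),    # the mirror pulls from the plant historian
    ("supervisory", "control", "modbus"),   # SCADA/HMI servers poll the PLCs
    ("control", "supervisory", "modbus"),   # PLC responses back to the servers
}


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    service: str


def check_flow(flow: Flow) -> Tuple[bool, str]:
    """Deny by default: a flow passes only if it is on the allow-list. A flow
    that skips a layer is reported separately so an audit can flag the bypass."""
    if flow.src_zone not in ZONE_LEVEL or flow.dst_zone not in ZONE_LEVEL:
        return False, "denied: unknown zone"
    if (flow.src_zone, flow.dst_zone, flow.service) in ALLOWED_FLOWS:
        return True, "allowed by policy"
    gap = abs(ZONE_LEVEL[flow.dst_zone] - ZONE_LEVEL[flow.src_zone])
    if gap > 1:
        return False, "denied: bypasses an intermediate layer"
    return False, "denied: not on allow-list"


def audit_flows(flows: List[Flow]) -> List[str]:
    """One finding line per denied flow, for management review."""
    findings = []
    for f in flows:
        ok, why = check_flow(f)
        if not ok:
            findings.append(f"{f.src_zone}->{f.dst_zone} {f.service}: {why}")
    return findings


# Constructed engineering limits (low, high) and the roles allowed to write
# each tag. Alarm thresholds get a narrower writer set than setpoints.
ENGINEERING_LIMITS = {
    "tank1.level_setpoint": (10.0, 90.0),
    "tank1.high_alarm": (80.0, 95.0),
}
AUTHORIZED_WRITERS = {
    "tank1.level_setpoint": {"operator", "engineer"},
    "tank1.high_alarm": {"engineer"},
}


@dataclass
class WriteCommand:
    src_zone: str
    role: str
    tag: str
    value: float


def check_write(cmd: WriteCommand) -> Tuple[bool, List[str]]:
    """Accept a write only from the supervisory layer, from a role authorized
    for that tag, with a value inside the engineering limits."""
    reasons: List[str] = []
    if cmd.src_zone != "supervisory":
        reasons.append("write must originate from the supervisory layer")
    if cmd.role not in AUTHORIZED_WRITERS.get(cmd.tag, set()):
        reasons.append(f"role '{cmd.role}' not authorized to write {cmd.tag}")
    limits = ENGINEERING_LIMITS.get(cmd.tag)
    if limits is None:
        reasons.append(f"unknown tag {cmd.tag}")
    elif not limits[0] <= cmd.value <= limits[1]:
        reasons.append(f"value {cmd.value} outside limits {limits}")
    return (not reasons), reasons


if __name__ == "__main__":
    log = [Flow("supervisory", "control", "modbus"), Flow("enterprise", "control", "ssh")]
    print(audit_flows(log))
    print(check_write(WriteCommand("supervisory", "operator", "tank1.high_alarm", 85.0)))
```

Every reason is returned rather than only the first, so a denied write that is both out of limits and from an unauthorized role produces a complete finding; recording those findings is what gives management the "attempts to change records" trail the ICS risk factors call for.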

I. ARTIFICIAL INTELLIGENCE AND EXPERT SYSTEMS

This refers to the study and application of the principles by which:
• Knowledge is acquired and used.
• Goals are generated and achieved.
• Information is communicated.
• Collaboration is achieved.
• Concepts are formed.
• Languages are developed.

AI includes the following:

o Expert systems
o Natural and artificial (such as programming) languages
o Neural networks
o Intelligent text management
o Theorem proving
o Abstract reasoning
o Pattern recognition
o Voice recognition
o Problem solving
o Machine translation of foreign languages

An expert system allows the user to specify certain basic assumptions or
formulas and then uses these assumptions or formulas to analyze arbitrary events.
Based on the information used as input to the system, a conclusion is produced.

Benefits that can be obtained from expert systems:

◼ Capturing the knowledge and experience of individuals
◼ Sharing knowledge and experience
◼ Enhancing personnel productivity and performance
◼ Automating highly repetitive tasks (help desk, credit scoring, etc.)
◼ Operating in environments where a human expert is not available

The key to the system is the knowledge base, which contains specific information or
fact patterns associated with particular subject matter and the rules for interpreting
these facts. A knowledge base can be expressed in the following forms:
- Decision trees—use of questionnaires to lead the user through a series of
choices, until a conclusion is reached.
- Rules—expression of declarative knowledge through the use of if-then
relationships.
- Semantic nets—use of a graph in which the nodes represent physical or
conceptual objects, and the arcs describe the relationships between the nodes.
An expert system also includes the following components:
o Knowledge interface – inclusion of knowledge from an expert into the
system without the traditional mediation of a software engineer.
o Data interface – collection of data from nonhuman sources through an
expert system, such as measurement instruments in a power plant.
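The "rules" form of a knowledge base (declarative if-then relationships that an inference engine applies to input facts until a conclusion is reached) is small enough to implement end to end. The following is an added example, not code from the manual or from any expert-system product: a forward-chaining engine over a constructed knowledge base for a help-desk style credit pre-screen. The rules, the 0.45 debt-to-income threshold and the applicant records are all constructed; the trace of fired rules is the decision logic an IS auditor would review.

```python
"""A minimal forward-chaining rule engine: a knowledge base of if-then rules
and the facts supplied as input produce a conclusion plus the trace of rules
that fired (the decision logic an IS auditor would review).

Added example, not code from the manual. The credit-screening rules, the
0.45 debt-to-income threshold and the applicant records are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Facts = Dict[str, Any]


@dataclass
class Rule:
    name: str
    condition: Callable[[Facts], bool]   # IF part, evaluated over current facts
    conclusion: Facts                     # THEN part, asserted when the rule fires


def forward_chain(rules: List[Rule], facts: Facts) -> Tuple[Facts, List[str]]:
    """Repeatedly fire every rule whose condition holds until nothing new can
    be derived. Each rule fires at most once, so the loop always terminates."""
    facts = dict(facts)
    trace: List[str] = []
    fired = set()
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.name in fired:
                continue
            try:
                holds = bool(rule.condition(facts))
            except (KeyError, ZeroDivisionError):
                holds = False        # a needed fact is not (yet) known or unusable
            if holds:
                facts.update(rule.conclusion)
                fired.add(rule.name)
                trace.append(rule.name)
                changed = True
    return facts, trace


# Constructed knowledge base for a help-desk style credit pre-screen.
CREDIT_RULES = [
    Rule("R1-high-dti", lambda f: f["monthly_debt"] / f["monthly_income"] > 0.45,
         {"high_dti": True}),
    Rule("R1-ok-dti", lambda f: f["monthly_debt"] / f["monthly_income"] <= 0.45,
         {"high_dti": False}),
    Rule("R2-poor-history", lambda f: f["late_payments_12m"] >= 2,
         {"poor_history": True}),
    Rule("R2-clean-history", lambda f: f["late_payments_12m"] < 2,
         {"poor_history": False}),
    Rule("R3-decline", lambda f: f["high_dti"] and f["poor_history"],
         {"decision": "decline"}),
    Rule("R4-refer", lambda f: f["high_dti"] != f["poor_history"],
         {"decision": "refer to analyst"}),
    Rule("R5-approve", lambda f: not f["high_dti"] and not f["poor_history"],
         {"decision": "approve"}),
]


def screen(applicant: Facts) -> Tuple[str, List[str]]:
    """Return the conclusion and the ordered list of rules that produced it.
    If the facts do not allow a decision, say so instead of guessing."""
    facts, trace = forward_chain(CREDIT_RULES, applicant)
    return facts.get("decision", "insufficient facts"), trace


if __name__ == "__main__":
    print(screen({"monthly_income": 3000, "monthly_debt": 1500, "late_payments_12m": 0}))
```

Because the rules are data rather than code paths, the auditor's review of "procedures for updating information in the knowledge base" reduces to reviewing changes to the `CREDIT_RULES` list, and the returned trace shows exactly which rules led to each conclusion.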

IS AUDITOR'S ROLE IN EXPERT SYSTEMS

An IS auditor should be knowledgeable about the various AI and expert system
applications used within the organization and should perform the following activities:
- Understand the purpose and functionality of the system.
- Assess the system's significance to the organization.
- Review adherence of the system to corporate policies and procedures.
- Review the decision logic built into the system.
- Review procedures for updating information in the knowledge base.
- Review security access over the system, specifically the knowledge base.
- Review procedures to ensure that qualified resources are available for
maintenance and upgrading.

J. SUPPLY CHAIN MANAGEMENT (SCM)

SCM refers to the linking of business processes between the related entities such as
a buyer and the seller. The link is provided to all the connected areas such as
managing logistics and the exchange of information, services and goods among
supplier, consumer, warehouse, wholesale/retail distributors and manufacturer of
goods.

K. CUSTOMER RELATIONSHIP MANAGEMENT (CRM)

CRM has become a strategic success factor for all types of business, and its
proficiency has a significant impact on profitability.

The CRM process emphasizes the customer, rather than marketing, sales or any
other function, in order to meet customer expectations. It includes integration of
telephony, web and database technologies, and interenterprise integration
capabilities. In this model, other business partners can share information,
communicate and collaborate with the organization with the seamless integration of
web-enabled applications and without changing their local network and other
configurations.

Self-Help: Reference used for this topic

• CISA (Certified Information Systems Auditor) Review Manual: 27th Edition – Domain 1 –
Information System Auditing Process
• Logi Report: 3-Tier Architecture
(https://www.jinfonet.com/resources/bi-defined/3-tier-architecture-complete-overview/)
• EDI Basics (https://www.edibasics.com/what-is-edi/)

Let's Check
Select the best answer for each question below:

1) It refers to the software in the EDI that moves data from one point to another, flags
the start and end of an EDI transmission, and determines how acknowledgments are
transmitted and reconciled.
a. Ecommerce
b. Enterprise Resource Planning
c. Supply Chain Management
d. Communication Software

2) The emphasis is on the customer, rather than marketing, sales or any other
function, in order to meet customer expectations.
a. Ecommerce
b. Customer Relationship Management
c. Expert Systems
d. Electronic Data Interchange (EDI)

3) It encompasses several types of control systems and associated instrumentation
used to control industrial processes.
a. Industrial Control System
b. Artificial Intelligence
c. Customer Relationship Management
d. SCADA

4) It records the details of goods received but not yet invoiced.
a. Image Processing
b. Order Processing
c. Goods Received Processing
d. Purchasing Accounting System

5) The following are benefits of an imaging system, except:
a. Easy retrieval of records stored.
b. It controls the system configurations.
c. Supports disaster recovery.
d. Hard copy files will be managed.

6) The remote delivery of financial transactions between customers and businesses.
a. Electronic Fund Transfer
b. Electronic Data Interchange
c. Ecommerce
d. Purchasing Accounting System

7) An organization wanted to improve the support it renders to various
countries so as to immediately resolve the issues encountered with the use of
its platform. Management wanted to employ a mechanism to automatically
translate the reported concerns from different languages into standard English.
The organization should employ:
a. Business Intelligence
b. Voice Recognition
c. Artificial Intelligence and Expert Systems
d. Supply Chain Management

8) LMN Electronics develops and produces consumer electronics and information
technology hardware for businesses. The company uses a SCADA system
architecture in the manufacturing process. Its management wanted to review
patterns of its customers' business to streamline their orders, shipping and
payment procedures. Management also recognized that there is a lot of
negative feedback from clients about the hardware the company is producing, for
instance the heavy and bulky devices. Management should employ which of the
following systems?
a. Industrial Control Systems
b. Electronic Data Interchange
c. Artificial Intelligence and Expert Systems
d. Customer Relationship Management

9) The following are risks of an Ecommerce environment, except:
a. Hard to authenticate the parties involved in the transactions
b. Higher chance of modified transactions
c. Longer processing time to complete transactions
d. Information is exposed to unknown people

10) It is a layer of the three-tier architecture that instructs the displays in a user
interface.
a. Presentation Tier
b. Application Tier
c. Data Tier
d. Single tier

In a Nutshell
Do you think there is a best business application that fits with any kind of industry? Explain
your answer.
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________

Keywords Index
• Systems
• Risk and Controls
• Business Environment
• Authentication
• Nonrepudiation
• Software/Applications
• Interface
• Server
• Transmission
• Security
• Processing Application
• Transaction
• Middleware
• Computer Language
• Internet/Web
• Architecture
• Business Process
• Legacy Systems

COURSE SCHEDULE
ACTIVITY                            DUE DATE             WHERE TO SUBMIT
Week 4-5: ULOa – Let's Check                             BlackBoard LMS
Week 4-5: ULOa – Let's Analyze                           BlackBoard LMS
Week 4-5: ULOa – In A Nutshell                           BlackBoard LMS
Week 4-5: ULOb – Let's Check                             BlackBoard LMS
Week 4-5: ULOb – In A Nutshell                           BlackBoard LMS
SECOND FORMATIVE ASSESSMENT         February 12, 2021    BlackBoard LMS

Week 6 - 7: Unit Learning Outcomes (ULO): at the end of the unit, you are expected to
A. Discuss the internal controls in a business ruled by information systems.
B. Explain the types of audits and the process of assessments
C. Discuss the concept of Corporate Governance and understand the different roles in
relation to corporate governance

Week 6-7: Big Picture in Focus:

ULO a. Discuss the internal controls in a business ruled by
Information Systems.

Metalanguage
Control–the means of managing risk, including policies, procedures, guidelines,
practices or organizational structures, which can be of an administrative, technical,
management, or legal nature. Also used as a synonym for safeguard or
countermeasure.

Control Objective–a statement of the desired result or purpose to be achieved by
implementing control procedures in a particular process.

Control Measure—an activity contributing to the fulfillment of control
objectives.

Control Weakness—a deficiency in the design or operation of a control procedure.
Control weaknesses can potentially result in risk relevant to the area of activity not
being reduced to an acceptable level (relevant risk threatens achievement of the
objectives relevant to the area of activity being examined). Control weaknesses can
be material when the design or operation of one or more control procedures does not
reduce to a relatively low level the risk that misstatements caused by illegal acts or
irregularities may occur and not be detected by the related control procedures.

Policy–generally, a document that records a high-level principle or course of action
that has been decided on. The intended purpose is to influence and guide both present
and future decision making to be in line with the philosophy, objectives and strategic
plans established by the enterprise's management teams. In addition to policy content,
policies need to describe the consequences of failing to comply with the policy, the
means for handling exceptions, and the manner in which compliance with the policy
will be checked and measured. Overall intention and direction as formally expressed
by management.

Procedure–a document containing a detailed description of the steps necessary to
perform specific operations in conformance with applicable standards. Procedures are
defined as part of processes.

Control Practices–key control mechanisms that support the achievement of control
objectives through responsible use of resources, appropriate management of risk and
alignment of IT with business.

Essential Knowledge
Every organization has controls in place. An effective control is one that prevents,
detects and/or contains an incident and enables recovery from a risk event.
Organizations design, develop, implement and monitor information systems through
policies, procedures, practices and organizational structures to address these types
of risk.

Controls are normally composed of policies, procedures, practices and organizational
structures that are implemented to reduce risk to the organization. Internal
controls are developed to provide reasonable assurance to management that the
organization's business objectives will be achieved, and that risk events will be
prevented, or detected and corrected. Internal control activities and supporting
processes are either manual or automated. They should operate at all levels within
an organization to mitigate its exposure to risk that could potentially prevent it
from achieving its business objectives. It is the responsibility of the board of
directors and senior management to establish the appropriate culture to facilitate
an effective and efficient internal control system and to continuously monitor the
effectiveness of the internal control system, although each individual within an
organization must take part in this process.

Internal controls address business/ operational objectives and should also address
undesired events through prevention, detection and correction. Elements of controls
that should be considered when evaluating control strength are classified as
preventive, detective or corrective in nature.

CONTROL OBJECTIVES AND CONTROL MEASURES

A control objective is a goal that is explicitly related to the strategy of the
company. Take the table below as an example:

Control Classifications

Preventive
Function:
- Detect problems before they arise.
- Monitor both operation and inputs.
- Attempt to predict potential problems before they occur and make adjustments.
- Prevent an error, omission or malicious act from occurring.
Examples:
- Employing only qualified personnel
- Segregation of duties
- Controlling access to physical facilities
- Well-designed documents to prevent errors
- Suitable procedures for authorization of transactions
- Programmed edit checks
- Use of access control software that allows only authorized personnel to
access sensitive files
- Use of encryption software to prevent unauthorized disclosure of data

Detective
Function:
- Use controls that detect and report the occurrence of an error, omission or
malicious act.
Examples:
- Hash totals
- Check points in production jobs
- Echo controls in telecommunications
- Error messages over tape labels
- Duplicate checking of calculations
- Periodic performance reporting with variances
- Past-due account reports
- Internal audit functions
- Review of activity logs to detect unauthorized access attempts
- Secure code reviews
- Software quality assurance

Corrective
Function:
- Minimize the impact of a threat
- Remedy problems discovered by detective controls
- Identify the cause of a problem
- Correct errors arising from a problem
- Modify the processing system(s) to minimize future occurrences of the problem
Examples:
- Contingency/continuity of operations planning
- Disaster recovery planning
- Incident response planning
- Backup procedures
- System break/fix service level agreements
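Two entries in the table, "programmed edit checks" (preventive) and "hash totals" (detective), are the application-level controls an IS auditor tests most often, and the difference between the two classes is clearest when they run side by side on one batch. The following Python is an added example, not code from the manual: the batch records, the account-number format and the control totals that the sending system is assumed to transmit with the batch are constructed sample data. Edit checks reject bad records before they are posted; the control-total comparison only reports that something in the batch differs from what the sender counted.

```python
"""Preventive edit checks and detective control totals on a transaction batch.

Added example, not code from the manual. The batch records, the account
number format and the control totals the sending system supplies are
constructed sample data.
"""
import re
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import Dict, List

ACCOUNT_RE = re.compile(r"^\d{10}$")        # constructed account number format


def edit_check(rec: Dict[str, str]) -> List[str]:
    """Preventive control: programmed edit checks run before posting. A record
    with any finding is rejected, so bad data never reaches the ledger."""
    findings = []
    if not ACCOUNT_RE.match(rec.get("account", "")):
        findings.append("account must be exactly 10 digits")
    try:
        amount = Decimal(rec.get("amount", ""))
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            findings.append("amount must be positive with two decimals")
    except InvalidOperation:
        findings.append("amount is not numeric")
    try:
        date.fromisoformat(rec.get("date", ""))
    except ValueError:
        findings.append("date is not a valid ISO date")
    return findings


def control_totals(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Recompute the totals the sender transmitted with the batch. The hash
    total is the arithmetic sum of account numbers: meaningless as a number,
    useful because any altered or lost record changes it."""
    amount_total = Decimal("0")
    hash_total = 0
    for rec in records:
        try:
            amount_total += Decimal(rec.get("amount", "0"))
        except InvalidOperation:
            pass                                    # non-numeric: edit check reports it
        if rec.get("account", "").isdigit():
            hash_total += int(rec["account"])
    return {"record_count": len(records), "amount_total": amount_total,
            "hash_total": hash_total}


def process_batch(records: List[Dict[str, str]], header: Dict[str, object]) -> Dict[str, object]:
    """Detective comparison first (so loss or corruption in transit is reported
    even when the affected record is also rejected), then the preventive edit
    checks record by record."""
    recomputed = control_totals(records)
    variances = {}
    for name in ("record_count", "amount_total", "hash_total"):
        expected = header[name]
        if name == "amount_total":
            expected = Decimal(str(expected))
        if recomputed[name] != expected:
            variances[name] = {"expected": expected, "actual": recomputed[name]}
    accepted, rejected = [], {}
    for rec in records:
        findings = edit_check(rec)
        if findings:
            rejected[rec["txn_id"]] = findings
        else:
            accepted.append(rec["txn_id"])
    return {"accepted": accepted, "rejected": rejected, "variances": variances}


# Constructed batch as received. T002 carries a negative amount; T003's account
# was corrupted in transit (the sender's copy read 1001200000) and its date is
# impossible.
BATCH_RECORDS = [
    {"txn_id": "T001", "account": "1001234567", "amount": "150.00", "date": "2021-02-10"},
    {"txn_id": "T002", "account": "1009876543", "amount": "-20.00", "date": "2021-02-10"},
    {"txn_id": "T003", "account": "10012ABC",   "amount": "75.50",  "date": "2021-02-31"},
    {"txn_id": "T004", "account": "1005555555", "amount": "300.25", "date": "2021-02-11"},
]
# Control totals computed by the sending system over its (uncorrupted) copy.
BATCH_HEADER = {"record_count": 4, "amount_total": "505.75", "hash_total": 4017866665}

if __name__ == "__main__":
    print(process_batch(BATCH_RECORDS, BATCH_HEADER))
```

On this batch the amount total and record count agree with the header, so the detective control is silent about the negative amount in T002: only the edit check catches it. The corrupted account in T003 shows up both ways, as a rejected record and as a hash-total variance, which is the point of carrying a hash total alongside the financial total.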

The control objectives apply to all controls, whether they are manual, automated or a
combination. Control objectives in an IS environment do not differ from those in a
manual environment; however, the way these controls are implemented may be
different. Thus, control objectives need to be addressed relevant to specific IS-related
processes.

Both the control objective and control measure serve the decomposition of the
strategic-level goals into such lower-level goals and activities that can be assigned as
tasks to the staff. This assignment can take the form of a role description in a job
description.

INFORMATION SYSTEMS (IS) CONTROL OBJECTIVES

IS control objectives are:
- Statements of the desired result or purpose to be achieved by implementing
controls around information systems processes.
- Comprised of policies, procedures, practices and organizational structures.
- Designed to provide reasonable assurance that business objectives will be
achieved and undesired events will be prevented, or detected and corrected.

Organizational management needs to make choices relative to these control
objectives by doing the following:
- Selecting those that are applicable
- Deciding on those that will be implemented
- Choosing how to implement them (frequency, span, automation, etc.)
- Accepting the risk of not implementing those that may apply.

Specific IS control objectives include the following:

- Safeguarding assets: information on automated systems being up to date and
secure from improper access.
- Ensuring system development life cycle (SDLC) processes are established, in
place and operating effectively to provide reasonable assurance that business,
financial and/or industrial software systems and applications are developed in
a repeatable and reliable manner to assure business objectives are met.
- Ensuring integrity of the general OS environment, including network management
and operations.
- Ensuring integrity of sensitive and critical application system environments,
including accounting/financial and management information (information
objectives) and customer data, through:
o Authorization of the input. Each transaction is authorized and entered
only once.
o Validation of the input. Each input is validated and will not cause a
negative impact on the processing of transactions.
o Accuracy and completeness of processing of transactions. All
transactions are recorded accurately and entered into the system for the
proper period.
o Reliability of overall information processing activities.
o Accuracy, completeness and security of the output.
o Database confidentiality, integrity and availability.
- Ensuring appropriate identification and authentication of users of IS resources
(end users as well as infrastructure support).
- Ensuring the efficiency and effectiveness of operations (operational objectives).
- Complying with users' requirements, organizational policies and procedures,
and applicable laws and regulations (compliance objectives).
- Ensuring availability of IT services by developing efficient business continuity
plans (BCPs) and disaster recovery plans (DRPs) that include backup and
recovery processes.
- Enhancing protection of data and systems by developing an incident response
plan.
- Ensuring integrity and reliability of systems by implementing effective change
management procedures.
- Ensuring that outsourced IS processes and services have clearly defined
service level agreements (SLAs) and contract terms and conditions to ensure
the organization's assets are properly protected and meet business goals and
objectives.

GENERAL CONTROLS
→ These are controls that apply to all areas of an organization, including the
following:
▪ Internal accounting controls that are primarily directed at accounting
operations—controls about safeguarding assets and reliability of financial
records
▪ Operations controls that concern day-to-day operations, functions and
activities, and ensure that the operation is meeting the business objectives
▪ Administrative controls that concern operational efficiency in a functional area
and adherence to management policies (administrative controls support the
operational controls)
▪ Organizational security policies and procedures to ensure proper usage of
assets
▪ Overall policies for the design and use of adequate documents and records
(manual/automated) to help ensure proper recording of transactions—the
transactional audit trail
▪ Procedures and practices to ensure adequate safeguards over access to and
use of assets and facilities
▪ Physical and logical security policies for all facilities, data centers and IT
resources

IS-SPECIFIC CONTROLS
Each general control can be translated into an IS-specific control. A well-designed
information system should have controls built in for all its sensitive or critical functions.
For example, the general procedure to ensure that adequate safeguards over access
to assets and facilities can be translated into an IS-related set of control procedures,
covering access safeguards over computer programs, data and equipment.

IS control procedures include:

▪ Strategy and direction of the IT function
▪ General organization and management of the IT function
▪ Access to IT resources, including data and programs
▪ Systems programming and technical support functions
▪ Quality assurance (QA) procedures
▪ Physical access controls
▪ BCP/ DRP
▪ Networks and communication technology (e.g., local area networks, wide area
networks, wireless)
▪ Database administration
▪ Protection and detective mechanisms against internal and external attacks.
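As an added example (not code from the SIM or from ISACA), the access-safeguard translation described above carried into a runnable check: a preventive rule on who may log in and who may approve a posting, and a detective review of an application's activity log for unauthorized access attempts and improper approvals. The user IDs, roles, threshold and audit-trail lines are all constructed, and the log format is an assumption.

```python
"""Added example (not from the SIM or ISACA): one general control, "adequate
safeguards over access to and use of assets", translated into IS-specific
control procedures for a transaction-processing application.

Preventive procedures (enforced before an action is allowed):
  * only an authorized user ID with a correct password may log in;
  * only a user holding the officer role may approve a posting, and never
    a posting the same user entered (segregation of duties).
Detective procedure (review of the activity log after the fact):
  * flag login attempts by unknown user IDs, repeated failed logins by
    known users, and approvals that break the rules above.

User IDs, roles, thresholds and log lines are all constructed for this
example; the log format is an assumption, not any real product's format.
"""
from collections import Counter

# Constructed authorization table: user ID -> role.
AUTHORIZED_USERS = {
    "clerk01": "encoder",
    "clerk02": "encoder",
    "officer7": "officer",
}

# Constructed threshold: this many failed logins by one user is "repeated".
FAILED_LOGIN_THRESHOLD = 3


def is_login_allowed(user_id, password_ok):
    """Preventive control: the ID must be authorized and the password correct."""
    return user_id in AUTHORIZED_USERS and password_ok


def is_approval_allowed(poster_id, approver_id):
    """Preventive control: only an officer may approve, and not their own posting."""
    return (AUTHORIZED_USERS.get(approver_id) == "officer"
            and poster_id is not None
            and approver_id != poster_id)


def parse_log_line(line):
    """Parse one constructed '<timestamp> <user> <event> <detail>' audit-trail line."""
    ts, user, event, detail = line.split(" ", 3)
    return {"ts": ts, "user": user, "event": event, "detail": detail}


def review_audit_trail(lines):
    """Detective control: return (finding, user, detail) tuples in log order."""
    findings = []
    failed = Counter()   # failed login attempts per user ID
    posted_by = {}       # transaction ID -> user who posted it
    for raw in lines:
        rec = parse_log_line(raw)
        user, event, detail = rec["user"], rec["event"], rec["detail"]
        if event == "LOGIN_FAIL":
            failed[user] += 1
            if user not in AUTHORIZED_USERS:
                findings.append(("unknown_user_login_attempt", user, detail))
            elif failed[user] == FAILED_LOGIN_THRESHOLD:
                findings.append(("repeated_failed_logins", user, detail))
        elif event == "LOGIN_OK" and user not in AUTHORIZED_USERS:
            # A successful login by an unknown ID means the preventive control failed.
            findings.append(("unauthorized_login", user, detail))
        elif event == "POST":
            posted_by[detail] = user
        elif event == "APPROVE":
            # Covers self-approval, approval by a non-officer and approval of a
            # transaction that was never posted.
            if not is_approval_allowed(posted_by.get(detail), user):
                findings.append(("improper_approval", user, detail))
    return findings


# Constructed month-end audit trail for the example.
SAMPLE_AUDIT_TRAIL = [
    "2024-01-31T08:01 clerk01 LOGIN_OK workstation=WS12",
    "2024-01-31T08:02 clerk01 POST TXN-1001",
    "2024-01-31T08:05 officer7 LOGIN_OK workstation=WS03",
    "2024-01-31T08:06 officer7 APPROVE TXN-1001",
    "2024-01-31T08:09 clerk02 LOGIN_OK workstation=WS15",
    "2024-01-31T08:10 clerk02 POST TXN-1002",
    "2024-01-31T08:11 clerk02 APPROVE TXN-1002",
    "2024-01-31T09:00 guest99 LOGIN_FAIL reason=bad_password",
    "2024-01-31T09:01 clerk01 LOGIN_FAIL reason=bad_password",
    "2024-01-31T09:02 clerk01 LOGIN_FAIL reason=bad_password",
    "2024-01-31T09:03 clerk01 LOGIN_FAIL reason=bad_password",
]

if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_AUDIT_TRAIL):
        print(finding)
```

Run as-is it reports three exceptions from the constructed trail: a clerk approving a posting he entered himself, a login attempt by an unknown ID, and a known user reaching the failed-login threshold.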


Big Picture in Focus:

ULO b. Explain the types of audits and the process of
assessments

Metalanguage and Essential Knowledge

As a future IS auditor, you should understand the various types of audits that can be
performed, internally or externally, and the basic audit procedures associated with
each.

1.) IS Audit – designed to collect and evaluate evidence to determine whether an
information system and related resources are adequately safeguarded and
protected; maintain data and system integrity and availability; provide relevant
and reliable information; achieve organizational goals effectively; consume
resources efficiently; and have, in effect, internal controls that provide
reasonable assurance that business, operational, and control objectives will be
met and undesired events will be prevented, or detected and corrected, in a
timely manner.

2.) Compliance audit – includes specific tests of controls to demonstrate
adherence to specific regulatory or industry-specific standards or practices.
These audits often overlap other types of audits but may focus on particular
systems or data.

3.) Financial audit – an audit that assesses the accuracy of financial reporting. A
financial audit will often involve detailed, substantive testing, although IS
auditors are increasingly placing more emphasis on a risk- and control-based
audit approach. This kind of audit relates to financial information integrity and
reliability.

4.) Operational audit – it is designed to evaluate the internal control structure in
a given process or area. IS audits of application controls or logical security
systems are examples of operational audits.

5.) Integrated audit – it typically combines financial and operational audit steps
and may or may not include the use of an IS auditor. This type of audit also
assesses the organization’s overall objectives related to financial information,
the safeguarding of assets, efficiency and compliance. It could be performed by
external or internal auditors and would include compliance tests of internal
controls and substantive audit steps.

6.) Administrative audit – this is designed to assess issues related to the
efficiency of operational productivity within an organization.


7.) Specialized audit – specialized reviews may examine areas such as fraud or
services performed by third parties.

a. Third-party service audit – this addresses the audit of outsourced
financial and business processes to third-party service providers, which
may operate in different jurisdictions. A third-party service audit issues
an opinion on a service organization’s description of controls through a
service auditor’s report, which then can be used by the IS auditor of the
entity that uses the services of the service organization.
b. Fraud audit – designed to discover fraudulent activity. Auditors often
use specific tools and data analysis techniques to discover fraud
schemes and business irregularities.
c. Forensic audit – to discover, disclose and follow up on fraud and crime.
The primary purpose of such an audit is the development of evidence for
review by law enforcement and judicial authorities.

8.) Computer forensic audit – is an investigation that includes the analysis of
electronic devices such as computers, smartphones, disks, switches, routers
and hubs. An IS auditor possessing the necessary skills can assist an
information security manager or forensic specialist in performing forensic
investigations and conduct an audit of the system to ensure compliance with
the evidence collection procedures for forensic investigation.
9.) Functional audit – it provides an independent evaluation of software products,
verifying that their configuration items’ actual functionality and performance are
consistent with the requirement specifications. Specifically, this audit is held
prior to the software delivery or after implementation.

Self-Help: You can also refer to the sources below to help you
further understand the lesson:

ISACA 27th Edition – Certified Information Systems Auditor (CISA) Review Manual


Let’s Check – ULO A and B

Based on the topic discussed, select from the pool of terms below the one being
referred to by each item.

Detective Controls        Compliance Audit
Control Objectives        Policies
General Controls          IS-Specific Controls
Administrative Audit      Fraud Audit
Controls                  Computer Forensic Audit

1) It contains description of the consequences of failing to comply with the policy, the means
for handling exceptions, and the manner in which compliance with the policy will be checked
and measured. ______________

2) This control includes review of activity logs to check if there are unauthorized access
attempts to the system. _________________

3) An audit designed to discover fraud schemes. __________________

4) This is a way to manage risk, which may include policies, procedures, guidelines, practices
or organizational structures. _____________________

5) Type of control that applies to all areas of an organization. __________________

6) Refers to the analysis of electronic devices such as computers, smartphones, disks,
switches, routers and hubs. _____________________

7) This type of control includes the database administration. ________________

8) A test of controls to assess adherence to specific regulatory or industry-specific
standards or practices. __________________

9) Refers to the desired result or purpose to be achieved by implementing control
procedures in a particular process. ________________

10) A type of audit that assesses issues related to the efficiency of operational productivity
within an organization. _______________________


Let’s Analyze – ULO A and B

Identify the controls and their types, i.e., whether each is a preventive, detective or
corrective control, in the case below.

The comptrollership’s Subsidiary Ledger for the Accounts Receivable (SLAR)
application system requires a user ID and password to be encoded before the
employees can log in to the application and process transactions. All logins and
activities of the users are logged or recorded in the audit logs/ audit trails. Before a
transaction can be successfully posted, an officer ID should approve the transaction
through the system by signing in with his/ her password. At month-end, a
reconciliation is done to check for any floating items or discrepancies processed in
the system. Should there be discrepancies noted, an approved officer creates the
adjusting entries to effect the adjustments.

CONTROLS IDENTIFIED                TYPE OF CONTROL

1 _____________________________ - Preventive Control
2 _____________________________ - Detective Control
3 _____________________________ - Preventive Control
4 _____________________________ - Detective Control
5 _____________________________ - Corrective Control


Big Picture in Focus:

ULO c. Discuss the concept of Corporate Governance and
understand the different roles in relation to corporate
governance

Metalanguage

Governance - the act or process of governing or overseeing the control and direction
of something such as an organization.

Corporate Governance – the system by which enterprises are directed and
controlled. The board of directors is responsible for the governance of their enterprise.
It consists of the leadership and organizational structures and processes that ensure
the enterprise sustains and extends strategies and objectives.

Stakeholder – a party that has an interest in a company and can either affect or
be affected by the business. The primary stakeholders in a typical corporation are its
investors, employees, customers, and suppliers, and the list is extended to
include communities, governments, and trade associations.

Organization for Economic Cooperation and Development (OECD) - is an
intergovernmental economic organization with 37 member countries, founded in 1961
to stimulate economic progress and world trade.

Essential Knowledge

There is no single definition of corporate governance that can be applied to all
situations and jurisdictions. The various definitions that exist today largely depend on
the institution or author, country and legal tradition.

IFC defines corporate governance as “the structures and processes for the direction
and control of companies.” The Organization for Economic Cooperation and
Development (OECD), which in 1999 published its Principles of Corporate
Governance, offers a more detailed definition of corporate governance as:

“The internal means by which corporations are operated and controlled [...], which
involve a set of relationships between a company’s management, its board, its
shareholders and other stakeholders. Corporate governance also provides the
structure through which the objectives of the company are set, and the means of
attaining those objectives and monitoring performance are determined. Good
corporate governance should provide proper incentives for the board and
management to pursue objectives that are in the interests of the company and
shareholders, and should facilitate effective monitoring, thereby encouraging firms to
use resources more efficiently.”

Despite the variations among these definitions of corporate governance, certain
elements are common to all of them.

(1) Corporate governance is a system of relationships, defined by structures
and processes. For example, the relationship between shareholders and
management consists of the former providing capital to the latter to achieve a
return on their (shareholders’) investment. Managers in turn are to provide
shareholders with financial and operational reports on a regular basis and in a
transparent manner. Shareholders also elect a supervisory body, often referred
to as the Board of Directors or Supervisory Board, to represent their interests.
This body essentially provides strategic direction to, and control over, the
company’s managers. Managers are accountable to this supervisory body,
which in turn is accountable to shareholders through the General Meeting of
Shareholders (GMS). The structures and processes that define these
relationships typically center on various performance management and
reporting mechanisms.

(2) These relationships may involve parties with different and sometimes
contrasting interests: Differing interests may exist between the main
governing bodies of the company, i.e. the GMS, the Board of Directors, and/or
the General Director (or other executive bodies). Contrasting interests exist
most typically between owners and managers, and are commonly referred to
as the principal-agent problem. Conflicts may also exist within each governing
body, such as between shareholders (majority vs. minority, controlling vs. non-
controlling, individual vs. institutional) and directors (executive vs. non-
executive, outside vs. inside, independent vs. dependent). Each of these
contrasting interests needs to be carefully observed and balanced.

(3) All parties are involved in the direction and control of the company: The
GMS, representing shareholders, takes fundamental decisions, for example the
distribution of profits and losses. The Board of Directors is generally responsible
for guidance and oversight, setting company strategy and controlling
managers. Executives, finally, run the day-to-day operations, such as
implementing strategy, drafting business plans, managing human resources,
developing marketing and sales strategies, and managing assets.

(4) All this is done to properly distribute rights and responsibilities and thus
increase long-term shareholder value: For example, how outside, minority
shareholders can prevent a controlling shareholder from gaining benefits
through related party transactions, tunneling or similar means.

The figure below illustrates the basic corporate governance system and the
relationships between the governing bodies.


Source: IFC, March 2004

The external aspect of corporate governance, on the other hand, concentrates on
relationships between the company and its stakeholders. Stakeholders are those
individuals or institutions that have an interest in the company. Such an interest
may arise through legislation or contract, or by way of social or geographic
relationships. Stakeholders include investors, but also employees, creditors, suppliers,
consumers, regulatory bodies and state agencies, and the local community in which a
company operates. Some commentators also include consideration of the
environment as an important entry on the list of stakeholders.

The Role of Stakeholders

The role of stakeholders in governance has been debated in the past, with some
arguing that stakeholders have no claim on the enterprise other than those specifically
set forth in law or contract. Others have argued that companies fulfill an important
social function, have a societal impact and, accordingly, must act in the broad interests
of society. This view recognizes that companies should, at times, act at the expense
of shareholders. Interestingly, there is a consensus that modern companies cannot
effectively conduct their businesses while ignoring the concerns of stakeholder groups.
However, there is also agreement that companies which consistently place other
stakeholder interests before those of shareholders cannot remain competitive over the
long run.

History of Corporate Governance

The first well-documented failure of governance was the South Sea Bubble in the
1700s, which revolutionized business laws and practices in England. Similarly, much
of the securities law in the U.S. was put in place following the stock market crash of
1929.

The history of corporate governance has also been punctuated by a series of well-
known company failures. The early 1990s saw the Maxwell Group raid the pension
fund of the Mirror Group of newspapers and witnessed the collapse of Barings Bank.
The new century likewise opened with a bang: the spectacular collapse of Enron
in the U.S., the near-bankruptcy of Vivendi Universal in France, the scandal at
Parmalat in Italy, the trading fraud which hit Société Générale and, most recently,
the Madoff multi-billion dollar Ponzi scheme make other scandals pale in comparison.


Each of these corporate failures, often occurring as a result of incompetence or
outright fraud, was swiftly met by new governance frameworks, most notably the many
national corporate governance codes, the Sarbanes-Oxley Act and the current trend
towards imposing stricter regulatory oversight on banking and financial activities in
various countries.

It is fair to say that, although there is still plenty of room for improvement, the legal and
regulatory framework on corporate governance has changed and improved
dramatically in recent years. As a result of past events, the following laws and
regulations, among others, took effect:
(i) the Law on Foreign Investment in 1987, its amendments in 2000 and its
later unification with the Law on Enterprises and the Law on Investment in
2005,
(ii) the Law on Enterprises in 1999, and its amendments in 2005,
(iii) the Law on State Bank in 1997; the Law on Credit Institutions of 1997 and
the amendments to both laws in 2003 and 2004, respectively, and the
replacements of both laws in June 2010,
(iv) the Law on Insurance Business in 2000,
(v) the Competition Law in 2004, and
(vi) the Law on Securities in 2006.
These are but some examples of the many positive changes to the legal and
regulatory framework.

THE INTERNATIONAL SCOPE OF GOOD CORPORATE GOVERNANCE

Numerous codes of best practices and corporate governance principles have been
developed over the last 10 years. Worldwide, more than 200 codes have been written
in some 72 countries and regions. Most of these codes focus on the role of the
Supervisory Board or Board of Directors in a company. A handful are international in
scope.

Among these, only the OECD Principles address both policymakers and businesses,
and focus on the entire governance framework (shareholder rights, stakeholders,
disclosure and board practices). The OECD Principles have gained worldwide
acceptance as a framework and reference point for corporate governance. Published
in 1999 and revised in 2004, they were developed to provide principle-based guidance
on good governance.
The OECD corporate governance framework is built on four core values:
• Fairness: The corporate governance framework should protect shareholder
rights and ensure the equitable treatment of all shareholders, including minority
and foreign shareholders. All shareholders should have the opportunity to
obtain effective redress for violations of their rights.
• Responsibility: The corporate governance framework should recognize the
rights of stakeholders as established by law, and encourage active co-operation
between corporations and stakeholders in creating wealth, jobs, and the
sustainability of financially sound enterprises.


• Transparency: The corporate governance framework should ensure that
timely and accurate disclosure is made on all material matters regarding the
company, including its financial situation, governance structure, performance
and ownership.
• Accountability: The corporate governance framework should ensure the
strategic guidance of the company, the effective monitoring of management by
the Board, and the Board’s accountability to the company and shareholders.

Many national corporate governance codes have been developed based on the OECD
Principles. For instance, the CG Regulations state that (i) they were developed to “. .
. help ensuring the sustainable development of the securities market and contributing
to a cleaner and healthier economy”, that (ii) “[The] regulations set out the basic rules
of corporate governance with a view to protecting legitimate rights and obligations of
shareholders, establishing standards for professional acts and morality of the
directors, the Board of Directors, the Supervisory Board and the managers of the listed
company”, and that (iii) “the regulations also serve as the basis for assessing the
implementation of corporate governance of a listed company”.

Although they represent a good start in the right direction, the CG Regulations are
much simpler in form in comparison to other national codes of corporate governance.
The OECD Principles can serve as an excellent reference point for international
practices and are recommended reading for those interested in understanding some
of the principles that underlie national standards.

THE BUSINESS CASE FOR CORPORATE GOVERNANCE

Good corporate governance is important on a number of different levels. At the
company level, well-governed companies tend to have better and cheaper access to
capital, and tend to outperform their poorly governed peers over the long-term.
Companies that insist upon the highest standards of governance reduce many of the
risks inherent to an investment in a company. Companies that actively promote robust
corporate governance practices need key employees who are willing and able to
devise and implement good corporate governance policies. These companies will
generally value and compensate such employees more than their competitors that are
unaware of, or ignore, the benefits of these policies and practices. Such companies,
in turn, tend to attract more investors who are willing to provide capital at lower cost.

Generally, well-governed companies are better contributors to the national economy
and society. They tend to be healthier companies that add more value to shareholders,
workers, communities, and countries in contrast with poorly governed companies that
may cause job and pension losses, and even undermine confidence in securities
markets.


Levels and Potential Benefits of Good Corporate Governance

Source: IFC, March 2004

1.) Stimulating Performance and Improving Operational Efficiency

There are several ways in which good corporate governance can improve
performance and operational efficiency. An improvement in the company’s
governance practices leads to an improvement in the accountability system,
minimizing the risk of fraud or self-dealing by the company’s officers. Accountable
behavior, combined with effective risk management and internal controls, can bring
potential problems to the forefront before a full-blown crisis occurs. Corporate
governance improves the management and oversight of executive performance, for
example by linking executive remuneration to the company’s financial results. This
creates favorable conditions not only for planning the smooth succession and
continuity of the company’s executives, but also for sustaining the company’s long-
term development.

Adherence to good corporate governance standards also helps to improve the
decision-making process. For example, managers, directors and shareholders are all
likely to make more informed, quicker and better decisions when the company’s
governance structure allows them to clearly understand their respective roles and
responsibilities, as well as when communication processes are regulated in an
effective manner. This, in turn, should significantly enhance the efficiency of the
financial and business operations of the company at all levels. High quality corporate
governance streamlines all the company’s business processes, and this leads to better
operating performance and lower capital expenditures, which, in turn, may
contribute to the growth of sales and profits with a simultaneous decrease in capital
expenditures and requirements.

An effective system of governance practices should ensure compliance with applicable
laws, standards, rules, rights, and duties of all interested parties. Furthermore, it
should allow companies to avoid costly litigation, including costs related to shareholder
claims and other disputes resulting from fraud, conflicts of interest, corruption and
bribery, and insider trading. A good system of corporate governance will facilitate the
resolution of corporate conflicts between minority and controlling shareholders,
executives and shareholders, and between shareholders and stakeholders. Also,
company officers will be able to minimize the risk of personal liability.

2.) Improving Access to Capital Markets

Corporate governance practices can determine the ease with which companies are
able to access capital markets. Well-governed firms are perceived as investor friendly,
providing greater confidence in their ability to generate returns without violating
shareholder rights.

Good corporate governance is based on the principles of accessibility, accuracy,
completeness, efficiency, timeliness and transparency of information at all levels. With
the enhancement of transparency in a company, investors benefit from being provided
with an opportunity to gain insight into the company’s business operations and
financial data. Even if the information disclosed by the company is negative,
shareholders will benefit from the decreased risk of uncertainty.

Of particular note is the observable, if recent, trend among investors to include
corporate governance practices as a key decision-making criterion in investment
decisions. The better the corporate governance structure and practices, the more likely
that assets are being used in the interest of shareholders and not being tunneled or
otherwise misused by managers.

3.) Lowering the Company’s Cost of Capital and Raising the Value of Assets

Companies committed to high standards of corporate governance are typically
successful in obtaining reduced costs when incurring debt and financing for
operations. As a result, they are able to decrease their capital costs. The cost of capital
depends upon the level of risk assigned to the company by investors - the higher the
risk, the higher the cost of capital. These risks include investor rights violations. If
investor rights are adequately protected, the cost of equity and debt capital may
decrease. It should be noted that investors providing debt capital, i.e. creditors, have
recently tended to include a company’s corporate governance practices (for example,
a transparent ownership structure and appropriate financial reporting) as a key
criterion in their investment decision-making process. Thus, the implementation of a
good corporate governance system should ultimately result in the company paying
lower interest rates and receiving longer maturity on loans and credits.

The level of risk and cost of capital also depend on a country’s economic or political
situation, institutional framework and enforcement mechanisms. Corporate
governance at a particular company thus plays a crucial role in emerging markets,
which often do not have as good a system of enforcing investors’ rights as countries
with developed market economies.


4.) Building a Better Reputation

In today’s business environment, reputation has become a key element of a
company’s goodwill. A company’s reputation and image effectively constitute an
integral, if intangible, part of its assets. Good corporate governance practices
contribute to and improve a company’s reputation. Thus, those companies that respect
the rights of shareholders and creditors, and ensure financial transparency and
accountability, will be regarded as being an ardent advocate of investors’ interests. As
a result, such companies will enjoy more public confidence and goodwill.

This public confidence and goodwill can lead to greater trust in the company and its
products, which in turn may lead to higher sales and, ultimately, profits. A company’s
positive image or goodwill is known to play a significant role in the valuation of a
company. Goodwill in accounting terms is the amount that the purchase price exceeds
the fair value of the acquired company’s assets. It is the premium one company pays
to buy another.

THE GOVERNANCE STRUCTURE

Mandatory and Voluntary Governing and other Bodies

Source: Corporate Governance Manual (2nd Edition)

The General Meeting of Shareholders (GMS)
The GMS of a joint stock company is the highest decision-making body in the
company. All ordinary shareholders have the right to participate in the GMS and have
the number of votes corresponding to the respective ordinary shares held by them.
The GMS normally makes decisions only on major issues affecting the company. The
GMS approves nominations for the Board of Directors and Supervisory Board
membership. In addition, it approves the annual report and the financial statements,
the distribution of profits and losses (including the payment of dividends), amended
charter capital, amendments of the charter, re-organization and dissolution, and
extraordinary transactions.

The Board of Directors

The Board of Directors plays a central role in the corporate governance framework.
The Board of Directors is responsible for guiding and setting the company’s strategy
and business priorities, including the annual financial and business plan, as well as
guiding and controlling managerial performance. It acts in the interests of the
company, protects the rights of all shareholders, oversees the work of the General
Director and the Executive Board, as well as financial control systems. An effective,
professional, and independent Board of Directors is essential for the implementation
of good corporate governance practices.

The Executive Bodies

a) The General Director
Every company must have a General Director (or director) who is responsible for day-
to-day management of the company. The General Director is the legal representative
of the company unless the company charter appoints the Chairman of the Board of
Directors to this position. The General Director is accountable to the Board of
Directors. Legislation, the charter and internal regulations, and the contract signed
between the General Director and the company regulate the authority and election of
the General Director, as well as relations with other governing bodies.
b) The Executive Board
The Executive Board is composed of the General Director and the top executives of
the company. It may be referred to as a “board of management”, “managerial board”,
“executive team”, “directorate” or “collective executive body” among other terms. A
listed joint stock company is required to establish an Executive Board. The Executive
Board is responsible for the day-to-day management of the company and carries out
the decisions set by the Board of Directors.

Board Committees
Board Committees are provided for by CG Regulations which are applicable to listed
companies. CG Regulations recommend the establishment of certain Board
Committees such as an Audit Committee, Development Policy Committee, Human
Resources Committee and Remuneration Committee. The primary task of these
committees is to assist the Board of Directors’ functions. The discussion in this Manual
as to the authority, composition, and functions of individual Board Committees is
mostly based on recommendations of the CG Regulations and best practices.

The External Auditor
For listed companies, the External Auditor is a separate body of the company, elected
by the GMS within the list of auditors authorized by the MOF to conduct the audit of
financial statements of listed companies, prepare the report of the auditor and submit
to the Board of Directors. The External Auditor is permitted to attend all shareholder
meetings, receive notices and information in relation to the shareholder meetings and
speak at the shareholder meetings regarding audit-related matters.

The Supervisory Board

Non-listed joint stock companies with more than 11 shareholders or one institutional
shareholder holding more than a 50% shareholding and listed companies are
obligated to establish a Supervisory Board, the purpose of which is to carry out internal
control procedures on a daily basis. The Supervisory Body should be independent of
the Board of Directors and Executive Board. The Supervisory Body reports directly to
the GMS.

The Internal Auditor

The role of Internal Auditing is increasingly becoming more important in strengthening
corporate governance of many public and listed companies. An effective Internal Audit
function plays a key role in assisting the Board (or equivalent body) to discharge its
governance responsibilities.

The Corporate Secretary

It is mandatory for a listed company to appoint one (or more) Corporate Secretary.
The main tasks of the Corporate Secretary are to organize the meetings of the GMS,
Board of Directors and Supervisory Board and to ensure that Board of Directors’
resolutions are in compliance with law. The Corporate Secretary is responsible for
keeping the book of shareholders, preparing and recording the minutes of all
meetings of shareholders, the Board of Directors, and the Supervisory Board, and
keeping the minutes of all meetings of these corporate bodies and other documents
as permanent records in accordance with the law and the charter of the company.
The Corporate Secretary is required to keep all information of the company
confidential.

Self-Help: Reference used for this topic

• Corporate Governance Manual (Second Edition)

Let’s Analyze – ULO C

Group Activity: The class will be divided into six groups, and each group will be
assigned a case to research. Identify, answer and discuss the following:

(1) The background of the case you will be handling, such as the type of business or
industry, the location, who were involved and the sequence of events.
(2) Explain what happened, and cite the inappropriate actions/ decisions made by
management that resulted in the reputational damage and bankruptcy in the case
you have studied.
(3) How was the case discovered?
(4) If you were the management, what should have been done to avoid the
unfavorable events from happening?
(5) Were there any laws/ regulations established because of what happened? If
none, did the organization’s management violate any existing law?

The cases, which were mentioned in the essential knowledge, are as follows:
(1) South Sea Company in 1700s
(2) 1929 US Stock Market Crash
(3) Maxwell Group and Mirror Group in 1990s
(4) Vivendi Universal in France
(5) Parmalat Scandal
(6) Trading Fraud in Société Générale

Perform the following:

A. Do research and answer as a group, and organize your answers in a Word file
containing what you have gathered and your analysis as a group.
B. Present and discuss your research and answers by preparing a PowerPoint
presentation. Have each slide of the presentation contain your main point only,
and keep it brief and concise.
C. Submit both the Word file and the PowerPoint presentation through the LMS.

In a Nutshell

Discuss what you have learned about why corporate governance is important in an organization.
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________

Question & Answer

Questions / Issues | Answers
1. |
2. |
3. |

Keywords Index
Control | Audit | Computer Forensic Audit
Control Objectives | Compliance Audit | Functional Audit
Control Measures | Financial Audit | Governance
Control Weakness | Operational Audit | Corporate Governance
Policy | Integrated Audit | Stakeholders
Procedure | Administrative Audit | Organization for Economic Cooperation and Development (OECD)
Control Practices | Specialized Audit |

COURSE SCHEDULE
ACTIVITY | DUE DATE | WHERE TO PASS
Week 6-7: ULOa&b – Let’s Check | | BlackBoard LMS
Week 6-7: ULOa&b – Let’s Analyze | | BlackBoard LMS
Week 6-7: ULOc – Let’s Analyze | | BlackBoard LMS
Week 6-7: ULOc – In A Nutshell | | BlackBoard LMS
THIRD FORMATIVE ASSESSMENT | February 26, 2021 | BlackBoard LMS

Week 8 - 9: Unit Learning Outcomes (ULO): at the end of the unit, you are expected
to
A. Discuss the concept of Internal Control Framework and introduction to risk management,
its phases and process.
B. Discuss thoroughly the ERM Framework and how the enterprise risk management is
implemented.

Week 8-9 Big Picture in Focus:

ULO a. Discuss the concept of Internal Control Framework and introduction to Risk
Management, its phases and process.

Metalanguage
Committee of Sponsoring Organizations of the Treadway Commission (COSO) – is a
joint initiative of the five private sector organizations (i.e., AICPA, IIA, FEI, AAA and IMA) and
is dedicated to providing thought leadership through the development of frameworks and
guidance on enterprise risk management, internal control and fraud deterrence.

Treadway Commission Report – issued in 1987, includes the recommendations to
management, board of directors, the public accounting profession, and others.

Internal Control – a process, affected by an entity’s board of directors, management, and
other personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

SOX (Sarbanes-Oxley Act) – also known as the SOX Act of 2002 and the Corporate
Responsibility Act of 2002; a federal law that established sweeping auditing and financial
regulations for public companies.

Risk Assessment – a process used to identify and evaluate risk and its potential effects

Essential Knowledge
History of COSO
Back in the 1970s, several major corporations suffered a financial collapse even
though their recently published audited financial reports showed adequate earnings
and good financial health. Some of the failures were caused by fraudulent financial
reporting, but most of these companies turned out to be victims of the high inflation and
resultant high interest rates of that period. It was not uncommon for companies that
failed to have issued fairly positive annual reports despite the bad news about to come.
A private professional group called the National Commission on Fraudulent Financial
Reporting was formed to study the issue. Five U.S. professional
financial organizations sponsored this National Commission: the American Institute of
Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), the
Financial Executives Institute (FEI), the American Accounting Association (AAA), and
the Institute of Management Accountants (IMA). Named after its chair, SEC
Commissioner James C. Treadway, the authority adopted as its official name The
Committee of Sponsoring Organizations of the Treadway Commission. Today, that
group has become known by its acronym name, COSO.
The Treadway Commission Report, COSO’s first report released in 1987, emphasized
the key elements of an effective system of internal controls, including a strong control
environment, a code of conduct, a competent and involved audit committee, and a
strong management function.

THE COSO INTERNAL CONTROL FRAMEWORK


1. Control Environment - An enterprise’s control environment influences how business
activities are structured and risks assessed in an enterprise. It serves as a foundation for all
other components of internal control and has an influence on each of the three internal control
objectives and all activities. The control environment reflects the overall attitude, awareness,
and actions by the board of directors, management, and others regarding the importance of
internal controls in the enterprise.
The control environment factors are as follows:

a. Integrity and Ethical Values – the essential elements of the control environment,
often defined and communicated through senior management ‘‘tone at the top’’
messages.
b. Commitment to Competence – the enterprise should specify required competence
levels for its job tasks and translate those requirements into necessary levels of
knowledge and skill.
c. Board of Directors and the Audit Committee – SOX requires audit committees to
consist of independent, outside directors.
d. Management’s Philosophy and Operating Style – these are all part of the enterprise
control environment. Managers and others responsible for assessing internal controls
should understand these factors and take them into consideration when installing and
establishing an effective system of internal controls.
e. Organization Structure – provides a framework for planning, executing, controlling,
and monitoring activities for achieving overall objectives.
f. Assignment of Authority and Responsibility – assignment of authority is essentially
the way responsibilities are defined in terms of job descriptions and structured in terms
of enterprise charts.
g. Human Resources Policies and Practices – cover such areas as hiring, orientation,
training, evaluating, counseling, promoting, compensating, and taking appropriate
remedial actions.

2. Control Risk Assessment – the risk-assessment process can be either a formal
quantitative process or a less formal approach, but there should be at least a minimum
understanding of the risk assessment process. This risk-assessment process should be
performed at all levels and for virtually all activities within the enterprise. The COSO internal
controls framework describes risk assessment as a three-step process:

• Estimate the significance of the risk.
• Assess the likelihood or frequency of the risk occurring.
• Consider how the risk should be managed and assess what actions must be taken.

3. Other COSO Internal Control Components and Activities – the other internal elements
of control activities, information and communications, and monitoring also are very important
for understanding the overall COSO internal control framework.
Internal controls and enterprise risk management each take a different perspective to
understanding and evaluating activities in an enterprise. While COSO internal controls focus
on an enterprise’s daily activities, enterprise risk management focuses on activities that an
enterprise and its managers may or may not do.

GOVERNANCE, RISK AND COMPLIANCE (GRC)

[Figure: The GRC Concept. Source: COSO Enterprise Risk Management: Establishing Effective Governance, Risk and Compliance Processes]

To differentiate, the corporate governance discussed previously focuses more on the
relationships among the many stakeholders involved in the enterprise and the goals
for which the enterprise is governed. As also discussed and defined previously, the principal
stakeholders are the shareholders, the board of directors, employees, customers, creditors,
suppliers, and the community at large.
Enterprise governance is a multifaceted subject, and an important theme is to ensure the
accountability of certain individuals in an enterprise through mechanisms that try to reduce or
eliminate the conflicts that will exist between their overall goals and individual stakeholders’
self-interest. In many enterprise activities, there is a continuing need to focus any governance
system on economic efficiency along with a strong emphasis on shareholder and stakeholder
welfare.
Currently, enterprises need to establish policies to effectively handle their governance issues
as well as a culture that allows them to build an effective system of governance.
The last component of GRC, compliance, is either a state of being in accordance with
some established guidelines, specifications, or legislation or the process of becoming so.

The RISK MANAGEMENT FUNDAMENTALS


Enterprises and individuals today face a wide variety of risks and need some help and tools
to sort through all of these in order to make more rational cost and risk-related
decisions. This is the process of risk management. While many in business today just
informally assess an area as high, medium, or low risk and then make quick insurance or risk
protection decisions based on those options, others use more sophisticated qualitative or
quantitative tools to help them understand and evaluate risks.
This risk management process should be enterprise-wide, involving people at all levels and in
all enterprise units. While a larger enterprise may want to organize a specialized team of risk
management professionals, smaller enterprises also should designate people to be
responsible for managing their enterprise-wide risk assessment process. Whether through a
formal risk management function or an ad hoc risk management effort, enterprise risk
management should involve a wide range of people at various organization levels.
There is a four-step risk management process that should be implemented at all levels of the
enterprise and with the participation of many different people. Whether for a smaller enterprise
with few facilities within a limited geographic area or a large global enterprise, common risk
management approaches should be developed.
1. Risk Identification
Management should endeavor to identify all possible risks that may impact the success
of their enterprise, ranging from the larger or more significant risks to the overall business
down to less major risks associated with individual projects or smaller business units.

A good way to launch an enterprise-wide risk identification process is to begin with a high-
level enterprise chart that lists corporate-level facilities as well as operating units. Each of
those units may have facilities in multiple global locations and also may consist of multiple
and different types of operations. Each separate facility will then have its own departments
or functions. Some of these separate facilities may be closely connected to one another
while others represent little more than corporate investments. Although a difficult and
sometimes complicated task, an enterprise-wide initiative should be launched to identify all
potentially significant risks in various individual areas. This type of exercise can yield
interesting and/or even troubling results. For example, the corporate level may be aware of
some product liability risks, but a front-line supervisor in an operating unit may look at the
same risks from an entirely different perspective.

The management may opt to identify people at all levels of the enterprise who would be
asked to serve as risk assessors. Within each significant operating unit, key people should
be identified from operations, finance/ accounting, IT, and unit management. Their goal
would be to identify and then help assess risks in their units built around a risk
identification model framework. This is the type of initiative that can be led by an
enterprise-wide risk management group, if one exists, or an internal controls assessment
function such as internal audit.

An effective approach here is to outline some high-level ‘‘straw man’’ risk areas that may
impact various operating units. Knowledgeable people can then look at these hypothetical
risks and expand or modify them as appropriate.

[Figure: Sample types of Enterprise Business Risks]

The ERM team should review all of the risks identified from the group brainstorming session
and then subsequently designated as core risks. Because of the ongoing discussion and
analysis associated with this process, there may have been some changes to the original set
of risks as identified. This final set of identified enterprise risks by the overall enterprise and
by specific operating units should be shared with responsible operating and financial
management as well as with the teams that participated in the brainstorming sessions. Any
corrections should be made as appropriate prior to assessing them.

The results of the risk identification brainstorming sessions should then be shared with other
units who did not have the opportunity to participate in the original sessions. The results of
the identified risks should be expanded throughout the enterprise.
2. Quantitative or Qualitative Assessment of Risks
Having identified the significant risks impacting the enterprise at various levels, the next step is
to assess them for their likelihood and relative significance. This is particularly important for
risks identified through quick-response brainstorming techniques. What sounded good in a
quick-response group session may not appear as serious when reduced to a relative
significance type of analysis. A variety of approaches can be used here, ranging from a
relatively quick best-guess qualitative assessment to detailed, very mathematical
quantitative approaches. The whole idea is to help management better decide which
of a series of potentially risky events should cause the most concern.
One simple approach to assessing the risks is to ask the participants the following questions
about each of the risks:
- What is the likelihood of this risk occurring over the next one-year period? Using a
score of 1 to 9, assign a best-guess single-digit score as follows:
o Score 1 if you see almost no chance of that risk happening during the period.
o Score 9 if you feel the event will almost certainly happen during the period.
o Score 2 through 8 depending on where you feel the likelihood falls between
these two extremes.

- What is the significance of the risk, in terms of cost to the enterprise?

Questionnaires for this simplified approach should be independently circulated to
knowledgeable people to rate or score each of the identified risks per these two measures. As
an example, assume that an enterprise has identified six risks, R-1 through R-6. For each of
these risks, a team of four people could be asked to separately evaluate each risk in terms of
likelihood and significance. These scores are then averaged by both factors and are plotted
on a risk assessment analysis chart as shown below.

[Figure: Risk Assessment Analysis Chart]

Probability and Uncertainty

Risks essentially never have a zero chance or 100 percent chance of occurring. The joint
probability of two independent events, for example, is the product of the separate probabilities.
Probability (Risk #1) x Probability (Risk #2) = Probability (Both Risks)
So if risk #1 has a 0.75 probability, while risk #2 has 0.55, the combined probability of both
events is (0.75) x (0.55) = 0.4125.
This means that, given the estimated probabilities of these two independent risks, there is a
41.25% chance that both risks will occur.

Risk Interdependencies
The risk interdependencies must be considered and evaluated throughout the enterprise
structure. Any entity should be concerned about risks at all levels of the enterprise but only
really has control over the risks within its own sphere. Each operating unit is responsible for
managing its own risks but may be subject to the consequences of risk events on units above
or below in the enterprise structure. Every operating unit of an enterprise should realize that
whatever risks that local unit is accepting may impact other units in the enterprise.

3. Risk Prioritization and Response Planning

The enterprise should establish significance and likelihood estimates, calculate risk rankings,
and identify the most significant risks across the entity reviewed.

Risk Score = Probability x Likelihood

The risk scores of the items are then ranked from the highest risk score to the lowest. As we
can see in the formula above, there are two risk drivers, which will also be the basis when
plotting on the risk analysis chart.
Quantitative Risk Analysis : Expected Values and Response Planning

The idea is to estimate the cost impact of incurring some identified risk and then to apply that
cost to the risk factor probability of the risk to derive an expected value of the risk. This is also
an important time to identify each risk owner, the person or entity responsible for recognizing
and monitoring the status of a specific risk. These estimates should be made by knowledgeable
people with a general understanding of the risk areas. Expected cost estimates also should be
prepared by front-line people at various levels of the enterprise who would be expected to
have a good level of knowledge of the area or risk implications.
For example, typical risks and ways to think about replacement costs include the following:

• Risk A: Loss of up to x percent market share due to changing consumer tastes.
o What will be the reduction in sales and loss of profits due to the x percent drop?
o How much will it cost to begin to restore market position?
• Risk B: Temporary loss of major Florida-based manufacturing facility for up to x days
due to hurricane.
o What are best- and worst-case estimates to get the plant temporarily repaired
and back in operation within x days?
o What will be the extra labor and material costs incurred during the interim?
• Risk C: Loss of total information system for two days due to pernicious computer
system virus.
o How much business and profitability will be lost during the down period?
o What will be the cost to transfer operations to the business continuity site over
the period?

The answers to these questions may not be precise but are only estimated costs. There often
is no need to perform detailed, time-consuming analyses here; rather, ask knowledgeable
people who understand the risk area to give some estimates. It is suggested to use four
estimates as a starting point to get some idea of the ranges of costs in various people’s
thinking. However, one best-guess estimate should be selected from the four estimates,
usually something between estimates 2 and 3. These estimates and supporting work should
be documented, and the selected cost estimate should be entered as the cost impact in the
risk-response planning.
Sample table of risk score and expected value of cost computation.

Identified Risk | Probability Percentage | Likelihood | Risk Score | Ranking | Cost Impact | Expected Value of Cost (Cost Impact x Risk Score)
C | 0.88 | 0.24 | 0.21 | 1 | Php 12,650 | Php 2,671.68
A | 0.66 | 0.20 | 0.13 | 2 | Php 88,760 | Php 11,538.80
B | 0.12 | 0.88 | 0.11 | 3 | Php 98,660 | Php 10,852.60
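As an added worked example (not from the manual or from Moeller’s book), the following Python script carries the arithmetic of this unit through in code: averaging the 1-to-9 questionnaire scores of several raters, the joint probability of two independent risks, Risk Score = Probability x Likelihood with ranking from highest to lowest, and Expected Value of Cost = Cost Impact x Risk Score, using the table’s figures for risks A, B and C. The rater scores for R-1 are constructed; the script keeps the risk score unrounded, so the expected values for A and B differ slightly from the table, which multiplies by the score rounded to two decimals.

```python
"""Added worked example (not from the manual): the risk-scoring steps of this unit.

Steps covered:
  1. average the 1-9 questionnaire scores given by several raters (chart input);
  2. joint probability of two independent risk events (product rule);
  3. Risk Score = Probability x Likelihood, ranked from highest to lowest;
  4. Expected Value of Cost = Cost Impact x Risk Score.
"""
from dataclasses import dataclass
from statistics import mean


def average_scores(ratings):
    """Mean of the 1-9 questionnaire scores that several raters gave one risk.

    Each rater gives a single-digit best guess: 1 = almost no chance of the
    event in the period, 9 = almost certain, 2-8 in between (manual's scale).
    """
    if not ratings:
        raise ValueError("at least one rating is required")
    for r in ratings:
        if not isinstance(r, int) or not 1 <= r <= 9:
            raise ValueError(f"rating {r!r} is not an integer from 1 to 9")
    return mean(ratings)


def joint_probability(p1, p2):
    """Probability that two INDEPENDENT risk events both occur: p1 * p2.

    Valid only for independent events; interdependent risks need a joint
    model, which the product rule would mis-state.
    """
    for p in (p1, p2):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability {p} must lie between 0 and 1")
    return p1 * p2


@dataclass
class Risk:
    name: str
    probability: float  # manual's first risk driver, 0-1 scale
    likelihood: float   # manual's second risk driver, 0-1 scale
    cost_impact: float  # selected best-guess cost estimate, in Php

    @property
    def risk_score(self):
        """Risk Score = Probability x Likelihood, kept unrounded."""
        return self.probability * self.likelihood

    @property
    def expected_value(self):
        """Expected Value of Cost = Cost Impact x Risk Score."""
        return self.cost_impact * self.risk_score


def rank_risks(risks):
    """Return (rank, risk) pairs ordered from highest to lowest risk score."""
    ordered = sorted(risks, key=lambda r: r.risk_score, reverse=True)
    return [(position + 1, r) for position, r in enumerate(ordered)]


def build_risk_table(risks):
    """Rows of (rank, name, risk_score, expected_value) for the ranked risks."""
    return [(rank, r.name, round(r.risk_score, 4), round(r.expected_value, 2))
            for rank, r in rank_risks(risks)]


# Constructed questionnaire data: four raters scoring the likelihood of risk R-1
R1_LIKELIHOOD_RATINGS = [7, 8, 6, 7]

# Inputs taken from the manual's sample table (risks A, B and C)
SAMPLE_RISKS = [
    Risk("C", 0.88, 0.24, 12_650),
    Risk("A", 0.66, 0.20, 88_760),
    Risk("B", 0.12, 0.88, 98_660),
]


if __name__ == "__main__":
    print(f"R-1 mean likelihood rating: {average_scores(R1_LIKELIHOOD_RATINGS):.2f}")
    print(f"P(both risks) for 0.75 and 0.55: {joint_probability(0.75, 0.55):.4f}")
    print("rank  risk  score   expected value (Php)")
    for rank, name, score, ev in build_risk_table(SAMPLE_RISKS):
        print(f"{rank:>4}  {name:>4}  {score:.4f}  {ev:>12,.2f}")
```

The ranking follows the risk score (C, A, B) exactly as in the table, while the expected value orders the same risks differently (A highest), which is why the manual treats both as separate inputs to response planning.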

4. Risk Monitoring

Tools and facilities should be in place to monitor for the identified risks possibly occurring. A
smoke detector fire alarm is an example, although most risk-related monitoring requires a wide
series of special reports, established and measurable standards, and a diligent human
resources function. The idea is to keep ahead and to reenter these prior risk management
steps as necessary.

Self-Help: Reference used for this topic

• COSO Enterprise Risk Management (Establishing Effective Governance, Risk and Compliance
Processes), 2nd Edition – Robert R. Moeller (John Wiley & Sons, Inc.)

Big Picture in Focus:

ULO b. Discuss thoroughly the ERM Framework and how the
enterprise risk management is implemented.

Metalanguage
Enterprise Risk Management – a process, effected by an entity’s board of
directors, management and other personnel, applied in a strategy setting and across
the enterprise, designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.

Risk Analysis – a process by which the frequency and magnitude of IT risk scenarios
are estimated; it comprises the initial steps of risk management: analyzing the value of
assets to the business, identifying threats to those assets and evaluating how
vulnerable each asset is to those threats.

Risk Treatment/ Risk Response – the process of selection and implementation of
measures to modify risk.

Risk Mitigation – the management of risk through the use of countermeasures and
controls

Risk Transfer /Sharing – the process of assigning risk to another enterprise, usually
through the purchase of an insurance policy or by outsourcing the service

Risk appetite – the amount of risk, on a broad level, that an enterprise and its
individual managers are willing to accept in their pursuit of value. Risk appetite can
be measured in a qualitative sense by looking at risks in such categories as high,
medium, or low; alternatively, it can be defined in a quantitative manner.

Essential Knowledge
COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK
COSO ERM is a framework that helps enterprises to have a consistent definition of
what is meant by enterprise-level risk and to consider those risks across an entire
enterprise in a consistent manner. An advisory council of members from the
sponsoring organizations was formed and PricewaterhouseCoopers (PwC) was
contracted to develop and draft the framework description. A draft version of the ERM
framework was released for comment in mid-2003 with the final version published in
September 2004. We will discuss in this topic some of the concepts in the ERM
Framework. A full copy of COSO ERM can either be downloaded or purchased
through the AICPA or the COSO website (www.coso.org).
The COSO ERM includes the following:
• ERM is a process, not a static procedure, but rather a more flexible
arrangement. An enterprise often cannot define its risk management rules
through a small, tightly organized rule book. Rather, there should be a series
of documented steps to review and evaluate potential risks and to take action
based on a wide range of factors across the entire enterprise.
• ERM processes are implemented by people in the enterprise.
• ERM is applied by setting strategies across the overall enterprise. An
effective ERM should play a major role in helping to establish those
alternative strategies.
• Concepts of risk appetite must be considered.
• ERM provides only reasonable, not positive assurance on objective
achievements.
• It is designed to help attain the achievement of objectives, in terms of achieving
and maintaining a positive reputation within an enterprise’s business and
consumer communities, providing reliable financial reporting to all
stakeholders, and operating in compliance with laws and regulations.

[Figure: The COSO ERM Framework]

The illustration above shows the three-dimensional cube of COSO ERM Framework
components. Basically, the four vertical columns represent the strategic objectives
of enterprise risk, the eight horizontal rows are the risk components, while the other side
are the multiple levels of the enterprise. We will be discussing here the horizontal
components of the ERM Framework.

A. Internal Environment
Unlike the previous discussion on the COSO Internal Control Framework, the Internal
Environment here is placed at the top of the components in the framework. While the
control environment for COSO internal controls focused on current practices in place,
such as human resource policies and procedures, ERM takes these same areas and
looks at them in a more future-oriented, philosophy-oriented approach. The ERM internal
environment component consists of the following elements:
1. Risk Management Philosophy -- a set of shared attitudes and beliefs that will
tend to characterize how the enterprise considers risk in everything it does.
2. Risk Appetite
3. Board of Directors’ Attitudes -- the board has a very important role in overseeing
and guiding an enterprise's risk environment. The independent, outside directors
in particular should closely review management actions, ask appropriate
questions, and serve as a check and balance control for the enterprise.
4. Integrity and Ethical Values -- There should be a strong corporate culture
here that guides the enterprise at all levels in helping to make risk-based
decisions.
5. Commitment to Competence
6. Organizational Structure – a poorly constructed enterprise structure makes it
difficult to plan, execute, control, and monitor activities.
7. Assignments of Authority and Responsibility
8. Human Resource Standards

B. Objective Setting
This component outlines some necessary preconditions that must be established before
management can establish an effective enterprise risk management process. It also
states that an enterprise must establish a series of strategic objectives covering its
operations, reporting, and compliance activities. These strategic objectives are high-
level goals that should be aligned with an enterprise’s mission or vision. COSO
ERM also suggests formally defining goals with a direct linkage to the mission
statement.

C. Event Identification

It refers to incidents or occurrences, internal or external to an enterprise, that affect
the implementation of the ERM strategy or the achievement of its objectives. There
are factors to be considered in event identification component.
1. External Economic Events – external events also need to be monitored
in order to help achieve an enterprise’s ERM objectives.
2. Natural Environmental Events – floods or earthquakes can be identified as
incidents in ERM risk identification. Impacts here may include loss of access
to some key raw material, damage to physical facilities, or unavailability of
personnel.
3. Political Events – new laws and regulations as well as the results of
elections can have significant risk event-related impacts on enterprises.
4. Social Factors – these include demographic changes, social mores, and
other events that may impact an enterprise and its customers over time.
5. Internal Infrastructure Events – enterprises often make benign changes that
trigger other risk-related events. For example, a change in customer service
arrangements can cause major complaints and a drop in customer
satisfaction.
6. Internal Process-related Events – changes in key processes can trigger a
wide range of risk identification events.
7. External and Internal Technological Events

D. Risk Assessment
The risk assessment component is described as being in the center of the framework
and represents the core of COSO ERM. Risk assessment allows an enterprise to
consider the extent of the impact of potential risk-related events on an enterprise’s
achievement of its objectives. We have already discussed in the previous topic the risk
management fundamentals. In addition to that, the risk assessment process should
also consider both the inherent and residual risks.
• Inherent Risk. It is the “potential for waste, loss, unauthorized use, or
misappropriation due to the nature of an activity itself.” Major factors that affect the
inherent risk of any activity within an enterprise are the size of its budget, the
strength and sophistication of the group’s management, and just the very nature
of its activities. Inherent risk is outside the control of management and usually
stems from external factors.
• Residual Risk. This is the risk that remains after management responses to
risk threats and countermeasures have been applied. There will always be
some level of residual risk.

E. Risk Response


After identification and assessment of risk, the next step is to determine how to
respond to these various identified risks. These risk responses can be handled
following any of these four basic approaches:
1. Avoidance – this is a strategy of walking away from the risk—such as selling
a business unit that gives rise to the risk, exiting from a geographic area of
concern, or dropping a product line.
2. Reduction – product line diversification may reduce the risk of too strong a
reliance on one key product line. Splitting an IT operations server center into
two geographically separate locations will reduce the risk of some catastrophic
failures.
3. Sharing – for example, in financial transactions an enterprise can engage in
hedging operations to protect against possible price fluctuations. A common
example of hedging is the investor’s use of put or call options to cover
unexpected stockholding price movements.
4. Acceptance – the strategy is not to act on it.

A strategy to manage each risk may use one or a mix of these four general
strategies. Costs versus benefits should be considered when responding to a potential risk.

F. Control Activities
It is defined as the policies and procedures necessary to ensure that identified risk
responses are carried out. With the selected appropriate risk responses, enterprise
management should select the control activities necessary to ensure that those risk
responses are executed in a timely and efficient manner.
We have previously mentioned the SOx requirement. The major difference between
COSO Internal control procedures under SOx rules and COSO ERM is that an
enterprise is legally required to comply with SOx procedures in order to assert the
adequacy of their internal controls to their external auditors as part of the SEC financial
reporting requirements. There are no such legal requirements with COSO ERM at this
time. Although there is no accepted or standard set of enterprise risk management
control activities at this time, the COSO ERM documentation suggests several areas
as follows:
1. Top-Level Reviews – regular top-level reviews of the status of identified risks
as well as the progress of risk responses.
2. Direct Functional or Activity Management – functional and direct unit managers
should have a key role in risk control activity monitoring.
3. Information Processing
4. Physical controls
5. Performance Indicators


6. Segregation of duties – the concept is, a person who initiates certain actions
should not be the same person who authorizes or approves those actions.

G. Information and Communication


This refers to the process or unit of the framework that links together each of the other
components.
The information flow across the COSO ERM components is illustrated below.
Information and Communication Flows


H. Monitoring
It is necessary to determine that all components of an installed ERM continue to work
effectively. Ongoing and continuous monitoring processes can be an effective method
to flag exceptions or violations in some aspect of the overall ERM process. There are
mechanisms and tools available that act like a dashboard to monitor the status of
certain enterprise risk controls and send warnings when necessary. The following tools
might be used:
→ Process Flowcharting – this involves reviewing the documentation prepared for a
process, determining whether that documentation is still correct given current conditions,
and updating the process flowcharts as appropriate. This update should look
to see whether the identified risks still appear appropriate and whether they
have been identified correctly.
→ Reviews of Risk and Control Materials – ERM process often results in a
large volume of guidance materials, documented procedures, report formats,
and the like. There should be performance of review on these materials.
→ Benchmarking – the term benchmarking here is the process of looking at
other enterprises’ ERM functions to assess their operations and to develop an
approach based on the best practices of others.
→ Questionnaires – can be sent out to designated stakeholders with a
request for specific information. This is a valuable technique for monitoring
when the respondents are scattered geographically, such as a risk-monitoring
survey of employees in a nationwide retail enterprise.
→ Facilitated Sessions – valuable information can often be gathered by
asking selected people to participate in a focus group session led by a skilled
conference leader.
The purpose of this monitoring process is to assess how well the ERM framework is
functioning in an enterprise. Deficiencies should be regularly reported to the managers
responsible for enterprise risks in the specific area monitored as well as to the ERM
or risk management office.
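Segregation of duties (control activity 6 above) is the control; the monitoring component is what surfaces breaches of it. The Python script below is an added illustration, not part of this manual or of Moeller’s book: it runs the rule “the person who initiates a transaction must not be the person who approves it” over a constructed purchase-approval log and produces the kind of exception summary a monitoring dashboard would display. The CSV layout, field names, user IDs and amounts are all assumed for the example.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    """One approved transaction from the (assumed) approval log."""
    date: str
    txn_id: str
    initiator: str
    approver: str
    amount: float


# Constructed sample approval log; names, IDs and amounts are invented.
SAMPLE_LOG = """\
date,txn_id,initiator,approver,amount
2021-03-01,PO-1001,alice,bob,4200
2021-03-01,PO-1002,carol,Carol,15000
2021-03-02,PO-1003,dave,erin,800
2021-03-02,PO-1004,bob,bob,120
2021-03-03,PO-1005,erin,alice,9900
"""


def parse_log(text):
    """Parse CSV approval records. User IDs are normalised (trimmed,
    lower-cased) so that a case or whitespace difference between the
    initiator and approver fields cannot hide a self-approval."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append(Approval(
            date=row["date"],
            txn_id=row["txn_id"],
            initiator=row["initiator"].strip().lower(),
            approver=row["approver"].strip().lower(),
            amount=float(row["amount"]),
        ))
    return records


def find_sod_exceptions(records):
    """Segregation-of-duties rule: the person who initiated a transaction
    must not be the same person who approved it."""
    return [r for r in records if r.initiator == r.approver]


def exception_summary(records):
    """Dashboard-style summary of the SoD exceptions in a batch of records:
    how many were found, which transactions, the total amount that passed
    without independent approval, and which users are involved."""
    exceptions = find_sod_exceptions(records)
    by_user = {}
    for r in exceptions:
        by_user[r.approver] = by_user.get(r.approver, 0) + 1
    return {
        "records_reviewed": len(records),
        "exceptions": len(exceptions),
        "exception_ids": [r.txn_id for r in exceptions],
        "exposed_amount": sum(r.amount for r in exceptions),
        "by_user": by_user,
    }


if __name__ == "__main__":
    summary = exception_summary(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Two of the five constructed records (PO-1002 and PO-1004) violate the rule; note that PO-1002 is only caught because the user IDs are normalised before comparison, which is the kind of detail a review of the control’s implementation should check. In practice the summary would be reported to the manager responsible for the area and to the risk management office, as the monitoring paragraph above describes.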


IMPLEMENTING ERM IN THE ENTERPRISE


In past years, enterprise risk management was structured as a lower-level
department that was often primarily responsible for purchasing insurance and
implementing routine loss prevention programs for certain high-frequency exposures.
That risk management function usually did not receive the respect it deserves
in today’s era of COSO ERM. An effective risk management function today would be
headed by a chief risk officer (CRO), an executive whose responsibility is to ascertain
that enterprise risks are properly understood and translated into meaningful business
requirements, objectives, and metrics.

Roles and Responsibilities of ERM Function


The responsibilities of today’s enterprise risk function have been broadened and
deepened to include regulations, capital markets concerns, financial reporting, the
many issues surrounding globalization, intellectual capital, and, of course, all aspects
of IT.
An enterprise will certainly not have a need for separate risk management functions
for the risk management objectives, risk components and entity and unit level
components. For a public corporation, an enterprise risk management function should
be a senior-level operating unit with authority covering the entire enterprise. For a
larger enterprise with multiple and differing business operations, there may be a need
for separate multiple risk management units, but all should report to a single
responsible risk function headed by a CRO. An enterprise with some very different
business units, such as for consumer lending or legal document processing, may see
some significant risk exposure differences across these two lines of business and may
want to have separate risk management groups to monitor and control the separate
exposures in each. However, each of these groups may follow some similar
procedures and should report up to a central, corporate risk management department
typically led by a CRO.

CRO Responsibilities
Enterprise risk management is usually the responsibility of a CRO, a designated senior
enterprise officer responsible for administering and monitoring the overall enterprise
ERM function.
The major responsibility of the CRO is to manage the process of assessing risks
throughout the enterprise, to implement appropriate corrective actions, and to
communicate risk issues and events to all levels of the enterprise. The CRO should
be responsible for the overall risk management function in an enterprise and should
direct and manage a supporting risk management function. An effective CRO and the
supporting risk management function are similar to the internal audit function. Just as


internal audit has a staff of specialists to review all levels of internal controls and
provide recommendations for corrective actions, an enterprise risk function should
operate in a similar manner. It should monitor the overall risk environment in the
enterprise as well as make recommendations for corrective actions as appropriate.
While an enterprise risk management function may look similar to an internal audit
department, there are some key differences. Internal auditors review internal controls
and make recommendations for improvement but usually take no active role in helping
to implement those recommended changes, unless specifically engaged as internal
consultants. The effective enterprise risk management group, however, should take a
more proactive role in helping to implement the necessary corrective actions. This
often can be a challenging set of roles and tasks for enterprise risk analysts in an
enterprise.

RISK MANAGEMENT POLICIES, STANDARDS, AND STRATEGIES

The ERM function must be managed and communicated to a wide group of
responsible persons throughout the enterprise. The enterprise risk management
function, under the leadership of the CRO, needs to develop risk management
policies and standards that are followed by units across the enterprise, following a
consistent strategy. Designated managers throughout the enterprise should be trained
on these risk management policies and then charged with their implementation.

Stakeholders at all levels need to be aware of some of the risks that the enterprise
is facing, the consequences of those risk exposures, and some of the steps they can
put in place to limit those risks. The following helps in building and implementing an
effective risk management culture in an enterprise:

o Building a Risk-Awareness Culture – the “tone at the top” messages of senior
executives to others in the enterprise are very important. An enterprise can
develop and circulate risk awareness documents that target either certain
functions in enterprise operations or external threat risks. An example is creating
an information security protection policy or guidance for the various organizational
levels.

o Creating the Enterprise-Wide Risk Management Organization – it is
important to build an effective ERM function or group to support the CRO. An
effective risk group should cover all aspects of the enterprise in terms of
specialized facilities and locations of operations. An effective ERM function
should be staffed by professionals with a good understanding of the risks
impacting the enterprise in a given area as well as techniques for limiting risk
exposures. All enterprise locations should also be covered by the enterprise
risk group.

o Enterprise Risk Management Policies and Standards – a series of risk
management policies and standards should be developed and communicated
throughout the enterprise. Risk assessment policies and standards should be developed that
call for all members of the enterprise to consider enterprise-wide concerns and
considerations.

RISK MANAGEMENT REVIEWS AND CORRECTIVE ACTION PRACTICES

Although the ERM group operates in a manner very similar to internal auditors,
its focus is on identifying significant areas in the enterprise with high levels of
likelihood of occurrence. It reviews the risk area and makes recommendations
to lessen the risk and improve surrounding internal controls. Its major responsibility
is to create the risk management review reports.

This group may also perform risk assessment reviews (RARs), which are also a
technique used by internal auditors. These reviews should examine key areas in the
enterprise and make recommendations for both improving internal controls and
reducing risk likelihoods. This type of review is not designed to compete with internal
audit review activities but to improve the risk environment and enhance internal
controls.

The RAR process should proceed in a manner similar to the process of planning,
performing, and reporting the results of internal audits. The RAR report, which is the
result of the review, is much like the audit report released by internal audit, with
findings and recommendations.

Self-Help: Reference used for this topic

• COSO Enterprise Risk Management (Establishing Effective Governance, Risk and Compliance
Process) 2nd Edition – Robert R. Moeller (John Wiley & Sons, Inc.)


Let’s Check
Select the best answer from the choices provided.

1.) Which of the following is a designated senior officer responsible for administering
and monitoring the overall enterprise ERM function?
A) Chief Executive Officer (CEO)
B) Chief Information Systems Officer (CISO)
C) Chief Audit Executive (CAE)
D) Chief Risk Officer (CRO)

2.) The following are the components in the event identification, except
A) Political Events
B) Social Factors
C) Organizational Structure
D) Natural Environmental Events

3.) One of the risk responses in the ERM Components is the risk acceptance, which
means
A) To do nothing
B) Taking up insurance policy
C) Split up the IT operations server center into two separate locations
D) To close a product line of business that produces the risk

4) The risk of data leakage in an industrial company is 75% most likely to happen, but
the impact of the data leakage is estimated to be around 35%. The risk score for this
specific risk is
A) 214%
B) 26.25%
C) 110%
D) 40%

5) The risk that remains even after employing controls or countermeasures
A) Risk Tolerance
B) Inherent Risk
C) Residual Risk
D) Risk Acceptance

6) It is the establishment of policies and procedures necessary to ensure that identified
risk responses are carried out.
A) Control Environment
B) Risk Assessment
C) Monitoring
D) Control Activities

7) Defined as a process, effected by an entity’s board of directors, management and
other personnel, applied in a strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity
objectives.
A) Internal Control
B) Enterprise Risk Management
C) COSO Treadway Report
D) Control Environment

8) It is designed to provide reasonable assurance regarding the achievement of
objectives in the operations effectiveness and efficiency, reliable financial reporting
and compliance with laws and regulations.
A) Enterprise Risk Management
B) Internal Control
C) COSO
D) Internal Audit

9) One of the risk management phases is risk prioritization and response planning.
Which of the following is most likely the objective of this phase?
A) It aims to estimate the cost of the risk to come up with the risk remediation
decisions.
B) List all of the risks that may be encountered by the enterprise.
C) To check if controls to mitigate the risks are effective.
D) Compute the risk score based on its impact and likelihood.

10) It refers to the amount of risk that is acceptable to the enterprise.
A) Risk Management
B) Enterprise Risk Management
C) Risk Appetite
D) Risk Avoidance

Let’s Analyze

1.) Briefly discuss the differences between the COSO Internal Control and COSO
Enterprise Risk Management.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________


2.) Although internal audit and the ERM group work with a similar approach, there are still
differences in the scope of their work and function. List the differences
between these two functions.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________

In a Nutshell
Create a table that highlights your top learnings from Business Ethics, Corporate
Governance, Internal Control and Risk Management. See the template below.

Business Ethics | Corporate Governance | Internal Control | Risk Management


Question & Answer

Questions / Issues Answers

1.

2.

3.

Keywords Index
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Enterprise Risk Management
Treadway Commission Report
Internal Control
Sarbanes-Oxley Act (SOX Act)
Risk Assessment
Risk Analysis
Risk Treatment/Risk Response
Risk Mitigation
Risk Transfer/Sharing
Risk Appetite

COURSE SCHEDULE
ACTIVITY | DUE DATE | WHERE TO PASS
Week 8-9: Let’s Check | | BlackBoard LMS
Week 8-9: Let’s Analyze | | BlackBoard LMS
Week 8-9: In A Nutshell | | BlackBoard LMS
FINAL FORMATIVE ASSESSMENT | March 10-11, 2021 | BlackBoard LMS


Online Code of Conduct

1. Students are expected to abide by and honor the code of conduct, and thus
everyone is exhorted to exercise self-management and self-regulation.

2. All students are guided by professional conduct as learners in attending the On-
Line Blended Delivery (OBD) course. Any breach and violation shall be dealt
with properly under existing guidelines, specifically in Section 7 (Student
Discipline) in the Student Handbook.

3. Professional conduct refers to the embodiment and exercise of the
University’s Core Values, specifically in the adherence to intellectual honesty
and integrity; academic excellence by giving due diligence in virtual class
participation in all lectures and activities, as well as fidelity in doing and
submitting performance tasks and assignments; personal discipline in
complying with all deadlines; and observance of data privacy.

4. Plagiarism is a serious intellectual crime and shall be dealt with accordingly.
The University shall institute monitoring mechanisms online to detect and
penalize plagiarism.

5. Students shall independently and honestly take examinations and do
assignments, unless collaboration is clearly required or permitted. Students
shall not resort to dishonesty to improve the result of their assessments (e.g.
examinations, assignments).

6. Students shall not allow anyone else to access their personal LMS account.
Students shall not post or share their answers, assignment or examinations to
others to further academic fraudulence online.

7. By enrolling in an OBD course, students agree to and abide by all the provisions of
the Online Code of Conduct, as well as all the requirements and protocols in
handling online courses.


Course prepared by:

JENNYLEN D. POSAS/PHOEBELYN V. ACDOG
Authors

Course reviewed by:

DEVZON U. PORRAS
PH-BSAIS/BSIA

JADE D. SOLAÑA
PH-BSA/BSMA

MARY GRACE S. SOMBILON
AD

Approved by:

LORD EDDIE I. AGUILAR
Dean
