
INTRODUCTION

Why AIS threats are increasing

Control risks have increased in the last few years because:
  There are computers and servers everywhere, and information is available to an unprecedented number of workers.
  Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
  Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.

2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

INTRODUCTION

Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
  Computer control problems are often underestimated and downplayed.
  Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
  Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
  Productivity and cost pressures may motivate management to forego time-consuming control measures.

INTRODUCTION

Some vocabulary terms for this chapter:
  A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
  The exposure or impact of the threat is the potential loss that would occur if the threat becomes a reality.
  The likelihood is the probability that the threat will occur.

INTRODUCTION

Control and security are important

Companies are now recognizing the problems and taking positive steps to achieve better control, including:
  Devoting full-time staff to security and control concerns.
  Educating employees about control measures.
  Establishing and enforcing formal information security policies.
  Making controls a part of the applications development process.
  Moving sensitive data to more secure environments.

INTRODUCTION

To use IT in achieving control objectives, accountants must:
  Understand how to protect systems from threats.
  Have a good understanding of IT and its capabilities and risks.

Achieving adequate security and control over the information resources of an organization should be a top management priority.

INTRODUCTION

Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
  Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.
  Segregation of duties must be achieved differently in an AIS.
  Computers provide opportunities for enhancement of some internal controls.

INTRODUCTION

One of the primary objectives of an AIS is to control a business organization.

Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.

Management expects accountants to be control consultants by:
  Taking a proactive approach to eliminating system threats; and
  Detecting, correcting, and recovering from threats when they do occur.

INTRODUCTION

It is much easier to build controls into a system during the initial stage than to add them after the fact.

Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

OVERVIEW OF CONTROL CONCEPTS

In today's dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
  Hire creative and innovative employees.
  Give these employees power and flexibility to:
    Satisfy changing customer demands;
    Pursue new opportunities to add value to the organization; and
    Implement process improvements.

At the same time, the company needs control systems so it is not exposed to excessive risks or behaviors that could harm its reputation for honesty and integrity.

OVERVIEW OF CONTROL CONCEPTS

Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
  Assets (including data) are safeguarded.
    This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
  Records are maintained in sufficient detail to accurately and fairly reflect company assets.
  Accurate and reliable information is provided.
  There is reasonable assurance that financial reports are prepared in accordance with GAAP.
  Operational efficiency is promoted and improved.
    This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors' authorizations.
  Adherence to prescribed managerial policies is encouraged.
  The organization complies with applicable laws and regulations.

OVERVIEW OF CONTROL CONCEPTS

Internal control is a process because:
  It permeates an organization's operating activities.
  It is an integral part of basic management activities.

Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

OVERVIEW OF CONTROL CONCEPTS

Internal control systems have inherent limitations, including:
  They are susceptible to errors and poor decisions.
  They can be overridden by management or by collusion of two or more employees.

Internal control objectives are often at odds with each other.
  EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

OVERVIEW OF CONTROL CONCEPTS

Internal controls perform three important functions:
  Preventive controls
    Deter problems before they arise.
  Detective controls
    Discover problems quickly when they do arise.
  Corrective controls
    Remedy problems that have occurred by:
      Identifying the cause;
      Correcting the resulting errors; and
      Modifying the system to prevent future problems of this sort.

OVERVIEW OF CONTROL CONCEPTS

Internal controls are often classified as:
  General controls
    Those designed to make sure an organization's control environment is stable and well managed.
    They apply to all sizes and types of systems.
    Examples: Security management controls.
  Application controls
    Prevent, detect, and correct transaction errors and fraud.
    Concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

OVERVIEW OF CONTROL CONCEPTS

An effective system of internal controls should exist in all organizations to:
  Help them achieve their missions and goals.
  Minimize surprises.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.
  The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.
  A significant effect was to require that corporations maintain good systems of internal accounting control.
    Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.
    The resulting internal control improvements weren't sufficient.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.

The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka SOX).
  Applies to publicly held companies and their auditors.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

The intent of SOX is to:
  Prevent financial statement fraud
  Make financial reports more transparent
  Protect investors
  Strengthen internal controls in publicly-held companies
  Punish executives who perpetrate fraud

SOX has had a material impact on the way boards of directors, management, and accountants operate.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

Important aspects of SOX include:
  Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
    Has five members, three of whom cannot be CPAs.
    Charges fees to firms to fund the PCAOB.
    Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports.
    Currently recognizes FASB statements as being generally accepted.
  New rules for auditors
    They must report specific information to the company's audit committee, such as:
      Critical accounting policies and practices
      Alternative GAAP treatments
      Auditor-management disagreements
    Audit partners must be rotated periodically.
    Auditors cannot perform certain non-audit services, such as:
      Bookkeeping
      Information systems design and implementation
      Internal audit outsourcing services
      Management functions
      Human resource services
    Permissible non-audit services must be approved by the board of directors and disclosed to investors.
    Cannot audit a company if a member of top management was employed by the auditor and worked on the company's audit in the past 12 months.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

Important aspects of SOX include:
  New rules for audit committees
    Members must be on the company's board of directors and must otherwise be independent of the company.
    One member must be a financial expert.
    The committee hires, compensates, and oversees the auditors, and the auditors report directly to the committee.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

Important aspects of SOX include:
  New rules for management
    The CEO and CFO must certify that:
      The financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
      Management is responsible for internal controls.
      The auditors were advised of any material internal control weaknesses or fraud.
      Any significant changes to controls after management's evaluation were disclosed and corrected.
    If management willfully and knowingly violates the certification, they can be:
      Imprisoned up to 20 years
      Fined up to $5 million
    Management and directors cannot receive loans that would not be available to people outside the company.
    They must disclose on a rapid and current basis material changes to their financial condition.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

Important aspects of SOX include:
  New internal control requirements
    Section 404 of SOX requires companies to issue a report accompanying the financial statements that:
      States management is responsible for establishing and maintaining an adequate internal control structure and procedures.
      Contains management's assessment of the company's internal controls.
      Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.
    SOX also requires that the auditor attests to and reports on management's internal control assessment.
      Each audit report must describe the scope of the auditor's internal control tests.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

After the passage of SOX, the SEC further mandated that:
  Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
  The report must contain a statement identifying the framework used.
  Management must disclose any and all material internal control weaknesses.
  Management cannot conclude that the company has effective internal control if there are any material weaknesses.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

Levers of control

Many people feel there is a basic conflict between creativity and controls.

Robert Simons has espoused four levers of control to help companies reconcile this conflict:
  A concise belief system
    Communicates company core values to employees and inspires them to live by those values.
    Draws attention to how the organization creates value.
    Helps employees understand management's intended direction.
    Must be broad enough to appeal to all levels.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

Levers of control (Simons' four levers, continued):
  A boundary system
    Helps employees act ethically by setting limits beyond which they must not pass.
    Does not create rules and standard operating procedures that can stifle creativity.
    Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as:
      Meeting minimum standards of performance
      Shunning off-limits activities
      Avoiding actions that could damage the company's reputation.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

Levers of control (Simons' four levers, continued):
  A diagnostic control system
    Ensures efficient and effective achievement of important controls.
    This system measures company progress by comparing actual to planned performance.
    Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.
    Provides feedback to enable management to adjust and fine-tune.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

Levers of control (Simons' four levers, continued):
  An interactive control system
    Helps top-level managers with high-level activities that demand frequent and regular attention. Examples:
      Developing company strategy.
      Setting company objectives.
      Understanding and assessing threats and risks.
      Monitoring changes in competitive conditions and emerging technologies.
      Developing responses and action plans to proactively deal with these high-level issues.
    Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.
    Data from this system are best interpreted and discussed in face-to-face meetings.

CONTROL FRAMEWORKS

A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
  The COBIT framework
  The COSO internal control framework
  COSO's Enterprise Risk Management framework (ERM)


CONTROL FRAMEWORKS

COBIT framework
  Also known as the Control Objectives for Information and Related Technology framework.
  Developed by the Information Systems Audit and Control Foundation (ISACF).
  A framework of generally applicable information systems security and control practices for IT control.

CONTROL FRAMEWORKS

The COBIT framework allows:
  Management to benchmark security and control practices of IT environments.
  Users of IT services to be assured that adequate security and control exists.
  Auditors to substantiate their opinions on internal control and advise on IT security and control matters.

CONTROL FRAMEWORKS

The framework addresses the issue of control from three vantage points or dimensions:
  Business objectives
    To satisfy business objectives, information must conform to certain criteria referred to as business requirements for information.
    The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
      Effectiveness (relevant, pertinent, and timely)
      Efficiency
      Confidentiality
      Integrity
      Availability
      Compliance with legal requirements
      Reliability
  IT resources
    Includes:
      People
      Application systems
      Technology
      Facilities
      Data
  IT processes
    Broken into four domains:
      Planning and organization
      Acquisition and implementation
      Delivery and support
      Monitoring

CONTROL FRAMEWORKS

COBIT consolidates standards from 36 different sources into a single framework.
  It is having a big impact on the IS profession.
  Helps managers to learn how to balance risk and control investment in an IS environment.
  Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.
  Guides auditors as they substantiate their opinions and provide advice to management on internal controls.


CONTROL FRAMEWORKS

COSO's internal control framework

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
  The American Accounting Association
  The AICPA
  The Institute of Internal Auditors
  The Institute of Management Accountants
  The Financial Executives Institute

CONTROL FRAMEWORKS

In 1992, COSO issued the Internal Control Integrated Framework:
  Defines internal controls.
  Provides guidance for evaluating and enhancing internal control systems.
  Widely accepted as the authority on internal controls.
  Incorporated into policies, rules, and regulations used to control business activities.

CONTROL FRAMEWORKS

COSO's internal control model has five crucial components:
  Control environment
    The core of any business is its people.
    Their integrity, ethical values, and competence make up the foundation on which everything else rests.
  Control activities
    Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.
  Risk assessment
    The organization must be aware of and deal with the risks it faces.
    It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
  Information and communication
    Information and communications systems surround the control activities.
    They enable the organization's people to capture and exchange information needed to conduct, manage, and control its operations.
  Monitoring
    The entire process must be monitored and modified as necessary.


CONTROL FRAMEWORKS

Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.

Result: Enterprise Risk Management Integrated Framework (ERM)
  An enhanced corporate governance document.
  Expands on elements of the preceding framework.
  Provides a focus on the broader subject of enterprise risk management.

CONTROL FRAMEWORKS

The intent of ERM is to achieve all goals of the internal control framework and help the organization:
  Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.
  Achieve its financial and performance targets.
  Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.
  Avoid adverse publicity and damage to the entity's reputation.

CONTROL FRAMEWORKS

ERM defines risk management as:
  A process effected by an entity's board of directors, management, and other personnel.
  Applied in strategy setting and across the enterprise.
  To identify potential events that may affect the entity.
  And manage risk to be within its risk appetite.
  In order to provide reasonable assurance of the achievement of entity objectives.

CONTROL FRAMEWORKS
Basic principles behind ERM:
Companies are formed to create value for owners.
Management must decide how much uncertainty they will accept.
Uncertainty can result in:
Risk: the possibility that something will happen to adversely affect the ability to create value, or erode existing value.
Opportunity: the possibility that something will happen to positively affect the ability to create or preserve value.


CONTROL FRAMEWORKS
The framework should help management manage uncertainty and its associated risk to build and preserve value.
To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.


CONTROL FRAMEWORKS
COSO developed a model to illustrate the elements of ERM.


CONTROL FRAMEWORKS
Columns at the top represent the four types of objectives that management must meet to achieve company goals:
Strategic objectives
Operations objectives
Reporting objectives
Compliance objectives

Strategic objectives are high-level goals that are aligned with and support the company's mission.

Operations objectives deal with effectiveness and efficiency of company operations, such as:
Performance and profitability goals
Safeguarding assets

Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
Improve decision-making and monitor company activities and performance more efficiently.

Compliance objectives help the company comply with applicable laws and regulations.
External parties often set the compliance rules.
Companies in the same industry often have similar concerns in this area.


CONTROL FRAMEWORKS
ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.
However, strategic and operations objectives are sometimes at the mercy of external events that the company can't control.
Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.


CONTROL FRAMEWORKS
Columns on the right represent the company's units:
Entire company
Division
Business unit
Subsidiary

CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring

Internal environment
The tone or culture of the company.
Provides discipline and structure and is the foundation for all other components.
Essentially the same as the control environment in the COSO internal control framework.

Objective setting
Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company's mission and are consistent with the company's tolerance for risk.
Strategic objectives are set first as a foundation for the other three.
The objectives provide guidance to companies as they identify risk-creating events and assess and respond to those risks.

Event identification
Requires management to identify events that may affect the company's ability to implement its strategy and achieve its objectives.
Management must then determine whether these events represent:
Risks (negative-impact events requiring assessment and response); or
Opportunities (positive-impact events that influence strategy and objective-setting processes).

Risk assessment
Identified risks are assessed to determine how to manage them and how they affect the company's ability to achieve its objectives.
Qualitative and quantitative methods are used to assess risks individually and by category in terms of:
Likelihood
Positive and negative impact
Effect on other organizational units
Risks are analyzed on an inherent and a residual basis.
Corresponds to the risk assessment element in COSO's internal control framework.

Risk response
Management aligns identified risks with the company's tolerance for risk by choosing to:
Avoid
Reduce
Share
Accept
Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and the costs and benefits of alternative responses.

Control activities
To implement management's risk responses, risk control policies and procedures are established and implemented throughout the various levels and functions of the organization.
Corresponds to the control activities element in the COSO internal control framework.

Information and communication
Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.
Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.
Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.
Has a corresponding element in the COSO internal control framework.

Monitoring
ERM processes must be monitored on an ongoing basis and modified as needed.
Accomplished with ongoing management activities and separate evaluations.
Deficiencies are reported to management.
Corresponding module in the COSO internal control framework.

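The risk assessment and risk response components above describe assessing each risk by likelihood and impact on an inherent and a residual basis, choosing among avoid, reduce, share and accept on a cost-benefit basis, and taking a portfolio view against the company's risk appetite. The following Python script is an added worked example of that arithmetic, not code from the textbook or from COSO; the risk register, the response options, their cost and reduction figures, and the appetite are all constructed sample values.

```python
"""Added example: quantitative ERM risk assessment and risk response.

Each risk carries an inherent likelihood and impact; every candidate
response (avoid, reduce, share, accept) is costed; the residual expected
loss after each response is computed; and the residual risk portfolio is
compared with the board's risk appetite. All figures are invented.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    kind: str                 # avoid | reduce | share | accept
    description: str
    annual_cost: float        # cost of operating the response per year
    likelihood_factor: float  # multiplier applied to likelihood (0..1)
    impact_factor: float      # multiplier applied to impact (0..1)


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str                 # organizational unit that owns the risk
    likelihood: float         # inherent annual probability (0..1)
    impact: float             # inherent loss (exposure) if the event occurs
    responses: tuple          # candidate responses; accept is always available


ACCEPT = Response("accept", "Accept the risk as is", 0.0, 1.0, 1.0)


def expected_loss(likelihood: float, impact: float) -> float:
    """Expected annual loss = likelihood x impact (the quantitative measure)."""
    return round(likelihood * impact, 2)


def inherent_loss(risk: Risk) -> float:
    """Expected loss before any response is applied (inherent basis)."""
    return expected_loss(risk.likelihood, risk.impact)


def residual_loss(risk: Risk, resp: Response) -> float:
    """Expected loss remaining after the response is applied (residual basis)."""
    return expected_loss(risk.likelihood * resp.likelihood_factor,
                         risk.impact * resp.impact_factor)


def net_benefit(risk: Risk, resp: Response) -> float:
    """Reduction in expected loss minus the response's annual cost."""
    return round(inherent_loss(risk) - residual_loss(risk, resp) - resp.annual_cost, 2)


def choose_response(risk: Risk) -> Response:
    """Cost-benefit choice among avoid/reduce/share/accept: highest net benefit wins."""
    return max((*risk.responses, ACCEPT), key=lambda r: net_benefit(risk, r))


def portfolio_view(risks, appetite: float) -> dict:
    """Entity-wide view: residual expected loss per unit and in total vs. risk appetite."""
    by_unit = defaultdict(float)
    chosen = {}
    for risk in risks:
        resp = choose_response(risk)
        chosen[risk.name] = resp.kind
        by_unit[risk.unit] += residual_loss(risk, resp)
    total = round(sum(by_unit.values()), 2)
    return {
        "chosen": chosen,
        "residual_by_unit": {u: round(v, 2) for u, v in by_unit.items()},
        "residual_total": total,
        "within_appetite": total <= appetite,
    }


# Constructed sample risk register (not from the textbook).
SAMPLE_RISKS = (
    Risk("Unauthorized change to vendor bank details", "Payables", 0.30, 200_000, (
        Response("reduce", "Dual approval plus callback verification", 12_000, 0.1, 1.0),
        Response("share", "Crime insurance policy", 15_000, 1.0, 0.25),
    )),
    Risk("Data center power outage halts order processing", "Operations", 0.10, 80_000, (
        Response("reduce", "Generator and UPS", 10_000, 1.0, 0.1),
        Response("share", "Business interruption insurance", 3_000, 1.0, 0.4),
    )),
    Risk("Launch of unvetted online payment channel", "Sales", 0.50, 40_000, (
        Response("avoid", "Do not launch the channel (forgone margin)", 5_000, 0.0, 0.0),
        Response("reduce", "Use a vetted, PCI-compliant gateway", 8_000, 0.2, 1.0),
    )),
)
RISK_APPETITE = 10_000  # constructed: maximum residual expected loss the board accepts


if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        resp = choose_response(risk)
        print(f"{risk.name}: inherent {inherent_loss(risk):,.0f}, "
              f"{resp.kind} -> residual {residual_loss(risk, resp):,.0f}")
    print(portfolio_view(SAMPLE_RISKS, RISK_APPETITE))
```

Note that for the second risk the "reduce" option costs more than the expected loss it removes, so the cost-benefit rule selects "share" instead; that is the comparison of alternative responses the slide describes.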

CONTROL FRAMEWORKS
The ERM model is three-dimensional.
Means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.


CONTROL FRAMEWORKS
ERM framework vs. the internal control framework
The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
It has too narrow a focus. May contribute to systems with many controls to protect against risks that are no longer important.
Focusing on controls first has an inherent bias toward past problems and concerns.
Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.
Makes it difficult to know:
Which control systems are most important.
Whether they adequately deal with risk.
Whether important control systems are missing.

CONTROL FRAMEWORKS
These issues led to COSO's development of the ERM framework.
Takes a risk-based, rather than controls-based, approach to the organization.
Oriented toward the future and constant change.
Incorporates rather than replaces COSO's internal control framework and contains three additional elements:
Setting objectives.
Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.
Developing a response to assessed risk.


CONTROL FRAMEWORKS
Controls are flexible and relevant because they are linked to current organizational objectives.
ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.


CONTROL FRAMEWORKS
Over time, ERM will probably become the most widely adopted risk and control model.
Consequently, its eight components are the topic of the remainder of the chapter.


INTERNAL ENVIRONMENT
The most critical component of the ERM and the internal control framework.
Is the foundation on which the other seven components rest.
Influences how organizations:
Establish strategies and objectives
Structure business activities
Identify, assess, and respond to risk
A deficient internal control environment often results in risk management and control breakdowns.


INTERNAL ENVIRONMENT
Internal environment consists of the following:
Management's philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences

INTERNAL ENVIRONMENT
Management's philosophy, operating style, and risk appetite
An organization's management has shared beliefs and attitudes about risk.
That philosophy affects everything the organization does, long- and short-term, and affects its communications.
Companies also have a risk appetite, which is the amount of risk a company is willing to accept to achieve its goals and objectives.
That appetite needs to be in alignment with company strategy.


INTERNAL ENVIRONMENT
The more responsible management's philosophy and operating style, the more likely employees will behave responsibly.
This philosophy must be clearly communicated to all employees; it is not enough to give lip service.
Management must back up words with actions; if they show little concern for internal controls, then neither will employees.


INTERNAL ENVIRONMENT
This component can be assessed by asking questions such as:
Does management take undue business risks or assess potential risks and rewards before acting?
Does management attempt to manipulate performance measures such as net income?
Does management pressure employees to achieve results regardless of methods, or do they demand ethical behavior?



INTERNAL ENVIRONMENT
The board of directors
An active and involved board of directors plays an important role in internal control.
They should:
Oversee management
Scrutinize management's plans, performance, and activities
Approve company strategy
Review financial results
Annually review the company's security policy
Interact with internal and external auditors


INTERNAL ENVIRONMENT
Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders.
At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.


INTERNAL ENVIRONMENT
Public companies must have an audit committee, composed entirely of independent, outside directors.
The audit committee oversees:
The company's internal control structure;
Its financial reporting process; and
Its compliance with laws, regulations, and standards.
Works with the corporation's external and internal auditors.
Hires, compensates, and oversees the auditors.
Auditors report all critical accounting policies and practices to the audit committee.
Provides an independent review of management's actions.



INTERNAL ENVIRONMENT
Commitment to integrity, ethical values, and competence
Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence.
Ethical standards of behavior make for good business.
Tone at the top is everything.
Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.


INTERNAL ENVIRONMENT
Companies can endorse integrity as a basic operating principle by actively teaching and requiring it.
Management should:
Make it clear that honest reports are more important than favorable ones.
Management should avoid:
Unrealistic expectations, incentives, or temptations.
Attitude of earnings or revenue at any price.
Overly aggressive sales practices.
Unfair or unethical negotiation practices.
Implied kickback offers.
Excessive bonuses.
Bonus plans with upper and lower cutoffs.


INTERNAL ENVIRONMENT
Management should not assume that employees would always act honestly.
Consistently reward and encourage honesty.
Give verbal labels to honest and dishonest acts.
The combination of these two will produce more consistent moral behavior.


INTERNAL ENVIRONMENT
Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct.
In particular, such a code would cover issues that are uncertain or unclear.
Dishonesty often appears when situations are gray and employees rationalize the most expedient action as opposed to making a right vs. wrong choice.


INTERNAL ENVIRONMENT
SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees:
Should be written at a fifth-grade level.
Should be reviewed annually with employees and signed.
This approach helps employees keep themselves out of trouble.
Helps the company if they need to take legal action against the employee.


INTERNAL ENVIRONMENT
Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
Reports of dishonest acts should be thoroughly investigated.
Those found guilty should be dismissed.
Prosecution should be undertaken when possible, so that other employees are clear about consequences.
Companies must make a commitment to competence.
Begins with having competent employees.
Varies with each job but is a function of knowledge, experience, training, and skills.


INTERNAL ENVIRONMENT
The levers of control, particularly beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants.
Requires more than lip service and signing forms.
Must be systems in which top management actively participates in order to:
Demonstrate the importance of the system.
Create buy-in and a team spirit.



INTERNAL ENVIRONMENT
Organizational structure
A company's organizational structure defines its lines of authority, responsibility, and reporting.
Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.


INTERNAL ENVIRONMENT
Important aspects of organizational structure:
Degree of centralization or decentralization.
Assignment of responsibility for specific tasks.
Direct-reporting relationships or matrix structure.
Organization by industry, product, geographic location, or marketing network.
How the responsibility allocation affects management's information needs.
Organization of accounting and IS functions.
Size and nature of company activities.


INTERNAL ENVIRONMENT
Statistically, fraud occurs more frequently in organizations with complex structures.
The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or
The structure may be intentionally complex to facilitate the fraud.


INTERNAL ENVIRONMENT
In today's business world, the hierarchical organizations with many layers of management are giving way to flatter organizations with self-directed work teams.
Team members are empowered to make decisions without multiple layers of approvals.
Emphasis is on continuous improvement rather than on regular evaluations.
These changes have a significant impact on the nature and type of controls needed.



INTERNAL ENVIRONMENT
Methods of assigning authority and responsibility
Management should make sure:
Employees understand the entity's objectives.
Authority and responsibility for business objectives is assigned to specific departments and individuals.
Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.
Management:
Must be sure to identify who is responsible for the IS security policy.
Should monitor results so decisions can be reviewed and, if necessary, overruled.


INTERNAL ENVIRONMENT
Authority and responsibility are assigned through:
Formal job descriptions
Employee training
Operating plans, schedules, and budgets
Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest
Written policies and procedures manuals (a good job reference and job training tool), which cover:
Proper business practices
Knowledge and experience needed by key personnel
Resources provided to carry out duties
Policies and procedures for handling particular transactions
The organization's chart of accounts
Sample copies of forms and documents



INTERNAL ENVIRONMENT
Human resource standards
Employees are both the company's greatest control strength and the greatest control weakness.
Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.
Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization's vulnerability.


INTERNAL ENVIRONMENT
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds


INTERNAL ENVIRONMENT
Hiring
Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.
Employees should undergo a formal, in-depth employment interview.
Resumes, reference letters, and thorough background checks are critical.


INTERNAL ENVIRONMENT
Background checks can involve:
Verifying education and experience.
Talking with references.
Checking for criminal records, credit issues, and other publicly available data.
Note that you must have the employee's or candidate's written permission to conduct a background check, but that permission does not need to have an expiration date.
Background checks are important because recent studies show that about 50% of resumes have been falsified or embellished.


INTERNAL ENVIRONMENT
Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions.
Some get phony degrees from online diploma mills.
A Pennsylvania district attorney recently filed suit against a Texas university for issuing an MBA to the DA's 6-year-old black cat.
Others actually hack (or hire someone to hack) into the systems of universities to create or alter transcripts and other academic data.
No employee should be exempted from background checks. Anyone from the custodian to the company president is capable of committing fraud, sabotage, etc.


INTERNAL ENVIRONMENT
Compensating
Employees should be paid a fair and competitive wage.
Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud.
Appropriate incentives can motivate and reinforce outstanding performance.


INTERNAL ENVIRONMENT
Policies on training
Training programs should familiarize new employees with:
Their responsibilities.
Expected performance and behavior.
Company policies, procedures, history, culture, and operating style.
Training needs to be ongoing, not just one time.
Companies that shortchange training are more likely to experience security breaches and fraud.


INTERNAL ENVIRONMENT
Many believe employee training and education are the most important elements of fraud prevention and security programs.
Fraud is less likely to occur when employees believe security is everyone's business.
An ideal corporate culture exists when:
Employees are proud of their company and protective of its assets.
They believe fraud hurts everyone and that they therefore have a responsibility to report it.


INTERNAL ENVIRONMENT
These cultures do not just happen. They must be created, taught, and practiced, and the following training should be provided:
Fraud awareness
Employees should be aware of fraud's prevalence and dangers, why people do it, and how to deter and detect it.
Ethical considerations
The company should promote ethical standards in its practice and its literature.
Acceptable and unacceptable behavior should be defined and labeled, leaving as little gray area as possible.


INTERNAL ENVIRONMENT

Punishment for fraud and unethical behavior

Employees should know the consequences (e.g., reprimand, dismissal, prosecution) of bad behavior.
These consequences should be communicated as a consequence of the behavior rather than as a threat.
EXAMPLE: Using a computer to steal or commit fraud is a federal crime, and anyone doing so faces immediate dismissal and/or prosecution.
The company should display notices of program and data ownership and advise employees of the penalties of misuse.


INTERNAL ENVIRONMENT
Training can take place through:
Informal discussions
Formal meetings
Periodic memos
Written guidelines
Codes of ethics
Circulating reports of unethical behavior and its
consequences
Promoting security and fraud training programs



INTERNAL ENVIRONMENT
Evaluating and promoting

Do periodic performance appraisals to help employees understand their strengths and weaknesses.
Base promotions on performance and qualifications.



INTERNAL ENVIRONMENT
Discharging

Fired employees are disgruntled employees.
Disgruntled employees are more likely to commit sabotage or fraud against the company.
Employees who are terminated (whether voluntarily or involuntarily) should be removed from sensitive jobs immediately and denied access to information systems.



INTERNAL ENVIRONMENT
Managing disgruntled employees

Disgruntled employees may be isolated and/or unhappy, but they are much likelier fraud candidates than satisfied employees.
The organization can try to reduce the employees' pressures through grievance channels and counseling.

This is difficult to do because many employees feel that seeking counseling will stigmatize them in their jobs.

Disgruntled employees should not be allowed to continue in jobs where they could harm the organization.



INTERNAL ENVIRONMENT
Vacations and rotation of duties

Some fraud schemes, such as lapping and kiting, cannot continue without the constant attention of the perpetrator.
Mandatory vacations or rotation of duties can prevent these frauds or lead to early detection.
These measures will only be effective if someone else is doing the job while the usual employee is elsewhere.



INTERNAL ENVIRONMENT
Confidentiality agreements and fidelity bond insurance

Employees, suppliers, and contractors should be required to sign and abide by nondisclosure or confidentiality agreements.
Key employees should have fidelity bond insurance coverage to protect the company against losses from fraudulent acts by those employees.


INTERNAL ENVIRONMENT
In addition to the preceding policies, the company should seek prosecution and incarceration of hackers and fraud perpetrators.
Most fraud cases and hacker attacks go unreported. They are not prosecuted for several reasons.

Companies fear:

Public relations nightmares
Copycat attacks

But unreported fraud and intrusions create a false sense of security.


INTERNAL ENVIRONMENT
Law enforcement officials and courts are busy with violent crimes and may regard teen hacking as childish pranks.
Fraud is difficult, costly, and time-consuming to investigate and prosecute.
Law enforcement officials, lawyers, and judges often lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.
When cases are prosecuted and a conviction obtained, penalties are often very light. Judges often regard the perpetrators as model citizens.


INTERNAL ENVIRONMENT
Internal environment consists of the following:

Management's philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences


INTERNAL ENVIRONMENT
External influences

External influences that affect the control environment include requirements imposed by:

FASB
PCAOB
SEC
Insurance commissions
Regulatory agencies for banks, utilities, etc.


OBJECTIVE SETTING
Objective setting is the second ERM component.
It must precede many of the other six components.
For example, you must set objectives before you can define events that affect your ability to achieve objectives.


OBJECTIVE SETTING
Top management, with board approval, must articulate why the company exists and what it hopes to achieve.

This is often referred to as the corporate vision or mission.

The mission statement is used as a base from which to set corporate objectives.

The objectives:
Need to be easy to understand and measure.
Should be prioritized.
Should be aligned with the company's risk appetite.


OBJECTIVE SETTING
Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub-units.

For each set of objectives:

Critical success factors (what has to go right) must be defined.
Performance measures should be established to determine whether the objectives are met.


OBJECTIVE SETTING
Objective-setting process proceeds as follows:

First, set strategic objectives, the high-level goals that support the company's mission and create value for shareholders.
To meet these objectives, identify alternative ways of accomplishing them.
For each alternative, identify and assess risks and implications.
Formulate a corporate strategy.
Then set operations, compliance, and reporting objectives.


OBJECTIVE SETTING
As a rule of thumb:

The mission and strategic objectives are stable.
The strategy and other objectives are more dynamic:

Must be adapted to changing conditions.
Must be realigned with strategic objectives.


OBJECTIVE SETTING
Operations objectives:
Are a product of management preferences, judgments, and style.
Vary significantly among entities:

One may adopt technology; another waits until the bugs are worked out.

Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures.
Give clear direction for resource allocation, a key success factor.


OBJECTIVE SETTING
Compliance and reporting objectives:

Many are imposed by external entities, e.g.:

Reports to IRS or to EPA
Financial reports that comply with GAAP

A company's reputation can be impacted significantly (for better or worse) by the quality of its compliance.


EVENT IDENTIFICATION
Events are:

Incidents or occurrences that emanate from internal or external sources.
That affect implementation of strategy or achievement of objectives.
Impact can be positive, negative, or both.
Events can range from obvious to obscure.
Effects can range from inconsequential to highly significant.


EVENT IDENTIFICATION
By their nature, events represent uncertainty:

Will they occur?
If so, when?
And what will the impact be?
Will they trigger another event?
Will they happen individually or concurrently?


EVENT IDENTIFICATION
Management must do its best to anticipate all possible events, positive or negative, that might affect the company:
Try to determine which are most and least likely.
Understand the interrelationships of events.
COSO identified many internal and external factors that could influence events and affect a company's ability to implement strategy and achieve objectives.


EVENT IDENTIFICATION
Some of these factors include:

External factors:

Economic factors
Availability of capital; lower or higher costs of capital
Lower barriers to entry, resulting in new competition
Price movements up or down
Ability to issue credit and possibility of default
Concentration of competitors, customers, or vendors
Presence or absence of liquidity
Movements in the financial markets or currency fluctuations
Rising or lowering unemployment rates
Mergers or acquisitions
Potential regulatory, contractual, or criminal legal liability

Natural environment
Natural disasters such as fires, floods, or earthquakes
Emissions and waste
Energy restrictions or shortages
Restrictions limiting development

Political factors
Election of government officials with new agendas
New laws and regulations
Public policy, including higher or lower taxes
Regulation affecting the company's ability to compete

Social factors
Changing demographics, social mores, family structures, and work/life priorities
Consumer behavior that changes demand for products and services or creates new buying opportunities
Corporate citizenship
Privacy
Terrorism
Human resource issues causing production shortages or stoppages

Technological factors
New e-business technologies that lower infrastructure costs or increase demand for IT-based services
Emerging technology
Increased or decreased availability of data
Interruptions or down time caused by external parties


EVENT IDENTIFICATION
Some of these factors include:

Internal factors:

Infrastructure
Inadequate access or poor allocation of capital
Availability and capability of company assets
Complexity of systems

Personnel
Employee skills and capability
Employees acting dishonestly or unethically
Workplace accidents, health or safety concerns
Strikes or expiration of labor agreements

Process
Process modification without proper change management procedures
Poorly designed processes
Process execution errors
Suppliers cannot deliver quality goods on time

Technology
Insufficient capacity to handle peak IT usages
Security breaches
Data or system unavailability from internal factors
Inadequate data integrity
Poor systems selection/development
Inadequately maintained systems


EVENT IDENTIFICATION
Lists can help management identify factors, evaluate their importance, and examine those that can affect objectives.
Identifying events at the activity and entity levels allows companies to focus their risk assessment on major business units or functions and align their risk tolerance and risk appetite.


EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:

Use comprehensive lists of potential events
Often produced by special software that can tailor lists to an industry, activity, or process.

Perform an internal analysis
An internal committee analyzes events, contacting appropriate insiders and outsiders for input.

Monitor leading events and trigger points
Appropriate transactions, activities, and events are monitored and compared to predefined criteria to determine when action is needed.

Conduct workshops and interviews
Employee knowledge and expertise are gathered in structured discussions or individual interviews.

Perform data mining and analysis
Examine data on prior events to identify trends and causes that help identify possible events.

Analyze processes
Analyze internal and external factors that affect inputs, processes, and outputs to identify events that might help or hinder the process.


RISK ASSESSMENT AND RISK RESPONSE

The fourth and fifth components of COSO's ERM model are risk assessment and risk response.
COSO indicates there are two types of risk:

Inherent risk
The risk that exists before management takes any steps to control the likelihood or impact of a risk.

Residual risk
The risk that remains after management implements internal controls or some other form of response to risk.


RISK ASSESSMENT AND RISK RESPONSE

Companies should:

Assess inherent risk
Develop a response
Then assess residual risk

The ERM model indicates four ways to respond to risk:

Reduce it
The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.

Accept it
Don't act to prevent or mitigate it.

Share it
Transfer some of it to others via activities such as insurance, outsourcing, or hedging.

Avoid it
Don't engage in the activity that produces it.
May require:
Sale of a division
Exiting a product line
Canceling an expansion plan

RISK ASSESSMENT AND RISK RESPONSE


Accountants:

Help management design effective controls to reduce inherent risk.
Evaluate internal control systems to ensure they are operating effectively.
Assess and reduce inherent risk using the risk assessment and response strategy.


RISK ASSESSMENT AND RISK RESPONSE
Event identification

The first step in risk assessment and response strategy is event identification, which we have already discussed.

[Figure: risk assessment and response flowchart]
Identify the events or threats that confront the company
Estimate the likelihood or probability of each event occurring
Estimate the impact of potential loss from each threat
Identify set of controls to guard against threat
Estimate costs and benefits from instituting controls
Is it cost-beneficial to protect system?
Yes: Reduce risk by implementing set of controls to guard against threat
No: Avoid, share, or accept risk

RISK ASSESSMENT AND RISK RESPONSE
Estimate likelihood and impact

Some events pose more risk because they are more probable than others.
Some events pose more risk because their dollar impact would be more significant.
Likelihood and impact must be considered together:
If either increases, the materiality of the event and the need to protect against it rises.


RISK ASSESSMENT AND RISK RESPONSE
Identify controls

Management must identify one or more controls that will protect the company from each event.
In evaluating benefits of each control procedure, consider effectiveness and timing.


RISK ASSESSMENT AND RISK RESPONSE
All other factors equal:
A preventive control is better than a detective one.
However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
Consequently, the three complement each other, and a good internal control system should have all three.
Similarly, a company should use all four levers of control.

RISK ASSESSMENT AND RISK RESPONSE
Estimate costs and benefits

It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.


RISK ASSESSMENT AND RISK RESPONSE
The benefits of an internal control procedure must exceed its costs.
Benefits can be hard to quantify, but include:

Increased sales and productivity
Reduced losses
Better integration with customers and suppliers
Increased customer loyalty
Competitive advantages
Lower insurance premiums


RISK ASSESSMENT AND RISK RESPONSE
Costs are usually easier to measure than benefits.
Primary cost is personnel, including:

Time to perform control procedures
Costs of hiring additional employees to effectively segregate duties
Costs of programming controls into a system


RISK ASSESSMENT AND RISK RESPONSE
Other costs of a poor control system include:

Lost sales
Lower productivity
Drop in stock price if security problems arise
Shareholder or regulator lawsuits
Fines and penalties imposed by governmental agencies


RISK ASSESSMENT AND RISK RESPONSE
The expected loss related to a risk is measured as:

Expected loss = impact x likelihood

The value of a control procedure is the difference between:

Expected loss with control procedure
Expected loss without it


RISK ASSESSMENT AND RISK RESPONSE
Determine cost-benefit effectiveness

After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the change?


RISK ASSESSMENT AND RISK RESPONSE
In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation.

If an event threatens an organization's existence, it may be worthwhile to institute controls even if costs exceed expected benefits.
The additional cost can be viewed as a catastrophic loss insurance premium.


RISK ASSESSMENT AND RISK RESPONSE

Let's go through an example:

Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
A catastrophic theft could result in losses of $800,000.
Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
Companies with motion detectors only have about a .5% probability of catastrophic theft.
The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.
Should Hobby Hole install the motion detectors?

Expected loss without control procedure = $800,000 x .12 = $96,000.
Expected loss with control procedure = $800,000 x .005 = $4,000.
Estimated value of control procedure = $96,000 - $4,000 = $92,000.
Estimated cost of control procedure = $43,000 (given).
Benefits exceed costs by $92,000 - $43,000 = $49,000.
In this case, Hobby Hole should probably install the motion detectors.

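As an added worked example (not the textbook's own code), the expected-loss arithmetic from the preceding slides in Python: it reproduces the Hobby Hole figures, generalizes to comparing several candidate controls for one threat, and applies the catastrophic-loss override described a few slides earlier. The Threat/Control classes and the "armed guards" alternative with its cost and residual probability are constructed here for illustration and are not from the textbook.

```python
"""Cost-benefit appraisal of internal controls (expected loss = impact x likelihood)."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Threat:
    """An event or threat that confronts the company."""
    name: str
    impact: float       # potential dollar loss if the event occurs
    likelihood: float   # probability the event occurs (0.0 .. 1.0)

    def __post_init__(self) -> None:
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"likelihood must be a probability: {self.likelihood}")

    def expected_loss(self) -> float:
        """Expected loss = impact x likelihood."""
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    """A candidate control procedure and the residual risk it leaves behind."""
    name: str
    cost: float                      # present value of implementing and operating it
    residual_likelihood: float       # probability of the event with the control in place
    residual_impact: Optional[float] = None   # impact with the control; None = unchanged

    def residual(self, threat: Threat) -> Threat:
        impact = threat.impact if self.residual_impact is None else self.residual_impact
        return Threat(f"{threat.name} (with {self.name})", impact, self.residual_likelihood)


@dataclass(frozen=True)
class Appraisal:
    control: str
    expected_loss_without: float
    expected_loss_with: float
    value: float            # reduction in expected loss attributable to the control
    net_benefit: float      # value minus cost
    cost_beneficial: bool
    response: str           # the ERM response the figures point to


def appraise(threat: Threat, control: Control, existential: bool = False) -> Appraisal:
    """Apply the textbook test: is the control's cost less than the change in expected loss?

    existential=True applies the catastrophic-loss override: a control that is not
    strictly cost-beneficial may still be adopted, as an insurance premium, when the
    event threatens the organization's existence.
    """
    without = round(threat.expected_loss(), 2)
    with_control = round(control.residual(threat).expected_loss(), 2)
    value = round(without - with_control, 2)
    net = round(value - control.cost, 2)
    cost_beneficial = control.cost < value
    if cost_beneficial:
        response = "reduce"
    elif existential:
        response = "reduce (catastrophic-loss insurance premium)"
    else:
        response = "avoid, share, or accept"
    return Appraisal(control.name, without, with_control, value, net, cost_beneficial, response)


def best_control(threat: Threat, controls: Sequence[Control],
                 existential: bool = False) -> Optional[Appraisal]:
    """Pick the worthwhile control with the largest net benefit, or None if there is none
    (in which case the risk must be avoided, shared, or accepted)."""
    candidates = [appraise(threat, c, existential) for c in controls]
    worthwhile = [a for a in candidates if a.response.startswith("reduce")]
    return max(worthwhile, key=lambda a: a.net_benefit, default=None)


# Constructed sample data: the Hobby Hole figures from the slide, plus a second,
# hypothetical control ("armed guards") invented here to show one that fails the test.
CATASTROPHIC_THEFT = Threat("catastrophic theft", impact=800_000, likelihood=0.12)
MOTION_DETECTORS = Control("motion detectors", cost=43_000, residual_likelihood=0.005)
ARMED_GUARDS = Control("armed guards (hypothetical)", cost=100_000, residual_likelihood=0.001)


if __name__ == "__main__":
    for control in (MOTION_DETECTORS, ARMED_GUARDS):
        a = appraise(CATASTROPHIC_THEFT, control)
        print(f"{a.control}: loss without ${a.expected_loss_without:,.0f}, "
              f"with ${a.expected_loss_with:,.0f}, value ${a.value:,.0f}, "
              f"net ${a.net_benefit:,.0f} -> {a.response}")
    choice = best_control(CATASTROPHIC_THEFT, [MOTION_DETECTORS, ARMED_GUARDS])
    print("Best control:", choice.control if choice else "none; avoid, share, or accept")
```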

RISK ASSESSMENT AND RISK RESPONSE
Implement the control or avoid, share, or accept the risk

When controls are cost effective, they should be implemented so risk can be reduced.


RISK ASSESSMENT AND RISK RESPONSE
Risks that are not reduced must be accepted, shared, or avoided.

If the risk is within the company's risk tolerance, they will typically accept the risk.
A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.

2008 Prentice Hall Business Publishing


CONTROL ACTIVITIES
The sixth component of COSO's ERM model.

Control activities are policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and their risk responses are carried out.


CONTROL ACTIVITIES
It is management's responsibility to develop a secure and adequately controlled system.

Controls are much more effective when built in on the front end.
Consequently, systems analysts, designers, and end users should be involved in designing adequate computer-based control systems.

Management must also establish a set of procedures to ensure control compliance and enforcement.
This is usually the purview of the information security officer and the operations staff.


CONTROL ACTIVITIES
It is critical that controls be in place during the year-end holiday season. A disproportionate amount of computer fraud and security break-ins occur during this time because:

More people are on vacation and fewer around to mind the store.
Students are not tied up with school.
Counterculture hackers may be lonely.


CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:

Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance



CONTROL ACTIVITIES
Proper authorization of transactions and activities

Management lacks the time and resources to supervise each employee activity and decision.
Consequently, they establish policies and empower employees to perform activities within policy.
This empowerment is called authorization and is an important part of an organization's control procedures.


CONTROL ACTIVITIES
Authorizations are often documented by signing, initialing, or entering an authorization code.

Computer systems can record digital signatures as a means of signing a document.
Employees who process transactions should verify the presence of the appropriate authorizations.
Auditors review transactions for proper authorization, as their absence indicates a possible control problem.

CONTROL ACTIVITIES
Typically at least two levels of authorization:

General authorization
  Management authorizes employees to handle routine transactions without special approval.

Special authorization
  For activities or transactions that are of significant consequences, management review and approval is required.
  Might apply to sales, capital expenditures, or write-offs over a particular dollar limit.

Management should have written policies for both types of authorization and for all types of transactions.



CONTROL ACTIVITIES
Segregation of duties
Good internal control requires that no single employee be given too much responsibility over business transactions or processes.
An employee should not be in a position to commit and conceal fraud or unintentional errors.
Segregation of duties is discussed in two sections:
Segregation of accounting duties
Segregation of duties within the systems function



CONTROL ACTIVITIES

To learn a little about segregation of duties, let's first meet Bill.



CONTROL ACTIVITIES

Bill is in charge of a pile of the organization's money, let's say $1,000.



CONTROL ACTIVITIES

Ledger
$1,000

Bill also keeps the books for that money.


CONTROL ACTIVITIES

Ledger
$1,000

Bill has a date tonight, and he's a little desperate to impress that special someone, so he takes $100 of the cash. (Thinks he's only borrowing it, you know.)


CONTROL ACTIVITIES

Ledger
$900

Bill also records an entry in the books to show that $100 was spent for some legitimate purpose. Now the balance in the books is $900.


CONTROL ACTIVITIES

Ledger
$900

How will Bill ever get caught at his theft?


CONTROL ACTIVITIES

Now let's change the story. Bill is in charge of the pile of cash.



CONTROL ACTIVITIES

Ledger
$1,000

But Mary keeps the books.

This arrangement is a form of segregation of duties.


CONTROL ACTIVITIES

Ledger
$1,000

Bill gets in a pinch again and takes $100 of the organization's cash.



CONTROL ACTIVITIES

Ledger
$1,000

How will Bill get caught?


CONTROL ACTIVITIES
Segregation of accounting duties

Effective segregation of accounting duties is achieved when the following functions are separated:

Authorization: Approving transactions and decisions.
Recording: Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
Custody: Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization's bank account.

If any two of the preceding functions are the responsibility of one person, then problems can arise.


CONTROL ACTIVITIES

[Figure: the three groups of accounting functions, with a "fence" between each pair]

CUSTODIAL FUNCTIONS
Handling cash
Handling inventories, tools, or fixed assets
Writing checks
Receiving checks in mail

RECORDING FUNCTIONS
Preparing source documents
Maintaining journals, ledgers, or other files
Preparing reconciliations
Preparing performance reports

AUTHORIZATION FUNCTIONS
Authorization of transactions

EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft.
SOLUTION: The pink fence (segregation of custody and recording) prevents employees from falsifying records to conceal theft of assets entrusted to them.

EXAMPLE OF PROBLEM: A person who has custody of checks for transactions that he has authorized can authorize fictitious transactions and then steal the payments.
SOLUTION: The green fence (segregation of custody and authorization) prevents employees from authorizing fictitious or inaccurate transactions as a means of concealing a theft.

EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep records related to the transactions can authorize and record fictitious payments that might, for example, be sent to the employee's home address or the address of a shell company he creates.
SOLUTION: The purple fence (segregation of recording and authorization) prevents employees from falsifying records to cover up inaccurate or false transactions that were inappropriately authorized.

CONTROL ACTIVITIES
In a system that incorporates an effective separation of duties, it should be difficult for any single employee to commit embezzlement successfully.
But when two or more people collude, then segregation of duties becomes impotent and controls are overridden.


CONTROL ACTIVITIES

Ledger
$1,000

If this happens . . .


CONTROL ACTIVITIES

Ledger
$1,000

Then segregation of duties is out the window. Collusion overrides segregation.


CONTROL ACTIVITIES
Employees can collude with other employees or with customers or vendors.

The most frequent forms of employee/vendor collusion include:
Billing at inflated prices
Performing substandard work and receiving full payment
Payment for non-performance
Duplicate billings
Improperly funneling more work to or purchasing more goods from a colluding company


CONTROL ACTIVITIES
The most frequent forms of employee/customer collusion include:
Unauthorized loans or insurance payments
Receipt of assets or services at unauthorized discount prices
Forgiveness of amounts owed
Unauthorized extension of due dates



CONTROL ACTIVITIES
Segregation of duties within the systems function

In a highly integrated information system, procedures once performed by separate individuals are combined.
Therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud.
To combat this threat, organizations must implement effective segregation of duties within the IS function.


CONTROL ACTIVITIES
Authority and responsibility must be divided clearly among the following functions:

Systems administration: Responsible for ensuring that the different parts of an information system operate smoothly and efficiently.
Network management: Ensures that all applicable devices are linked to the organization's internal and external networks and that the networks operate continuously and properly.
Security management: Ensures that all aspects of the system are secure and protected from internal and external threats.
Change management: Manages changes to the organization's information system to ensure they are made smoothly and efficiently and to prevent errors and fraud.
Users: Record transactions, authorize data to be processed, and use system output.
Systems analysts: Help users determine their information needs and design systems to meet those needs.
Programming: Use design provided by the systems analysts to write the computer programs for the information system.
Computer operations: Run the software on the company's computers. Ensure that data are input properly, correctly processed, and needed output is produced.
Information systems library: Maintains custody of corporate databases, files, and programs in a separate storage area.
Data control: Ensures that source data have been properly approved. Monitors the flow of work through the computer. Reconciles input and output. Maintains a record of input errors to ensure their correction and resubmission. Distributes system output.

CONTROL ACTIVITIES
It is important that different people perform the preceding functions.
Allowing a person to do two or more jobs exposes the company to the possibility of fraud.

In addition to adequate segregation of duties, organizations should ensure that the people who design, develop, implement, and operate the IS are qualified and well trained.
The same holds true for systems security personnel.
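As an added example that is not part of the textbook, this roster check encodes the three "fences" between authorization, recording and custody from the accounting-duties slides and the rule from the systems-function slides that each IS function be held by a different person; the duty names, rosters and people (Bill, Mary, Pat, Lee) are constructed for the example:

```python
"""Segregation-of-duties check over a duty roster. Added example, not from the
textbook: it encodes the three "fences" (custody/recording, custody/authorization,
recording/authorization) and the rule that systems functions be held by
different people. Duty names, rosters and people are constructed."""
from itertools import combinations

# Accounting duties from the slides, grouped into the three functions.
ACCOUNTING_FUNCTION = {
    "approve transactions": "authorization",
    "prepare source documents": "recording",
    "maintain journals and ledgers": "recording",
    "prepare reconciliations": "recording",
    "prepare performance reports": "recording",
    "handle cash": "custody",
    "handle inventory": "custody",
    "write checks": "custody",
    "receive checks in mail": "custody",
}

# The fences: holding any two of the three functions is a conflict, because the
# second function lets the person conceal what the first one lets them do.
FENCES = {
    frozenset({"custody", "recording"}):
        "pink fence: can steal assets and falsify the records to conceal it",
    frozenset({"custody", "authorization"}):
        "green fence: can authorize fictitious transactions and take the payments",
    frozenset({"recording", "authorization"}):
        "purple fence: can authorize false transactions and record them to cover up",
}

# Systems functions from the slides; each should be performed by a different person.
SYSTEMS_FUNCTIONS = {
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysts", "programming",
    "computer operations", "information systems library", "data control",
}


def accounting_conflicts(roster):
    """roster: {person: set of duties}. Returns [(person, finding), ...]."""
    findings = []
    for person, duties in roster.items():
        functions = {ACCOUNTING_FUNCTION[d] for d in duties if d in ACCOUNTING_FUNCTION}
        # Every pair of distinct functions is one of the three fences.
        for pair in combinations(sorted(functions), 2):
            findings.append((person, FENCES[frozenset(pair)]))
    return findings


def systems_conflicts(roster):
    """One person holding two or more of the systems functions is a finding."""
    findings = []
    for person, duties in roster.items():
        held = sorted(duties & SYSTEMS_FUNCTIONS)
        if len(held) > 1:
            findings.append((person, "holds incompatible systems functions: " + ", ".join(held)))
    return findings


# Constructed rosters: the Bill/Mary story from the slides, and an IS roster.
BILL_ALONE = {"Bill": {"handle cash", "maintain journals and ledgers"}}
BILL_AND_MARY = {"Bill": {"handle cash"}, "Mary": {"maintain journals and ledgers"}}
IS_ROSTER = {
    "Pat": {"programming", "computer operations"},  # can change code and run it on live data
    "Lee": {"security management"},
}

# A roster check is preventive only: if Bill and Mary collude, no assignment
# rule catches it, which is why the slides pair segregation with independent checks.

if __name__ == "__main__":
    for roster in (BILL_ALONE, BILL_AND_MARY):
        print(accounting_conflicts(roster) or "no accounting conflicts")
    print(systems_conflicts(IS_ROSTER))
```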


CONTROL ACTIVITIES
Project development and acquisition controls
It's important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies.
Should contain appropriate controls for:
Management review and approval
User involvement
Analysis
Design
Testing
Implementation
Conversion
Should make it possible for management to trace information inputs from source to disposition and vice versa (the audit trail).

CONTROL ACTIVITIES
Examples abound of poorly managed projects that have wasted large sums of money because certain basic principles of project management control were ignored.


CONTROL ACTIVITIES
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:

Strategic master plan
  A multi-year strategic plan should align the organization's information system with its business strategies and show the projects that must be completed to achieve long-range goals.
  Should address hardware, software, personnel, and infrastructure requirements.
  Each year, the board and top management should prepare and approve the plan and its supporting budget.
  Should be evaluated several times a year to ensure the organization can acquire needed components and maintain existing ones.

Project controls
  A project development plan shows how a project will be completed, including: modules or tasks to be performed; who will perform them; anticipated completion dates; project costs.
  Project milestones should be specified: points when progress is reviewed and actual completion times are compared to estimates.
  Each project should be assigned to a manager and team who are responsible for its success or failure.
  At project completion, a project evaluation of the team members should be performed.

Data processing schedule
  Data processing tasks should be organized according to a schedule to maximize the use of scarce computer resources.

Steering committee
  A steering committee should guide and oversee systems development and acquisition.

System performance measurements
  To be evaluated properly, a system should be assessed with measures such as: throughput (output per unit of time); utilization (percent of time it is used productively); response time (how long it takes to respond).

Post-implementation review
  A review should be performed after a development project is completed to determine if the anticipated benefits were achieved.
  Helps control project development activities and encourage accurate and objective initial cost and benefit estimates.

CONTROL ACTIVITIES
To simplify and improve systems development, some companies hire a systems integrator: a vendor who uses common standards and manages the development effort using their own personnel and those of the client and other vendors.
Many companies rely on the integrator's assurance that the project will be completed on time.
Unfortunately, the integrator is often wrong.
These third-party systems development projects are subject to the same cost overruns and missed deadlines as systems developed internally.


CONTROL ACTIVITIES
When using systems integrators, companies should adhere to the same basic rules used for project management of internal projects. In addition, they should:

Develop clear specifications
  Before third parties bid, provide clear specifications, including: exact descriptions and definitions of the system; explicit deadlines; precise acceptance criteria.
  Although it's expensive to develop these specifications, it will save money in the end.

Monitor the systems integration project
  A sponsors committee should monitor third-party development projects.
  Established by the CIO and chaired by the project's internal champion.
  Should include department managers from all units that will use the system.
  Should establish formal procedures for measuring and reporting project status.
  Best approach is to: divide project into manageable tasks; assign responsibility for each task; meet on a regular basis (at least monthly) to review progress and assess quality.


CONTROL ACTIVITIES
Change management controls
Organizations constantly modify their information
systems to reflect new business practices and take
advantage of information technology advances.
Change management is the process of making sure that
the changes do not negatively affect:

Systems reliability
Security
Confidentiality
Integrity
Availability



CONTROL ACTIVITIES
Design and use of adequate documents and records

Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data.
Form and content should be kept as simple as possible to:
Promote efficient record keeping
Minimize recording errors
Facilitate review and verification

Documents that initiate a transaction should contain a space for authorization.
Those used to transfer assets should have a space for the receiving party's signature.


CONTROL ACTIVITIES
Documents should be sequentially pre-numbered:
To reduce likelihood that they would be used fraudulently.
To help ensure that all valid transactions are recorded.
A good audit trail facilitates:
Tracing individual transactions through the system.
Correcting errors.
Verifying system output.
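As an added example (not from the textbook), this is the review a sequence of pre-numbered documents makes possible: given the numbers issued for the period and the numbers that reached the journal, it reports numbers never recorded, numbers recorded twice, and numbers outside the issued series; the function name, the void list and the sample journal are constructed:

```python
"""Sequence check over pre-numbered documents (checks, invoices, receipts).
Added example, not from the textbook. Names and sample data are constructed."""
from collections import Counter


def sequence_exceptions(recorded_numbers, first, last, voided=()):
    """Exceptions for the issued document range first..last.

    recorded_numbers: document numbers that appear in the journal (with repeats)
    voided: numbers that were spoiled and formally voided; a voided form is the
            one acceptable explanation for a gap, so it is not reported as missing
    """
    counts = Counter(recorded_numbers)
    expected = set(range(first, last + 1))
    recorded = set(counts)
    voided = set(voided)
    return {
        # issued but never recorded: a possibly unrecorded transaction
        "missing": sorted(expected - recorded - voided),
        # the same form recorded more than once: possible fraudulent reuse
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        # numbers that were never part of the issued series
        "out_of_range": sorted(recorded - expected),
        # a form marked void that nevertheless got recorded
        "voided_but_recorded": sorted(recorded & voided),
    }


# Constructed sample: forms 1001..1010 were issued during the period;
# 1004 was spoiled and voided, 1007 never reached the journal, 1005 was
# recorded twice, and 1012 is not from this period's stock.
SAMPLE_JOURNAL = [1001, 1002, 1003, 1005, 1005, 1006, 1008, 1009, 1010, 1012]
SAMPLE_VOIDED = [1004]


def sample_report():
    return sequence_exceptions(SAMPLE_JOURNAL, 1001, 1010, voided=SAMPLE_VOIDED)


if __name__ == "__main__":
    for kind, numbers in sample_report().items():
        print(f"{kind}: {numbers}")
```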



CONTROL ACTIVITIES
Safeguard assets, records, and data

When people consider safeguarding assets, they most often think of cash and physical assets, such as inventory and equipment.
Another company asset that needs to be protected is information.
According to the ACFE's 2004 National Fraud Survey, theft of information made up only 17.3% of non-cash misappropriations; however, the median cost of an information theft was $340,000. This cost was 126% higher than the next most costly non-asset theft. (Equipment theft had a median cost of $150,000.)


CONTROL ACTIVITIES
Many people mistakenly believe that the greatest risks companies face are from outsiders.
However, employees pose a much greater risk when it comes to loss of data because:
They know the system and its weaknesses better.
They are better able to hide their illegal acts.


CONTROL ACTIVITIES
Insiders also create less-intentional threats to systems, including:
Accidentally deleting company data.
Turning viruses loose.
Trying to fix hardware or software without appropriate expertise (i.e., when in doubt, unplug it).
These actions can result in crashed networks, corrupt data, and hardware and software malfunctions.
Companies also face significant risks from customers and vendors that have access to company data.

CONTROL ACTIVITIES
Many steps can be taken to safeguard both information and physical assets from theft, unauthorized use, and vandalism. Chapters 7 and 8 discuss computer-based controls. In addition, it is important to:

Maintain accurate records of all assets
  Periodically reconcile recorded amounts to physical counts.

Restrict access to assets
  Use restricted storage areas for inventories and equipment.
  Use cash registers, safes, lockboxes, and safe deposit boxes to limit access to cash, securities, and paper assets.

Protect records and documents
  Use fireproof storage areas, locked filing cabinets, backup of files (including copies at off-site locations).
  Limit access to blank checks and documents to authorized personnel.


CONTROL ACTIVITIES
[Figure: ledger showing a $1,000 cash balance]
Let's look at Bill and Mary again. Assume that Bill stole cash but Mary did NOT alter the books.
Can Bill's theft be discovered if an independent party doesn't compare a count of the cash to what's recorded on the books?
Segregation of duties only has value when supplemented by independent checks.

CONTROL ACTIVITIES
Internal checks to ensure that transactions are processed accurately are an important control element.
These checks should be performed by someone independent of the party(ies) responsible for the activities.

CONTROL ACTIVITIES
The following independent checks are typically used:
Top-level reviews
Management at all levels should monitor company results and periodically compare actual performance to:
Planned performance as shown in budgets, targets, and forecasts
Prior-period performance
The performance of competitors
Analytical reviews
Examinations of relationships between different sets of data.
EXAMPLE: If credit sales increased significantly during the period and there were no changes in credit policy, then bad debt expense should probably have increased also.
Management should periodically analyze and review data relationships to detect fraud and other business problems.
Reconciliation of independently maintained sets of records
Check the accuracy and completeness of records by reconciling them with other records that should have the same balance.
EXAMPLES: Bank reconciliations; comparing the accounts payable control account to the sum of subsidiary accounts.
Comparison of actual quantities with recorded amounts
Periodically, count significant assets and reconcile the count to company records.
EXAMPLE: Annual physical inventory. High-dollar items and critical components should be counted more frequently.
Double-entry accounting
Ensure that debits equal credits.
Independent review
After one person processes a transaction, another reviews their work.
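The independent checks listed above, worked through on constructed data. This is an added illustration, not code from the textbook or its authors: it verifies that each journal entry's debits equal its credits, reconciles a control account to its subsidiary ledger, and compares an independent physical count of cash with the ledger balance (the Bill and Mary case, using the $1,000 ledger figure from the slide and a constructed $900 count). The account names, journal entries and balances are all constructed.

```python
"""Independent checks over constructed ledger data.

Added illustration for this chapter; not code from Romney/Steinbart.
All account names, entries and balances below are constructed.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed journal: (entry_id, account, debit, credit). Entry J3 is deliberately unbalanced.
JOURNAL = [
    ("J1", "Cash",             Decimal("1000.00"), Decimal("0.00")),
    ("J1", "Sales",            Decimal("0.00"),    Decimal("1000.00")),
    ("J2", "Accounts Payable", Decimal("250.00"),  Decimal("0.00")),
    ("J2", "Cash",             Decimal("0.00"),    Decimal("250.00")),
    ("J3", "Supplies",         Decimal("60.00"),   Decimal("0.00")),
    ("J3", "Cash",             Decimal("0.00"),    Decimal("50.00")),  # should be 60.00
]

# Constructed accounts payable subsidiary ledger (one balance per vendor) and its control account.
AP_SUBSIDIARY = {"Vendor A": Decimal("400.00"), "Vendor B": Decimal("350.00")}
AP_CONTROL_BALANCE = Decimal("760.00")   # 10.00 more than the subsidiary ledger supports

# The Bill and Mary case: the ledger says $1,000; an independent count (constructed) finds $900.
LEDGER_CASH = Decimal("1000.00")
COUNTED_CASH = Decimal("900.00")


def check_double_entry(journal):
    """Return the ids of journal entries whose debits do not equal credits."""
    totals = defaultdict(lambda: [Decimal("0"), Decimal("0")])
    for entry_id, _account, debit, credit in journal:
        totals[entry_id][0] += debit
        totals[entry_id][1] += credit
    return sorted(eid for eid, (dr, cr) in totals.items() if dr != cr)


def reconcile_control_account(control_balance, subsidiary):
    """Control account minus the sum of the subsidiary accounts; zero when the records agree."""
    return control_balance - sum(subsidiary.values(), Decimal("0"))


def compare_count_to_records(recorded, counted, tolerance=Decimal("0")):
    """Compare an independent physical count with the recorded amount.

    Returns (variance, flagged). The count must come from someone other than the
    custodian or the record keeper; otherwise the comparison proves nothing.
    """
    variance = counted - recorded
    return variance, abs(variance) > tolerance


def independent_check_report(journal, control_balance, subsidiary, recorded_cash, counted_cash):
    """Run all three checks and return a list of exception strings for follow-up."""
    exceptions = []
    for eid in check_double_entry(journal):
        exceptions.append(f"entry {eid}: debits do not equal credits")
    diff = reconcile_control_account(control_balance, subsidiary)
    if diff != 0:
        exceptions.append(f"accounts payable control account differs from subsidiary ledger by {diff}")
    variance, flagged = compare_count_to_records(recorded_cash, counted_cash)
    if flagged:
        exceptions.append(f"cash count differs from ledger by {variance}")
    return exceptions


if __name__ == "__main__":
    for line in independent_check_report(JOURNAL, AP_CONTROL_BALANCE, AP_SUBSIDIARY,
                                         LEDGER_CASH, COUNTED_CASH):
        print(line)
```

Without the count, the books in the Bill and Mary case balance perfectly: double-entry and the control-account reconciliation both pass, because Mary did not alter the ledger and the ledger is internally consistent. Only the comparison of an independent count with the recorded amount surfaces the $100 shortfall, which is the point the slide makes about independent checks.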

INFORMATION AND COMMUNICATION
The seventh component of COSO's ERM model.
The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.
So accountants must understand how:
Transactions are initiated
Data are captured in or converted to machine-readable form
Computer files are accessed and updated
Data are processed
Information is reported to internal and external parties

INFORMATION AND COMMUNICATION
Accountants must also understand the accounting records and procedures, supporting documents, and specific financial statement accounts involved in processing and reporting transactions.
The preceding items facilitate an audit trail which allows for transactions to be traced from origin to financial statements and vice versa.

INFORMATION AND COMMUNICATION
According to the AICPA, an AIS has five primary objectives:
Identify and record all valid transactions.
Properly classify transactions.
Record transactions at their proper monetary value.
Record transactions in the proper accounting period.
Properly present transactions and related disclosures in the financial statements.

INFORMATION AND COMMUNICATION
How to safeguard information and physical assets:
Create and enforce appropriate policies and procedures.
Maintain accurate records of all assets.
Restrict access to assets.
Protect records and documents.

INFORMATION AND COMMUNICATION
Accounting systems generally consist of several accounting subsystems, each designed to process transactions of a particular type.
Though they differ with respect to the type of transactions processed, all accounting subsystems follow the same sequence of procedures, referred to as accounting cycles.
The five major accounting cycles and their related control objectives and procedures are detailed in Chapters 10-14.

MONITORING
The eighth component of COSO's ERM model.
Monitoring can be accomplished with a series of ongoing events or by separate evaluations.

MONITORING
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer, a Chief Compliance Officer, and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline

MONITORING
Perform ERM evaluation
Can measure ERM effectiveness through a formal evaluation or through a self-assessment process.
A special group can be assembled to conduct the evaluation or it can be done by internal auditing.

MONITORING
Implement effective supervision
Involves:
Training and assisting employees;
Monitoring their performance;
Correcting errors; and
Safeguarding assets by overseeing employees with access.
Especially important in organizations that:
Can't afford elaborate responsibility reporting; or
Are too small for segregation of duties.

MONITORING
Use responsibility accounting
Includes use of:
Budgets, quotas, schedules, standard costs, and quality standards;
Performance reports that compare actual with planned performance and highlight variances; and
Procedures for investigating significant variances and taking timely actions to correct adverse conditions.

MONITORING
Monitor system activities
Risk analysis and management software packages are available to:
Review computer and network security measures;
Detect illegal entry into systems;
Test for weaknesses and vulnerabilities;
Report weaknesses found; and
Suggest improvements.

MONITORING
Cost parameters can be entered to balance acceptable levels of risk tolerance and cost-effectiveness.
Software is also available to monitor and combat viruses, spyware, spam, pop-up ads, and to prevent browsers from being hijacked.
Also helps companies recover from frauds and malicious actions and restore systems to pre-incident status.

MONITORING
System transactions and activities should be recorded in a log which indicates who accessed what data, when, and from which terminal.
Logs should be reviewed frequently to monitor system activity and trace any problems to their source.
Data collected can be used to:
Evaluate employee productivity;
Control company costs;
Fight corporate espionage and other attacks; and
Comply with legal requirements.
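The log review described above, as an added example that is not code from the textbook or its authors. It parses constructed access-log lines carrying exactly the four facts the slide calls for (who, what data, when, which terminal), checks them against a constructed review policy, and returns the exceptions a reviewer would trace back to their source. The user names, data objects, terminal ids, business hours and the policy itself are all assumptions made for the illustration.

```python
"""Review of a system access log against a reviewer's policy.

Added illustration for this chapter; not code from Romney/Steinbart.
The log lines, users, objects, terminals and policy are constructed.
"""
import re
from datetime import datetime

# Constructed sample log: who accessed what data, when, and from which terminal.
SAMPLE_LOG = """\
2024-03-04T09:15:22 user=bill action=READ object=AR_LEDGER terminal=T-07
2024-03-04T09:40:05 user=mary action=UPDATE object=AR_LEDGER terminal=T-03
2024-03-04T23:12:48 user=bill action=UPDATE object=AR_LEDGER terminal=T-07
2024-03-05T10:02:11 user=bill action=READ object=CASH_COUNT terminal=T-19
2024-03-05T10:30:00 user=intern action=UPDATE object=PAYROLL terminal=T-03
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) terminal=(?P<term>\S+)$"
)

# Constructed review policy: expected hours, each user's assigned terminals,
# and which users may update a given record (everyone else may only read it).
POLICY = {
    "business_hours": (8, 18),
    "terminals": {"bill": {"T-07"}, "mary": {"T-03"}, "intern": {"T-03"}},
    "may_update": {"AR_LEDGER": {"mary"}, "PAYROLL": {"payroll_clerk"}},
}


def parse_log(text):
    """Parse log lines into dicts; an unparseable line is itself a finding, so fail loudly."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised log format")
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def review_log(records, policy):
    """Return (kind, user, detail, timestamp) for every record that breaks the policy."""
    findings = []
    start, end = policy["business_hours"]
    for r in records:
        who, when = r["user"], r["ts"]
        if not (start <= when.hour < end):
            findings.append(("AFTER_HOURS", who, r["obj"], when.isoformat()))
        if r["term"] not in policy["terminals"].get(who, set()):
            findings.append(("UNKNOWN_TERMINAL", who, r["term"], when.isoformat()))
        allowed = policy["may_update"].get(r["obj"])
        if r["action"] == "UPDATE" and allowed is not None and who not in allowed:
            findings.append(("UNAUTHORIZED_UPDATE", who, r["obj"], when.isoformat()))
    return findings


def access_summary(records):
    """Per-user count of accesses by object: the starting point for tracing a problem to its source."""
    summary = {}
    for r in records:
        per_user = summary.setdefault(r["user"], {})
        per_user[r["obj"]] = per_user.get(r["obj"], 0) + 1
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for finding in review_log(recs, POLICY):
        print(finding)
    print(access_summary(recs))
```

On the constructed log the review yields four exceptions: an after-hours update of the receivables ledger by a user who is not permitted to change it, a read from a terminal not assigned to that user, and a payroll update by an intern. Each carries the user, object and timestamp, which is what a reviewer needs to trace it to its source. For the log to serve as evidence, it must be kept where the people it records cannot alter it; a log writable by the users it monitors fails as a control.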

MONITORING
Companies that monitor system activities need to ensure they do not violate employee privacy rights.
Employers cannot discreetly observe communications of employees when those employees have a reasonable expectation of privacy.
Employers must therefore ensure that employees realize their business communications are not private. One way to accomplish that objective is to have written policies that employees agree to in writing which indicate:
The technology employees use on the job belongs to the company.
Emails received on company computers are not private and can be read by supervisory personnel.
Employees should not use technology in any way to contribute to a hostile work environment.

MONITORING
Track purchased software
The Business Software Alliance (BSA) aggressively tracks down and fines companies who violate software license agreements.
To comply with copyrights, companies should periodically conduct software audits to ensure that:
There are enough licenses for all users; and
The company is not paying for more licenses than needed.
Employees should be informed of the consequences of using unlicensed software.

MONITORING
Conduct periodic audits
To monitor risk and detect fraud and errors, the company should have periodic:
External audits
Internal audits
Special network security audits
Auditors should test system controls and browse system usage files looking for suspicious activities (discussed in Chapter 9).

MONITORING
Again, care should be exercised that employees' privacy rights are not violated.
Therefore, inform employees that auditors will conduct random surveillance, which:
Avoids privacy violations
Creates a perception of detection that can deter crime and reduce errors

MONITORING
Internal auditing involves:
Reviewing the reliability and integrity of financial and operating information.
Providing an appraisal of internal control effectiveness.
Assessing employee compliance with management policies and procedures and applicable laws and regulations.
Evaluating the efficiency and effectiveness of management.

MONITORING
Internal audits can detect:
Excess overtime
Under-used assets
Obsolete inventory
Padded expense reimbursements
Excessively loose budgets and quotas
Poorly justified capital expenditures
Production bottlenecks

MONITORING
Internal auditing should be organizationally independent of the accounting and operating functions.
The head should report to the audit committee of the board of directors rather than to the controller or CFO.

MONITORING
Employ a computer security officer and computer consultants
The computer security officer (CSO) is in charge of AIS security
Should be independent of the IS function
Should report to the COO or CEO
Many companies also use outside computer consultants or in-house teams to test and evaluate their security procedures and computer systems.

MONITORING
Engage forensic specialists
Forensic accountants specialize in fraud detection and investigation.
Now one of the fastest growing areas of accounting due to:
SOX
SAS-99
Boards of Directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process.

MONITORING
Most forensic accountants are CPAs and may have received special training with the FBI, CIA, or other law enforcement agencies.
In particular demand are those with the necessary computer skills to ferret out and combat fraudsters who use sophisticated technology to perpetrate their crimes.
The Association of Certified Fraud Examiners (ACFE) has created a professional certification program for fraud examiners.

MONITORING
Management may also need to call on computer forensic specialists for help.
They assist in discovering, extracting, safeguarding, and documenting computer evidence so that its authenticity, accuracy, and integrity will not succumb to legal challenges.

MONITORING
Common incidents investigated by computer forensic experts include:
Improper internet usage
Fraud
Sabotage
Loss, theft, or corruption of data
Retrieving information from emails and databases that users thought they had erased
Determining who performed certain actions on a computer

MONITORING
Install fraud detection software
People who commit fraud tend to follow certain patterns and leave behind clues.
Software has been developed to seek out these fraud symptoms.
Some companies employ neural networks (programs that mimic the brain and have learning capabilities), which are very accurate in identifying suspected fraud.
For example, if a husband and wife were each using the same credit card in two different stores at the same time, a neural network would probably flag at least one of the transactions immediately as suspicious.
These networks and other recent advances in fraud detection software are significantly reducing the incidences of credit card fraud.
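The fraud symptom in the slide's example, encoded as a plain rule over constructed transactions. This is an added illustration, not code from the textbook or any fraud-detection product, and it is not a neural network: it flags a card used at two different stores within an impossibly short window, and separately flags a card that exceeds a transaction-count velocity limit. The card ids, store ids, timestamps, amounts and the thresholds are all constructed for the illustration.

```python
"""Fraud-symptom rules over constructed card transactions.

Added illustration for this chapter; not code from Romney/Steinbart and not a
neural network. All card ids, stores, timestamps, amounts and thresholds are
constructed.
"""
from datetime import datetime, timedelta

# Constructed transactions: (card_id, ISO timestamp, store_id, amount in dollars).
TRANSACTIONS = [
    ("4111****1111", "2024-03-04T12:00:05", "STORE-A", 45.10),
    ("4111****1111", "2024-03-04T12:01:40", "STORE-B", 120.00),  # other store 95 s later
    ("4111****1111", "2024-03-04T15:30:00", "STORE-A", 12.50),
    ("5555****4444", "2024-03-04T12:00:00", "STORE-C", 80.00),
    ("5555****4444", "2024-03-04T12:20:00", "STORE-C", 15.00),   # same store: not a symptom
    ("5555****4444", "2024-03-04T12:20:30", "STORE-D", 15.00),   # other store 30 s later
]


def _by_card(transactions):
    """Group parsed transactions by card, each group sorted by time."""
    groups = {}
    for card, ts, store, amount in transactions:
        groups.setdefault(card, []).append((datetime.fromisoformat(ts), store, amount))
    for txns in groups.values():
        txns.sort()
    return groups


def flag_simultaneous_use(transactions, window=timedelta(minutes=5)):
    """Flag pairs of transactions on one card at different stores within `window`.

    Returns a list of (card, first_store, second_store, gap_seconds). Only
    consecutive transactions are compared, so a burst across N stores yields N-1 flags.
    """
    flags = []
    for card, txns in _by_card(transactions).items():
        for (t1, s1, _a1), (t2, s2, _a2) in zip(txns, txns[1:]):
            gap = t2 - t1
            if s1 != s2 and gap <= window:
                flags.append((card, s1, s2, gap.total_seconds()))
    return flags


def velocity_exceeded(transactions, limit=3, window=timedelta(minutes=10)):
    """Return the cards with more than `limit` transactions inside any rolling `window`."""
    hits = set()
    for card, txns in _by_card(transactions).items():
        times = [t for t, _s, _a in txns]
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                hits.add(card)
    return sorted(hits)


if __name__ == "__main__":
    for flag in flag_simultaneous_use(TRANSACTIONS):
        print("simultaneous use:", flag)
    print("velocity exceeded:", velocity_exceeded(TRANSACTIONS))
```

A rule like this is the simplest form of what the slide describes: the pattern (one card, two places, one moment) is known in advance and written down, whereas a learning system derives its patterns from labelled history. Both produce suspects rather than verdicts, and the flagged transaction still has to be investigated, which is why the slide says "flag ... as suspicious" rather than "block".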

MONITORING
Implement a fraud hotline
People who witness fraudulent behavior are often torn between conflicting feelings.
They want to protect company assets and report fraud perpetrators.
But they are uncomfortable in the whistleblower role and find it easier to remain silent.
They are particularly reluctant to report if they know of others who have suffered repercussions from doing so.

MONITORING
SOX mandates that companies set up mechanisms for employees to anonymously report abuses such as fraud.
An effective way to comply with the law and resolve employee concerns is to provide access to an anonymous hotline.
Anonymous reporting can be accomplished through:
Phone lines
Web-based reporting
Anonymous emails
Snail mail

MONITORING
Outsourcing is available through a number of third parties and offers several benefits, including:
Increased confidence on the part of the employee that his/her report is truly anonymous.
24/7 availability.
Often have multilingual capabilities, an important plus for multinational organizations.
The outsourcer may be able to do follow up with the employee if additional information is needed after the initial contact.
The employee can be advised of the outcome of his report.
Low cost.

MONITORING
A downside to anonymous reporting mechanisms is that they will produce a significant amount of petty or slanderous reports that do not require investigation.
The ACFE's 2004 Report to the Nation indicates that companies without fraud hotlines had median fraud losses that were 140% higher than companies that had fraud hotlines.

SUMMARY
In this chapter, you've learned about basic internal control concepts and why computer control and security are so important.
You've learned about the similarities and differences between the COBIT, COSO, and ERM control frameworks.
You've learned about the major elements in the internal control environment of a company and the four types of control objectives that companies need to set.
You've also learned about events that affect uncertainty and how these events can be identified.
You've explored how the Enterprise Risk Management model is used to assess and respond to risk, as well as the control activities that are commonly used in companies.
Finally, you've learned how organizations communicate information and monitor control processes.