Why AIS Threats Are Increasing: Control Risks Have Increased in The Last Few Years Because
Romney/Steinbart
INTRODUCTION
Historically, many organizations have not adequately
Some vocabulary terms for this chapter:
Control and security are important
To use IT in achieving control objectives,
accountants must:
Control objectives are the same regardless of the
One of the primary objectives of an AIS is to
consultants by:
Taking a proactive approach to eliminating system
threats; and
Detecting, correcting, and recovering from threats
when they do occur.
It is much easier to build controls into a system
limitations, including:
functions:
- Preventive controls: Deter problems before they arise.
- Detective controls
- Corrective controls
mandated that:
Many people feel there is a basic conflict between creativity and controls. Robert Simons has espoused four levers of control to help companies reconcile this conflict:
- A belief system
- A boundary system
- A diagnostic control system
A diagnostic control system:
- This system measures company progress by comparing actual to planned performance.
- Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.
- Provides feedback to enable management to adjust and fine-tune.
- Ensures efficient and effective achievement of important
- A concise
CONTROL FRAMEWORKS
A number of frameworks have been
- COBIT framework
- The COSO internal control framework
- COSO's Enterprise Risk Management framework (ERM)
2008 Prentice Hall Business Publishing
COBIT framework
The COBIT framework allows:
The framework addresses the issue of control from
- Business objectives
- IT resources, including: People; Application systems; Technology; Facilities; Data
- IT processes, broken into four domains: Planning and organization; Acquisition and implementation; Delivery and support; Monitoring
COBIT consolidates standards from 36 different
COSO's internal control framework
In 1992, COSO issued the Internal Control
Integrated Framework:
COSO's internal control model has five crucial components:
- Control environment
- Control activities
- Risk assessment
- Information and communication
- Monitoring
Nine years after COSO issued the preceding
Intent of ERM is to achieve all goals of the
ERM defines risk management as:
A process effected by an entity's board of directors,
management, and other personnel.
Applied in strategy setting and across the enterprise.
To identify potential events that may affect the entity.
And manage risk to be within its risk appetite.
In order to provide reasonable assurance of the achievement
of entity objectives.
Basic principles behind ERM:
Risk
Opportunity
COSO developed a model
Columns at the top represent the four types of objectives that management must meet to achieve company goals:
- Strategic objectives
- Operations objectives
- Reporting objectives
- Compliance objectives
Compliance objectives help the company comply with applicable laws and regulations. External parties often set the compliance rules. Companies in the same industry often have similar concerns in this area.
ERM can provide reasonable
Columns on the right
Entire company
Division
Business unit
Subsidiary
The horizontal rows are eight risk and control components, including:
Internal environment
The tone or culture of the company. Provides discipline and structure and is the foundation for all other components. Essentially the same as the control environment in the COSO internal control framework.
The horizontal rows are eight risk and control components, including:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
Control activities: To implement management's risk responses, related control policies and procedures are established and implemented throughout the various levels and functions of the organization. Corresponds to the control activities element in the COSO internal control framework.
Information and communication: Employees should understand their role and importance in ERM and how these responsibilities relate to those of others. Has a corresponding element in the COSO internal control framework.
Monitoring: Deficiencies are reported to management. Corresponding module in the COSO internal control framework.
The ERM model is three-dimensional. This means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.
ERM Framework vs. the Internal Control Framework
The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
It has too narrow a focus. Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results. Makes it difficult to know:
- Which control systems are most important.
- Whether they adequately deal with risk.
- Whether important control systems are missing.
These issues led to COSO's development of the ERM framework.
- Setting objectives.
- Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.
- Developing a response to assessed risk.
Over time, ERM will probably become the most
INTERNAL ENVIRONMENT
The most critical component
Internal environment consists of the following:
Management's philosophy, operating
The board of directors
An active and involved board of directors plays an important
role in internal control.
They should:
Oversee management
Scrutinize management's plans, performance, and activities
Approve company strategy
Review financial results
Annually review the company's security policy
Interact with internal and external auditors
Directors should possess management, technical,
Public companies must have an audit
Commitment to integrity, ethical values,
and competence
Companies can endorse integrity as a basic
Management should:
Management should not assume that employees
Management should develop clearly stated
SOX only requires a code of ethics for senior
Management should require employees to report
The levers of control, particularly beliefs and
Companies must make a commitment to
competence.
Organizational structure
Important aspects of organizational structure:
Statistically, fraud occurs more frequently in
In today's business world, the hierarchical
Methods of assigning authority and
responsibility
Authority and responsibility are assigned through:
Human resources standards
The following policies and procedures are
important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
Hiring
Background checks can involve:
Sometimes professional firms are hired to do the
Compensating
Policies on training
Their responsibilities.
Expected performance and behavior.
Company policies, procedures, history, culture, and operating
style.
These cultures do not just happen. They must be
Fraud awareness
Ethical considerations
Training can take place through:
Informal discussions
Formal meetings
Periodic memos
Written guidelines
Codes of ethics
Circulating reports of unethical behavior and its
consequences
Promoting security and fraud training programs
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality agreements and fidelity bond
insurance
In addition to the preceding policies, the
Companies fear:
Law enforcement officials and courts are busy with
violent crimes and may regard teen hacking as childish
pranks.
Fraud is difficult, costly, and time-consuming to
investigate and prosecute.
Law enforcement officials, lawyers, and judges often
lack the computer skills needed to investigate,
prosecute, and evaluate computer crimes.
When cases are prosecuted and a conviction obtained,
penalties are often very light. Judges often regard the
perps as model citizens.
External influences
FASB
PCAOB
SEC
Insurance commissions
Regulatory agencies for banks, utilities, etc.
OBJECTIVE SETTING
Objective setting is the second ERM component. It must precede many of the other six components. For example, you must set objectives before you can define events that affect your ability to achieve objectives.
Top management, with board approval, must
Objectives set at the corporate level are linked to
Objective-setting process proceeds as follows:
As a rule of thumb:
Operations objectives:
Are a product of management preferences, judgments, and
style.
Vary significantly among entities:
One may adopt technology; another waits until the bugs are
worked out.
Compliance and reporting objectives:
EVENT IDENTIFICATION
Events are:
By their nature, events represent uncertainty:
Management must do its best to anticipate all
Some of these factors include:
External factors:
Economic factors
- Availability of capital; lower or higher costs of capital
- Lower barriers to entry, resulting in new competition
- Price movements up or down
- Ability to issue credit and possibility of default
- Concentration of competitors, customers, or vendors
- Presence or absence of liquidity
- Movements in the financial markets or currency fluctuations
- Rising or lowering unemployment rates
- Mergers or acquisitions
- Potential regulatory, contractual, or criminal legal liability
Some of these factors include:
External factors:
- Economic factors
- Natural environment
- Political factors: Election of government officials with new agendas; New laws and regulations; Public policy, including higher or lower taxes; Regulation affecting the company's ability to compete
- Social factors
Some of these factors include:
Internal factors:
Infrastructure
Personnel
Process
Technology
Insufficient capacity to handle peak IT usages
Security breaches
Data or system unavailability from internal factors
Inadequate data integrity
Poor systems selection/development
Inadequately maintained systems
Lists can help management identify factors,
Companies usually use two or more of the
components of COSO's ERM model are risk assessment and risk response.
COSO indicates there are two types of risk:
- Inherent risk: The risk that exists before management takes any steps to control the likelihood or impact of a risk.
- Residual risk: The risk that remains after management implements internal controls or some other form of response to risk.
to risk:
Reduce it
Accept it
Share it
Avoid it
RISK ASSESSMENT
AND RISK RESPONSE
Event
identification
[Flowchart residue: at each step, "No" branches to "Avoid, share, or accept risk" and "Yes" continues to the next step.]
Estimate likelihood
and impact
Identify controls
Management must
identify one or more
controls that will protect
the company from each
event.
In evaluating benefits of
each control procedure,
consider effectiveness
and timing.
All other factors equal, a preventive control is better than a detective one. However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover. Consequently, the three complement each other, and a good internal control system should have all three. Similarly, a company should use all four levers of control.
Estimate costs and
benefits
The benefits of an
internal control
procedure must exceed
its costs.
Benefits can be hard to
quantify, but include:
Costs are usually easier
to measure than
benefits.
Primary cost is
personnel, including:
Other costs of a poor
Lost sales
Lower productivity
Drop in stock price if
security problems arise
Shareholder or regulator
lawsuits
Fines and penalties
imposed by governmental
agencies
The expected loss related to a risk is measured as:
Expected loss = impact x likelihood
The value of a control procedure is the difference between:
Determine cost-benefit effectiveness (to protect system)
In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation. If an event threatens an organization's existence, it may be worthwhile to institute controls even if costs exceed expected benefits. The additional cost can be viewed as a catastrophic loss insurance premium.
Implement the control or avoid, share, or accept the risk
Risks that are not reduced must be accepted, shared, or avoided.
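A worked cost-benefit screen for the steps above, added here as an example and not taken from the slides: it applies "expected loss = impact x likelihood", values a control as the reduction in expected loss it buys, and encodes the catastrophic-loss caveat with an assumed `existential` flag. All risks, dollar figures and likelihoods are constructed.

```python
"""Expected-loss and cost-benefit screening of candidate controls.

Added example (not from the Romney/Steinbart slides).  The rule applied is
the slides' "expected loss = impact x likelihood"; a control is worth the
expected loss it removes; a control is implemented when that value exceeds
its cost, or when the event is existential (the excess cost is treated as a
catastrophic-loss insurance premium).  The `existential` flag and all sample
figures are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float               # loss in dollars if the event occurs
    likelihood: float           # probability of the event per year, 0..1
    residual_impact: float      # impact remaining after the candidate control
    residual_likelihood: float  # likelihood remaining after the candidate control
    control_cost: float         # annual cost of the candidate control
    existential: bool = False   # would the inherent event end the company? (assumed attribute)


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood (the slides' formula)."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return impact * likelihood


def control_value(r: Risk) -> float:
    """Value of a control: expected loss without it minus expected loss with it."""
    inherent = expected_loss(r.impact, r.likelihood)
    residual = expected_loss(r.residual_impact, r.residual_likelihood)
    return inherent - residual


def decide(r: Risk) -> tuple[str, float]:
    """Return (decision, net_benefit) for one risk.

    Net benefit is the control's value minus its cost.  A positive net benefit
    means implement; an existential event is implemented anyway; otherwise the
    risk must be avoided, shared, or accepted.
    """
    net = control_value(r) - r.control_cost
    if net > 0:
        return "implement", net
    if r.existential:
        return "implement (catastrophic-loss premium)", net
    return "avoid, share, or accept", net


# Constructed sample risks, not figures from the slides.
SAMPLE_RISKS = [
    Risk("unencrypted backup tapes lost in transit", 500_000, 0.05,
         500_000, 0.005, control_cost=8_000),
    Risk("payroll clerk alters own pay rate", 20_000, 0.20,
         20_000, 0.02, control_cost=6_000),
    Risk("data centre destroyed, no recovery site", 40_000_000, 0.002,
         2_000_000, 0.002, control_cost=120_000, existential=True),
]


def screen(risks: list[Risk] = SAMPLE_RISKS) -> dict[str, str]:
    """Map each risk name to the decision the cost-benefit screen reaches."""
    return {r.name: decide(r)[0] for r in risks}


if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        decision, net = decide(risk)
        print(f"{risk.name}: net benefit {net:,.0f} -> {decision}")
```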
CONTROL ACTIVITIES
The sixth component of
It is management's responsibility to develop a
It is critical that controls be in place during the
Generally, control procedures fall into one of the
following categories:
Proper authorization of transactions and
activities
Authorizations are often documented by signing
Typically at least two levels of authorization:
General authorization
Special authorization
Segregation of duties
Good internal control requires that no single employee be
given too much responsibility over business transactions or
processes.
An employee should not be in a position to commit and
conceal fraud or unintentional errors.
Segregation of duties is discussed in two sections:
[Slide illustration: a ledger balance shown as $1,000, then $900, then $1,000 again.]
CONTROL ACTIVITIES
Segregation of accounting duties
CUSTODIAL FUNCTIONS
- Handling cash
- Handling inventories, tools, or fixed assets
- Writing checks
- Receiving checks in mail
RECORDING FUNCTIONS
- Preparing source documents
- Maintaining journals, ledgers, or other files
- Preparing reconciliations
- Preparing performance reports
AUTHORIZATION FUNCTIONS
- Authorization of transactions
EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft.
SOLUTION: The pink fence (segregation of custody and recording) prevents employees from falsifying records to conceal theft of assets entrusted to them.
EXAMPLE OF PROBLEM: A person who has custody of checks for transactions that he has authorized can authorize fictitious transactions and then steal the payments.
SOLUTION: The green fence (segregation of custody and authorization) prevents employees from authorizing fictitious or inaccurate transactions as a means of concealing a theft.
EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep records related to the transactions can authorize and record fictitious payments that might, for example, be sent to the employee's home address or the address of a shell company he creates.
SOLUTION: The purple fence (segregation of
In a system that incorporates an effective
[Slide illustration: a ledger balance of $1,000, captioned "If this happens . . ."]
Employees can collude with other employees or
The most frequent form of employee/customer
collusions include:
Segregation of duties within the systems
function
Authority and responsibility must be divided clearly between the following functions:
- Systems administration
- Network management
- Security management
- Change management
- Users: Record transactions, authorize data to be processed, and use system output.
- Systems analysts: Help users determine their information needs and design systems to meet those needs.
- Programming: Use the design provided by the systems analysts to write the computer programs for the information system.
- Computer operations
- Information systems library: Maintains custody of corporate databases, files, and programs in a separate storage area.
- Data control: Ensures that source data have been properly approved. Monitors the flow of work through the computer. Reconciles input and output. Maintains a record of input errors to ensure their correction and resubmission. Distributes system output.
It is important that different people perform the
preceding functions.
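A segregation-of-duties check covering both the accounting triangle (custodial, recording, authorization) and the systems-function roles just listed, added here as an example rather than code from the slides; the employee names and assignments are constructed, and the explanation attached to each fence is taken from the slide text above.

```python
"""Segregation-of-duties (SoD) conflict check over duty assignments.

Added example, not code from the Romney/Steinbart slides.  It encodes two
policies from the slides: (1) the accounting triangle, where no one person
should hold duties from two of the custodial, recording and authorization
functions, and (2) the systems function, where each listed role should be
held by a different person.  Employee names and assignments are constructed.
"""
from collections import defaultdict

# Accounting duties grouped by function, as listed on the slides.
ACCOUNTING_FUNCTIONS = {
    "custodial": {
        "handling cash", "handling inventories, tools, or fixed assets",
        "writing checks", "receiving checks in mail",
    },
    "recording": {
        "preparing source documents",
        "maintaining journals, ledgers, or other files",
        "preparing reconciliations", "preparing performance reports",
    },
    "authorization": {"authorization of transactions"},
}

# Each "fence" of the triangle and what crossing it lets one person do.
ACCOUNTING_CONFLICTS = {
    frozenset({"custodial", "recording"}):
        "can steal assets and falsify records to conceal the theft",
    frozenset({"custodial", "authorization"}):
        "can authorize fictitious transactions and steal the payments",
    frozenset({"authorization", "recording"}):
        "can authorize and record fictitious payments",
}

# Systems-function roles that the slides say different people must perform.
SYSTEMS_ROLES = {
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysts", "programming",
    "computer operations", "information systems library", "data control",
}

# Reverse index: duty name -> function it belongs to.
DUTY_TO_FUNCTION = {d: f for f, ds in ACCOUNTING_FUNCTIONS.items() for d in ds}


def accounting_conflicts(assignments):
    """assignments: {employee: set of duty names}.

    Returns a list of (employee, (function, function), explanation) for every
    pair of triangle functions one person holds.  Duties not in the triangle
    are ignored: they cannot create a conflict under this policy.
    """
    findings = []
    for who, duties in assignments.items():
        held = {DUTY_TO_FUNCTION[d] for d in duties if d in DUTY_TO_FUNCTION}
        for pair, why in ACCOUNTING_CONFLICTS.items():
            if pair <= held:
                findings.append((who, tuple(sorted(pair)), why))
    return findings


def systems_conflicts(role_holders):
    """role_holders: {role: employee}.

    Returns {employee: sorted roles} for every person holding two or more of
    the systems-function roles; an unknown role name is rejected.
    """
    by_person = defaultdict(set)
    for role, who in role_holders.items():
        if role not in SYSTEMS_ROLES:
            raise ValueError(f"unknown systems role: {role}")
        by_person[who].add(role)
    return {who: sorted(r) for who, r in by_person.items() if len(r) > 1}


# Constructed sample assignments (not from the slides).
ACCOUNTING_SAMPLE = {
    "alice": {"receiving checks in mail",
              "maintaining journals, ledgers, or other files"},   # custody + recording
    "bob": {"authorization of transactions", "writing checks"},  # authorization + custody
    "carol": {"preparing reconciliations", "preparing performance reports"},  # recording only
}
SYSTEMS_SAMPLE = {
    "programming": "dave", "computer operations": "dave",  # one person, two roles
    "security management": "erin", "change management": "frank",
    "information systems library": "grace",
}

if __name__ == "__main__":
    for who, pair, why in accounting_conflicts(ACCOUNTING_SAMPLE):
        print(f"{who}: holds {pair[0]} and {pair[1]} -> {why}")
    for who, roles in systems_conflicts(SYSTEMS_SAMPLE).items():
        print(f"{who}: holds {', '.join(roles)}")
```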
Generally, control procedures fall into one of the
following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
Project development and acquisition controls
It's important to have a formal, appropriate, and proven
methodology to govern the development, acquisition,
implementation, and maintenance of information systems and
related technologies.
Should contain appropriate controls for:
Management review and approval
User involvement
Analysis
Design
Testing
Implementation
Conversion
Should make it possible for management to trace information
inputs from source to disposition and vice versa (the audit trail).
Examples abound of poorly managed projects that
The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
Strategic master plan
Project controls
Data processing schedule
Steering committee
System performance measurements
Post-implementation review
To be evaluated properly, a system should be assessed with measures such as:
Throughput (output per unit of time)
Utilization (percent of time it is used productively)
Response time (how long it takes to respond)
To simplify and improve systems development,
When using systems integrators, companies should adhere to the same basic rules used for project management of internal projects. In addition, they should:
Develop clear specifications.
Before third parties bid, provide clear specifications, including:
Exact descriptions and definitions of the system
Explicit deadlines
Precise acceptance criteria
Although it's expensive to develop these specifications, it will save money in the end.
Change management controls
Organizations constantly modify their information
systems to reflect new business practices and take
advantage of information technology advances.
Change management is the process of making sure that the changes do not negatively affect:
Systems reliability
Security
Confidentiality
Integrity
Availability
Design and use of adequate documents and records
Documents should be sequentially pre-numbered:
To reduce the likelihood that they would be used fraudulently.
To help ensure that all valid transactions are recorded.
A good audit trail facilitates:
Safeguard assets, records, and data
Many people mistakenly believe that the greatest
Insiders also create less-intentional threats to systems, including:
Many steps can be taken to safeguard both
Restrict access to assets
Lockboxes and safe deposit boxes to limit access to cash, securities, and paper assets.
Periodically reconcile recorded amounts to physical counts.
Ledger
$1,000
Internal checks to ensure that transactions are
The following independent checks are typically used:
Top-level reviews
Analytical reviews
Reconciliation of independently maintained sets of records
Comparison of actual quantities with recorded amounts
Double-entry accounting
Independent review
ERM model.
The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization. So accountants must understand how:
Transactions are initiated
Data are captured in or converted to machine-readable form
Computer files are accessed and updated
Data are processed
Information is reported to internal and external parties
MONITORING
The eighth component
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer, a Chief Compliance Officer, and security consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
Perform ERM evaluation
Can measure ERM effectiveness through a formal evaluation or through a self-assessment process.
A special group can be assembled to conduct the evaluation or it can be done by internal auditing.
Implement effective supervision
Involves:
Use responsibility accounting
Monitor system activities
Cost parameters can be entered to balance
System transactions and activities should be
Companies that monitor system activities need to ensure
Track purchased software
Conduct periodic audits
To monitor risk and detect fraud and errors, the company should have periodic:
External audits
Internal audits
Special network security audits
Again, care should be exercised that employees
Internal auditing involves:
Reviewing the reliability and integrity of financial and operating information.
Providing an appraisal of internal control effectiveness.
Assessing employee compliance with management policies and procedures and applicable laws and regulations.
Evaluating the efficiency and effectiveness of management.
Internal audits can detect:
Excess overtime
Under-used assets
Obsolete inventory
Padded expense reimbursements
Excessively loose budgets and quotas
Poorly justified capital expenditures
Production bottlenecks
Internal auditing should be organizationally
Employ a computer security officer and computer consultants
Engage forensic specialists
Most forensic accountants are CPAs and may
Management may also need to call on computer
Common incidents investigated by computer
Install fraud detection software
People who commit fraud tend to follow certain patterns and leave behind clues.
Software has been developed to seek out these fraud symptoms.
Some companies employ neural networks (programs that mimic the brain and have learning capabilities), which are very accurate in identifying suspected fraud.
For example, if a husband and wife were each using the same credit card in two different stores at the same time, a neural network would probably flag at least one of the transactions immediately as suspicious.
These networks and other recent advances in fraud detection software are significantly reducing the incidences of credit card fraud.
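The simultaneous-use pattern described above, as an added example that is not from the textbook: a plain rule-based check (not a neural network) run over a constructed set of card transactions, flagging any card used at two different stores within a short window. The transaction records, store names and the ten-minute window are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    card: str      # constructed card identifier, not a real card number
    store: str
    at: datetime


# Constructed sample ledger. card-A is swiped in two different stores one
# minute apart (the "husband and wife" pattern); the rest are plausible.
SAMPLE = [
    Txn("t1", "card-A", "Store 17", datetime(2008, 3, 1, 10, 0)),
    Txn("t2", "card-A", "Store 42", datetime(2008, 3, 1, 10, 1)),
    Txn("t3", "card-A", "Store 42", datetime(2008, 3, 1, 10, 30)),  # same store, later
    Txn("t4", "card-B", "Store 17", datetime(2008, 3, 1, 10, 0)),
    Txn("t5", "card-B", "Store 42", datetime(2008, 3, 1, 14, 0)),   # hours apart
]


def simultaneous_use(txns, window=timedelta(minutes=10)):
    """Return the ids of transactions where one card appears at two
    different stores within `window` of each other. A single physical
    card cannot be in two stores at once, so such pairs go to review."""
    flagged = set()
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)
    for card_txns in by_card.values():
        card_txns.sort(key=lambda t: t.at)
        for i, a in enumerate(card_txns):
            for b in card_txns[i + 1:]:
                if b.at - a.at > window:
                    break          # sorted by time: later ones are farther away
                if b.store != a.store:
                    flagged.update((a.txn_id, b.txn_id))
    return sorted(flagged)


if __name__ == "__main__":
    print("review queue:", simultaneous_use(SAMPLE))  # ['t1', 't2']
```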
Implement a fraud hotline
SOX mandates that companies set up
Phone lines
Web-based reporting
Anonymous emails
Snail mail
Outsourcing is available through a number of third
A downside to anonymous reporting
SUMMARY
In this chapter, you've learned about basic internal control