Chapter 7 Controlling Information Systems:
Introduction to Enterprise Risk
Management and Internal Control
Accounting Information Systems 8e
Ulric J. Gelinas and Richard Dull
© 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated,
in whole or in part, except for use as permitted in a license distributed with a certain product
or service or otherwise on a password-protected website for classroom use
Learning Objectives
• Summarize the eight elements of COSO’s Enterprise Risk
Management—Integrated Framework.
• Understand that management employs internal control
systems as part of organizational and IT governance
initiatives.
• Describe how internal control systems help organizations
achieve objectives and respond to risks.
• Describe fraud, computer fraud, and computer abuse.
• Enumerate control goals for operations and information
processes.
• Describe the major categories of control plans.
Why are Controls Needed?
1. To provide reasonable assurance that the
goals of each business process are being
achieved.
2. To mitigate the risk that the enterprise will
be exposed to some type of harm, danger,
or loss (including loss caused by fraud or
other intentional and unintentional acts).
3. To provide reasonable assurance that the
company is in compliance with applicable
legal and regulatory obligations.
Components of Enterprise Risk
Management (ERM)
• Internal Environment
– Encompasses the tone of an organization.
– Sets the basis for how risk is viewed and addressed by an
entity’s people.
– Includes risk management philosophy and risk appetite,
integrity and ethical values, and the environment in which
they operate.
• Objective Setting
– Objectives must exist before management can identify
potential events affecting their achievement.
– ERM ensures management has a process in place to set
objectives and that the objectives support and align with the
entity’s mission and are consistent with its risk appetite.
Objective Setting
Components of ERM (Cont’d.)
• Event Identification
– Internal and external events affecting achievement of an
entity’s objectives must be identified, distinguishing
between risks and opportunities.
– Opportunities are channeled back to management’s
strategy or objective-setting processes.
• Risk Assessment
– Risks are analyzed, considering likelihood and impact, as a
basis for determining how they should be managed.
– Risks are assessed on an inherent and a residual basis.
• Risk Response
– Management selects risk responses – avoiding, accepting,
reducing, or sharing risk – developing a set of actions to
align risks with the entity’s risk tolerances and risk appetite.
Risk Assessment and Residual Risk
1. Estimate the annual dollar loss should a costly event,
   e.g., a destructive fire, take place. Assume an estimated
   loss of $1,000,000.
2. Estimate the annual probability that the event will occur
   (i.e., the likelihood). Assume the estimate is 5 percent.
3. Multiply item 1 by item 2 to get an initial expected gross
   risk (loss) of $50,000 ($1,000,000 × 0.05). This is the
   maximum amount or upper limit that should be paid for
   controls and the related risk reduction offered by such
   controls, in a given year.
4. If the company would pay $1,000 annually (cost of
   control) for a $20,000 fire insurance policy (reduced risk
   exposure due to control), the expected gross risk (loss)
   remains at $50,000. The company’s residual expected
   risk exposure is now $31,000 [$50,000 - ($20,000 -
   $1,000)]. The expected loss is reduced by the amount
   of the insurance policy (less the cost of the policy).
Risk Assessment and Residual Risk (Cont.)
5. Assume the company installs a sprinkler system with a
   5-year annualized cost (net present value) of $10,000
   each year to install and maintain (cost of control). The
   sprinkler system lowered the likelihood of a damaging
   fire from 5 to 2 percent, so the insurance company
   agreed to increase its coverage to $30,000 while
   holding the annual premium constant at $1,000.
6. The residual expected risk exposure is $1,000,
   calculated as follows: the expected gross risk is now
   $20,000 ($1,000,000 × 0.02); set against insurance
   coverage of $30,000, that is a net gain of $10,000;
   subtracting the insurance premium ($1,000) and the
   sprinkler system ($10,000) leaves the residual
   expected risk at $1,000.
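The six steps above as a small, added Python calculation (not code from the textbook), following the slides' own model exactly: gross expected loss is the loss times the annual probability, and residual exposure is that gross loss less insurance coverage plus the annual cost of every control (the slides' "gross - (coverage - premium)" with other control costs added). It goes one step beyond the slides by evaluating several named scenarios at once so candidate controls can be ranked, and by flagging a scenario whose control spend exceeds the step-3 ceiling. The Threat and Control names, and the rule that the best single likelihood reduction applies when several controls reduce likelihood, are assumptions for illustration.

```python
"""Risk-assessment arithmetic from the fire example (added illustration).

Model, taken from the slides:
  gross expected loss = loss if the event occurs x annual probability
  residual exposure   = gross expected loss - insurance coverage
                        + annual cost of every control (premiums, sprinklers, ...)
Amounts are dollars per year. Class and field names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    loss_if_event: float        # dollar loss should the event occur (step 1)
    annual_probability: float   # likelihood per year, 0..1 (step 2)

    def gross_expected_loss(self, probability: Optional[float] = None) -> float:
        """Step 3: annual expected loss, optionally at a control-reduced likelihood."""
        p = self.annual_probability if probability is None else probability
        return round(self.loss_if_event * p, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                       # premium, or annualized install + maintenance
    coverage: float = 0.0                    # insurance payout the control buys, if any
    new_probability: Optional[float] = None  # likelihood after the control, if it changes it


def residual_exposure(threat: Threat, controls: List[Control]) -> float:
    """Steps 4 and 6: expected exposure left after the chosen controls."""
    p = threat.annual_probability
    for c in controls:
        if c.new_probability is not None:
            p = min(p, c.new_probability)  # assumption: best single reduction applies
    gross = threat.gross_expected_loss(p)
    coverage = sum(c.coverage for c in controls)
    cost = sum(c.annual_cost for c in controls)
    return round(gross - coverage + cost, 2)


def within_control_budget(threat: Threat, controls: List[Control]) -> bool:
    """Step 3's ceiling: total control spend must not exceed the initial gross
    expected loss, otherwise the controls cost more than the risk they address."""
    return sum(c.annual_cost for c in controls) <= threat.gross_expected_loss()


def evaluate(threat: Threat, scenarios: Dict[str, List[Control]]) -> Dict[str, float]:
    """Residual exposure per named scenario, so control options can be ranked."""
    return {name: residual_exposure(threat, ctrls) for name, ctrls in scenarios.items()}


if __name__ == "__main__":
    fire = Threat("destructive fire", loss_if_event=1_000_000, annual_probability=0.05)
    policy_20k = Control("fire insurance", annual_cost=1_000, coverage=20_000)
    sprinklers = Control("sprinkler system", annual_cost=10_000, new_probability=0.02)
    policy_30k = Control("fire insurance (raised cover)", annual_cost=1_000, coverage=30_000)
    scenarios = {
        "no controls": [],
        "insurance only": [policy_20k],
        "sprinklers + insurance": [sprinklers, policy_30k],
    }
    for name, residual in evaluate(fire, scenarios).items():
        budget = "ok" if within_control_budget(fire, scenarios[name]) else "OVER BUDGET"
        print(f"{name:24s} residual exposure ${residual:>10,.2f}  control spend {budget}")
```

The "insurance only" scenario reproduces the $31,000 of step 4 and "sprinklers + insurance" the $1,000 of step 6; adding a fourth scenario is a matter of another list entry, which is the point of keeping the arithmetic in functions rather than on a slide.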
Components of ERM (Cont’d.)
• Control Activities
– Policies and procedures are established and implemented to
help ensure the risk responses are effectively carried out.
• Information and Communication
– Relevant information is identified, captured, and communicated
to enable people to carry out their responsibilities.
– Effective communication also occurs in a broader sense,
flowing down, across and up the entity.
• Monitoring
– Enterprise risk management is monitored and modifications are
made as necessary.
– Monitoring is accomplished through ongoing management
activities, separate evaluations, or both.
Objectives, Risks, and Responses
Internal Control Legislation
• Sarbanes-Oxley Act (SOX) of 2002
– Created the Public Company Accounting Oversight
Board (PCAOB).
– Increased accountability for company
officers and board of directors.
– Increased white collar crime penalties.
– Prohibits audit firms from designing and
implementing financial information systems
for their audit clients.
Sarbanes-Oxley Act of 2002 (SOX)
• Section 302—CEOs and CFOs
must certify quarterly and annual
financial statements.
• Section 404—Mandates the annual
report filed with the SEC include an
internal control report.
Sarbanes-Oxley Act of 2002 (SOX)
(see Exhibit 7.4 for details)
• Title I—Public Company Accounting Oversight
Board: Establishes the PCAOB and assigns
oversight and enforcement authority over the board
to the SEC.
• Title II—Auditor Independence: Prohibits a CPA
firm that audits a public company to engage in
certain nonaudit services with the same client,
requires audit partner rotation, states that a
company’s CEO, CFO, controller, or chief
accountant cannot have been employed by the
company’s audit firm and participated in an audit of
that company during the prior one-year period.
Sarbanes-Oxley Act of 2002
(cont’d, see Exhibit 7.4 for details)
• Title III—Corporate Responsibility: Requires a
company’s CEO and CFO to certify quarterly and annual
reports. They are certifying that they reviewed the
reports; the reports are not materially untruthful or
misleading; the financial statements fairly reflect in all
material respects the financial position of the company;
and they are responsible for establishing, maintaining,
and reporting on the effectiveness of internal controls,
including significant deficiencies, frauds, or changes in
internal controls.
Sarbanes-Oxley Act of 2002
(cont’d, see Exhibit 7.4 for details)
• Title IV—Enhanced Financial Disclosures: Requires each annual
report filed with the SEC to include an internal control report. The
report shall state the responsibility of management for establishing
and maintaining an adequate internal control structure and
procedures for financial reporting. The report must also contain
management’s assessment, as of the end of the company’s fiscal
year, of the effectiveness of the internal control structure and
procedures of the company for financial reporting. Requires that
companies disclose whether or not they have adopted a code of
ethics for senior financial officers. Requires that companies disclose
whether or not their audit committee contains at least one member
who is a financial expert. Section 409 requires that companies
disclose information on material changes in their financial condition
or operations on a rapid and current basis.
Sarbanes-Oxley Act of 2002
(cont’d, see Exhibit 7.4 for details)
• Title V—Analysts Conflicts of Interests: Requires financial analysts
to properly disclose in research reports any conflicts of interest they
might hold with the companies they recommend.
• Title VI—Commission Resources and Authority: Authorizes the
SEC to censure or deny any person the privilege of appearing or
practicing before the SEC if that person is deemed to be
unqualified, have acted in an unethical manner, or have aided and
abetted in the violation of federal securities laws.
• Title VII—Studies and Reports: Authorizes the General Accounting
Office (GAO) to study the consolidation of public accounting firms
since 1989 and offer solutions to any recognized problems.
Sarbanes-Oxley Act of 2002
(cont’d, see Exhibit 7.4 for details)
• Title VIII—Corporate and Criminal Fraud Accountability: Makes it a
felony to knowingly destroy, alter, or create records or documents
with the intent to impede, obstruct, or influence an ongoing or
contemplated federal investigation. Offers legal protection to
whistleblowers who provide evidence of fraud. Provides criminal
penalties for those who knowingly execute, or attempt to execute,
securities fraud.
• Title IX—White-Collar Crime Penalty Enhancements: Requires that
CEOs and CFOs certify that information contained in periodic
reports fairly presents, in all material respects, the financial
condition and results of the company’s operations. Sets criminal
penalties applicable to CEOs and CFOs if they knowingly or willfully
falsely so certify.
Sarbanes-Oxley Act of 2002
(cont’d, see Exhibit 7.4 for details)
• Title X—Corporate Tax Returns: Conveys a “sense of the Senate”
that the corporate federal income tax returns are signed by the
CEO.
• Title XI—Corporate Fraud and Accountability: Provides for fines
and imprisonment of up to 20 years to individuals who corruptly
alter, destroy, mutilate, or conceal documents with the intent to
impair the document’s integrity or availability for use in an official
proceeding, or to otherwise obstruct, influence, or impede any
official proceeding. Authorizes the SEC to prohibit anyone from
serving as an officer or director if the person has committed
securities fraud.
Definition of Internal Control
• From SAS 78 (1995), which adopted the COSO
definition:
– Internal control is a process, effected by an entity’s
board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws & regulations
COSO Influence on Defining Internal Control
Five Interrelated Components of
Internal Control
1. Control environment- tone at the top.
2. Risk assessment - identification/analysis of risks.
3. Control activities - policies and procedures.
4. Information & communication - processing of info
in a form and time frame to enable people to do
their jobs.
5. Monitoring - process that assesses the quality of
internal control over time.
Internal Control (as defined in
Gelinas & Dull)
Internal control is a process—effected by an
entity’s board of directors, management and
other personnel—designed to provide
reasonable assurance regarding the
achievement of objectives in the following
categories:
– efficiency and effectiveness of operations
– reliability of reporting*
– compliance with applicable laws and
regulations
*All reporting, not just financial.
Matrix for Evaluating Internal Controls
Fraud and its Relationship to Control
• Fraud: deliberate act or untruth intended to
obtain unfair or unlawful gain.
– Management charged with responsibility to prevent
and/or disclose fraud.
– Control systems enable management to do this job.
– Management is responsible for an internal control
system per the Foreign Corrupt Practices Act of 1977.
– Section 1102 of the Sarbanes-Oxley Act specifically
addresses corporate fraud.
– Instances of fraud undermine management’s ability to
convince various authorities that it is upholding its
stewardship responsibility.
SAS 99
• The accounting profession has been proactive in
dealing with corporate fraud, as it has launched an
anti-fraud program.
• One of the manifestations of this initiative is
Statement on Auditing Standards (SAS) Number 99,
entitled Consideration of Fraud in a Financial
Statement Audit.
– SAS 99 has the same title as its predecessor, SAS 82,
but the new standard is much more encompassing
than the old.
– SAS 99 emphasizes brainstorming fraud risks,
increasing professional skepticism, using unpredictable
audit test patterns, and detecting management
override of internal controls.
PwC Economic Crime Survey
• 43% of companies reported frauds in the past two years, a 6%
increase over the 2005 survey.
• Larger companies reported a greater number of frauds.
• Collateral damage—described as damage or significant damage to
their business—was reported by 80% of those who had suffered fraud.
• Average losses from frauds increased to $3.2 million from the $1.7
million reported in 2005.
• The largest single share of frauds (41%) was detected by chance.
• Other detection sources included whistle-blower hotlines (8%) and tipoffs (from internal sources 21%, and external sources 14%).
• There was a strong correlation between fraud risk management
activities and higher chances of detecting frauds.
Malicious Software (malware)
• Salami slicing: diverting small, unnoticed amounts from many
transactions to the perpetrator.
• Back door: an undocumented way into a system that bypasses
normal authentication.
• Trojan horse: a program that appears legitimate but hides a
malicious function.
• Logic bomb: code that lies dormant until a condition or date
triggers its malicious payload.
• Worm: self-replicating code that spreads across networks without
needing a host program.
• Zombie: a compromised computer controlled remotely by an
attacker, typically as part of a botnet.
Ethics and Controls
• COSO report stresses ethics as part of control
environment (tone at the top).
• AICPA has built ethics issues into CPA exam.
• The Institute of Management Accountants has a
code of ethics which is also tested on both the
CMA and CFM exams.
• Internal Auditing has ethics articles.
• Many corporations have developed Codes of
Conduct.
Why a Control Framework?
• Uniform, consistent approach
• Complete analysis
• Directed at objectives, rather than list of
expected controls
• Can determine costs and benefits
• Results in recommendations for
improvements
Lenox Company Systems Flowchart
Control Goals for the Lenox Cash Receipts Business Process
Business Process Control Goals
Control Goals - ends to be obtained
• Control goals of the operations processes
– Ensure effectiveness of operations
– Ensure efficient employment of resources
– Ensure security of resources
• Control goals of the information processes
– For business event inputs, ensure
• Input validity, input completeness, input accuracy
– For master data, ensure
• Update completeness, update accuracy
Control Goals of Operations Processes
• Ensure effectiveness of operations
– A measure of success in meeting one or more operations process
goals which reflect the criteria used to judge the effectiveness of
various business processes.
• Ex. Deposit cash receipts on the day received.
• Ensure efficient employment of resources
– A measure of the productivity of the resources applied to achieve a
set of goals.
• Ex. What is the cost of people, computers, and other resources needed
to deposit cash on the day received?
• Ensure security of resources
– Protecting an organization’s resources from loss, destruction,
disclosure, copying, sale, or other misuse.
• Ex. Are cash and information resources available when required?
Control Goals of Information
Processes
• Input validity
– Input data is approved and represents actual economic events
and objects.
• Ex. Are all cash receipts input into the process and supported by
customer payments?
• Input completeness
– Requires that all valid events or objects be captured and entered
into the system.
• Ex. Are all valid customer payments captured on a customer
remittance advice (RA) and entered into the process?
• Input accuracy
– Requires that events be correctly captured and entered into the
system.
• Ex. Are the correct payment amount and customer number keyed into
the system?
Control Goals of Information
Processes
• Update completeness
– Requires all events entered into the computer are
reflected in their respective master data.
• Ex. Are all input cash receipts recorded in the AR master
data?
• Update accuracy
– Requires that data entered into a computer are
reflected correctly in their respective master data.
• Ex. Are all input cash receipts correctly recorded in the AR
master data?
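The five information-process goals on the two slides above (input validity, completeness and accuracy; update completeness and accuracy), as an added Python example that is not code from the textbook or the Lenox case, run over a constructed cash receipts batch. It makes each goal testable with three standard application controls: pre-numbered remittance advices with a sequence check (input completeness), a check digit on the keyed customer number (input accuracy on identifiers), and batch control totals reconciled first to the bank deposit (input accuracy) and then to the change in the AR master (update completeness and accuracy). The customer numbers, balances, amounts and the use of the Luhn check-digit scheme are assumptions for illustration.

```python
"""Input and update control goals checked on a cash receipts batch.
Added example; records below are constructed sample data and the Luhn
check digit on customer numbers is an assumption for illustration."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Set


@dataclass(frozen=True)
class RemittanceAdvice:
    ra_number: int      # pre-numbered document; a gap in the sequence shows an RA never entered
    customer_no: str    # keyed customer number whose last digit is a Luhn check digit (assumption)
    amount: Decimal     # payment amount as keyed


def luhn_valid(number: str) -> bool:
    """Check-digit test on a keyed identifier: catches any single mis-keyed
    digit and most adjacent transpositions (input accuracy)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def check_inputs(ras: List[RemittanceAdvice], ar_master: Dict[str, Decimal],
                 ra_range: range, deposit_total: Decimal) -> List[str]:
    """Input validity, completeness and accuracy on one batch.
    Returns findings; an empty list means the batch may be posted."""
    findings: List[str] = []
    seen: Set[int] = set()
    for ra in ras:
        # validity: a real customer and a real (positive) payment
        if ra.customer_no not in ar_master:
            findings.append(f"RA {ra.ra_number}: unknown customer {ra.customer_no} (validity)")
        if ra.amount <= 0:
            findings.append(f"RA {ra.ra_number}: non-positive amount {ra.amount} (validity)")
        # accuracy: the keyed customer number passes its check digit
        if not luhn_valid(ra.customer_no):
            findings.append(f"RA {ra.ra_number}: customer {ra.customer_no} fails check digit (accuracy)")
        # completeness: each RA entered exactly once
        if ra.ra_number in seen:
            findings.append(f"RA {ra.ra_number}: entered twice (completeness)")
        seen.add(ra.ra_number)
    for missing in sorted(set(ra_range) - seen):
        findings.append(f"RA {missing}: in sequence but never entered (completeness)")
    # accuracy: batch control total must agree with the bank deposit
    batch_total = sum((ra.amount for ra in ras), Decimal("0"))
    if batch_total != deposit_total:
        findings.append(f"batch total {batch_total} differs from deposit {deposit_total} (accuracy)")
    return findings


def post_batch(ras: List[RemittanceAdvice], ar_master: Dict[str, Decimal]) -> Dict[str, Decimal]:
    """Apply the receipts to a copy of the AR master and return the new balances."""
    updated = dict(ar_master)
    for ra in ras:
        updated[ra.customer_no] = updated[ra.customer_no] - ra.amount
    return updated


def check_update(ras: List[RemittanceAdvice], before: Dict[str, Decimal],
                 after: Dict[str, Decimal]) -> List[str]:
    """Update completeness and accuracy: each customer's AR balance must fall by
    exactly the receipts input for that customer, and the file total by the batch total."""
    findings: List[str] = []
    expected: Dict[str, Decimal] = {}
    for ra in ras:
        expected[ra.customer_no] = expected.get(ra.customer_no, Decimal("0")) + ra.amount
    for cust, amt in expected.items():
        actual = before.get(cust, Decimal("0")) - after.get(cust, Decimal("0"))
        if actual != amt:
            findings.append(f"customer {cust}: AR reduced by {actual}, receipts input {amt} (update accuracy)")
    file_change = sum(before.values(), Decimal("0")) - sum(after.values(), Decimal("0"))
    batch_total = sum(expected.values(), Decimal("0"))
    if file_change != batch_total:
        findings.append(f"AR master fell by {file_change}, batch total {batch_total} (update completeness)")
    return findings


if __name__ == "__main__":
    # constructed sample data: three customers, three pre-numbered RAs 501..503
    master = {"1008": Decimal("1500.00"), "2006": Decimal("800.00"), "3004": Decimal("250.00")}
    batch = [RemittanceAdvice(501, "1008", Decimal("500.00")),
             RemittanceAdvice(502, "2006", Decimal("300.00")),
             RemittanceAdvice(503, "3004", Decimal("250.00"))]
    problems = check_inputs(batch, master, range(501, 504), Decimal("1050.00"))
    if not problems:
        after = post_batch(batch, master)
        problems = check_update(batch, master, after)
    print(problems or "batch accepted and posted")
```

Each finding names the goal it serves, which is the same mapping the Lenox control matrix makes between a control plan and the goal it addresses; the batch is only posted when the input checks are clean, and the update checks run against the before and after copies of the master data rather than trusting the posting routine.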
A Control Hierarchy
Control Plans
• Business Process Control Plans
– Reflect information processing policies and procedures that
assist in accomplishing control goals.
– Relate to controls particular to a specific process or subsystem
(e.g., billing) or to a particular technology used to process the
data.
• The Control Environment
– Appears at the top of the hierarchy.
– Consists of a multitude of factors that can either reinforce or
mitigate the effectiveness of the pervasive and application
control plans.
• Pervasive Control Plans
– Also relate to a multitude of goals and processes.
– Provide a climate or set of surrounding conditions in which the
various business processes operate.
– Broad in scope and apply equally to all business processes,
hence they pervade all systems.
Lenox Control Matrix
Other Classifications of Control
Plans
• Preventive Controls
– Issue is prevented from occurring
• Ex. Cash receipts are immediately deposited to avoid loss.
• Detective Controls
– Issue is discovered
• Ex. Unauthorized disbursement is discovered during
reconciliation.
• Corrective Controls
– Issue is corrected
• Ex. Erroneous data is entered in the system and reported on an
error and summary report; a clerk re-enters the data.