CHAPTER 1

System - A set of two or more interrelated components interacting to achieve a goal.
Goal Conflict - Occurs when components act in their own interest without regard for the overall goal.
Goal Congruence - Occurs when components acting in their own interest contribute toward the overall goal.
Data - Facts that are recorded and stored.
*Insufficient for decision making.
Information - Processed data used in decision making.
*Information Overload
Value of Information - The benefit provided by the information less the cost of producing it.
Information Technology - Computers and other electronic devices used to store, retrieve, transmit, and manipulate data.

What Makes Information Useful?
1. Relevant - can affect decision-making
2. Reliable - free from error and bias
3. Complete - faithful representation
4. Timely - available when needed
5. Understandable - significance can be understood; useful format
6. Verifiable - through consensus
7. Accessible - both timely and understandable

Business Process - A set of related, coordinated, and structured activities performed by a person, computer, or machine to accomplish a specific organizational goal.
Transactions - An agreement between 2 entities.
Transaction Processing - The process of capturing transaction data, processing it, and storing it for later use.
Give-Get Exchange - Transactions that always occur.

5 Major Business Processes/Transaction Cycles
1. Revenue Cycle
2. Expenditure Cycle
3. Production or Conversion Cycle
4. Human Resources/Payroll Cycle
5. Financing Cycle

ACCOUNTING INFORMATION SYSTEMS
- A system that collects, records, stores, and processes data to produce information for decision makers.

6 Components of an AIS
1. The people who use the system
2. The procedures and instructions used to collect, process, and store data
3. The data about the organization and its business activities
4. The software used to process the data
5. The information technology infrastructure, including the computers, peripheral devices, and network communications devices used in the AIS
6. The internal controls and security measures that safeguard AIS data

3 Important Business Functions
1. Collect and store data
2. Transform data into information
3. Provide adequate controls

A well-designed AIS can add value to an organization by:
1. Improving the quality and reducing the costs of products or services.
2. Improving efficiency.
3. Sharing knowledge.
4. Improving the efficiency and effectiveness of its supply chain.

Predictive Analysis - Uses data warehouses and complex algorithms to forecast future events, based on historical trends and calculated probabilities.
Value Chain - Linking together all the primary and support activities in a business.
*An organization's value chain is a part of a larger system called a supply chain.

5 Primary Activities
1. Inbound logistics consists of receiving, storing, and distributing the materials an organization uses to create the services and products it sells.
2. Operations activities transform inputs into final products or services.
3. Outbound logistics activities distribute finished products or services to customers.
4. Marketing and sales activities help customers buy the organization's products or services.
5. Service activities provide post-sale support to customers.

4 Support Activities
1. Firm infrastructure is the accounting, finance, legal, and general administration activities that allow an organization to function. The AIS is part of the firm infrastructure.
2. Human resources activities include recruiting, hiring, training, and compensating employees.
3. Technology activities improve a product or service.
4. Purchasing activities procure raw materials, supplies, machinery, and the buildings used to carry out the primary activities.

CHAPTER 2

Data Processing Cycle - The four operations performed on data to generate meaningful and relevant information:
1. Data input
2. Data storage
3. Data processing
4. Information output

1. DATA INPUT
The first step in processing input is to capture transaction data and enter them into the system. The data capture process is usually triggered by a business activity. Data must be collected about three facets of each business activity:
1. Each activity of interest
2. The resource(s) affected by each activity
3. The people who participate in each activity

Source Documents - Documents used to capture transaction data at its source.
Turnaround Documents - Records of company data sent to an external party and then returned to the system as input.
Source Data Automation - The collection of transaction data in machine-readable form at the time and place of origin.

2. DATA STORAGE
A company's data is one of its most important resources. To function properly, an organization must have ready and easy access to its data.

LEDGERS - Cumulative accounting information is stored in general and subsidiary ledgers.
a. General ledger - Contains summary-level data for every asset, liability, equity, revenue, and expense account.
b. Subsidiary ledger - Contains detailed data for any general ledger account with many individual sub-accounts.
Control account - A title given to a general ledger account that summarizes the total amounts recorded in a subsidiary ledger.

Coding - Systematic assignment of numbers or letters to items to classify and organize them.
Sequence Codes - Items are numbered consecutively so that gaps in the sequence code indicate missing items that should be investigated.
Block Codes - Blocks of numbers that are reserved for specific categories of data, thereby helping to organize the data.
Group Codes - Two or more sub-groups of digits that are used to code an item. A group code is often used in conjunction with a block code.
Mnemonic Code - Letters and numbers that are interspersed to identify an item.
Chart of Accounts - A listing of all the numbers assigned to balance sheet and income statement accounts.
General Journal - A journal used to record infrequent or nonroutine transactions, such as loan payments and end-of-period adjusting and closing entries.
Specialized Journal - A journal used to record a large number of repetitive transactions such as credit sales, cash receipts, purchases, and cash disbursements.

Audit Trail - A path that allows a transaction to be traced through a data processing system from point of origin to output, or backwards from output to point of origin.
Entity - The item about which information is stored in a record.
Attributes - The properties, identifying numbers, and characteristics of interest of an entity that is stored in a database.
Field - The portion of a data record where the data value for a particular attribute is stored.
Record - A set of fields whose data values describe specific attributes of an entity, such as all payroll data relating to a single employee.
Data Value - The actual value stored in a field. It describes a particular attribute of an entity.
File - A set of logically related records, such as the payroll records of all employees.
Master File - A permanent file of records that stores cumulative data about an organization.
Transaction File - A file that contains the individual business transactions that occur during a specific fiscal period.
Database - A set of interrelated, centrally controlled data files that are stored with as little data redundancy as possible.

3. DATA PROCESSING
Once business activity data have been entered into the system, they must be processed to keep the databases current. CRUD activities are as follows:
1. Creating new data records, such as adding a newly hired employee to the payroll database.
2. Reading, retrieving, or viewing existing data.
3. Updating previously stored data.
4. Deleting data, such as purging the vendor master file of all vendors the company no longer does business with.

Batch processing - Accumulating transaction records into groups or batches for processing at a regular interval such as daily or weekly. The records are usually sorted into some sequence before processing.
Online, real-time processing - The computer system processes data immediately after capture and provides updated information to users on a timely basis.

4. INFORMATION OUTPUT
The final step in the data processing cycle is information output. When displayed on a monitor, output is referred to as "soft copy." When printed on paper, it is referred to as "hard copy."

Document - A record of a transaction or other company data.
Reports - Used by employees to control operational activities and by managers to make decisions and to formulate business strategies.
Query - A request for the database to provide the information needed to deal with a problem or answer a question.
Enterprise resource planning (ERP) system - A system that integrates all aspects of an organization's activities (such as accounting, finance, marketing, human resources, manufacturing, and inventory management) into one system.

CHAPTER 3

Documentation - Narratives, flowcharts, diagrams, and other written materials that explain how a system works. (read, evaluate, prepare)
Narrative description - Written, step-by-step explanation of system components and how they interact.
1. Data flow diagram (DFD), a graphical description of data sources, data flows, transformation processes, data storage, and data destinations.
2. Flowchart, which is a graphical description of a system. There are several types of flowcharts, including:
   a. Document flowchart, which shows the flow of documents and information between departments or areas of responsibility
   b. System flowchart, which shows the relationship among the input, processing, and output in an information system
   c. Program flowchart, which shows the sequence of logical operations a computer performs as it executes a program
3. Business Process diagrams, which are graphical descriptions of the business processes used by a company.

DATA FLOW DIAGRAM
Data source - The entity that produces or sends the data that is entered into a system.
Data destination - The entity that receives data produced by a system.
Data flow - The movement of data among processes, stores, sources, and destinations.
Process - The action that transforms data into other data or information.
Data store - The place or medium where system data is stored.
Context diagram - Highest-level DFD; a summary-level view of a system, showing the data processing system, its input(s) and output(s), and their sources and destinations.

FLOWCHARTS
- An analytical technique that uses a standard set of symbols to describe pictorially some aspect of an IS in a clear, concise, and logical manner.

4 Categories
1. Input/output symbols show input to or output from a system.
2. Processing symbols show data processing, either electronically or by hand.
3. Storage symbols show where data is stored.
4. Flow and miscellaneous symbols indicate the flow of data, where flowcharts begin or end, where decisions are made, and how to add explanatory notes to flowcharts.

TYPES OF FLOWCHART
1. Document flowcharts were developed to illustrate the flow of documents and data among areas of responsibility within an organization.
   Internal control flowchart - Used to describe, analyze, and evaluate internal controls, including identifying system strengths, weaknesses, and inefficiencies.
2. System flowchart depicts the relationships among system input, processing, storage, and output.
3. A program flowchart illustrates the sequence of logical operations performed by a computer in executing a program.

CHAPTER 4

Field - Attributes about an entity
Record - Related group of fields
File - Related group of records
Database - A set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible.
Database Management System (DBMS) - The program that manages and controls the data and the interfaces between the data and the application programs that use the data stored in the database.
Database System - The database, the DBMS, and the application programs that access the database through the DBMS.

THE ADVANTAGES OF DATABASE SYSTEMS
1. Data Integration - Files are logically combined and made accessible to various systems.
2. Data Sharing - With data in one place it is more easily accessed by authorized users.
3. Minimizing Data Redundancy and Data Inconsistency - Eliminates the same data being stored in multiple files, thus reducing inconsistency in multiple versions of the same data.
4. Data Independence - Data is separate from the programs that access it. Changes can be made to the data without necessitating a change in the programs and vice versa.
5. Cross-Functional Analysis - Relationships between data from various organizational departments can be more easily combined.

DATABASE TERMINOLOGIES
Database Management System (DBMS) - Interface between software applications and the data in files.
Database Administrator (DBA) - The person responsible for coordinating, controlling, managing, and maintaining the database.
Data Dictionary - Information about the structure of the database: field names, descriptions, uses.
Data definition language (DDL) - DBMS language that builds the data dictionary, creates the database, describes logical views, and specifies record or field security constraints.
Data manipulation language (DML) - DBMS language that changes database content, including data element creations, updates, insertions, and deletions.
Data query language (DQL) - High-level, English-like DBMS language that contains powerful, easy-to-use commands that enable users to retrieve, sort, order, and display data.
Data warehouse - Very large databases containing detailed and summarized data for a number of years that are used for analysis rather than transaction processing.
Business intelligence - Analyzing large amounts of data for strategic decision making.
Online analytical processing (OLAP) - Using queries to investigate hypothesized relationships among data.
Data mining - Using sophisticated statistical analysis to "discover" relationships in the data that were not hypothesized.

LOGICAL AND PHYSICAL VIEWS OF DATA
Programmers must know the physical location and layout of records.
Record Layout - Document that shows the items stored in a file, including the order and length of the data fields and the type of data stored.
Logical view - How people conceptually organize, view, and understand the relationships among data items.
Physical view - The way data is physically arranged and stored in the computer system.
Schema - A description of the data elements in a database, the relationships among them, and the logical model used to organize and describe the data.
a. Conceptual-level schema - The organization-wide view of the entire database that lists all data elements and the relationships between them.
b. External-level schema - An individual user's view of portions of a database; also called a subschema.
c. Subschema - A subset of the schema; the way the user defines the data and the data relationships.
d. Internal-level schema - A low-level view of the entire database describing how the data are actually stored and accessed.

RELATIONAL DATABASES
The relational data model represents the conceptual- and external-level schemas as if data are stored in tables.
Table
- Each row, a tuple, contains data about one instance of an entity. This is equivalent to a record.
- Each column contains data about one attribute of an entity. This is equivalent to a field.
Attributes
a. Primary Key - An attribute or combination of attributes that can be used to uniquely identify a specific row (record) in a table.
b. Foreign Key - An attribute in one table that is a primary key in another table. Used to link the two tables.

Anomaly
1. Update anomaly - A non-primary-key data item is stored multiple times; updating the item in one location and not the others causes data inconsistencies.
2. Insert anomaly - Results in the inability to add records to a database.
3. Delete anomaly - Removing a record also removes unintended data from the database.

Design Requirements for a Relational Database
1. Every column must be single valued.
2. Primary keys must contain data (not null).
3. Foreign keys must contain the same data as the primary key in another table.
4. All other attributes must identify a characteristic of the table identified by the primary key.

Entity integrity rule - A non-null primary key ensures that every row in a table represents something and that it can be identified.
Referential integrity rule - Foreign keys which link rows in one table to rows in another table must have values that correspond to the value of a primary key in another table.

DATABASE SYSTEMS AND THE FUTURE OF ACCOUNTING
Database systems have the potential to alter external reporting significantly. A significant advantage of database systems is the ability to create ad hoc queries to provide the information needed for decision making.

CHAPTER 5

Common Threats to AIS
1. Natural Disasters and Terrorist Threats - such as fires, floods, earthquakes, hurricanes
2. Software Errors and/or Equipment Malfunction - operating system crashes, hardware failures, power outages and fluctuations, and undetected data transmission errors
3. Unintentional Acts (Human Error) - accidents or innocent errors and omissions
4. Intentional Acts (Computer Crimes) - a computer crime, a fraud, or sabotage

Sabotage - An intentional act where the intent is to destroy a system or some of its components.
Cookie - A text file created by a website and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.

Fraud - Gaining an unfair advantage over another person. Legally, for an act to be fraudulent there must be:
1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a person to act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action
5. An injury or loss suffered by the victim

White-collar criminals - Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
Corruption - Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards.
Investment fraud - Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk.

Forms of Fraud
1. Misappropriation of assets - Theft of company assets by employees.
   Largest factors for theft of assets:
   a. Absence of an internal control system
   b. Failure to enforce the internal control system
2. Fraudulent financial reporting - "intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements" (The Treadway Commission).

Reasons for Fraudulent Financial Statements
1. Deceive investors or creditors
2. Increase a company's stock price
3. Meet cash flow needs
4. Hide company losses or other problems

Treadway Commission Actions to Reduce Fraud
1. Establish an environment which supports the integrity of the financial reporting process.
2. Identification of factors that lead to fraud.
3. Assess the risk of fraud within the company.
4. Design and implement internal controls to provide assurance that fraud is being prevented.

SAS #99 - Auditor's responsibility to detect fraud
- Understand fraud: how and why it is committed
- Discuss risks of material fraudulent statements among members of the audit team
- Obtain information: look for fraud risk factors
- Identify, assess, and respond to risk: evaluating carefully the risk of management overriding internal controls
- Evaluate the results of audit tests: determine the impact of fraud on financial statements
- Document and communicate findings to management and the audit committee
- Incorporate a technological focus: the impact technology has on fraud risks, providing commentary and examples recognizing this impact

1. Pressures - A pressure is a person's incentive or motivation for committing fraud.
2. Opportunity - The condition or situation, including one's personal abilities, that allows a perpetrator to do three things:
   1. Commit the fraud
   2. Conceal the fraud
      a. Lapping - Concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.
      b. Kiting - Creating cash using the lag between the time a check is deposited and the time it clears the bank.
   3. Convert the theft or misrepresentation to personal gain
Rationalizations - The excuse that fraud perpetrators use to justify their illegal behavior.

Computer Fraud - Any type of fraud that requires computer technology to perpetrate.

Rise of Computer Fraud
1. Definition is not agreed on
2. Many go undetected
3. High percentage is not reported
4. Lack of network security
5. Step-by-step guides are easily available
6. Law enforcement is overburdened
7. Difficulty calculating loss

Computer Fraud Classifications
Input Fraud - Alteration or falsifying of input
Processor Fraud - Unauthorized system use
Computer Instructions Fraud - Modifying software, illegal copying of software, using software in an unauthorized manner, creating software to undergo unauthorized activities
Data Fraud - Illegally using, copying, browsing, searching, or harming company data
Output Fraud - Stealing, copying, or misusing computer printouts or displayed information

CHAPTER 6

Hacking - Unauthorized access, modification, or use of an electronic device or some element of a computer system.
Social Engineering - Techniques, usually psychological tricks, to gain access to sensitive data or information. Used to gain access to secure systems or locations.
Malware - Any software which can be used to do harm.

Types of Computer Attacks
1. Botnet (Robot Network) - Network of hijacked computers
   Hijacking - Gaining control of someone else's computer to carry out illicit activities.
   Botnet - A network of powerful and dangerous hijacked computers that are used to attack systems or spread malware.
   Zombie - A hijacked computer, typically part of a botnet.
   Bot herder - The person who creates a botnet by installing software on PCs that responds to the bot herder's electronic instructions.
2. Denial-of-service (DoS) attack - A computer attack in which the attacker sends so many e-mail bombs or web page requests
   Spamming - Simultaneously sending the same unsolicited message to many people.
   Splog - Spam blogs created to increase a website's Google PageRank.
3. Spoofing - Making an electronic communication look as if it comes from a trusted official source to lure the recipient into providing information.
   E-mail - E-mail sender appears as if it comes from a different source
   Caller-ID - Incorrect number is displayed
   IP address - Forged IP address to conceal the identity of the sender of data over the Internet or to impersonate another computer system
   Address Resolution Protocol (ARP) - Allows a computer on a LAN to intercept traffic meant for any other computer on the LAN
   SMS - Incorrect number or name appears, similar to caller-ID but for text messaging
   Web page - Phishing
   DNS - Intercepting a request for a Web service and sending the request to a false service
4. Internet Terrorism - Act of disrupting electronic commerce and harming computers and communications.
5. Internet Misinformation - Using the Internet to spread false or misleading information.

Hacking for Fraud
Internet Misinformation - Using the Internet to spread false or misleading information.
Internet Auction - Using an Internet auction site to defraud another person:
- Unfairly drive up bidding
- Seller delivers inferior merchandise or fails to deliver at all
- Buyer fails to make payment
Internet Pump-and-Dump - Using the Internet to pump up the price of a stock and then selling it.

Hacking Attacks
1. Cross-Site Scripting (XSS) - Unwanted code is sent via dynamic Web pages disguised as user input.
2. Buffer Overflow - When the amount of data entered into a program is greater than the amount of the input buffer.
3. SQL Injection (Insertion) - Malicious code is inserted in the place of a query to a database system.
4. Man-in-the-Middle - Hacker places themselves between client and host.

Masquerading/impersonation - Gaining access to a system by pretending to be an authorized user.
Piggybacking:
1. The clandestine use of a neighbor's Wi-Fi network
2. Tapping into a communications line and electronically latching onto a legitimate user before the user enters a secure system
3. An unauthorized person following an authorized person through a secure door

Additional Hacking Attacks
1. Password Cracking - Penetrating system security to steal passwords.
2. War Dialing - Computer automatically dials phone numbers looking for modems.
3. Phreaking - Attacks on phone systems to obtain free phone service.
4. Data Diddling - Making changes to data before, during, or after it is entered into a system.
5. Data Leakage - Unauthorized copying of company data.

Hacking Embezzlement Schemes
1. Salami Technique - Taking small amounts from many different accounts.
   Round-down fraud - Instructing the computer to round down all interest calculations to two decimal places.
2. Economic Espionage - Theft of information, trade secrets, and intellectual property.
3. Cyber-Bullying - Using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior.

Social Engineering
Social engineering refers to techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network.

Social Engineering techniques
1. Identity Theft - Assuming someone else's identity
2. Pretexting - Inventing a scenario that will lull someone into divulging sensitive information
3. Posing - Using a fake business to acquire sensitive information
4. Phishing - Posing as a legitimate company asking for verification-type information: passwords, accounts, usernames
5. Pharming - Redirecting Web site traffic to a spoofed Web site
6. Typosquatting - Typographical errors when entering a Web site name cause an invalid site to be accessed
7. Tabnapping - Changing an already open browser tab
8. Scavenging - Looking for sensitive information in items thrown away
9. Shoulder Surfing - Snooping over someone's shoulder for sensitive information

More Social Engineering:
Lebanese looping - Capturing ATM PIN and card numbers
Skimming - Double-swiping a credit card
Chipping - Planting a device to read credit card information in a credit card reader
Eavesdropping - Listening to private communications

Types of Malware
1. Spyware - Secretly monitors and collects personal information about users and sends it to someone else.
   Adware - Pops banner ads on a monitor, collects information about the user's Web-surfing and spending habits, and forwards it to the adware creator.
2. Key logging - Records computer activity, such as a user's keystrokes, e-mails sent and received, Web sites visited, and chat session participation.
3. Trojan Horse - Malicious computer instructions in an authorized and otherwise properly functioning program.
   Time bombs/logic bombs - Idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur.

More Malware
Trap door/back door - A set of computer instructions that allows a user to bypass the system's normal controls.
Packet sniffers - Programs that capture data from information packets as they travel over the Internet or company networks.
Superzapping - Unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail.

CHAPTER 7

Audit committee - The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors.

Internal Control - A system to provide reasonable assurance that objectives are met, such as:
● Safeguard assets.
● Maintain records in sufficient detail to report company assets accurately and fairly.
● Provide accurate and reliable information.
● Prepare financial reports in accordance with established criteria.
● Promote and improve operational efficiency.
● Encourage adherence to prescribed managerial policies.
● Comply with applicable laws and regulations.

Threat/event - Any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
Exposure/impact - The potential dollar loss should a particular threat become a reality.

Functions of IC
1. Preventive - Deter problems
2. Detective - Discover problems
3. Corrective - Correct problems

Categories of IC
1. General - Overall IC system and processes. Controls designed to make sure an organization's information system and control environment is stable and well managed.
2. Application - Transactions are processed correctly; more specific. Controls that prevent, detect, and correct transaction errors and fraud in application programs.

Public Company Accounting Oversight Board (PCAOB)
- Oversight of the auditing profession
- Established by Sarbanes-Oxley
- Sets up auditing, quality control, ethics, independence, and other auditing standards
- 5 members appointed by the SEC
- Auditing partners must rotate periodically to avoid the familiarity threat

New Auditing Rules
a. Partners must rotate periodically
b. Prohibited from performing certain non-audit services

New Roles for Audit Committee
- Be part of the board of directors and be independent
- One member must be a financial expert
- Oversees external auditors

New Rules for Management
- Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
- The auditors were told about all material internal control weaknesses and fraud.

New Internal Control Requirements
- Management is responsible for establishing and maintaining an adequate internal control system.

SOX Management Rules
- Base evaluation of internal control on a recognized framework.
- Disclose all material internal control weaknesses.
- Conclude that a company does not have effective internal controls over financial reporting where material weaknesses exist.

Sarbanes-Oxley (2002) - Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
Foreign Corrupt Practices Act (FCPA) - Legislation passed to prevent companies from bribing foreign officials to obtain business.

Internal Control Frameworks
Control Objectives for Information and Related Technology (COBIT)
- Business objectives
- IT resources
- IT processes
Committee of Sponsoring Organizations (COSO) Internal Control - Integrated Framework
- Control environment
- Control activities
- Risk assessment
- Information and communication
- Monitoring

Internal Control - Enterprise Risk Management Model
- Risk-based vs. control-based
- COSO elements
- Setting objectives
- Event identification
- Risk assessment

ERM - Objective Setting
a. Strategic - High-level goals aligned with the corporate mission
b. Operational - Effectiveness and efficiency of operations
c. Reporting - Complete and reliable; improve decision making
d. Compliance - Laws and regulations are followed

ERM - Event Identification
- "...an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives."
● Positive or negative impacts (or both)
● Events may trigger other events
● All events should be anticipated

Risk Assessment
Identify Risk
- Identify likelihood of risk
- Identify positive or negative impact
Risk can be controlled but also:
● Accepted
● Diversified
● Shared
● Transferred

Types of Risk
1. Inherent - Risk that exists before any plans are made to control it
2. Residual - Remaining risk after controls are in place to reduce it
Risk appetite - The amount of risk a company is willing to accept to achieve its goals and objectives.

ERM - Risk Response
1. Reduce - implement effective IC
2. Accept - accept the likelihood of risk
3. Share - buy insurance / outsource / hedge
4. Avoid - not engaging in the activity that produces the risk

Control Environment
- Management's philosophy, operating style, and risk appetite
- The board of directors
- Commitment to integrity, ethical values, and competence
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
- External influences

Control Activities - Policies and procedures to provide reasonable assurance that control objectives are met
a. Proper authorization of transactions and activities - Signature or code on a document to signal authority over a process
b. Segregation of duties
c. Project development and acquisition controls
d. Change management controls
e. Design and use of documents and records
f. Safeguarding assets, records, and data
g. Independent checks on performance

Segregation of Accounting Duties
- No one employee should be given too much responsibility.
Segregate:
1. Authorization - approval of transactions
2. Recording - preparing source documents
3. Custody - handling cash / writing checks

Segregation of System Duties
- Like accounting duties, system duties should also be separated. These duties include:
● System administration
● Network management
● Security management
● Change management
● Users
● Systems analysts
● Programmers
● Computer operators
● Information system librarian
● Data control

Expected loss - The mathematical product of the potential dollar loss that would occur should a threat become a reality
*Expected loss = Impact x Likelihood

Primary purpose of an AIS
● Gather
● Record
● Process
● Summarize
● Communicate
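The design requirements for a relational database in Chapter 4 (non-null primary keys, foreign keys that match a primary key elsewhere, and the update/insert/delete anomalies they prevent) shown in working code. This is an added example, not part of these notes; the Customer and Sales_Invoice tables and the sample rows are constructed assumptions, and SQLite is used only because Python ships with it.

```python
import sqlite3

# Constructed schema (assumption, not from the notes): a revenue-cycle customer
# master file and a sales invoice transaction file linked by a foreign key.
SCHEMA = """
CREATE TABLE Customer (
    customer_id  TEXT NOT NULL PRIMARY KEY,   -- rule 2 / entity integrity: key is never null
    name         TEXT NOT NULL,               -- rule 1: every column single valued
    credit_limit REAL NOT NULL
);
CREATE TABLE Sales_Invoice (
    invoice_no   TEXT NOT NULL PRIMARY KEY,
    invoice_date TEXT NOT NULL,
    amount       REAL NOT NULL,
    customer_id  TEXT NOT NULL REFERENCES Customer(customer_id)  -- rule 3 / referential integrity
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores foreign keys unless this is set
    conn.executescript(SCHEMA)
    return conn


def attempt(conn: sqlite3.Connection, sql: str, params=()):
    """Run one DML statement; return (accepted, reason) so a rule's effect is a checkable value."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return True, ""
    except sqlite3.IntegrityError as exc:
        return False, str(exc)


def load_sample(conn: sqlite3.Connection) -> bool:
    """Constructed sample rows: one customer, two invoices that reference it."""
    results = [
        attempt(conn, "INSERT INTO Customer VALUES (?, ?, ?)", ("C100", "Acme Ltd", 5000.0)),
        attempt(conn, "INSERT INTO Sales_Invoice VALUES (?, ?, ?, ?)", ("INV1", "2024-01-05", 250.0, "C100")),
        attempt(conn, "INSERT INTO Sales_Invoice VALUES (?, ?, ?, ?)", ("INV2", "2024-01-09", 480.0, "C100")),
    ]
    return all(ok for ok, _ in results)


def entity_integrity_demo(conn: sqlite3.Connection):
    """A row with no primary key, or a duplicate key, cannot identify a distinct entity."""
    null_key = attempt(conn, "INSERT INTO Customer VALUES (?, ?, ?)", (None, "Nobody", 0.0))
    dup_key = attempt(conn, "INSERT INTO Customer VALUES (?, ?, ?)", ("C100", "Clone", 0.0))
    return null_key, dup_key


def referential_integrity_demo(conn: sqlite3.Connection):
    """An invoice must point at an existing customer (insert anomaly blocked), and a customer
    that still has invoices cannot be deleted out from under them (delete anomaly blocked)."""
    orphan = attempt(conn, "INSERT INTO Sales_Invoice VALUES (?, ?, ?, ?)", ("INV3", "2024-02-01", 99.0, "C999"))
    dangling = attempt(conn, "DELETE FROM Customer WHERE customer_id = ?", ("C100",))
    return orphan, dangling


def update_anomaly_demo(conn: sqlite3.Connection):
    """The customer name is stored once, so a single UPDATE is seen by every invoice via the join."""
    attempt(conn, "UPDATE Customer SET name = ? WHERE customer_id = ?", ("Acme Holdings", "C100"))
    return conn.execute(
        "SELECT i.invoice_no, c.name FROM Sales_Invoice i "
        "JOIN Customer c USING (customer_id) ORDER BY i.invoice_no"
    ).fetchall()


def run_demo() -> dict:
    conn = open_db()
    loaded = load_sample(conn)
    return {
        "loaded": loaded,
        "entity": entity_integrity_demo(conn),
        "referential": referential_integrity_demo(conn),
        "after_update": update_anomaly_demo(conn),
        "invoice_count": conn.execute("SELECT COUNT(*) FROM Sales_Invoice").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```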