Enterprise Risk Management

Chapter 7:
Controlling Information
Systems: Introduction to
Enterprise Risk Management
and Internal Control
Accounting Information Systems, 9e
Gelinas ►Dull ► Wheeler
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Learning Objectives
Summarize the eight elements of COSO’s
Enterprise Risk Management—Integrated
Framework.
Understand that management employs internal
control systems as part of organizational and IT
governance initiatives.
Describe how internal control systems help
organizations achieve objectives and respond to
risks.
Learning Objectives (cont’d)
Describe fraud, computer fraud, and computer
abuse.
Enumerate control goals for operations and
information processes.
Describe the major categories of control plans.
Suggested Exercise Questions
P 7-1 on page 250
P 7-3 on page 251
P 7-4 on page 253
Why are Controls Needed?
1. To provide reasonable assurance that the goals
of each business process are being achieved.
2. To mitigate the risk that the enterprise will be
exposed to some type of harm, danger, or loss
(including loss caused by fraud or other
intentional and unintentional acts).
3. To provide reasonable assurance that the
company is in compliance with applicable
legal and regulatory obligations.
A Control Hierarchy
Chapter 7
Besides the internal control topics covered by
the textbook, we will also study control topics
related to IS analysis, design, and maintenance.
Governance
Organizational governance
 Highest level of control mechanism
 Process by which organizations select objectives,
establish processes to achieve objectives, and
monitor performance.
 Enterprise Risk Management (ERM): a framework
that has been proven to be an effective process for
organizational governance
Governance example
Risk Management
Enterprise Risk Management (ERM): process,
effected by an entity’s board of directors,
management, and other personnel, applied in
strategy setting and across the enterprise,
designed to identify potential events that may
affect the entity, and manage risk to be within
its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives.
Eight Components of Enterprise Risk
Management (ERM) – on page 221
 Internal Environment
 Objective Setting
 Event Identification
 Risk Assessment
 Risk Response
 Control Activities
 Information and
Communication
 Monitoring
 Another reason ERM is necessary is the
Sarbanes-Oxley Act of 2002 (SOX)
Sarbanes-Oxley Act (SOX) of 2002
 Created due to failure of governance (i.e., Enron)
 Detail from financial accounting and auditing courses
Created public company accounting oversight board (PCAOB).
Strengthened auditor independence rules.
Increased accountability of company officers and directors.
Mandated upper management to take responsibility for the
company’s internal control structure.
 Enhanced the quality of financial reporting.
 Increased white collar crime penalties.




Key Elements of SOX (AIS perspective)
Section 201—prohibits audit firms from
providing a wide array of nonaudit services to
audit clients
 in particular, the act prohibits consulting
engagements involving the design and
implementation of financial information systems.
Section 302—CEOs and CFOs must certify
quarterly and annual financial statements.
Section 404—Mandates that the annual report
filed with the SEC include an internal control report.
Outline of SOX (AIS perspective)
Outline on page 226
Title III—Corporate Responsibility: Company’s
CEO and CFO must certify quarterly and annual
reports stating:
 They are responsible for establishing, maintaining,
and reporting on the effectiveness of internal
controls, including significant deficiencies, frauds,
or changes in internal controls.
Outline of SOX (AIS perspective)
Title IV—
Section 409 requires that companies disclose
information on material changes in their
financial condition or operations on a rapid
and current basis.
Outline of SOX (AIS perspective)
Title VIII—Corporate and Criminal Fraud
Accountability: Makes it a felony to knowingly
destroy, alter, or create records or documents
with the intent to impede, obstruct, or
influence an ongoing or contemplated federal
investigation (example on the next slide).
Offers legal protection to whistleblowers who
provide evidence of fraud. Provides criminal
penalties for those who knowingly execute, or
attempt to execute, securities fraud.
Recovered E-Mail between Enron and
Andersen Consulting
Outline of SOX (AIS perspective)
Title IX—White-Collar Crime Penalty
Enhancements: Requires that CEOs and CFOs
certify that information contained in periodic
reports fairly presents, in all material respects,
the financial condition and results of the
company’s operations. Sets criminal penalties
applicable to CEOs and CFOs if they knowingly
or willfully falsely so certify.
Your Computer Usage Pattern
Your property?
 Computer files, email by your personal email system
Talking about your boss or peers by email
Web shopping during lunch break
Visiting adult websites
All files are deleted…are you safe now?
When leaving the company?
 Access to your computer
Definition of Internal Control
Internal control is a process—effected by an
entity’s board of directors, management, and
other personnel—designed to provide
reasonable assurance regarding the
achievement of objectives in the following
categories:
 Effectiveness & efficiency of operations
 Reliability of financial reporting
 Compliance with applicable laws & regulations
COSO Influence on Defining Internal Control
(most current COSO framework on the class website)
Matrix for Evaluating Internal
Controls
Fraud and its Relationship to
Control
Fraud: deliberate act or untruth intended to
obtain unfair or unlawful gain.
 Management charged with responsibility to prevent
and/or disclose fraud. Instances of fraud undermine
management’s ability to convince various authorities
that it is upholding its stewardship responsibility.
 Control systems enable management to do this job.
 Management is responsible for an internal control
system per the Foreign Corrupt Practices Act of 1977.
 Section 1102 of the Sarbanes-Oxley Act specifically
addresses corporate fraud.
Consideration of Fraud in a
Financial Statement Audit (SAS 99)
The accounting profession has been proactive in
dealing with corporate fraud, as it has launched
an anti-fraud program.
One of the manifestations of this initiative is
Statement on Auditing Standards (SAS) No. 99.
SAS 99 emphasizes brainstorming fraud risks,
increasing professional skepticism, using
unpredictable audit test patterns, and
detecting management override of internal
controls.
2010 ACFE Report to the Nation on
Occupational Fraud and Abuse
Median loss from frauds was $160,000.
One quarter of losses were at least $1 million.
Projected global losses would be $2.9 trillion.
Typical fraud was underway 18 months.
Frauds were more likely detected by tips.
Over 80 percent of the frauds were committed
by individuals within the organization.
Small businesses are disproportionately
victimized by fraud (31 percent of cases).
PwC Economic Crime Survey
30% of companies reported frauds in the
previous 12 months and 43% reported an
increase from the previous year.
Larger companies reported a greater number of
frauds.
Collateral damage—described as damage or
significant damage to their business—was
reported in 100% of frauds.
PwC Economic Crime Survey
(cont’d)
Frauds were detected by internal audit (17%),
internal tip-offs (16%) and fraud risk
management (14%).
There was a strong correlation between fraud
risk management activities and higher chances
of detecting frauds.
Computer Fraud and Abuse
Digital forensics
Computer crime
Malware
Computer virus
DIGITAL FORENSICS
Digital forensics – the collection,
authentication, preservation, and examination
of electronic information for presentation in
court
Two phases
1. Collecting, authenticating, and preserving
electronic evidence
2. Analyzing the findings
Phase 1: Collection – Places to look
for Electronic Evidence
Phase 1: Preservation
If possible, the hard disk is removed without
turning the computer on
A special forensics computer is used to ensure
that nothing is written to the drive
Forensic image copy – an exact copy or
snapshot of all stored information
Phase 1: Authentication
The authentication process is necessary to ensure
that no evidence was planted or destroyed
 MD5 hash value
It is like a fingerprint of the file.
There is a very small possibility of getting two identical
hashes (fingerprints) for two different files.
This property is useful both for comparing files and for
controlling their integrity.
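The authentication step above rests on hashing the image at acquisition and re-hashing it before analysis. This added Python example (not from the slides or their textbook) shows that workflow on a constructed byte string standing in for a disk image: a streaming digest so the image need not fit in memory, an acquisition record, and a verify step that reports every algorithm that no longer matches. MD5 is computed because it is the value the slides name; SHA-256 is computed alongside because MD5 collisions have been practical for years, and a custody record should carry a collision-resistant hash as well.

```python
import hashlib
import io

CHUNK_SIZE = 1 << 16   # hash 64 KiB at a time; a real image does not fit in RAM


def image_digests(stream, algorithms=("md5", "sha256")):
    """Compute several digests of an image in one streaming pass over it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(image_bytes):
    """Acquisition step: record the image's digests at collection time.

    This record is the 'fingerprint' that accompanies the evidence. MD5 is the
    value the slides name; SHA-256 is recorded as well because MD5 collisions
    are practical and a custody record should carry a collision-resistant hash.
    """
    return image_digests(io.BytesIO(image_bytes))


def verify(image_bytes, record):
    """Re-hash before analysis and compare every digest in the acquisition record.

    Returns {algorithm: matches}. A single False means the evidence is no
    longer byte-for-byte what was collected, whatever the cause.
    """
    current = image_digests(io.BytesIO(image_bytes), tuple(record))
    return {name: current[name] == record[name] for name in record}


def flip_byte(image_bytes, offset):
    """Copy of the image with one bit changed: a stand-in for any alteration."""
    buf = bytearray(image_bytes)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed sample standing in for a disk image: filler around one text artifact.
SAMPLE_IMAGE = b"\x00" * 4096 + b"memo: see attached Q3 ledger" + b"\xff" * 200_000
ACQUISITION_RECORD = acquire(SAMPLE_IMAGE)

if __name__ == "__main__":
    print("acquired:", ACQUISITION_RECORD)
    print("exact copy verifies:", verify(bytes(SAMPLE_IMAGE), ACQUISITION_RECORD))
    print("one changed byte:", verify(flip_byte(SAMPLE_IMAGE, 4100), ACQUISITION_RECORD))
```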
Forensic Hardware and Software
Tools
Forensics computers usually have a lot of RAM
and very fast processors
EnCase – software that finds all information on
disks
Quick View Plus and Conversions Plus – read
files in many formats
Mailbag Assistant – reads most e-mail
Forensics Hardware and Software
Tools
Gargoyle – software that identifies encrypted
files and may decrypt them
Irfan View – reads image files
Ingenium – semantic analysis software that
searches for meaning rather than an exact
match
Cell Phones
In 2004: 200 countries with more than 1.5
billion users of GSM cell phones (Cingular and
most of Europe)
 GSM: Global System for Mobile Communications
Cell phones can be used for
 Illegal drug deals
 Storing stolen data
 Fraudulently securing goods and services
 Setting off explosives
Cell Phones and Other Handheld Devices
Files Can Be Recovered from…
Phase 2: Analysis
Interpretation of information uncovered
Recovered information must be put into
context
Digital forensic software pinpoints the file’s
location on the disk, its creator, the date it was
created and many other features of the file
Where Data is Hiding
History of Disk Activity
Live Analysis
Examination of a system while it is still running
Disadvantage – not possible to get an MD5 hash
value
Advantages include the ability to retrieve
information from RAM
Helix – program to collect information during
live analysis
RECOVERY AND INTERPRETATION
Snippets of e-mail, when put into context,
often tell an interesting story
E-Mail between engineers about
the Spaceship Columbia
E-Mail between Enron and
Andersen Consulting
E-Mail from Arresting Officer in the
Rodney King Beating
Internal E-Mail from Bill Gates to
Microsoft Employee
Places to Look for Useful
Information
Deleted files and slack space
 Slack space – the space between the end of the file
and the end of the cluster
System and registry files
 Controls virtual memory on hard disk
 Has records on installs and uninstalls
 Has MAC address (unique address of computer on the
network)
Places to Look for Useful
Information
Unallocated space – set of clusters that has
been marked as available to store information
but has not yet received any
Unused disk space
Erased information that has not been
overwritten
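As an added example, not from the slides, the toy Python volume below makes the three hiding places above concrete: it mimics cluster allocation on a tiny constructed disk, deletes a file without zeroing anything, and then shows the same memo text turning up in unallocated clusters, in the slack space of a newer small file, and finally disappearing once those clusters are overwritten. The cluster size, file names and memo text are all constructed.

```python
CLUSTER = 64      # bytes per cluster (toy size; real file systems use 4 KiB or more)
N_CLUSTERS = 16   # a 1 KiB "disk"


class ToyVolume:
    """Minimal FAT-style volume that shows where deleted data survives.

    The directory maps a name to (cluster list, size). Deleting a file only
    drops the directory entry and frees its clusters; no byte is zeroed,
    which is how real file systems behave.
    """

    def __init__(self):
        self.disk = bytearray(CLUSTER * N_CLUSTERS)
        self.free = set(range(N_CLUSTERS))
        self.directory = {}

    def _cluster(self, c):
        return bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])

    def write_file(self, name, data):
        needed = -(-len(data) // CLUSTER)          # ceiling division
        clusters = sorted(self.free)[:needed]       # lowest free clusters first
        self.free.difference_update(clusters)
        for i, c in enumerate(clusters):
            piece = data[i * CLUSTER:(i + 1) * CLUSTER]
            start = c * CLUSTER
            # Only len(piece) bytes are written; whatever follows them in the
            # last cluster is untouched. That remainder is the file's slack space.
            self.disk[start:start + len(piece)] = piece
        self.directory[name] = (clusters, len(data))

    def delete_file(self, name):
        clusters, _ = self.directory.pop(name)
        self.free.update(clusters)                  # bytes stay until reused

    def read_file(self, name):
        """What a normal user sees: exactly `size` bytes, never the slack."""
        clusters, size = self.directory[name]
        return b"".join(self._cluster(c) for c in clusters)[:size]

    def slack_space(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        clusters, size = self.directory[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        return self._cluster(clusters[-1])[used_in_last:]

    def unallocated_space(self):
        """Clusters marked free: deleted content lives here until overwritten."""
        return b"".join(self._cluster(c) for c in sorted(self.free))


def carve(region, marker):
    """Carving: search raw disk bytes for a known pattern, ignoring the directory."""
    return marker in region


# Constructed scenario data (not from any real case).
MEMO = b"CONFIDENTIAL: payroll adjustment memo, do not forward. " * 3   # 165 bytes, 3 clusters
NOTE = b"lunch order: pizza"                                            # 18 bytes, reuses cluster 0


def scenario():
    """Write, delete, partly overwrite, then fully overwrite; report what each view exposes."""
    vol = ToyVolume()
    vol.write_file("memo.txt", MEMO)
    vol.delete_file("memo.txt")
    found_after_delete = carve(vol.unallocated_space(), b"payroll")
    vol.write_file("note.txt", NOTE)            # takes cluster 0; clusters 1-2 still hold memo text
    found_in_slack = carve(vol.slack_space("note.txt"), b"do not forward")
    visible_to_user = carve(vol.read_file("note.txt"), b"forward")
    vol.write_file("filler.bin", b"\x00" * 2 * CLUSTER)   # overwrites clusters 1-2 completely
    return {
        "listed_files": sorted(vol.directory),
        "memo_in_unallocated_after_delete": found_after_delete,
        "memo_in_note_slack": found_in_slack,
        "memo_visible_via_normal_read": visible_to_user,
        "memo_recoverable_after_overwrite": carve(vol.unallocated_space(), b"payroll"),
    }
```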
Anti-Forensics
New branch of digital forensics
Set of tools and activities that make it hard or
impossible to track user activity
Three categories
 Configuration settings
 Third party tools
 Forensic defeating software
Configuration Settings Examples:
Delete files, bypassing the Recycle Bin
Rename the file with a different extension
Clear out virtual memory
Use Defrag to rearrange data on the hard disk
and overwrite deleted files
Use Disk Cleanup to delete ActiveX controls and
Java applets
Configuration Settings Examples:
Delete temporary Internet files
Hide information by making it invisible with the
Hidden feature in Word or Excel
Redact – black out portions of a document
Protect your files with passwords
Configuration Settings Examples:
Make the information invisible
Use Windows to hide files
Protect file with password
Third-Party Tools to:
Alter your registry
Hide Excel files inside Word documents and vice
versa
Change properties such as the creation date in
Windows
Replace disk contents with 1’s and 0’s – these are
called wiping programs
Third Party Tools
Encryption – scrambles the contents of a file so
that you can’t read it without the decryption
key
Steganography – hiding information inside
other information
 The watermark on dollar bills is an example
U3 Smart drive – stores and can launch and run
software without going through the hard disk,
thus leaving no trace of itself
Forensic Defeating Software
Software on the market specially designed to
evade forensic examination
Such software would include programs to
remove
 data in slack space
 data in cache memory
 cookies, Internet files, Google search history, etc.
WHO NEEDS DIGITAL FORENSICS
INVESTIGATORS?
Digital forensics is used in
 The military for national and international
investigations
 Law enforcement, to gather electronic evidence in
criminal investigations
 Corporations and not-for-profits for internal
investigations
 Consulting firms that specialize in forensics
Organizations Use Digital Forensics
in Two Ways
1. Proactive education to educate employees
2. Reactive digital forensics for incident response
Proactive Education to Educate
Employees
Proactive Education for Problem Prevention
What to do and not to do with computer
resources such as
The purposes for which e-mail should be used
How long it may be saved
Which Internet sites may be visited
Reactive Digital forensics for
Incident Response
What to do if wrong-doing is suspected and how
to investigate it
 Encouraged by the Sarbanes-Oxley Act, which
expressly requires implementation of policies to
prevent illegal activity and to investigate allegations
promptly
A Day in the Life…
As a digital forensics expert you must
 Know a lot about computers and how they work
 Keep learning
 Have infinite patience
 Be detail-oriented
 Be good at explaining how computers work
 Be able to stay cool and think on your feet
Computer Crime
Computer crime – a crime in which a
computer, or computers, play a significant part
Computers are involved in crime in two ways
 As the targets of misdeeds
 As weapons or tools of misdeeds
Computer crimes can be committed
 Inside the organization
 Outside the organization
Examples of Computer Crimes
Crimes in Which Computers
Usually Play a Part
Outside the Organization
Financial loss stemmed from
 Virus and worm attacks
 Unauthorized access
 Theft of hardware
 Theft of information
 Malware
Types of Malware
Malware – software designed to harm your
computer or computer security
 Viruses
 Worms
 Misleading e-mail
 Denial-of-service attacks
 Distributed denial-of-service attacks
 Web defacing
 Malware bots
Viruses
Computer virus (virus) – software that was
written with malicious intent to cause
annoyance or damage
Worm – a computer virus that replicates and
spreads itself from computer to computer
Recent Problems
The most common type of worm was a botnet
in 2007 and 2008
Botnet – collection of computers that have been
infected with blocks of code (called bots) that
can run automatically by themselves.
A botnet can
 Collect e-mail addresses from infected machines
 Distribute vast amounts of e-mail
 Lie dormant to be used at a later date by crooks
The Love Bug Worm
Stand-Alone Viruses
Spoofing – forging of return address on email so that it appears to come from
someone other than sender of record
Klez family of worms
 Introduced spoofing of sender and recipient
Trojan Horse Viruses
Trojan horse virus – hides inside other
software, usually an attachment or download
Examples:
 Key logger (key trapper) software – program that,
when installed on a computer, records every
keystroke and mouse click
 Ping-of-Death DoS attack designed to crash Web
sites
Misleading E-mail: Virus Hoax
Objective is to cause damage to your system
Virus hoax is an e-mail telling you of a nonexistent virus
 Makes recipients believe that they already have a
virus and gives removal instructions that
actually delete a Windows file
 Often purports to come from Microsoft – Microsoft
always sends you to a Web site to find the solution
to such a problem
Denial-of-Service Attacks
Denial-of-Service (DoS) attack – floods a
Web site with so many requests for service
that it slows down or crashes
Objective is to prevent legitimate customers
from using Web site
Distributed DoS
Distributed denial-of-service attack
(DDoS) – attacks from multiple computers
that flood a Web site with so many requests
for service that it slows down or crashes.
Distributed Denial-of-Service
Attack
Malware Bots
Bot – a computer program that runs
automatically.
Malware bots – bots that are used for fraud,
sabotage, denial-of-service attacks, or some
other malicious purpose
Zombies (or drones) – malware-bot-infected
computers
Rootkits
Rootkit – software that gives you administrator
rights to a computer or network; its purpose is
to conceal processes, files, or system data from
the operating system.
Web Defacing
Web defacing – maliciously changing another’s
Web site
Electronic equivalent of graffiti
Players
Hackers – knowledgeable computer users who
use their knowledge to invade other people’s
computers
Thrill-seeker hackers – break into computer
systems for entertainment
White-hat (ethical) hackers – computer
security professionals who are hired by a
company to uncover vulnerabilities in a
network
Players
Black hat hackers – cyber vandals. They’re the
people who exploit or destroy information
Crackers – hackers for hire; the people who
engage in electronic corporate espionage
 Social engineering – acquiring information that you
have no right to by means of deception
Players
Hacktivists – politically motivated hackers who
use the Internet to send a political message
Cyberterrorists – those who seek to cause
harm to people or destroy critical systems or
information
Players
Script kiddies (or bunnies) – people who would
like to be hackers but don’t have much
technical expertise
 Are often used by experienced hackers as shields
COSO Influence on Defining
Internal Control