資訊系統風險 與 內部控制 COSO Internal Control Integrated Framework • The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of the AAA, AICPA, IIA, IMA, and FEI. COSO’s internal control integrated framework is considered the authority on internal controls. • COSO’s internal control model has five components: – – – – – Control environment Risk assessment Control Activities Information and communication Monitoring 2 Control Objectives for Information Technology (COBIT) • Developed by the Information Systems Audit and Control Foundation to provide guidance—to managers, users, and auditors—on the best practices for the management of information technology. • According to COBIT – IT resources must be managed by IT control processes to ensure that the organization has the information it needs to achieve its objectives. – Exhibit 8.1 defines the IT resources that must be managed and Chapter 1 describes the qualities that this information must exhibit in order for it to be of value to the organization. 3 COBIT • COBIT organizes IT internal control into domains and process • Domains include: – Planning and organization – Acquisition and implementation – Delivery and support – Monitoring • Processes detail steps in each domain 4 Risk Identification • Economy Risks – Affect an entire economy • Examples include global economic downturn, war, epidemic, terrorism, environmental disasters • Industry Risks – Affect an entire industry • Examples include industry wide cost increases or demand decreases, or an economy risk that has an especially strong effect on a specific industry 5 Risk Identification • Enterprise Risks – Internal • Lack of ethics, low employee morale, employee incompetence – External • Increased competition, reduced brand quality perceptions, crises involving business partners (value system relationships), catastrophe that interrupts operations, merger or acquisition • Business Process Risks – Risks associated with business process objects • R’s, E’s, A’s, and R-E, E-E, E-A, R-A relationships • Information Process Risks – Risks associated with recording, maintaining, and reporting information about business processes 6 The Control Matrix • The control matrix is a tool designed to assist you in analyzing a systems flowchart and related narrative. • It establishes the criteria to be used in evaluating the controls in a particular business process. 7 Sample Control Matrix 8 Operations Process Goals: Effectiveness Goals i. ii. Ensure the successful accomplishment of the goals set forth for the business process Different processes have different effectiveness goals. For Causeway’s cash receipts process we include only two examples here: – – – iii. Goal A—to accelerate cash flow by promptly depositing cash receipts. Goal B—to ensure compliance with compensating balance agreements with the depository bank. Other possible goals of a cash receipts would be shown as goals C, D, and so forth, and described at the bottom of the matrix (in the matrix legend). With respect to other business processes, such as production, we might be concerned with effectiveness goals related to the following: – – Goal A—to maintain customer satisfaction by finishing production orders on time. Goal B—to increase market share by ensuring the highest quality of finished goods. 9 Operations Process Goals: Efficiency Goals i. The purpose of efficiency control goals of the operations process is to ensure that all resources used throughout the business process are being employed in the most productive manner In parentheses, notice that we have listed two resources of the cash receipts process for which efficiency is applicable—people and computers. ii. • iii. In fact, people and computers would always be considered in the efficiency assessments related to accounting information systems. In other business processes, such as receiving goods and supplies, we might also be concerned with the productive use of equipment such as trucks, forklifts, and hand-held scanners. 10 Operations Process Goals: Security Goals i. The purpose of security control goals of the operations process is to ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse. ii. In parentheses, we have included two resources of the cash receipts process over which security must be ensured—cash and information (accounts receivable master data). • With any business process, we are concerned with information that is added, changed, or deleted as a result of executing the process, as well as assets that are brought into or taken out of the organization as a result of the process, such as cash, inventory, and fixed assets. iii. With regard to other business processes, such as shipping, we might include customer master data and shipping data. • Note: The security over hard assets used to execute business processes, such as computer equipment, trucks, trailers, and loading docks, is handled through pervasive controls (discussed in Chapter 7). 11 Information Process Goals: Input Goals i. With respect to all business process data entering the system, the purpose of input goals of the information process is to ensure: • • • ii. input validity (IV) input completeness (IC) and input accuracy (IA). With the cash receipts process, we are concerned with input validity, accuracy, and completeness over cash receipts • • Here, they are in the form of remittance advices Notice that we specifically name the input data of concern in parentheses. iii. With respect to other business processes, such as hiring employees, we would be concerned with other inputs, such as employee, payroll, and benefit plan data. 12 Information Process Goals: Update Goals i. Update goals must consider all related information that will be affected by the input data, including master file data and ledger data. For the business process input data, the purpose of update control goals of the information process is to ensure: • • The update completeness (UC) and Update accuracy (UA) ii. With regard to the cash receipts information process, we recognize that the accounts receivable data will be updated by cash receipts • • Cash received reflects the debit and customer account reflects the credit). Notice that we list accounts receivable master data in the control matrix. iii. Other business processes, such as cash payments, would involve different update concerns, such as vendor, payroll, or accounts payable master data. 13 Causeway Annotated Systems Flowchart 14 Annotating Present Control Plans • Start on the upper left-hand column of the systems flowchart and spot the first manual keying symbol, manual process symbol, or computer process symbol (process related symbols) • Then, follow the sequential logic of the systems flowchart and identify all of the process-related symbols. • Each process-related symbol reflects an internal control plan which is already present. • It is important to recognize that while a control plan may be present, it may not be working as effectively as it should; thus, you might recommend ways to strengthen or augment existing control plans 15 Annotate the Process Flow Chart • Review the flowchart and determine whether a control is present (P-) or missing (M-) • Annotate the flowchart – If controls are present, mark P– If controls are absent, mark M- 16