control matrix
Information Systems Risk and Internal Control
COSO Internal Control Integrated Framework
• The Committee of Sponsoring Organizations
(COSO) is a private sector group consisting of the
AAA, AICPA, IIA, IMA, and FEI. COSO’s internal
control integrated framework is considered the
authority on internal controls.
• COSO’s internal control model has five components:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring
Control Objectives for Information
Technology (COBIT)
• Developed by the Information Systems Audit and
Control Foundation to provide guidance—to
managers, users, and auditors—on the best practices
for the management of information technology.
• According to COBIT
– IT resources must be managed by IT control processes to
ensure that the organization has the information it needs to
achieve its objectives.
– Exhibit 8.1 defines the IT resources that must be managed
and Chapter 1 describes the qualities that this information
must exhibit in order for it to be of value to the organization.
COBIT
• COBIT organizes IT internal control into domains and processes.
• Domains include:
– Planning and organization
– Acquisition and implementation
– Delivery and support
– Monitoring
• Processes detail the steps in each domain.
Risk Identification
• Economy Risks
– Affect an entire economy
• Examples include global economic
downturn, war, epidemic, terrorism,
environmental disasters
• Industry Risks
– Affect an entire industry
• Examples include industry wide cost
increases or demand decreases, or an
economy risk that has an especially
strong effect on a specific industry
Risk Identification
• Enterprise Risks
– Internal
• Lack of ethics, low employee morale, employee
incompetence
– External
• Increased competition, reduced brand quality
perceptions, crises involving business partners (value
system relationships), catastrophe that interrupts
operations, merger or acquisition
• Business Process Risks
– Risks associated with business process objects
• Resources (R), Events (E), and Agents (A), and the R-E, E-E, E-A, and R-A relationships among them
• Information Process Risks
– Risks associated with recording, maintaining, and reporting
information about business processes
The Control Matrix
• The control matrix is a tool designed to
assist you in analyzing a systems
flowchart and related narrative.
• It establishes the criteria to be used in
evaluating the controls in a particular
business process.
Sample Control Matrix
Operations Process Goals: Effectiveness Goals
i. Ensure the successful accomplishment of the goals set forth for the business process.
ii. Different processes have different effectiveness goals. For Causeway’s cash receipts process we include only two examples here:
– Goal A—to accelerate cash flow by promptly depositing cash receipts.
– Goal B—to ensure compliance with compensating balance agreements with the depository bank.
– Other possible goals of a cash receipts process would be shown as goals C, D, and so forth, and described at the bottom of the matrix (in the matrix legend).
iii. With respect to other business processes, such as production, we might be concerned with effectiveness goals related to the following:
– Goal A—to maintain customer satisfaction by finishing production orders on time.
– Goal B—to increase market share by ensuring the highest quality of finished goods.
Operations Process Goals: Efficiency Goals
i. The purpose of efficiency control goals of the operations process is to ensure that all resources used throughout the business process are being employed in the most productive manner.
ii. In parentheses, notice that we have listed two resources of the cash receipts process for which efficiency is applicable—people and computers.
• In fact, people and computers would always be considered in the efficiency assessments related to accounting information systems.
iii. In other business processes, such as receiving goods and supplies, we might also be concerned with the productive use of equipment such as trucks, forklifts, and hand-held scanners.
Operations Process Goals:
Security Goals
i. The purpose of security control goals of the operations process
is to ensure that entity resources are protected from loss,
destruction, disclosure, copying, sale, or other misuse.
ii. In parentheses, we have included two resources of the cash
receipts process over which security must be ensured—cash
and information (accounts receivable master data).
• With any business process, we are concerned with information that is
added, changed, or deleted as a result of executing the process, as well
as assets that are brought into or taken out of the organization as a
result of the process, such as cash, inventory, and fixed assets.
iii. With regard to other business processes, such as shipping, we
might include customer master data and shipping data.
• Note: The security over hard assets used to execute business
processes, such as computer equipment, trucks, trailers, and loading
docks, is handled through pervasive controls (discussed in Chapter 7).
Information Process Goals: Input Goals
i. With respect to all business process data entering the system, the purpose of input goals of the information process is to ensure:
• input validity (IV),
• input completeness (IC), and
• input accuracy (IA).
ii. With the cash receipts process, we are concerned with input validity, accuracy, and completeness over cash receipts.
• Here, they are in the form of remittance advices.
• Notice that we specifically name the input data of concern in parentheses.
iii. With respect to other business processes, such as hiring
employees, we would be concerned with other inputs,
such as employee, payroll, and benefit plan data.
Information Process Goals: Update Goals
i. Update goals must consider all related information that will
be affected by the input data, including master file data and
ledger data. For the business process input data, the
purpose of update control goals of the information process
is to ensure:
• update completeness (UC), and
• update accuracy (UA).
ii. With regard to the cash receipts information process, we recognize that the accounts receivable data will be updated by cash receipts.
• (Cash received reflects the debit and the customer account reflects the credit.)
• Notice that we list accounts receivable master data in the control matrix.
iii. Other business processes, such as cash payments, would
involve different update concerns, such as vendor, payroll,
or accounts payable master data.
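The input goals (IV, IC, IA) and update goals (UC, UA) above can be checked mechanically. The following is an added example, not from the slides or the Causeway case: it validates a constructed batch of remittance advices against constructed accounts receivable master data, posts the accepted advices, and then reconciles the update independently of the posting routine. The customer IDs, invoice numbers, amounts and batch control totals are constructed assumptions.

```python
"""Input and update control checks for a constructed cash receipts batch.

Added example (not from the original slides or the Causeway case). The
master data, advices and batch header below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class RemittanceAdvice:
    """One remittance advice keyed from a customer's payment stub."""
    customer_id: str
    invoice_no: str
    amount: float


@dataclass
class BatchHeader:
    """Control totals prepared when the batch was formed (constructed)."""
    record_count: int
    hash_total: float  # sum of the amounts on the advices in the batch


@dataclass
class Result:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (advice, reason)
    batch_ok: bool = False


# Constructed accounts receivable master data: customer -> {invoice: open balance}
AR_MASTER = {
    "C100": {"INV-1": 500.00, "INV-2": 250.00},
    "C200": {"INV-7": 1200.00},
}


def validate_input(advices, header, ar_master):
    """Input validity (IV), accuracy (IA) and completeness (IC) checks.

    IV: the customer and the invoice must exist in the AR master data.
    IA: the amount must be positive and not exceed the open invoice balance.
    IC: the record count and hash total of the batch must equal the header.
    """
    res = Result()
    for adv in advices:
        invoices = ar_master.get(adv.customer_id)
        if invoices is None or adv.invoice_no not in invoices:
            res.rejected.append((adv, "IV: unknown customer or invoice"))
            continue
        if adv.amount <= 0 or adv.amount > invoices[adv.invoice_no] + 0.005:
            res.rejected.append((adv, "IA: amount outside open balance"))
            continue
        res.accepted.append(adv)
    count_ok = len(advices) == header.record_count
    total_ok = abs(sum(a.amount for a in advices) - header.hash_total) < 0.005
    res.batch_ok = count_ok and total_ok
    return res


def post_receipts(accepted, ar_master):
    """Post accepted receipts; returns a new AR master, the original is untouched."""
    new_master = {c: dict(inv) for c, inv in ar_master.items()}
    for adv in accepted:
        new_master[adv.customer_id][adv.invoice_no] -= adv.amount
    return new_master


def verify_update(accepted, before, after):
    """Update completeness (UC) and accuracy (UA), checked independently of posting.

    UC: the set of invoices whose balance changed is exactly the set paid.
    UA: each changed balance dropped by exactly the amount on its advice.
    Assumes at most one advice per invoice in the batch. Returns (uc_ok, ua_ok).
    """
    expected = {(a.customer_id, a.invoice_no): a.amount for a in accepted}
    changed = {}
    for cust, invoices in before.items():
        for inv, bal in invoices.items():
            delta = bal - after[cust][inv]
            if abs(delta) >= 0.005:
                changed[(cust, inv)] = delta
    uc_ok = set(changed) == set(expected)
    ua_ok = uc_ok and all(abs(changed[k] - v) < 0.005 for k, v in expected.items())
    return uc_ok, ua_ok


# Constructed batch: one valid advice, one unknown invoice, one overpayment.
SAMPLE_BATCH = [
    RemittanceAdvice("C100", "INV-1", 500.00),
    RemittanceAdvice("C100", "INV-9", 100.00),   # invoice does not exist -> IV
    RemittanceAdvice("C200", "INV-7", 1500.00),  # exceeds open balance -> IA
]
SAMPLE_HEADER = BatchHeader(record_count=3, hash_total=2100.00)


def run_sample():
    """Validate, post and reconcile the constructed batch."""
    res = validate_input(SAMPLE_BATCH, SAMPLE_HEADER, AR_MASTER)
    after = post_receipts(res.accepted, AR_MASTER)
    uc_ok, ua_ok = verify_update(res.accepted, AR_MASTER, after)
    return res, after, uc_ok, ua_ok


if __name__ == "__main__":
    res, after, uc_ok, ua_ok = run_sample()
    print("batch totals agree (IC):", res.batch_ok)
    for adv, reason in res.rejected:
        print("rejected", adv, reason)
    print("UC:", uc_ok, "UA:", ua_ok, after)
```

Note that the batch-level completeness check passes even though two advices are rejected: IC asks whether everything in the batch reached the system, while IV and IA are judged per record, which is why the rejected advices still need a separate exception report.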
Causeway Annotated Systems Flowchart
Annotating Present Control Plans
• Start on the upper left-hand column of the systems
flowchart and spot the first manual keying symbol, manual
process symbol, or computer process symbol (process
related symbols)
• Then, follow the sequential logic of the systems flowchart
and identify all of the process-related symbols.
• Each process-related symbol reflects an internal control plan that is already present.
• It is important to recognize that while a control plan may be present, it may not be working as effectively as it should; thus, you might recommend ways to strengthen or augment existing control plans.
Annotate the Process Flowchart
• Review the flowchart and determine whether a control is present (P-) or missing (M-).
• Annotate the flowchart:
– If a control is present, mark P-
– If a control is absent, mark M-
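The matrix that results from this annotation can be kept as a data structure and queried for gaps. The following is an added example, not from the slides or the Causeway case: the goal columns follow the slides (effectiveness goals A and B, efficiency, security, IV, IC, IA, UC, UA), while the control plans, their P-/M- codes and the goals each is assumed to address are constructed for illustration.

```python
"""Control matrix as a data structure, with coverage and gap analysis.

Added example, not from the original slides. The plans in SAMPLE_PLANS and
the goals they address are constructed assumptions; the goal columns are
the ones named on the slides.
"""
from dataclasses import dataclass

GOALS = ["Eff A", "Eff B", "Efficiency", "Security",
         "IV", "IC", "IA", "UC", "UA"]


@dataclass(frozen=True)
class ControlPlan:
    code: str          # "P-n" if present on the flowchart, "M-n" if missing
    description: str
    goals: frozenset   # subset of GOALS that the plan addresses

    @property
    def present(self):
        return self.code.startswith("P-")


def validate_matrix(plans):
    """Reject plans whose code is not P-/M- or that cite a goal not in GOALS."""
    for p in plans:
        if not (p.code.startswith("P-") or p.code.startswith("M-")):
            raise ValueError(f"{p.code}: code must start with P- or M-")
        unknown = p.goals - set(GOALS)
        if unknown:
            raise ValueError(f"{p.code}: unknown goals {sorted(unknown)}")


def coverage(plans):
    """Map each goal to the codes of the present plans that address it."""
    validate_matrix(plans)
    cov = {g: [] for g in GOALS}
    for p in plans:
        if p.present:
            for g in p.goals:
                cov[g].append(p.code)
    return cov


def gaps(plans):
    """Goals that no present control plan addresses, in column order."""
    return [g for g, codes in coverage(plans).items() if not codes]


def recommendations(plans):
    """Missing plans (M-) that would close at least one gap, with the gaps closed."""
    open_goals = set(gaps(plans))
    return {p.code: sorted(p.goals & open_goals)
            for p in plans if not p.present and p.goals & open_goals}


def render(plans):
    """Plain-text control matrix: one row per plan, one column per goal."""
    width = max(len(g) for g in GOALS) + 2
    rows = ["Plan  " + "".join(g.ljust(width) for g in GOALS)]
    for p in plans:
        cells = "".join((p.code if g in p.goals else "").ljust(width) for g in GOALS)
        rows.append(f"{p.code:<6}{cells}")
    return "\n".join(rows)


# Constructed plans for a cash receipts process (hypothetical, not Causeway's).
SAMPLE_PLANS = [
    ControlPlan("P-1", "Edit check: customer and invoice exist in AR master",
                frozenset({"IV", "IA"})),
    ControlPlan("P-2", "Batch totals reconciled after keying and after posting",
                frozenset({"IC", "IA", "UC", "UA"})),
    ControlPlan("P-3", "Receipts deposited daily",
                frozenset({"Eff A", "Security"})),
    ControlPlan("M-1", "Deposit slip reconciled to bank statement",
                frozenset({"Eff B", "Security"})),
    ControlPlan("M-2", "Automated posting in place of manual re-keying",
                frozenset({"Efficiency", "UA"})),
]

if __name__ == "__main__":
    print(render(SAMPLE_PLANS))
    print("goals with no present control:", gaps(SAMPLE_PLANS))
    print("missing plans that would close a gap:", recommendations(SAMPLE_PLANS))
```

A goal with an empty column is the analysis result the matrix is built to expose; a goal covered by a single present plan is the place to ask whether that plan is actually working as well as it should.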