© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 1 of 315
INTRODUCTION
• Questions to be addressed in this chapter:
– What are the basic internal control concepts, and why are
computer control and security important?
– What is the difference between the COBIT, COSO, and ERM
control frameworks?
– What are the major elements in the internal environment of a
company?
– What are the four types of control objectives that companies
need to set?
– What events affect uncertainty, and how can they be identified?
– How is the Enterprise Risk Management model used to assess
and respond to risk?
– What control activities are commonly used in companies?
– How do organizations communicate information and monitor
control processes?
INTRODUCTION
• Historically, many organizations have not adequately
protected their data due to one or more of the following
reasons:
– Computer control problems are often underestimated and
downplayed.
– Control implications of moving from centralized, host-based
computer systems to those of a networked system or Internet-
based system are not always fully understood.
– Companies have not realized that data is a strategic resource
and that data security must be a strategic requirement.
– Productivity and cost pressures may motivate management to
forego time-consuming control measures.
OVERVIEW OF CONTROL CONCEPTS
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• In 1977, Congress passed the Foreign Corrupt
Practices Act, and to the surprise of the profession, this
act incorporated language from an AICPA
pronouncement.
• The primary purpose of the act was to prevent the
bribery of foreign officials to obtain business.
• A significant effect was to require that corporations
maintain good systems of internal accounting control.
– Generated significant interest among management, accountants,
and auditors in designing and evaluating internal control
systems.
– The resulting internal control improvements weren’t sufficient.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• In the late 1990s and early 2000s, a series
of multi-million-dollar accounting frauds
made headlines.
– The impact on financial markets was
substantial, and Congress responded with
passage of the Sarbanes-Oxley Act of 2002
(aka, SOX).
• Applies to publicly held companies and their
auditors.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• The intent of SOX is to:
– Prevent financial statement fraud
– Make financial reports more transparent
– Protect investors
– Strengthen internal controls in publicly-held
companies
– Punish executives who perpetrate fraud
• SOX has had a material impact on the way
boards of directors, management, and
accountants operate.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting
Oversight Board (PCAOB) to oversee the auditing
profession.
• Has five members, three of whom cannot be
CPAs.
• Charges fees to firms to fund the PCAOB.
• Sets and enforces auditing, quality control,
ethics, independence, and other standards
relating to audit reports.
• Currently recognizes FASB statements as
being generally accepted.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
– New rules for auditors
– New rules for audit committees
– New rules for management
• If management willfully and knowingly violates the certification, they can be:
– Imprisoned up to 20 years
– Fined up to $5 million
• Management and directors cannot receive loans that would not be available to people outside the company.
• They must disclose, on a rapid and current basis, material changes to their financial condition.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• New internal control requirements:
– Section 404 of SOX requires companies to issue a report accompanying the financial statements that:
• States management is responsible for establishing and maintaining an adequate internal control structure and procedures.
• Contains management’s assessment of the company’s internal controls.
• Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• SOX also requires that the auditor attests to and reports on management’s internal control assessment.
• Each audit report must describe the scope of the auditor’s internal control tests.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• After the passage of SOX, the SEC further
mandated that:
– Management must base its evaluation on a
recognized control framework, developed using a
due-process procedure that allows for public
comment. The most likely framework is the COSO
model discussed later in the chapter.
– The report must contain a statement identifying the
framework used.
– Management must disclose any and all material
internal control weaknesses.
– Management cannot conclude that the company has
effective internal control if there are any material
weaknesses.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Levers of control
– Many people feel there is a basic conflict between creativity and controls.
– Robert Simons has espoused four levers of control to help companies reconcile this conflict:
• A concise belief system
• A boundary system
• A diagnostic control system
• An interactive control system
• A concise belief system:
– Communicates company core values to employees and inspires them to live by those values.
– Draws attention to how the organization creates value.
– Helps employees understand management’s intended direction.
– Must be broad enough to appeal to all levels.
• A boundary system:
– Helps employees act ethically by setting limits beyond which they must not pass.
– Does not create rules and standard operating procedures that can stifle creativity.
– Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as:
• Meeting minimum standards of performance
• Shunning off-limits activities
• Avoiding actions that could damage the company’s reputation.
• A diagnostic control system:
– Ensures efficient and effective achievement of important controls.
– Measures company progress by comparing actual to planned performance.
– Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.
– Provides feedback to enable management to adjust and fine-tune.
• An interactive control system:
– Helps top-level managers with high-level activities that demand frequent and regular attention. Examples:
• Developing company strategy.
• Setting company objectives.
• Understanding and assessing threats and risks.
• Monitoring changes in competitive conditions and emerging technologies.
• Developing responses and action plans to proactively deal with these high-level issues.
– Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.
– Data from this system are best interpreted and discussed in face-to-face meetings.
CONTROL FRAMEWORKS
• COBIT framework
– Also known as the Control Objectives for
Information and Related Technology
framework.
– Developed by the Information Systems Audit
and Control Foundation (ISACF).
– A framework of generally applicable
information systems security and control
practices for IT control.
CONTROL FRAMEWORKS
• The framework addresses the issue of control from three vantage points or dimensions:
– Business objectives
• To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.”
• The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
– Effectiveness (relevant, pertinent, and timely)
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance with legal requirements
– Reliability
CONTROL FRAMEWORKS
• COSO developed a model to illustrate the elements of ERM.
CONTROL FRAMEWORKS
• Columns at the top represent the four types of objectives that management must meet to achieve company goals.
– Strategic objectives
– Operations objectives
– Reporting objectives
– Compliance objectives
• Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
– Improve decision-making and monitor company activities and performance more efficiently.
• Compliance objectives help the company comply with applicable laws and regulations.
– External parties often set the compliance rules.
– Companies in the same industry often have similar concerns in this area.
CONTROL FRAMEWORKS
• ERM can provide reasonable
assurance that reporting and
compliance objectives will be
achieved because companies
have control over them.
• However, strategic and
operations objectives are
sometimes at the mercy of
external events that the
company can’t control.
• Therefore, in these areas, the
only reasonable assurance the
ERM can provide is that
management and directors are
informed on a timely basis of the
progress the company is making
in achieving them.
CONTROL FRAMEWORKS
• Columns on the
right represent the
company’s units:
– Entire company
– Division
– Business unit
– Subsidiary
CONTROL FRAMEWORKS
• The horizontal rows are eight related risk and control components, including:
– Internal environment
– Objective setting
– Event identification
– Risk assessment
– Risk response
– Control activities
– Information and communication
• Risk response:
– Management aligns identified risks with the company’s tolerance for risk by choosing to:
• Avoid
• Reduce
• Share
• Accept
– Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and the costs and benefits of alternative responses.
• Control activities:
– To implement management’s risk responses, policies and procedures are established and implemented throughout the various levels and functions of the organization.
– Corresponds to the control activities element in the COSO internal control framework.
• Information and communication:
– Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.
– Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.
– Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.
– Has a corresponding element in the COSO internal control framework.
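The risk-response step described above (choose among avoid, reduce, share and accept by weighing each risk's likelihood, its impact and the cost/benefit of every alternative, taking an entity-wide view) can be made concrete with a small quantitative model. The Python below is an added example, not code from the textbook or its authors. It assumes the usual model of expected loss = likelihood × impact and net benefit = reduction in expected loss minus the response's cost, and every figure in it (the ransomware and vendor-fraud risks, their probabilities, costs and the tolerance levels) is a constructed sample value.

```python
"""Risk-response selection under a simple expected-loss model.

Added illustration, not from the Romney/Steinbart text.  The ERM "risk
response" step asks management to weigh each risk's likelihood and impact
and the cost/benefit of the alternative responses (avoid, reduce, share,
accept), taking an entity-wide view.  The model assumed here is:

    expected loss            = likelihood * impact
    net benefit of a response = (expected loss before - expected loss after) - cost

All figures below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # annual probability that the event occurs (0..1)
    impact: float      # loss if it occurs, in currency units


@dataclass(frozen=True)
class Response:
    kind: str          # "avoid", "reduce", "share" or "accept"
    cost: float        # annual cost of the response (control, premium, lost business)
    likelihood: float  # residual likelihood once the response is in place
    impact: float      # residual impact once the response is in place


def expected_loss(likelihood: float, impact: float) -> float:
    return likelihood * impact


def net_benefit(risk: Risk, response: Response) -> float:
    """Reduction in expected loss minus what the response costs."""
    before = expected_loss(risk.likelihood, risk.impact)
    after = expected_loss(response.likelihood, response.impact)
    return (before - after) - response.cost


def choose_response(risk: Risk, options: list, tolerance: float) -> Optional[Response]:
    """Pick the response with the best net benefit whose residual expected
    loss stays within the risk tolerance; None if no option gets there."""
    within = [r for r in options
              if expected_loss(r.likelihood, r.impact) <= tolerance]
    if not within:
        return None
    return max(within, key=lambda r: net_benefit(risk, r))


def portfolio_residual(plan: dict) -> float:
    """Entity-wide view: total residual expected loss over all chosen responses."""
    return sum(expected_loss(r.likelihood, r.impact)
               for r in plan.values() if r is not None)


# Constructed sample: one risk, four candidate responses (one per response type).
RANSOMWARE = Risk("ransomware on the file server", likelihood=0.10, impact=500_000)
RANSOMWARE_OPTIONS = [
    Response("accept", cost=0,      likelihood=0.10, impact=500_000),  # do nothing
    Response("reduce", cost=15_000, likelihood=0.02, impact=500_000),  # offline backups + patching
    Response("share",  cost=20_000, likelihood=0.10, impact=100_000),  # insurance with a 100k deductible
    Response("avoid",  cost=60_000, likelihood=0.0,  impact=0),        # decommission the service (lost business)
]

# A second, smaller constructed risk so the portfolio view has something to add up.
VENDOR_FRAUD = Risk("fraudulent vendor payment", likelihood=0.05, impact=200_000)
VENDOR_FRAUD_OPTIONS = [
    Response("accept", cost=0,     likelihood=0.05, impact=200_000),
    Response("reduce", cost=4_000, likelihood=0.01, impact=200_000),   # dual approval of new vendors
]


def plan_for(tolerance: float) -> dict:
    """Choose a response for every risk at the given per-risk tolerance."""
    return {
        RANSOMWARE.name: choose_response(RANSOMWARE, RANSOMWARE_OPTIONS, tolerance),
        VENDOR_FRAUD.name: choose_response(VENDOR_FRAUD, VENDOR_FRAUD_OPTIONS, tolerance),
    }


if __name__ == "__main__":
    for tol in (25_000, 5_000):
        plan = plan_for(tol)
        print(f"per-risk tolerance {tol:>7,}:")
        for name, resp in plan.items():
            print(f"  {name}: {resp.kind if resp else 'no option within tolerance'}")
        print(f"  portfolio residual expected loss: {portfolio_residual(plan):,.0f}")
```

Running it shows the point the slide makes: at a tolerance of 25,000 the best-value answer for the ransomware risk is "reduce" (net benefit 25,000, ahead of "share" at 20,000), but tightening the tolerance to 5,000 forces "avoid" even though its net benefit is negative, because tolerance is the constraint and cost/benefit only ranks the options that satisfy it. The portfolio total is what an entity-wide view compares against the company's overall appetite.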
CONTROL FRAMEWORKS
• ERM Framework vs. the Internal Control Framework
– The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
• It has too narrow a focus.
– Examining controls without first examining the purposes and risks of business processes provides little context for evaluating the results.
– This makes it difficult to know:
• Which control systems are most important.
• Whether they adequately deal with risk.
• Whether important control systems are missing.
INTERNAL ENVIRONMENT
• The most critical component
of the ERM and the internal
control framework.
• Is the foundation on which the
other seven components rest.
• Influences how organizations:
– Establish strategies and
objectives
– Structure business activities
– Identify, assess, and respond
to risk
• A deficient internal control
environment often results in
risk management and control
breakdowns.
INTERNAL ENVIRONMENT
• Public companies must have an audit
committee, composed entirely of independent,
outside directors.
– The audit committee oversees:
• The company’s internal control structure;
• Its financial reporting process; and
• Its compliance with laws, regulations, and standards.
– Works with the corporation’s external and internal
auditors.
• Hires, compensates, and oversees the auditors.
• Auditors report all critical accounting policies and practices to
the audit committee.
– Provides an independent review of management’s
actions.
INTERNAL ENVIRONMENT
• Companies can endorse integrity as a basic
operating principle by actively teaching and
requiring it.
– Management should:
• Make it clear that honest reports are more important than
favorable ones.
– Management should avoid:
• Unrealistic expectations, incentives, or temptations.
• Attitude of earnings or revenue at any price.
• Overly aggressive sales practices.
• Unfair or unethical negotiation practices.
• Implied kickback offers.
• Excessive bonuses.
• Bonus plans with upper and lower cutoffs.
INTERNAL ENVIRONMENT
• Management should require employees to report
dishonest, illegal, or unethical behavior and discipline
employees who knowingly fail to report.
– Reports of dishonest acts should be thoroughly investigated.
– Those found guilty should be dismissed.
– Prosecution should be undertaken when possible, so that other
employees are clear about consequences.
• Companies must make a commitment to competence.
– Begins with having competent employees.
– Varies with each job but is a function of knowledge, experience,
training, and skills.
INTERNAL ENVIRONMENT
• Organizational structure
– A company’s organizational structure defines
its lines of authority, responsibility, and
reporting.
• Provides the overall framework for planning,
directing, executing, controlling, and monitoring its
operations.
INTERNAL ENVIRONMENT
• Methods of assigning authority and
responsibility
– Management should make sure:
• Employees understand the entity’s objectives.
• Authority and responsibility for business objectives are
assigned to specific departments and individuals.
– Ownership of responsibility encourages employees to
take initiative in solving problems and holds them
accountable for achieving objectives.
– Management:
• Must be sure to identify who is responsible for the IS security
policy.
• Should monitor results so decisions can be reviewed and, if
necessary, overruled.
INTERNAL ENVIRONMENT
• Authority and responsibility are assigned through:
– Formal job descriptions
– Employee training
– Operating plans, schedules, and budgets
– Codes of conduct that define ethical behavior, acceptable
practices, regulatory requirements, and conflicts of interest
– Written policies and procedures manuals (a good job reference
and job training tool) which cover:
• Proper business practices
• Knowledge and experience needed by key personnel
• Resources provided to carry out duties
• Policies and procedures for handling particular transactions
• The organization’s chart of accounts
• Sample copies of forms and documents
INTERNAL ENVIRONMENT
• Hiring
– Should be based on educational background,
relevant work experience, past achievements,
honesty and integrity, and how well
candidates meet written job requirements.
– Employees should undergo a formal, in-depth
employment interview.
– Resumes, reference letters, and thorough
background checks are critical.
INTERNAL ENVIRONMENT
• Sometimes professional firms are hired to do the
background checks because applicants are
becoming more aggressive in their deceptions.
– Some get phony degrees from online “diploma mills.”
• A Pennsylvania district attorney recently filed suit against a
Texas “university” for issuing an MBA to the DA’s 6-year-old
black cat.
– Others actually hack (or hire someone to hack) into
the systems of universities to create or alter
transcripts and other academic data.
• No employee should be exempted from
background checks. Anyone from the custodian
to the company president is capable of
committing fraud, sabotage, etc.
• Compensating
– Employees should be paid a fair and
competitive wage.
– Poorly compensated employees are more
likely to feel the resentment and financial
pressures that lead to fraud.
– Appropriate incentives can motivate and
reinforce outstanding performance.
• Policies on training
– Training programs should familiarize new employees
with:
• Their responsibilities.
• Expected performance and behavior.
• Company policies, procedures, history, culture, and operating
style.
– Training needs to be ongoing, not just one time.
– Companies that shortchange training are more likely
to experience security breaches and fraud.
• Discharging
– Fired employees are disgruntled employees.
– Disgruntled employees are more likely to
commit sabotage or fraud against the
company.
– Employees who are terminated (whether
voluntarily or involuntarily) should be removed
from sensitive jobs immediately and denied
access to information systems.
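An added example (not from the slides) of the discharge control turned into a detective check, in Python: reconcile an HR termination feed against a directory export and an authentication log, and flag accounts that are still enabled, were disabled late, or were used after the termination date. The feed format, field names and every record are constructed sample data.

```python
"""Reconcile an HR termination feed against the identity directory.

Added example, not from the Romney/Steinbart slides. It turns the
"Discharging" control into a detective check: every account of a
terminated employee must be disabled no later than the termination date,
and a successful sign-in after that date is an incident to investigate.
All records, field names and the log format are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Iterator, List


@dataclass(frozen=True)
class Finding:
    employee_id: str
    account: str
    issue: str      # still_enabled | late_disable | login_after_termination
    detail: str


# Constructed HR feed: employee id -> termination date (voluntary or involuntary)
HR_TERMINATIONS = {
    "E1001": date(2024, 3, 15),
    "E1002": date(2024, 3, 29),
}

# Constructed directory export, one row per account (a person may hold several)
DIRECTORY = [
    {"employee_id": "E1001", "account": "jdoe",       "enabled": False, "disabled_on": date(2024, 3, 15)},
    {"employee_id": "E1002", "account": "asmith",     "enabled": True,  "disabled_on": None},
    {"employee_id": "E1002", "account": "asmith-adm", "enabled": False, "disabled_on": date(2024, 4, 2)},
    {"employee_id": "E1003", "account": "bwong",      "enabled": True,  "disabled_on": None},  # still employed
]

# Constructed authentication log, one event per line: "<ISO timestamp> <account> <result>"
AUTH_LOG = """\
2024-03-14T17:55:02 jdoe SUCCESS
2024-03-16T08:10:44 jdoe FAILURE
2024-03-30T09:01:13 asmith SUCCESS
2024-04-01T22:15:09 asmith-adm SUCCESS
2024-04-03T10:00:00 bwong SUCCESS
"""


def parse_auth_log(text: str) -> Iterator[tuple]:
    """Yield (timestamp, account, result) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, account, result = line.split()
            yield datetime.fromisoformat(ts), account, result


def reconcile(terminations: dict, directory: list, auth_log: str, as_of: date) -> List[Finding]:
    """Return one Finding per control failure.

    Rule 1: an account of a terminated employee must be disabled (still_enabled)
            and must have been disabled by the termination date (late_disable).
    Rule 2: no successful sign-in on such an account after the termination date.
    """
    findings: List[Finding] = []
    owner: dict = {}          # account -> employee id, terminated employees only
    term_date: dict = {}      # account -> termination date
    for row in directory:
        term = terminations.get(row["employee_id"])
        if term is None:
            continue          # current employee: out of scope for this check
        owner[row["account"]] = row["employee_id"]
        term_date[row["account"]] = term
        if row["enabled"]:
            days = (as_of - term).days
            findings.append(Finding(row["employee_id"], row["account"], "still_enabled",
                                    f"enabled {days} day(s) after termination"))
        elif row["disabled_on"] is not None and row["disabled_on"] > term:
            lag = (row["disabled_on"] - term).days
            findings.append(Finding(row["employee_id"], row["account"], "late_disable",
                                    f"disabled {lag} day(s) late"))
    # A late disable is not harmless: the sign-in on asmith-adm below lands in the gap.
    for ts, account, result in parse_auth_log(auth_log):
        term = term_date.get(account)
        if term is not None and result == "SUCCESS" and ts.date() > term:
            findings.append(Finding(owner[account], account, "login_after_termination",
                                    f"successful sign-in at {ts.isoformat()}"))
    return findings


def run_sample(as_of: date = date(2024, 4, 5)) -> List[Finding]:
    """Run the check over the constructed data as of a given review date."""
    return reconcile(HR_TERMINATIONS, DIRECTORY, AUTH_LOG, as_of)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.issue:<24} {f.employee_id} {f.account:<12} {f.detail}")
```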
• External influences
– External influences that affect the control
environment include requirements imposed
by:
• FASB
• PCAOB
• SEC
• Insurance commissions
• Regulatory agencies for banks, utilities, etc.
OBJECTIVE SETTING
• Objective setting is the
second ERM
component.
• It must precede many
of the other six
components.
• For example, you must set objectives before you can define events that affect your ability to achieve objectives.
• As a rule of thumb:
– The mission and strategic objectives are
stable.
– The strategy and other objectives are more
dynamic:
• Must be adapted to changing conditions.
• Must be realigned with strategic objectives.
• Operations objectives:
– Are a product of management preferences,
judgments, and style.
– Vary significantly among entities:
• One may adopt technology; another waits until the
bugs are worked out.
– Are influenced by and must be relevant to the
industry, economic conditions, and
competitive pressures.
– Give clear direction for resource allocation—a
key success factor.
EVENT IDENTIFICATION
• Events are:
– Incidents or occurrences that emanate from internal or external sources and that affect implementation of strategy or achievement of objectives.
– Impact can be positive, negative, or both.
– Events can range from obvious to obscure.
– Effects can range from inconsequential to highly significant.
• Some of these factors include:
– External factors:
  • Economic factors
    – Availability of capital; lower or higher costs of capital
    – Lower barriers to entry, resulting in new competition
    – Price movements up or down
    – Ability to issue credit and possibility of default
    – Concentration of competitors, customers, or vendors
    – Presence or absence of liquidity
    – Movements in the financial markets or currency fluctuations
    – Rising or lowering unemployment rates
    – Mergers or acquisitions
    – Potential regulatory, contractual, or criminal legal liability
  • Natural environment
  • Political factors
  • Social factors
    – Changing demographics, social mores, family structures, and work/life priorities
    – Consumer behavior that changes demand for products and services or creates new buying opportunities
    – Corporate citizenship
    – Privacy
    – Terrorism
    – Human resource issues causing production shortages or stoppages
  • Technological factors
    – New e-business technologies that lower infrastructure costs or increase demand for IT-based services
    – Emerging technology
    – Increased or decreased availability of data
    – Interruptions or down time caused by external parties
RISK ASSESSMENT AND RISK RESPONSE
• The fourth and fifth components of COSO’s ERM model are risk assessment and risk response.
• COSO indicates there are two types of risk:
– Inherent risk
– Residual risk: the risk that remains after management implements internal controls or some other form of response to risk.
• Companies should:
– Assess inherent risk
– Develop a response
– Then assess residual risk
• The ERM model indicates four ways to respond to risk:
– Reduce it: the most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.
– Accept it: don’t act to prevent or mitigate it.
– Share it: transfer some of it to others via activities such as insurance, outsourcing, or hedging.
– Avoid it: don’t engage in the activity that produces it. May require sale of a division, exiting a product line, or canceling an expansion plan.
• Accountants:
– Help management design effective controls to
reduce inherent risk.
– Evaluate internal control systems to ensure
they are operating effectively.
– Assess and reduce inherent risk using the risk
assessment and response strategy.
RISK ASSESSMENT AND RISK RESPONSE
[Figure: risk assessment and risk response flowchart, read top to bottom]
– Identify the events or threats that confront the company
– Estimate the likelihood or probability of each event occurring
– Estimate the impact of potential loss from each threat
– Identify set of controls to guard against threat
– Estimate costs and benefits from instituting controls
– Is it cost-beneficial to protect the system? No: avoid, share, or accept risk. Yes: reduce risk by implementing set of controls to guard against threat.
• Estimate likelihood and impact
– Some events pose more risk because they are more probable than others.
– Some events pose more risk because their dollar impact would be more significant.
– Likelihood and impact must be considered together:
  • If either increases, the materiality of the event and the need to protect against it rises.
• All other factors equal:
– A preventive control is better than a detective one.
– However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
– Consequently, the three complement each other, and a good internal control system should have all three.
– Similarly, a company should use all four levers of control.
• Estimate costs and benefits
– It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
– Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.
• The benefits of an internal control procedure must exceed its costs.
• Benefits can be hard to quantify, but include:
– Increased sales and productivity
– Reduced losses
– Better integration with customers and suppliers
– Increased customer loyalty
– Competitive advantages
• Costs are usually easier to measure than benefits.
• Primary cost is personnel, including:
– Time to perform control procedures
– Costs of hiring additional employees to effectively segregate duties
– Costs of programming controls into a system
• Other costs of a poor control system include:
– Lost sales
– Lower productivity
– Drop in stock price if security problems arise
– Shareholder or regulator lawsuits
– Fines and penalties imposed by governmental agencies
• The expected loss related to a risk is measured as:
– Expected loss = impact x likelihood
• Determine cost-benefit effectiveness
– After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the change?
• In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation.
– If an event threatens an organization’s existence, it may be worthwhile to institute controls even if costs exceed expected benefits.
– The additional cost can be viewed as a catastrophic loss insurance premium.
• Let’s go through an example:
– Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
– A catastrophic theft could result in losses of $800,000.
– Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
– Companies with motion detectors only have about a .5% probability of catastrophic theft.
– The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.
– Should Hobby Hole install the motion detectors?
• Expected loss without control procedure = $800,000 x .12 = $96,000.
• Expected loss with control procedure = $800,000 x .005 = $4,000.
• Estimated value of control procedure = $96,000 - $4,000 = $92,000.
• Estimated cost of control procedure = $43,000 (given).
• Benefits exceed costs by $92,000 - $43,000 = $49,000.
• In this case, Hobby Hole should probably install the motion detectors.
• Implement the control or avoid, share, or accept the risk
– When controls are cost effective, they should be implemented so risk can be reduced.
• Risks that are not reduced must be accepted, shared, or avoided.
– If the risk is within the company’s risk tolerance, they will typically accept the risk.
– A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
– An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
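The expected-loss calculation and the choice among the four ERM responses, carried through in Python as an added example (not the slides’ own code). The Hobby Hole figures come from the example above; the risk-tolerance threshold, the price of sharing the risk, and the "threatens existence" flag are assumptions added to exercise the caveats in the text.

```python
"""Expected-loss cost-benefit test and ERM risk response selection.

Added example, not code from the Romney/Steinbart slides. It applies the
slide formula (expected loss = impact x likelihood) to the Hobby Hole
numbers and then chooses one of the four ERM responses. The risk-tolerance
threshold, the price of sharing the risk, and the "threatens existence"
flag are assumptions added to exercise the caveats in the text.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float       # dollar loss if the event occurs
    likelihood: float   # probability the event occurs in the period (0..1)


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                              # present value of buying and running it
    residual_likelihood: float               # likelihood once the control is in place
    residual_impact: Optional[float] = None  # None: the control only changes likelihood


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood, the measure used on the slides."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    if impact < 0:
        raise ValueError("impact is a loss and cannot be negative")
    return impact * likelihood


def evaluate_control(risk: Risk, control: Control) -> dict:
    """Carry the slide steps through: loss without, loss with, value, net benefit."""
    loss_without = expected_loss(risk.impact, risk.likelihood)
    impact_with = risk.impact if control.residual_impact is None else control.residual_impact
    loss_with = expected_loss(impact_with, control.residual_likelihood)
    value = loss_without - loss_with          # reduction in expected loss
    return {
        "loss_without": loss_without,
        "loss_with": loss_with,
        "value": value,
        "cost": control.cost,
        "net_benefit": value - control.cost,  # > 0 means the control is cost-beneficial
    }


def choose_response(risk: Risk, control: Control, tolerance: float,
                    share_cost: Optional[float] = None,
                    threatens_existence: bool = False) -> str:
    """Select reduce / accept / share / avoid following the slide flowchart.

    reduce : the control is cost-beneficial, or (assumed reading of the text)
             the event threatens the organization's existence, so the extra
             cost is treated as a catastrophic-loss insurance premium
    accept : the inherent expected loss is already within risk tolerance
    share  : a transfer (insurance, outsourcing, hedging) priced at
             `share_cost` is within tolerance (assumption)
    avoid  : nothing cost-effective brings the risk into tolerance
    """
    result = evaluate_control(risk, control)
    if result["net_benefit"] > 0 or threatens_existence:
        return "reduce"
    if result["loss_without"] <= tolerance:
        return "accept"
    if share_cost is not None and share_cost <= tolerance:
        return "share"
    return "avoid"


# The Hobby Hole figures from the slides.
HOBBY_HOLE = Risk("catastrophic warehouse theft", impact=800_000, likelihood=0.12)
MOTION_DETECTORS = Control("motion detector system", cost=43_000, residual_likelihood=0.005)
ASSUMED_TOLERANCE = 10_000   # assumption: the largest expected loss Hobby Hole will carry


def hobby_hole() -> dict:
    """Reproduce the slide arithmetic: 96,000 - 4,000 = 92,000 value, 49,000 net."""
    result = evaluate_control(HOBBY_HOLE, MOTION_DETECTORS)
    result["response"] = choose_response(HOBBY_HOLE, MOTION_DETECTORS, ASSUMED_TOLERANCE)
    return result


if __name__ == "__main__":
    for key, value in hobby_hole().items():
        print(f"{key}: {value}")
```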
CONTROL ACTIVITIES
• The sixth component of
COSO’s ERM model.
• Control activities are
policies, procedures,
and rules that provide
reasonable assurance
that management’s
control objectives are
met and their risk
responses are carried
out.
• Segregation of duties
– Good internal control requires that no single
employee be given too much responsibility
over business transactions or processes.
– An employee should not be in a position to
commit and conceal fraud or unintentional
errors.
– Segregation of duties is discussed in two
sections:
• Segregation of accounting duties
• Segregation of duties within the systems function
[Figure: segregation of accounting duties, three function groups separated by three fences]
CUSTODIAL FUNCTIONS
• Handling cash
• Handling inventories, tools, or fixed assets
• Writing checks
• Receiving checks in mail
RECORDING FUNCTIONS
• Preparing source documents
• Maintaining journals, ledgers, or other files
• Preparing reconciliations
• Preparing performance reports
AUTHORIZATION FUNCTIONS
• Authorization of transactions
• EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft.
• SOLUTION: The pink fence (segregation of custody and recording) prevents employees from falsifying records to conceal theft of assets entrusted to them.
• EXAMPLE OF PROBLEM: A person who has custody of checks for transactions that he has authorized can authorize fictitious transactions and then steal the payments.
• SOLUTION: The green fence (segregation of custody and authorization) prevents employees from authorizing fictitious or inaccurate transactions as a means of concealing a theft.
• EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep records related to the transactions can authorize and record fictitious payments that might, for example, be sent to the employee’s home address or the address of a shell company he creates.
• SOLUTION: The purple fence (segregation of recording and authorization) prevents employees from falsifying records to cover up inaccurate or false transactions that were inappropriately authorized.
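The three fences above, turned into an automated review as an added example (not the slides’ own code): given a role export, flag every user whose permissions span two of the custodial, recording and authorization functions, and name the fence crossed. The permission names, the mapping of permissions to functions, and the user assignments are constructed.

```python
"""Segregation-of-duties conflict check over a role assignment export.

Added example; not code from the Romney/Steinbart slides. It encodes the
three accounting function groups from the figure (custodial, recording,
authorization) and flags any user who holds duties on both sides of one
of the three fences. The permission names, the permission-to-function
mapping and the user assignments are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

# Function groups from the slide figure.
CUSTODIAL = "custodial"
RECORDING = "recording"
AUTHORIZATION = "authorization"

# Constructed mapping: permission name -> the accounting function it exercises.
PERMISSION_FUNCTION = {
    "cash.handle":            CUSTODIAL,
    "inventory.handle":       CUSTODIAL,
    "checks.write":           CUSTODIAL,
    "checks.receive":         CUSTODIAL,
    "source_docs.prepare":    RECORDING,
    "ledger.post":            RECORDING,
    "reconciliation.prepare": RECORDING,
    "perf_report.prepare":    RECORDING,
    "transaction.approve":    AUTHORIZATION,
}

# The three fences in the figure, each with the fraud it is meant to block.
FENCES = {
    frozenset({CUSTODIAL, RECORDING}):
        "pink fence: could steal assets and falsify records to conceal the theft",
    frozenset({CUSTODIAL, AUTHORIZATION}):
        "green fence: could authorize fictitious transactions and steal the payments",
    frozenset({RECORDING, AUTHORIZATION}):
        "purple fence: could authorize fictitious payments and record them to cover up",
}


def functions_held(permissions, mapping=PERMISSION_FUNCTION):
    """Map a user's permissions to the set of accounting functions exercised.

    An unmapped permission raises, so a permission nobody has classified
    cannot silently pass the review.
    """
    funcs = set()
    for perm in permissions:
        if perm not in mapping:
            raise KeyError(f"permission {perm!r} has no function mapping")
        funcs.add(mapping[perm])
    return funcs


def sod_violations(assignments, mapping=PERMISSION_FUNCTION):
    """Return {user: [reason, ...]} for every user crossing at least one fence.

    `assignments` is an iterable of (user, permission) pairs, e.g. rows of a
    role export. A user holding all three functions crosses all three fences.
    """
    by_user = defaultdict(set)
    for user, perm in assignments:
        by_user[user].add(perm)
    violations = {}
    for user, perms in sorted(by_user.items()):
        funcs = functions_held(perms, mapping)
        reasons = [FENCES[frozenset(pair)]
                   for pair in combinations(sorted(funcs), 2)
                   if frozenset(pair) in FENCES]
        if reasons:
            violations[user] = reasons
    return violations


# Constructed role export.
SAMPLE_ASSIGNMENTS = [
    ("cashier",    "cash.handle"),
    ("cashier",    "checks.receive"),
    ("bookkeeper", "ledger.post"),
    ("bookkeeper", "reconciliation.prepare"),
    ("manager",    "transaction.approve"),
    ("clerk",      "checks.receive"),
    ("clerk",      "ledger.post"),           # custody + recording: pink fence
    ("ap_lead",    "transaction.approve"),
    ("ap_lead",    "checks.write"),          # authorization + custody: green fence
]


if __name__ == "__main__":
    for user, reasons in sod_violations(SAMPLE_ASSIGNMENTS).items():
        for reason in reasons:
            print(f"{user}: {reason}")
```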
CONTROL ACTIVITIES
• Project development and acquisition controls
– It’s important to have a formal, appropriate, and proven
methodology to govern the development, acquisition,
implementation, and maintenance of information systems and
related technologies.
• Should contain appropriate controls for:
– Management review and approval
– User involvement
– Analysis
– Design
– Testing
– Implementation
– Conversion
• Should make it possible for management to trace information
inputs from source to disposition and vice versa (the audit
trail).
• The following basic principles of control should be applied to systems
development in order to reduce the potential for cost overruns and
project failure and to improve the efficiency and effectiveness of the IS:
– Strategic master plan
• A multi-year strategic plan should align the organization’s information
system with its business strategies and show the projects that must be
completed to achieve the long-range goals.
• Should address hardware, software, personnel, and infrastructure
requirements.
• Each year, the board and top management should prepare and approve the
plan and its supporting budget.
• Should be evaluated several times a year to ensure the organization can
acquire needed components and maintain existing ones.
• The following basic principles of control should be applied to systems
development in order to reduce the potential for cost overruns and
project failure and to improve the efficiency and effectiveness of the IS:
– Strategic master plan
– Project controls
• A project development plan shows how a project will be completed,
including:
– Modules or tasks to be performed
– Who will perform them
– Anticipated completion dates
– Project costs
• Project milestones should be specified—points when progress is reviewed
and actual completion times are compared to estimates.
• Each project should be assigned to a manager and team who are
responsible for its success or failure.
• At project completion, a project evaluation of the team members should
be performed.
• The following basic principles of control should be applied to systems
development in order to reduce the potential for cost overruns and
project failure and to improve the efficiency and effectiveness of the IS:
– Strategic master plan
– Project controls
– Data processing schedule
– Steering committee
– System performance measurements
• To be evaluated properly, a system should be assessed with measures
such as:
– Throughput (output per unit of time)
– Utilization (percent of time it is used productively)
– Response time (how long it takes to respond)
• When using systems integrators, companies should adhere to the same
basic rules used for project management of internal projects. In
addition, they should:
– Develop clear specifications
• Before third parties bid, provide clear specifications, including:
– Exact descriptions and definitions of the system
– Explicit deadlines
– Precise acceptance criteria
• Although it’s expensive to develop these specifications, it will save
money in the end.
• When using systems integrators, companies should adhere to the same
basic rules used for project management of internal projects. In
addition, they should:
– Develop clear specifications
– Monitor the systems integration project
• A sponsors committee should monitor third-party development projects.
– Established by the CIO and chaired by the project’s internal champion.
– Should include department managers from all units that will use the
system.
– Should establish formal procedures for measuring and reporting project
status.
– Best approach is to:
• Divide project into manageable tasks.
• Assign responsibility for each task.
• Meet on a regular basis (at least monthly) to review progress and
assess quality.
• Insiders also create less-intentional threats to
systems, including:
– Accidentally deleting company data.
– Turning viruses loose.
– Trying to fix hardware or software without appropriate
expertise (i.e., when in doubt, unplug it).
• These actions can result in crashed networks,
corrupt data, and hardware and software
malfunctions.
• Companies also face significant risks from
customers and vendors that have access to
company data.
INFORMATION AND COMMUNICATION
MONITORING
• The eighth component of COSO’s ERM model.
• Monitoring can be accomplished with a series of ongoing events or by
separate evaluations.
• Key methods of monitoring performance include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer, a Chief
Compliance Officer, and security consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
• Companies that monitor system activities need to ensure
they do not violate employee privacy rights.
• Employers cannot discreetly observe communications of
employees when those employees have a “reasonable
expectation of privacy.”
• Employers must therefore ensure that employees realize
their business communications are not “private.” One
way to accomplish that objective is to have written
policies that employees agree to in writing which
indicate:
– The technology employees use on the job belongs to the
company.
– Emails received on company computers are not private and can
be read by supervisory personnel.
– Employees should not use technology in any way to contribute to
a hostile work environment.
• Most forensic accountants are CPAs and may
have received special training with the FBI, CIA,
or other law enforcement agencies.
– In particular demand are those with the necessary
computer skills to ferret out and combat fraudsters
who use sophisticated technology to perpetrate their
crimes.
– The Association of Certified Fraud Examiners (ACFE)
has created a professional certification program for
fraud examiners.
• Install fraud detection software
– People who commit fraud tend to follow certain patterns and
leave behind clues.
– Software has been developed to seek out these fraud symptoms.
– Some companies employ neural networks (programs that
mimic the brain and have learning capabilities), which are very
accurate in identifying suspected fraud.
– For example, if a husband and wife were each using the same
credit card in two different stores at the same time, a neural
network would probably flag at least one of the transactions
immediately as suspicious.
– These networks and other recent advances in fraud detection
software are significantly reducing the incidences of credit card
fraud.
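The simultaneous-use symptom described above, implemented as a plain rule-based check rather than a neural network. This is an added example, not code from the textbook; the transaction records and field names are constructed here, and a card used at two different merchants within a short window is treated as the fraud symptom to flag.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    card: str        # card identifier (constructed sample values below)
    merchant: str
    city: str
    ts: datetime     # authorization timestamp


# Constructed sample feed (assumed format, not real data). Card C-1001 is
# the "husband and wife" case: two different stores one minute apart.
SAMPLE = [
    Transaction("t1", "C-1001", "Grocer A", "Boise", datetime(2008, 3, 1, 12, 0)),
    Transaction("t2", "C-1001", "Hardware B", "Boise", datetime(2008, 3, 1, 12, 1)),
    # Same card, same merchant, two minutes apart: a legitimate repeat purchase.
    Transaction("t3", "C-2002", "Cafe C", "Denver", datetime(2008, 3, 1, 9, 0)),
    Transaction("t4", "C-2002", "Cafe C", "Denver", datetime(2008, 3, 1, 9, 2)),
    # Same card, different stores, four hours apart: outside the window.
    Transaction("t5", "C-3003", "Shop D", "Austin", datetime(2008, 3, 1, 10, 0)),
    Transaction("t6", "C-3003", "Shop E", "Austin", datetime(2008, 3, 1, 14, 0)),
]


def flag_simultaneous_use(txns, window=timedelta(minutes=5)):
    """Return (txn_id_a, txn_id_b) pairs where one card was used at two
    different merchants within `window` of each other.

    A single physical card cannot normally be presented at two stores at
    once, so each pair is a fraud symptom that a reviewer should look at.
    Repeat purchases at the same merchant are not flagged.
    """
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)

    flagged = []
    for items in by_card.values():
        items.sort(key=lambda t: t.ts)
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b.ts - a.ts > window:
                    break  # later items are even further from `a`
                if a.merchant != b.merchant:
                    flagged.append((a.txn_id, b.txn_id))
    return flagged


def suspicious_cards(txns, window=timedelta(minutes=5)):
    """Cards with at least one flagged pair, for case-management follow-up."""
    ids = {tid for pair in flag_simultaneous_use(txns, window) for tid in pair}
    return sorted({t.card for t in txns if t.txn_id in ids})


if __name__ == "__main__":
    for a, b in flag_simultaneous_use(SAMPLE):
        print(f"review: {a} and {b} used the same card at two stores")
    print("cards to review:", suspicious_cards(SAMPLE))
```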
• Outsourcing is available through a number of third parties and offers
several benefits, including:
– Increased confidence on the part of the employee that his/her report is
truly anonymous.
– 24/7 availability.
– Multilingual capabilities are often available—an important plus for
multinational organizations.
– The outsourcer may be able to follow up with the employee if additional
information is needed after the initial contact.
– The employee can be advised of the outcome of his/her report.
– Low cost.
SUMMARY
• In this chapter, you’ve learned about basic internal control
concepts and why computer control and security are so
important.
• You’ve learned about the similarities and differences between
the COBIT, COSO, and ERM control frameworks.
• You’ve learned about the major elements in the internal
control environment of a company and the four types of
control objectives that companies need to set.
• You’ve also learned about events that affect uncertainty and
how these events can be identified.
• You’ve explored how the Enterprise Risk Management model
is used to assess and respond to risk, as well as the control
activities that are commonly used in companies.
• Finally, you’ve learned how organizations communicate
information and monitor control processes.