INTRODUCTION

• Questions to be addressed in this chapter:
  – What are the basic internal control concepts, and why are computer control and security important?
  – What is the difference between the COBIT, COSO, and ERM control frameworks?
  – What are the major elements in the internal environment of a company?
  – What are the four types of control objectives that companies need to set?
  – What events affect uncertainty, and how can they be identified?
  – How is the Enterprise Risk Management model used to assess and respond to risk?
  – What control activities are commonly used in companies?
  – How do organizations communicate information and monitor control processes?

• Control risks have increased in the last few years because:
  – There are computers and servers everywhere, and information is available to an unprecedented number of workers.
  – Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
  – Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.

• Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
  – Computer control problems are often underestimated and downplayed.
  – The control implications of moving from centralized, host-based computer systems to networked or Internet-based systems are not always fully understood.
  – Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
  – Productivity and cost pressures may motivate management to forego time-consuming control measures.

• Some vocabulary terms for this chapter:
  – A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
  – The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
  – The likelihood is the probability that the threat will occur.

• Companies are now recognizing the problems and taking positive steps to achieve better control, including:
  – Devoting full-time staff to security and control concerns.
  – Educating employees about control measures.
  – Establishing and enforcing formal information security policies.
  – Making controls a part of the applications development process.
  – Moving sensitive data to more secure environments.

• To use IT in achieving control objectives, accountants must:
  – Understand how to protect systems from threats.
  – Have a good understanding of IT and its capabilities and risks.
• Achieving adequate security and control over the information resources of an organization should be a top management priority.

• Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
  – Computer processing may reduce clerical errors but increase the risk of unauthorized access to or modification of data files.
  – Segregation of duties must be achieved differently in an AIS.
  – Computers provide opportunities to enhance some internal controls.

• One of the primary objectives of an AIS is to control a business organization.
  – Accountants must help by designing effective control systems and by auditing or reviewing control systems already in place to ensure their effectiveness.
• Management expects accountants to be control consultants by:
  – Taking a proactive approach to eliminating system threats; and
  – Detecting, correcting, and recovering from threats when they do occur.

• It is much easier to build controls into a system during the initial stage than to add them after the fact.
• Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

OVERVIEW OF CONTROL CONCEPTS

• In today's dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
  – Hire creative and innovative employees.
  – Give these employees the power and flexibility to:
    • Satisfy changing customer demands;
    • Pursue new opportunities to add value to the organization; and
    • Implement process improvements.
• At the same time, the company needs control systems so that it is not exposed to excessive risks or to behaviors that could harm its reputation for honesty and integrity.

• Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
  – Assets (including data) are safeguarded.
  – Records are maintained in sufficient detail to accurately and fairly reflect company assets.
  – Accurate and reliable information is provided.
  – There is reasonable assurance that financial reports are prepared in accordance with GAAP.
  – Operational efficiency is promoted and improved.
  – Adherence to prescribed managerial policies is encouraged.
  – The organization complies with applicable laws and regulations.

• Internal control is a process because:
  – It permeates an organization's operating activities.
  – It is an integral part of basic management activities.
• Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

• Internal control systems have inherent limitations, including:
  – They are susceptible to errors and poor decisions.
  – They can be overridden by management or by collusion of two or more employees.
• Internal control objectives are often at odds with each other.
  – EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

• Internal controls perform three important functions:
  – Preventive controls
    • Deter problems before they arise.
  – Detective controls
    • Discover problems quickly when they do arise.
  – Corrective controls. They:
    • Identify the cause of a problem;
    • Correct the resulting errors; and
    • Modify the system to prevent future problems.

• Internal controls are often classified as:
  – General controls
    • Designed to make sure an organization's control environment is stable and well managed.
    • They apply to all sizes and types of systems.
  – Application controls
    • Prevent, detect, and correct transaction errors and fraud.
    • Concerned with the accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

• An effective system of internal controls should exist in all organizations to:
  – Help them achieve their missions and goals.
  – Minimize surprises.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.
• The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.
• A significant effect was to require that corporations maintain good systems of internal accounting control.
  – This generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.
  – The resulting internal control improvements weren't sufficient.

• In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.
  – The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act (aka SOX).
• SOX applies to publicly held companies and their auditors.

• The intent of SOX is to:
  – Prevent financial statement fraud
  – Make financial reports more transparent
  – Protect investors
  – Strengthen internal controls in publicly held companies
  – Punish executives who perpetrate fraud
• SOX has had a material impact on the way boards of directors, management, and accountants operate.

• Important aspects of SOX include:
  – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
  – New rules for auditors
  – New rules for audit committees
  – New rules for management

• After the passage of SOX, the SEC further mandated that:
  – Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
  – The report must contain a statement identifying the framework used.
  – Management must disclose any and all material internal control weaknesses.
  – Management cannot conclude that the company has effective internal control if there are any material weaknesses.

• Levers of control
  – Many people feel there is a basic conflict between creativity and controls.
  – Robert Simons has espoused four levers of control to help companies reconcile this conflict:
    • A concise belief system
    • A boundary system
    • A diagnostic control system
    • An interactive control system

CONTROL FRAMEWORKS

• A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
  – The COBIT framework
  – The COSO internal control framework
  – COSO's Enterprise Risk Management framework (ERM)

• COBIT framework
  – Also known as the Control Objectives for Information and Related Technology framework.
  – Developed by the Information Systems Audit and Control Foundation (ISACF).
  – A framework of generally applicable information systems security and control practices for IT control.

• The COBIT framework allows:
  – Management to benchmark security and control practices of IT environments.
  – Users of IT services to be assured that adequate security and control exists.
  – Auditors to substantiate their opinions on internal control and advise on IT security and control matters.

• The framework addresses the issue of control from three vantage points or dimensions:
  – Business objectives, for which information must meet these criteria:
    • Effectiveness
    • Efficiency
    • Confidentiality
    • Integrity
    • Availability
    • Compliance
    • Reliability
  – IT resources, which include:
    • People
    • Applications
    • Technology
    • Facilities
    • Data
  – IT processes, broken into four domains:
    • Planning and organization
    • Acquisition and implementation
    • Delivery and support
    • Monitoring

• COBIT consolidates standards from 36 different sources into a single framework.
• It is having a big impact on the IS profession.
  – Helps managers learn how to balance risk and control investment in an IS environment.
  – Provides users with greater assurance that the security and IT controls provided by internal and third parties are adequate.
  – Guides auditors as they substantiate their opinions and provide advice to management on internal controls.

• COSO's internal control framework
  – The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
    • The American Accounting Association
    • The AICPA
    • The Institute of Internal Auditors
    • The Institute of Management Accountants
    • The Financial Executives Institute

• In 1992, COSO issued the Internal Control – Integrated Framework, which:
  – Defines internal controls.
  – Provides guidance for evaluating and enhancing internal control systems.
  – Is widely accepted as the authority on internal controls.
  – Is incorporated into policies, rules, and regulations used to control business activities.

• COSO's internal control model has five crucial components:
  – Control environment
  – Control activities
  – Risk assessment
  – Information and communication
  – Monitoring

• Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so that organizations could improve the risk management process.
• Result: Enterprise Risk Management – Integrated Framework (ERM)
  – An enhanced corporate governance document.
  – Expands on elements of the preceding framework.
  – Provides a focus on the broader subject of enterprise risk management.

• The intent of ERM is to achieve all the goals of the internal control framework and help the organization:
  – Provide reasonable assurance that company objectives and goals are achieved and that problems and surprises are minimized.
  – Achieve its financial and performance targets.
  – Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.
  – Avoid adverse publicity and damage to the entity's reputation.

• ERM defines risk management as:
  – A process effected by an entity's board of directors, management, and other personnel.
  – Applied in strategy setting and across the enterprise.
  – To identify potential events that may affect the entity.
  – And manage risk to be within its risk appetite.
  – In order to provide reasonable assurance of the achievement of entity objectives.

• Basic principles behind ERM:
  – Companies are formed to create value for owners.
  – Management must decide how much uncertainty they will accept.
  – Uncertainty can result in:
    • Risk: the possibility that something will happen that adversely affects the ability to create value or erodes existing value.
    • Opportunity: the possibility that something will happen that positively affects the ability to create or preserve value.

  – The framework should help management manage uncertainty and its associated risk to build and preserve value.
  – To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.

• COSO developed a model to illustrate the elements of ERM.

• Columns at the top of the model represent the four types of objectives that management must meet to achieve company goals:
  – Strategic objectives
    • High-level goals that are aligned with and support the company's mission.
  – Operations objectives
    • Deal with the effectiveness and efficiency of company operations.
  – Reporting objectives
  – Compliance objectives

• ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.
• However, strategic and operations objectives are sometimes at the mercy of external events that the company can't control.
• Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.

• Columns on the right of the model represent the company's units:
  – Entire company
  – Division
  – Business unit
  – Subsidiary

• The horizontal rows are eight related risk and control components, including:
  – Internal environment
    • Essentially the same as the control environment in the COSO framework.
  – Objective setting
  – Event identification
    • Requires management to identify events that may affect the company's ability to implement strategy and achieve objectives.
    • Management must identify whether these events represent:
      – Risks (negative events); or
      – Opportunities (positive events).
  – Risk assessment
  – Risk response
  – Control activities
  – Information and communication
  – Monitoring

• The ERM model is three-dimensional.
• This means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.

• ERM framework vs. internal control framework
  – The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
    • It has too narrow a focus.

• These issues led to COSO's development of the ERM framework.
  – Takes a risk-based, rather than controls-based, approach to the organization.
  – Oriented toward the future and constant change.
  – Incorporates rather than replaces COSO's internal control framework and contains three additional elements:
    • Setting objectives.
    • Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.
    • Developing a response to assessed risk.

  – Controls are flexible and relevant because they are linked to current organizational objectives.
  – ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.

• Over time, ERM will probably become the most widely adopted risk and control model.
• Consequently, its eight components are the topic of the remainder of the chapter.

INTERNAL ENVIRONMENT

• The internal environment is the most critical component of the ERM and the internal control framework.
• It is the foundation on which the other seven components rest.
• It influences how organizations:
  – Establish strategies and objectives
  – Structure business activities
  – Identify, assess, and respond to risk
• A deficient internal control environment often results in risk management and control breakdowns.

• The internal environment consists of the following:
  – Management's philosophy, operating style, and risk appetite
  – The board of directors
  – Commitment to integrity, ethical values, and competence
  – Organizational structure
  – Methods of assigning authority and responsibility
  – Human resource standards
  – External influences

‡ ;  7 ) ) )    


#  8 )) 
± An organization¶s management has shared beliefs
and attitudes about risk.
± That philosophy affects everything the organization
does, long- and short-term, and affects their
communications.
± Companies also have a   ÷ ÷, which is the
amount of risk a company is willing to accept to
achieve its goals and objectives.
± That appetite needs to be in alignment with company
strategy.

|  
      

          D of 315


INTERNAL ENVIRONMENT
  – The more responsible management's philosophy and operating style, the more likely employees will behave responsibly.
  – This philosophy must be clearly communicated to all employees; it is not enough to give lip service.
  – Management must back up words with actions; if they show little concern for internal controls, then neither will employees.


INTERNAL ENVIRONMENT
  – This component can be assessed by asking questions such as:
    • Does management take undue business risks, or does it assess potential risks and rewards before acting?
    • Does management attempt to manipulate performance measures such as net income?
    • Does management pressure employees to achieve results regardless of methods, or does it demand ethical behavior?


INTERNAL ENVIRONMENT
• The board of directors
  – An active and involved board of directors plays an important role in internal control.
  – The board should:
    • Oversee management
    • Scrutinize management's plans, performance, and activities
    • Approve company strategy
    • Review financial results
    • Annually review the company's security policy
    • Interact with internal and external auditors


INTERNAL ENVIRONMENT
• Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders.
• At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.


INTERNAL ENVIRONMENT
• Public companies must have an audit committee, composed entirely of independent, outside directors.
  – The audit committee oversees:
    • The company's internal control structure;
    • Its financial reporting process; and
    • Its compliance with laws, regulations, and standards.
  – It works with the corporation's external and internal auditors.
    • It hires, compensates, and oversees the auditors.
    • Auditors report all critical accounting policies and practices to the audit committee.
  – It provides an independent review of management's actions.


INTERNAL ENVIRONMENT
• Commitment to integrity, ethical values, and competence
  – Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence.
    • Ethical standards of behavior make for good business.
    • Tone at the top is everything.
    • Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.


INTERNAL ENVIRONMENT
• Companies can endorse integrity as a basic operating principle by actively teaching and requiring it.
  – Management should:
    • Make it clear that honest reports are more important than favorable ones.
  – Management should avoid:
    • Unrealistic expectations, incentives, or temptations.
    • An attitude of earnings or revenue at any price.
    • Overly aggressive sales practices.
    • Unfair or unethical negotiation practices.
    • Implied kickback offers.
    • Excessive bonuses.
    • Bonus plans with upper and lower cutoffs.


INTERNAL ENVIRONMENT
• Management should not assume that employees will always act honestly.
  – Consistently reward and encourage honesty.
  – Give verbal labels to honest and dishonest acts.
  – The combination of these two will produce more consistent moral behavior.


INTERNAL ENVIRONMENT
• Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct.
  – In particular, such a code should cover issues that are uncertain or unclear.
  – Dishonesty often appears when situations are gray and employees rationalize the most expedient action instead of making a right-vs.-wrong choice.


INTERNAL ENVIRONMENT
• SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees:
  – It should be written at a fifth-grade level.
  – It should be reviewed annually with employees and signed.
  – This approach helps employees keep themselves out of trouble.
  – It helps the company if it needs to take legal action against the employee.


INTERNAL ENVIRONMENT
• Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
  – Reports of dishonest acts should be thoroughly investigated.
  – Those found guilty should be dismissed.
  – Prosecution should be undertaken when possible, so that other employees are clear about the consequences.
• Companies must make a commitment to competence.
  – It begins with having competent employees.
  – Competence varies with each job but is a function of knowledge, experience, training, and skills.


INTERNAL ENVIRONMENT
• The levers of control, particularly the beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants.
  – This requires more than lip service and signing forms.
  – It must be a system in which top management actively participates in order to:
    • Demonstrate the importance of the system.
    • Create buy-in and a team spirit.


INTERNAL ENVIRONMENT
• Organizational structure
  – A company's organizational structure defines its lines of authority, responsibility, and reporting.
    • It provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.


INTERNAL ENVIRONMENT
• Important aspects of organizational structure:
  – Degree of centralization or decentralization.
  – Assignment of responsibility for specific tasks.
  – Direct-reporting relationships or matrix structure.
  – Organization by industry, product, geographic location, or marketing network.
  – How the responsibility allocation affects management's information needs.
  – Organization of the accounting and IS functions.
  – Size and nature of company activities.


INTERNAL ENVIRONMENT
• Statistically, fraud occurs more frequently in organizations with complex structures.
  – The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or
  – The structure may be intentionally complex to facilitate the fraud.


INTERNAL ENVIRONMENT
• In today's business world, hierarchical organizations with many layers of management are giving way to flatter organizations with self-directed work teams.
  – Team members are empowered to make decisions without multiple layers of approvals.
  – Emphasis is on continuous improvement rather than on regular evaluations.
  – These changes have a significant impact on the nature and type of controls needed.


INTERNAL ENVIRONMENT
• Methods of assigning authority and responsibility
  – Management should make sure:
    • Employees understand the entity's objectives.
    • Authority and responsibility for business objectives are assigned to specific departments and individuals.
  – Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.
  – Management:
    • Must be sure to identify who is responsible for the IS security policy.
    • Should monitor results so decisions can be reviewed and, if necessary, overruled.


INTERNAL ENVIRONMENT
• Authority and responsibility are assigned through:
  – Formal job descriptions
  – Employee training
  – Operating plans, schedules, and budgets
  – Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest
  – Written policies and procedures manuals (a good job reference and job training tool), which cover:
    • Proper business practices
    • Knowledge and experience needed by key personnel
    • Resources provided to carry out duties
    • Policies and procedures for handling particular transactions
    • The organization's chart of accounts
    • Sample copies of forms and documents


INTERNAL ENVIRONMENT
• Human resource standards
  – Employees are both the company's greatest control strength and its greatest control weakness.
  – Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.
  – Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization's vulnerability.


INTERNAL ENVIRONMENT
• The following policies and procedures are important:
  – Hiring
  – Compensating
  – Training
  – Evaluating and promoting
  – Discharging
  – Managing disgruntled employees
  – Vacations and rotation of duties
  – Confidentiality insurance and fidelity bonds


INTERNAL ENVIRONMENT
• Hiring
  – Hiring should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.
  – Employees should undergo a formal, in-depth employment interview.
  – Resumes, reference letters, and thorough background checks are critical.


INTERNAL ENVIRONMENT
• Background checks can involve:
  – Verifying education and experience.
  – Talking with references.
  – Checking for criminal records, credit issues, and other publicly available data.
  – Note that you must have the employee's or candidate's written permission to conduct a background check, but that permission does not need to have an expiration date.
  – Background checks are important because recent studies show that about 50% of resumes have been falsified or embellished.


INTERNAL ENVIRONMENT
• Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions.
  – Some get phony degrees from online "diploma mills."
    • A Pennsylvania district attorney recently filed suit against a Texas "university" for issuing an MBA to the DA's 6-year-old black cat.
  – Others actually hack (or hire someone to hack) into the systems of universities to create or alter transcripts and other academic data.
• No employee should be exempted from background checks. Anyone from the custodian to the company president is capable of committing fraud, sabotage, etc.


INTERNAL ENVIRONMENT
• Compensating
  – Employees should be paid a fair and competitive wage.
  – Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud.
  – Appropriate incentives can motivate and reinforce outstanding performance.


INTERNAL ENVIRONMENT
• Policies on training
  – Training programs should familiarize new employees with:
    • Their responsibilities.
    • Expected performance and behavior.
    • Company policies, procedures, history, culture, and operating style.
  – Training needs to be ongoing, not just one time.
  – Companies that shortchange training are more likely to experience security breaches and fraud.


INTERNAL ENVIRONMENT
  – Many believe employee training and education are the most important elements of fraud prevention and security programs.
  – Fraud is less likely to occur when employees believe security is everyone's business.
  – An ideal corporate culture exists when:
    • Employees are proud of their company and protective of its assets.
    • They believe fraud hurts everyone and that they therefore have a responsibility to report it.


INTERNAL ENVIRONMENT
• These cultures do not just happen. They must be created, taught, and practiced, and the following training should be provided:
  – Fraud awareness
    • Employees should be aware of fraud's prevalence and dangers, why people do it, and how to deter and detect it.
  – Ethical considerations
    • The company should promote ethical standards in its practice and its literature.
    • Acceptable and unacceptable behavior should be defined and labeled, leaving as little gray area as possible.


INTERNAL ENVIRONMENT
  – Punishment for fraud and unethical behavior
    • Employees should know the consequences (e.g., reprimand, dismissal, prosecution) of bad behavior.
    • These should be disseminated as a consequence rather than a threat.
    • EXAMPLE: "Using a computer to steal or commit fraud is a federal crime, and anyone doing so faces immediate dismissal and/or prosecution."
    • The company should display notices of program and data ownership and advise employees of the penalties of misuse.


INTERNAL ENVIRONMENT
• Training can take place through:
  – Informal discussions
  – Formal meetings
  – Periodic memos
  – Written guidelines
  – Codes of ethics
  – Circulating reports of unethical behavior and its consequences
  – Promoting security and fraud training programs


INTERNAL ENVIRONMENT
• Evaluating and promoting
  – Do periodic performance appraisals to help employees understand their strengths and weaknesses.
  – Base promotions on performance and qualifications.


INTERNAL ENVIRONMENT
• Discharging
  – Fired employees are disgruntled employees.
  – Disgruntled employees are more likely to commit sabotage or fraud against the company.
  – Employees who are terminated (whether voluntarily or involuntarily) should be removed from sensitive jobs immediately and denied access to information systems.
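The "denied access to information systems" step is the one that most often fails in practice, because HR records and the directory live in separate systems and nobody reconciles them. The following is an added example, not part of the slides or of the textbook they summarize: a reconciliation that takes an HR termination list and a directory export and flags accounts that are still enabled, still hold sensitive group memberships, or show a login after the employee's last day. The employee IDs, usernames, group names and dates are all constructed, and the `Termination` and `Account` record shapes are assumptions about what an HR feed and a directory export would provide.

```python
"""Termination deprovisioning check (added example; all records are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Termination:
    employee_id: str
    last_day: date           # last day of employment according to HR
    voluntary: bool          # voluntary and involuntary leavers are treated alike


@dataclass(frozen=True)
class Account:
    employee_id: str
    username: str
    enabled: bool
    sensitive_groups: FrozenSet[str]   # groups that grant access to sensitive systems
    last_login: Optional[date]


# Constructed sample records (hypothetical employees, usernames and groups).
TERMINATIONS = [
    Termination("E1001", date(2024, 3, 1), voluntary=True),
    Termination("E1002", date(2024, 3, 5), voluntary=False),
    Termination("E1003", date(2024, 3, 10), voluntary=True),
    Termination("E1004", date(2024, 4, 1), voluntary=True),   # notice given, still employed
]

ACCOUNTS = [
    Account("E1001", "alice", False, frozenset(), date(2024, 2, 28)),
    Account("E1002", "bob", True, frozenset({"payroll-admins"}), date(2024, 3, 7)),
    Account("E1003", "carol", False, frozenset({"finance-readonly"}), date(2024, 3, 9)),
    Account("E1004", "dave", True, frozenset({"payroll-admins"}), date(2024, 3, 14)),
    Account("E2000", "erin", True, frozenset(), date(2024, 3, 14)),   # no termination record
]

AS_OF = date(2024, 3, 15)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def find_deprovisioning_gaps(terminations: List[Termination],
                             accounts: List[Account],
                             as_of: date) -> List[dict]:
    """Return one finding per control failure, most severe first.

    A termination only counts once its last_day has passed relative to
    as_of; future-dated terminations are ignored so notice periods do not
    generate noise.
    """
    terminated = {t.employee_id: t for t in terminations if t.last_day <= as_of}
    findings = []
    for acct in accounts:
        term = terminated.get(acct.employee_id)
        if term is None:
            continue
        base = {"username": acct.username, "employee_id": acct.employee_id,
                "last_day": term.last_day.isoformat(), "voluntary": term.voluntary}
        if acct.enabled:
            # The account can still authenticate after the last day.
            findings.append({**base, "issue": "ENABLED_AFTER_TERMINATION",
                             "severity": "high" if acct.sensitive_groups else "medium"})
        if acct.sensitive_groups:
            # A disabled account can be re-enabled by mistake; entitlements must go too.
            findings.append({**base, "issue": "SENSITIVE_GROUPS_RETAINED",
                             "severity": "high", "groups": sorted(acct.sensitive_groups)})
        if acct.last_login is not None and acct.last_login > term.last_day:
            # Evidence of use after separation: route to incident response.
            findings.append({**base, "issue": "LOGIN_AFTER_TERMINATION",
                             "severity": "critical", "last_login": acct.last_login.isoformat()})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


def run_sample() -> List[dict]:
    """Run the check over the constructed records as of 2024-03-15."""
    return find_deprovisioning_gaps(TERMINATIONS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run this daily against the real feeds, send the critical findings to incident response rather than the helpdesk queue, and keep treating a disabled account that still carries sensitive groups as a finding: disabling is reversible, group removal is what actually revokes the entitlement.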


INTERNAL ENVIRONMENT
• Managing disgruntled employees
  – Disgruntled employees may be isolated and/or unhappy, but they are much likelier fraud candidates than satisfied employees.
  – The organization can try to reduce the employee's pressures through grievance channels and counseling.
    • This is difficult to do because many employees feel that seeking counseling will stigmatize them in their jobs.
  – Disgruntled employees should not be allowed to continue in jobs where they could harm the organization.


INTERNAL ENVIRONMENT
• Vacations and rotation of duties
  – Some fraud schemes, such as lapping and kiting, cannot continue without the constant attention of the perpetrator.
  – Mandatory vacations or rotation of duties can prevent these frauds or lead to early detection.
  – These measures will only be effective if someone else is doing the job while the usual employee is elsewhere.
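Whether the mandatory-vacation control is actually exercised is observable from authentication logs: an employee who has not been away for a week in a whole quarter has never had anyone else do the job. The following is an added example that is not part of the slides: it parses constructed login records, computes for each user the longest run of calendar days without any activity, and flags users with enough history who never reach the policy minimum. The log line format, the usernames, the quarter chosen and the thresholds are all assumptions made for the example.

```python
"""Continuous-activity check for a mandatory-vacation policy (added example; logs are constructed)."""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple


def make_sample_log(start: date, end: date, absences: Dict[str, Tuple[date, date]]) -> List[str]:
    """Build constructed login lines for every weekday in [start, end].

    absences maps a user to an inclusive (first_absent_day, last_absent_day) range.
    """
    lines = []
    day = start
    while day <= end:
        if day.weekday() < 5:                       # Monday..Friday only
            for user in ("alice", "bob"):
                gap = absences.get(user)
                if gap is not None and gap[0] <= day <= gap[1]:
                    continue
                lines.append(f"{day.isoformat()}T08:02:11Z login user={user} src=10.0.0.7")
        day += timedelta(days=1)
    return lines


# Q1 2024: alice takes two weeks off in February, bob never does (constructed).
SAMPLE_LOG = make_sample_log(date(2024, 1, 2), date(2024, 3, 29),
                             {"alice": (date(2024, 2, 5), date(2024, 2, 16))})
SAMPLE_LOG.append("2024-02-20T09:15:40Z login user=carol src=10.0.0.9")   # one-off contractor login
SAMPLE_LOG.append("2024-02-21T17:40:02Z logout user=bob src=10.0.0.7")    # not a login; ignored


def active_days(log_lines: Iterable[str]) -> Dict[str, List[date]]:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ login user=<name> ...' lines into sorted active dates per user."""
    days = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3 or fields[1] != "login":
            continue
        user = next((f[len("user="):] for f in fields[2:] if f.startswith("user=")), None)
        if user is None:
            continue
        days[user].add(date.fromisoformat(fields[0][:10]))
    return {user: sorted(d) for user, d in days.items()}


def longest_absence_days(days: List[date]) -> int:
    """Largest gap in calendar days between consecutive active days (0 if fewer than two)."""
    if len(days) < 2:
        return 0
    return max((later - earlier).days for earlier, later in zip(days, days[1:]))


def absence_report(log_lines: Iterable[str], min_active_days: int = 20) -> Dict[str, int]:
    """Longest absence per user, only for users with enough history to judge."""
    return {user: longest_absence_days(days)
            for user, days in active_days(log_lines).items()
            if len(days) >= min_active_days}


def find_never_absent(log_lines: Iterable[str], min_absence_days: int = 7,
                      min_active_days: int = 20) -> List[str]:
    """Users who never stepped away for min_absence_days in a row: the control is not exercised."""
    report = absence_report(log_lines, min_active_days)
    return sorted(user for user, gap in report.items() if gap < min_absence_days)


if __name__ == "__main__":
    print(absence_report(SAMPLE_LOG))
    print("never absent:", find_never_absent(SAMPLE_LOG))
```

A weekend shows up as a three-day gap, so the threshold has to be longer than that; the `min_active_days` floor keeps contractors and new hires with a handful of logins out of the report rather than flagging them on no evidence.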


INTERNAL ENVIRONMENT
• Confidentiality agreements and fidelity bond insurance
  – Employees, suppliers, and contractors should be required to sign and abide by nondisclosure or confidentiality agreements.
  – Key employees should have fidelity bond insurance coverage to protect the company against losses from fraudulent acts by those employees.


INTERNAL ENVIRONMENT
• In addition to the preceding policies, the company should seek prosecution and incarceration of hackers and fraud perpetrators.
• Most fraud cases and hacker attacks go unreported. They are not prosecuted for several reasons.
  – Companies fear:
    • Public relations nightmares
    • Copycat attacks
  – But unreported fraud and intrusions create a false sense of security.


INTERNAL ENVIRONMENT
  – Law enforcement officials and courts are busy with violent crimes and may regard teen hacking as "childish pranks."
  – Fraud is difficult, costly, and time-consuming to investigate and prosecute.
  – Law enforcement officials, lawyers, and judges often lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.
  – When cases are prosecuted and a conviction obtained, penalties are often very light. Judges often regard the perpetrators as "model citizens."


INTERNAL ENVIRONMENT
• External influences
  – External influences that affect the control environment include requirements imposed by:
    • FASB
    • PCAOB
    • SEC
    • Insurance commissions
    • Regulatory agencies for banks, utilities, etc.


OBJECTIVE SETTING
• Objective setting is the second ERM component.
• It must precede many of the other six components.
• For example, you must set objectives before you can define events that affect your ability to achieve objectives.


OBJECTIVE SETTING
• Top management, with board approval, must articulate why the company exists and what it hopes to achieve.
  – This is often referred to as the mission statement.
• Management uses the mission statement as a base from which to set corporate objectives.
• The objectives:
  – Need to be easy to understand and measure.
  – Should be prioritized.
  – Should be aligned with the company's risk appetite.


OBJECTIVE SETTING
• Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub-units.
• For each set of objectives:
  – Critical success factors (what has to go right) must be defined.
  – Performance measures should be established to determine whether the objectives are met.


OBJECTIVE SETTING
• The objective-setting process proceeds as follows:
  – First, set strategic objectives, the high-level goals that support the company's mission and create value for shareholders.
  – To meet these objectives, identify alternative ways of accomplishing them.
  – For each alternative, identify and assess risks and implications.
  – Formulate a corporate strategy.
  – Then set operations, compliance, and reporting objectives.


OBJECTIVE SETTING
• As a rule of thumb:
  – The mission and strategic objectives are stable.
  – The strategy and other objectives are more dynamic:
    • They must be adapted to changing conditions.
    • They must be realigned with strategic objectives.


OBJECTIVE SETTING
• Operations objectives:
  – Are a product of management preferences, judgments, and style.
  – Vary significantly among entities:
    • One may adopt a technology; another waits until the bugs are worked out.
  – Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures.
  – Give clear direction for resource allocation, a key success factor.


OBJECTIVE SETTING
• Compliance and reporting objectives:
  – Many are imposed by external entities, e.g.:
    • Reports to the IRS or to the EPA
    • Financial reports that comply with GAAP
  – A company's reputation can be impacted significantly (for better or worse) by the quality of its compliance.


EVENT IDENTIFICATION
• Events are:
  – Incidents or occurrences that emanate from internal or external sources.
  – They affect implementation of strategy or achievement of objectives.
  – Their impact can be positive, negative, or both.
  – Events can range from obvious to obscure.
  – Their effects can range from inconsequential to highly significant.


EVENT IDENTIFICATION
• By their nature, events represent uncertainty:
  – Will they occur?
  – If so, when?
  – And what will the impact be?
  – Will they trigger another event?
  – Will they happen individually or concurrently?


EVENT IDENTIFICATION
• Management must do its best to anticipate all possible events, positive or negative, that might affect the company:
  – Try to determine which are most and least likely.
  – Understand the interrelationships of events.
• COSO identified many internal and external factors that could influence events and affect a company's ability to implement strategy and achieve objectives.


EVENT IDENTIFICATION
• Some of these factors include:
  – External factors:
    • Economic factors
    • Natural environment
    • Political factors
    • Social factors
    • Technological factors


EVENT IDENTIFICATION
• Some of these factors include:
  – Internal factors:
    • Infrastructure
    • Personnel
    • Process
    • Technology


EVENT IDENTIFICATION
• Lists can help management identify factors, evaluate their importance, and examine those that can affect objectives.
• Identifying events at the activity and entity levels allows companies to focus their risk assessment on major business units or functions and align their risk tolerance and risk appetite.


EVENT IDENTIFICATION
• Companies usually use two or more of the following techniques together to identify events:
  – Use comprehensive lists of potential events
  – Perform an internal analysis
  – Monitor leading events and trigger points
  – Conduct workshops and interviews
  – Perform data mining and analysis
  – Analyze business processes


RISK ASSESSMENT AND RISK RESPONSE
• The fourth and fifth components of COSO's ERM model are risk assessment and risk response.
• COSO indicates there are two types of risk:
  – Inherent risk: the risk that exists before management takes any steps to control the likelihood or impact of an event.
  – Residual risk: the risk that remains after management implements internal controls or some other response to the risk.


RISK ASSESSMENT AND RISK RESPONSE
• Companies should:
  – Assess inherent risk
  – Develop a response
  – Then assess residual risk
• The ERM model indicates four ways to respond to risk:
  – Reduce it (by implementing effective internal controls)
  – Accept it
  – Share it
  – Avoid it (do not engage in the activity that produces the risk)


RISK ASSESSMENT AND RISK RESPONSE
• Accountants:
  – Help management design effective controls to reduce inherent risk.
  – Evaluate internal control systems to ensure they are operating effectively.
  – Assess and reduce inherent risk using the risk assessment and response strategy.


RISK ASSESSMENT AND RISK RESPONSE
[Figure: risk assessment and response flowchart]
  – The first step in the risk assessment and response strategy is event identification, which we have already discussed.


RISK ASSESSMENT AND RISK RESPONSE
[Figure: risk assessment and response flowchart]
• Estimate likelihood and impact
  – Some events pose more risk because they are more probable than others.
  – Some events pose more risk because their dollar impact would be more significant.
  – Likelihood and impact must be considered together:
    • If either increases, the materiality of the event and the need to protect against it rises.


RISK ASSESSMENT AND RISK RESPONSE

- Identify controls
  - Management must identify one or more controls that will protect the company from each event.
  - In evaluating benefits of each control procedure, consider effectiveness and timing.

184 of 315


RISK ASSESSMENT AND RISK RESPONSE

- All other factors equal:
  - A preventive control is better than a detective one.
  - However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
  - Consequently, the three complement each other, and a good internal control system should have all three.
  - Similarly, a company should use all four levers of control.

185 of 315


RISK ASSESSMENT AND RISK RESPONSE

- Estimate costs and benefits
  - It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
  - Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.

186 of 315


RISK ASSESSMENT AND RISK RESPONSE

- The benefits of an internal control procedure must exceed its costs.
- Benefits can be hard to quantify, but include:
  - Increased sales and productivity
  - Reduced losses
  - Better integration with customers and suppliers
  - Increased customer loyalty
  - Competitive advantages
  - Lower insurance premiums

187 of 315


RISK ASSESSMENT AND RISK RESPONSE

- Costs are usually easier to measure than benefits.
- Primary cost is personnel, including:
  - Time to perform control procedures
  - Costs of hiring additional employees to effectively segregate duties
  - Costs of programming controls into a system

188 of 315


RISK ASSESSMENT AND RISK RESPONSE

- Other costs of a poor control system include:
  - Lost sales
  - Lower productivity
  - Drop in stock price if security problems arise
  - Shareholder or regulator lawsuits
  - Fines and penalties imposed by governmental agencies

189 of 315


RISK ASSESSMENT AND RISK RESPONSE

- The expected loss related to a risk is measured as:
  - Expected loss = impact x likelihood
- The value of a control procedure is the difference between:
  - Expected loss with the control procedure
  - Expected loss without it

190 of 315


RISK ASSESSMENT AND RISK RESPONSE

- Determine cost/benefit effectiveness
  - After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the change?

191 of 315


RISK ASSESSMENT AND RISK RESPONSE

- In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation.
  - If an event threatens an organization's existence, it may be worthwhile to institute controls even if costs exceed expected benefits.
  - The additional cost can be viewed as a catastrophic loss insurance premium.

192 of 315


RISK ASSESSMENT AND RISK RESPONSE

- Let's look at an example:
  - Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
  - A catastrophic theft could result in losses of $800,000.
  - Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
  - Companies with motion detectors only have about a .5% probability of catastrophic theft.
  - The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.
  - Should Hobby Hole install the motion detectors?
- Solution:
  - Expected loss without motion detectors = $800,000 x .12 = $96,000
  - Expected loss with motion detectors = $800,000 x .005 = $4,000
  - Estimated benefit of the control = $96,000 - $4,000 = $92,000
  - Estimated cost of the control = $43,000 (given)
  - Net benefit = $92,000 - $43,000 = $49,000, so the motion detectors should be installed.

193 of 315
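The expected-loss arithmetic from the preceding slides and the Hobby Hole question, worked in Python as an added example (not part of the original slides). The function and field names are this example's own; the `threatens_existence` override encodes the slide's catastrophic-loss-insurance caveat.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlEvaluation:
    """Result of the expected-loss comparison for one proposed control."""
    loss_without: float    # expected loss if the control is not implemented
    loss_with: float       # expected loss if it is
    reduction: float       # value of the control: loss_without - loss_with
    cost: float            # cost of implementing and operating the control
    net_benefit: float     # reduction - cost
    cost_beneficial: bool  # True when the reduction exceeds the cost
    recommend: bool        # install when cost-beneficial or the event is existential


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood; likelihood is a probability in [0, 1]."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be between 0 and 1")
    if impact < 0:
        raise ValueError("impact must be a non-negative dollar amount")
    return impact * likelihood


def evaluate_control(impact: float, p_without: float, p_with: float,
                     cost: float, threatens_existence: bool = False) -> ControlEvaluation:
    """Compare expected loss with and without the control and decide.

    threatens_existence is this example's name for the slide's caveat: a control
    against an event that could end the organization may be worth installing even
    when its cost exceeds the expected-loss reduction (the extra cost is treated as
    a catastrophic-loss insurance premium).
    """
    loss_without = expected_loss(impact, p_without)
    loss_with = expected_loss(impact, p_with)
    reduction = loss_without - loss_with      # value of the control procedure
    net_benefit = reduction - cost
    cost_beneficial = net_benefit > 0
    return ControlEvaluation(
        loss_without=loss_without,
        loss_with=loss_with,
        reduction=reduction,
        cost=cost,
        net_benefit=net_benefit,
        cost_beneficial=cost_beneficial,
        recommend=cost_beneficial or threatens_existence,
    )


def hobby_hole() -> ControlEvaluation:
    """Inputs from the Hobby Hole slide: $800,000 loss, 12% without detectors,
    .5% with detectors, $43,000 present value of the detector system."""
    return evaluate_control(impact=800_000, p_without=0.12, p_with=0.005, cost=43_000)


if __name__ == "__main__":
    r = hobby_hole()
    print(f"expected loss without detectors: ${r.loss_without:,.0f}")
    print(f"expected loss with detectors:    ${r.loss_with:,.0f}")
    print(f"value of the control:            ${r.reduction:,.0f}")
    print(f"net benefit:                     ${r.net_benefit:,.0f}")
    print("install" if r.recommend else "do not install")
```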


RISK ASSESSMENT AND RISK RESPONSE

- Implement control or accept, share, or avoid risk
  - When controls are cost effective, they should be implemented so risk can be reduced.

194 of 315


RISK ASSESSMENT AND RISK RESPONSE

- Risks that are not reduced must be accepted, shared, or avoided.
  - If the risk is within the company's risk tolerance, they will typically accept the risk.
  - A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
  - An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.

195 of 315


CONTROL ACTIVITIES

- The sixth component of COSO's ERM model.
- Control activities are policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and their risk responses are carried out.

196 of 315


CONTROL ACTIVITIES

- It is management's responsibility to develop a secure and adequately controlled system.
  - Controls are much more effective when built in on the front end.
  - Consequently, systems analysts, designers, and end users should be involved in designing adequate computer-based control systems.
- Management must also establish a set of procedures to ensure control compliance and enforcement.
  - Usually, the purview of the information security officer and the operations staff.

197 of 315


CONTROL ACTIVITIES

- It is critical that controls be in place during the year-end holiday season. A disproportionate amount of computer fraud and security break-ins occur during this time because:
  - More people are on vacation and fewer around to mind the store.
  - Students are not tied up with school.
  - Counterculture hackers may be lonely.

198 of 315


CONTROL ACTIVITIES

- Generally, control procedures fall into one of the following categories:
  - Proper authorization of transactions and activities
  - Segregation of duties
  - Project development and acquisition controls
  - Change management controls
  - Design and use of documents and records
  - Safeguard assets, records, and data
  - Independent checks on performance

199 of 315




CONTROL ACTIVITIES

- Proper authorization of transactions and activities
  - Management lacks the time and resources to supervise each employee activity and decision.
  - Consequently, they establish policies and empower employees to perform activities within policy.
  - This empowerment is called authorization and is an important part of an organization's control procedures.

201 of 315


CONTROL ACTIVITIES

- Authorizations are often documented by signing, initialing, or entering an authorization code.
- Computer systems can record digital signatures as a means of signing a document.
- Employees who process transactions should verify the presence of the appropriate authorizations.
- Auditors review transactions for proper authorization, as their absence indicates a possible control problem.

202 of 315


CONTROL ACTIVITIES

- Typically at least two levels of authorization:
  - General authorization
    - Management authorizes employees to handle routine transactions without special approval.
  - Special authorization
    - For activities or transactions that are of significant consequences, management review and approval is required.
    - Might apply to sales, capital expenditures, or write-offs over a particular dollar limit.
- Management should have written policies for both types of authorization and for all types of transactions.

203 of 315




CONTROL ACTIVITIES

- Segregation of duties
  - Good internal control requires that no single employee be given too much responsibility over business transactions or processes.
  - An employee should not be in a position to commit and conceal fraud or unintentional errors.
  - Segregation of duties is discussed in two sections:
    - Segregation of accounting duties
    - Segregation of duties within the systems function

205 of 315






CONTROL ACTIVITIES

- Segregation of accounting duties
  - Effective segregation of accounting duties is achieved when the following functions are separated:
    - Authorization: approving transactions and decisions.
    - Recording: preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
    - Custody: handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization's bank account.
  - If any two of the preceding functions are the responsibility of one person, then problems can arise.

218 of 315


CONTROL ACTIVITIES

[Figure: segregation of accounting duties, showing the authorization function, the recording function, and the custodial function and, for each pair held by one person, an "example of problem" and a "solution"; the annotation text did not survive extraction]

219-221 of 315


CONTROL ACTIVITIES

- In a system that incorporates an effective separation of duties, it should be difficult for any single employee to commit embezzlement successfully.
- But when two or more people collude, then segregation of duties becomes impotent and controls are overridden.

222 of 315




CONTROL ACTIVITIES

- Employees can collude with other employees or with customers or vendors.
- The most frequent forms of employee/vendor collusion include:
  - Billing at inflated prices
  - Performing substandard work and receiving full payment
  - Payment for non-performance
  - Duplicate billings
  - Improperly funneling more work to or purchasing more goods from a colluding company

225 of 315


CONTROL ACTIVITIES

- The most frequent forms of employee/customer collusion include:
  - Unauthorized loans or insurance payments
  - Receipt of assets or services at unauthorized discount prices
  - Forgiveness of amounts owed
  - Unauthorized extension of due dates

226 of 315




CONTROL ACTIVITIES

- Segregation of duties within the systems function
  - In a highly integrated information system, procedures once performed by separate individuals are combined.
  - Therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud.
  - To combat this threat, organizations must implement effective segregation of duties within the IS function.

228 of 315


CONTROL ACTIVITIES

- Authority and responsibility must be divided clearly among the following functions:
  - Systems administration
  - Network management
  - Security management
  - Change management
  - Users
  - Systems analysts
  - Programming
  - Computer operations
  - Information systems library
  - Data control

229-238 of 315
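An added example (not from the original slides) that checks a role assignment against the two separation rules the slides state: no one person holds two of authorization, recording and custody, and no one person holds more than one of the ten IS functions. The assignments below are constructed, and the function and variable names are this example's own.

```python
from itertools import combinations

# The three accounting functions that the accounting-duties slide says must be separated.
ACCOUNTING_FUNCTIONS = frozenset({"authorization", "recording", "custody"})

# The ten IS functions listed on the slides; each is to be performed by a different person.
IS_FUNCTIONS = frozenset({
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysts", "programming",
    "computer operations", "information systems library", "data control",
})


def accounting_conflicts(assignments):
    """Per person, every pair of accounting functions they both hold.

    assignments maps a person to the set of functions assigned to them. Any two of
    authorization, recording and custody in one person's hands is a conflict.
    """
    conflicts = {}
    for person, duties in assignments.items():
        held = sorted(set(duties) & ACCOUNTING_FUNCTIONS)
        pairs = list(combinations(held, 2))
        if pairs:
            conflicts[person] = pairs
    return conflicts


def is_function_conflicts(assignments):
    """Per person, the IS functions they hold, for anyone holding more than one."""
    conflicts = {}
    for person, duties in assignments.items():
        held = sorted(set(duties) & IS_FUNCTIONS)
        if len(held) > 1:
            conflicts[person] = held
    return conflicts


def sod_report(assignments):
    """Combine both checks into plain-text findings, one line per conflict."""
    findings = []
    for person, pairs in accounting_conflicts(assignments).items():
        for a, b in pairs:
            findings.append(f"{person}: holds both {a} and {b} (accounting duties)")
    for person, held in is_function_conflicts(assignments).items():
        findings.append(f"{person}: holds {len(held)} IS functions: {', '.join(held)}")
    return findings


# Constructed sample assignments (not from the slides).
SAMPLE_ASSIGNMENTS = {
    "alice": {"authorization"},
    "bob": {"recording", "custody"},                  # could take cash and cover it in the records
    "carol": {"programming", "computer operations"},  # could alter a program and run it on live data
    "dave": {"data control"},
    "erin": {"users", "custody"},                     # one IS function plus one accounting function: no conflict under these rules
}

if __name__ == "__main__":
    for line in sod_report(SAMPLE_ASSIGNMENTS):
        print(line)
```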


CONTROL ACTIVITIES

- It is important that different people perform the preceding functions.
  - Allowing a person to do two or more jobs exposes the company to the possibility of fraud.
- In addition to adequate segregation of duties, organizations should ensure that the people who design, develop, implement, and operate the IS are qualified and well trained.
- The same holds true for systems security personnel.

239 of 315




CONTROL ACTIVITIES

- Project development and acquisition controls
  - It's important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies.
    - Should contain appropriate controls for:
      - Management review and approval
      - User involvement
      - Analysis
      - Design
      - Testing
      - Implementation
      - Conversion
    - Should make it possible for management to trace information inputs from source to disposition and vice versa (the audit trail).

241 of 315


CONTROL ACTIVITIES

- Examples abound of poorly managed projects that have wasted large sums of money because certain basic principles of project management control were ignored.

242 of 315


CONTROL ACTIVITIES

- The following basic principles of control should be applied to systems development in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS:
  - Strategic master plan
  - Project controls
  - Data processing schedule
  - Steering committee
  - System performance measurements (throughput, utilization, response time)
  - Post-implementation review

243-248 of 315


CONTROL ACTIVITIES

- To simplify and improve systems development, some companies hire a systems integrator: a vendor who uses common standards and manages the development effort using their own personnel and those of the client and other vendors.
  - Many companies rely on the integrator's assurance that the project will be completed on time.
  - Unfortunately, the integrator is often wrong.
  - These third-party systems development projects are subject to the same cost overruns and missed deadlines as systems developed internally.

249 of 315


CONTROL ACTIVITIES

- When using systems integrators, companies should adhere to the same basic rules used for project management of internal projects. In addition, they should:
  - Develop clear specifications
  - Monitor the project

250-251 of 315




CONTROL ACTIVITIES

- Change management controls
  - Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances.
  - Change management is the process of making sure that the changes do not negatively affect:
    - Systems reliability
    - Security
    - Confidentiality
    - Integrity
    - Availability

253 of 315




CONTROL ACTIVITIES

- Design and use of documents and records
  - Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data.
  - Form and content should be kept as simple as possible to:
    - Promote efficient record keeping
    - Minimize recording errors
    - Facilitate review and verification
  - Documents that initiate a transaction should contain a space for authorization.
  - Those used to transfer assets should have a space for the receiving party's signature.

255 of 315


CONTROL ACTIVITIES

- Documents should be sequentially pre-numbered:
  - To reduce the likelihood that they would be used fraudulently.
  - To help ensure that all valid transactions are recorded.
- A good audit trail facilitates:
  - Tracing individual transactions through the system.
  - Correcting errors.
  - Verifying system output.

256 of 315
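An added example (not part of the original slides) of the completeness check that sequential pre-numbering makes possible: every number in the issued block must be either recorded once or accounted for as a voided form, and nothing outside the block may appear. The document numbers and voided list are constructed, and the function name is this example's own.

```python
from collections import Counter


def sequence_check(recorded, first, last, voided=()):
    """Audit one block of pre-numbered documents.

    recorded: document numbers that appear in the accounting records (repeats allowed)
    first, last: the pre-numbered range issued to the department, inclusive
    voided: numbers accounted for as spoiled or cancelled forms (retained, not recorded)
    Returns a dict of exception lists; an empty dict means the block is fully accounted for.
    """
    if first > last:
        raise ValueError("first must not exceed last")
    issued = set(range(first, last + 1))
    counts = Counter(recorded)
    voided = set(voided)

    exceptions = {
        # The same number recorded twice: a duplicate posting or a reused form.
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        # A number never issued to this department: a fabricated or misfiled document.
        "out_of_range": sorted(n for n in counts if n not in issued),
        # Issued, neither recorded nor voided: a transaction that may never have been recorded.
        "missing": sorted(issued - set(counts) - voided),
        # Marked void yet still recorded: a voided form that was used after all.
        "void_and_used": sorted(voided & set(counts)),
    }
    return {kind: items for kind, items in exceptions.items() if items}


# Constructed sample: invoice block 1001-1008, with one voided form.
INVOICES_RECORDED = [1001, 1002, 1004, 1004, 1006, 1010]
INVOICE_BLOCK = (1001, 1008)
INVOICES_VOIDED = [1005]


def audit_sample():
    first, last = INVOICE_BLOCK
    return sequence_check(INVOICES_RECORDED, first, last, INVOICES_VOIDED)


if __name__ == "__main__":
    for kind, numbers in audit_sample().items():
        print(f"{kind}: {numbers}")
```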




CONTROL ACTIVITIES

- Safeguard assets, records, and data
  - When people consider safeguarding assets, they most often think of cash and physical assets, such as inventory and equipment.
  - Another company asset that needs to be protected is information.
  - According to the ACFE's 2004 National Fraud Survey, theft of information made up only 17.3% of non-cash misappropriations; however, the median cost of an information theft was $340,000. This cost was 126% higher than the next most costly non-asset theft. (Equipment theft had a median cost of $150,000.)

258 of 315


CONTROL ACTIVITIES

- Many people mistakenly believe that the greatest risks companies face are from outsiders.
- However, employees pose a much greater risk when it comes to loss of data because:
  - They know the system and its weaknesses better.
  - They are better able to hide their illegal acts.

259 of 315


CONTROL ACTIVITIES

- Insiders also create less-intentional threats to systems, including:
  - Accidentally deleting company data.
  - Turning viruses loose.
  - Trying to fix hardware or software without appropriate expertise (i.e., when in doubt, unplug it).
- These actions can result in crashed networks, corrupt data, and hardware and software malfunctions.
- Companies also face significant risks from customers and vendors that have access to company data.

260 of 315


CONTROL ACTIVITIES

- Many steps can be taken to safeguard both information and physical assets from theft, unauthorized use, and vandalism. Chapters 7 and 8 discuss computer-based controls. In addition, it is important to:
  - Maintain accurate records of all assets
  - Periodically reconcile recorded amounts to physical counts
  - Restrict access to assets
  - Protect records and documents

261-263 of 315






CONTROL ACTIVITIES

- Internal checks to ensure that transactions are processed accurately are an important control element.
- These checks should be performed by someone independent of the party(ies) responsible for the activities.

268 of 315


CONTROL ACTIVITIES

- The following independent checks are typically used:
  - Top-level reviews
  - Analytical reviews
  - Reconciliation of independently maintained sets of records
  - Comparison of actual quantities with recorded amounts
  - Double-entry accounting
  - Independent review

269-274 of 315


INFORMATION AND COMMUNICATION

- The seventh component of COSO's ERM model.
- The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.
- So accountants must understand how:
  - Transactions are initiated
  - Data are captured in or converted to machine-readable form
  - Computer files are accessed and updated
  - Data are processed
  - Information is reported to internal and external parties

275 of 315


INFORMATION AND COMMUNICATION

- Accountants must also understand the accounting records and procedures, supporting documents, and specific financial statement accounts involved in processing and reporting transactions.
- The preceding items facilitate an audit trail, which allows transactions to be traced from origin to financial statements and vice versa.

276 of 315


$+%; %$ $& %;;'$ %$

‡ According to the AICPA, an AIS has five


primary objectives:
± Identify and record all valid transactions.
± Properly classify transactions.
± Record transactions at their proper monetary
value.
± Record transactions in the proper accounting
period.
± Properly present transactions and related
disclosures in the financial statements.

INFORMATION AND COMMUNICATION

‡ How to safeguard information and physical assets:
± Create and enforce appropriate policies and
procedures.
± Maintain accurate records of all assets.
± Restrict access to assets.
± Protect records and documents.

INFORMATION AND COMMUNICATION

‡ Accounting systems generally consist of several accounting subsystems, each designed to
process transactions of a particular type.
‡ Though they differ with respect to the type of
transactions processed, all accounting
subsystems follow the same sequence of
procedures, referred to as the accounting cycle.
‡ The five major accounting cycles and their
related control objectives and procedures are
detailed in Chapters 10 through 14.

MONITORING

‡ The eighth component of COSO's ERM model.
‡ Monitoring can be accomplished with a series of ongoing events or by separate evaluations.


MONITORING
‡ Key methods of monitoring performance include:
± Perform ERM evaluation
± Implement effective supervision
± Use responsibility accounting
± Monitor system activities
± Track purchased software
± Conduct periodic audits
± Employ a computer security officer, a Chief
Compliance Officer, and computer consultants
± Engage forensic specialists
± Install fraud detection software
± Implement a fraud hotline

MONITORING

‡ Perform ERM evaluation
± Can measure ERM effectiveness through a
formal evaluation or through a self-
assessment process.
± A special group can be assembled to conduct
the evaluation or it can be done by internal
auditing.

MONITORING

‡ Implement effective supervision
± Involves:
‡ Training and assisting employees;
‡ Monitoring their performance;
‡ Correcting errors; and
‡ Safeguarding assets by overseeing employees
with access.
± Especially important in organizations that:
‡ Can't afford elaborate responsibility reporting; or
‡ Are too small for segregation of duties.

MONITORING

‡ Use responsibility accounting
± Includes use of:
‡ Budgets, quotas, schedules, standard costs, and
quality standards;
‡ Performance reports that compare actual with
planned performance and highlight variances; and
‡ Procedures for investigating significant variances
and taking timely actions to correct adverse
conditions.

MONITORING

‡ Monitor system activities
± Risk analysis and management software
packages are available to:
‡ Review computer and network security measures;
‡ Detect illegal entry into systems;
‡ Test for weaknesses and vulnerabilities;
‡ Report weaknesses found; and
‡ Suggest improvements.

MONITORING

‡ Cost parameters can be entered to balance acceptable levels of risk tolerance and cost-effectiveness.
‡ Software is also available to monitor and
combat viruses, spyware, spam, pop-up
ads, and to prevent browsers from being
hijacked.
‡ Also helps companies recover from frauds
and malicious actions and restore systems
to pre-incident status.

MONITORING

‡ System transactions and activities should be recorded in a log which indicates who accessed what data, when, and from which terminal.
‡ Logs should be reviewed frequently to monitor
system activity and trace any problems to their
source.
‡ Data collected can be used to:
± Evaluate employee productivity;
± Control company costs;
± Fight corporate espionage and other attacks; and
± Comply with legal requirements.
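The four questions the slide puts to a log (who, what, when, from which terminal) can be turned into a review routine. The example below is added here and is not code from the slides or the textbook; the log format, the six log records, the terminal assignments, the role-to-data mapping and the business-hours window are all constructed for the example. A real AIS or database audit log has its own fields, but the same checks apply: access outside business hours, access from a terminal not assigned to the user, access to a data set the user's role does not cover, and denied attempts.

```python
"""Review of a system-activity log: who accessed what, when, and from where.

Added example, not part of the original slides. Log format, records and
reference data below are constructed for the example.
"""
from datetime import datetime, time

# Constructed access-log records: timestamp|user|terminal|action|object|result
LOG = """\
2024-03-04T09:12:05|jsmith|WS-ACCT-07|READ|AR_SUBLEDGER|OK
2024-03-04T09:40:22|jsmith|WS-ACCT-07|UPDATE|AR_SUBLEDGER|OK
2024-03-04T23:55:41|jsmith|WS-ACCT-07|UPDATE|VENDOR_MASTER|OK
2024-03-05T10:03:17|mlee|WS-WHSE-02|READ|INVENTORY|OK
2024-03-05T10:05:09|mlee|WS-ACCT-07|READ|PAYROLL|OK
2024-03-05T10:06:30|tnguyen|WS-HR-01|UPDATE|PAYROLL|DENIED
"""

# Constructed reference data a reviewer would pull from the directory and the AIS.
ASSIGNED_TERMINAL = {"jsmith": "WS-ACCT-07", "mlee": "WS-WHSE-02", "tnguyen": "WS-HR-01"}
ROLE_DATA = {
    "jsmith": {"AR_SUBLEDGER", "GL"},
    "mlee": {"INVENTORY"},
    "tnguyen": {"PAYROLL"},
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed review window


def parse_log(text):
    """Turn the pipe-delimited records into dicts with a real timestamp."""
    records = []
    for line in text.splitlines():
        ts, user, terminal, action, obj, result = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts), "user": user, "terminal": terminal,
            "action": action, "object": obj, "result": result,
        })
    return records


def review_log(records):
    """Apply the who/what/when/where checks; return (record, reason) pairs."""
    findings = []
    start, end = BUSINESS_HOURS
    for r in records:
        if not (start <= r["ts"].time() <= end):
            findings.append((r, "outside business hours"))
        if r["terminal"] != ASSIGNED_TERMINAL.get(r["user"]):
            findings.append((r, "terminal not assigned to user"))
        if r["object"] not in ROLE_DATA.get(r["user"], set()):
            findings.append((r, "data outside user's role"))
        if r["result"] == "DENIED":
            findings.append((r, "denied attempt"))
    return findings


def summarize(findings):
    """Collapse findings to (user, reason) counts for the review report."""
    counts = {}
    for r, reason in findings:
        key = (r["user"], reason)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for r, reason in review_log(parse_log(LOG)):
        print(f'{r["ts"]:%Y-%m-%d %H:%M} {r["user"]:8} {r["terminal"]:11} '
              f'{r["action"]:6} {r["object"]:13} {reason}')
```

On the constructed records the review produces five findings: jsmith's late-night update to a vendor master file his role does not cover (two findings), mlee reading payroll from an accounting workstation (two findings), and tnguyen's denied payroll update. Two caveats a practitioner would add: the log must be written to a store the monitored users cannot alter, otherwise the "who" field proves nothing; and the reference data (terminal assignments, role mappings) must itself be maintained independently of the people being reviewed.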

MONITORING
‡ Companies that monitor system activities need to ensure
they do not violate employee privacy rights.
‡ Employers cannot discreetly observe communications of
employees when those employees have a "reasonable
expectation of privacy."
‡ Employers must therefore ensure that employees realize
their business communications are not "private." One
way to accomplish that objective is to have written
policies that employees agree to in writing which
indicate:
± The technology employees use on the job belongs to the
company.
± Emails received on company computers are not private and can
be read by supervisory personnel.
± Employees should not use technology in any way to contribute to
a hostile work environment.

MONITORING

‡ Track purchased software
± The Business Software Alliance (BSA) aggressively
tracks down and fines companies who violate
software license agreements.
± To comply with copyrights, companies should
periodically conduct software audits to ensure that:
‡ There are enough licenses for all users; and
‡ The company is not paying for more licenses than needed.
± Employees should be informed of the consequences
of using unlicensed software.

MONITORING

‡ Conduct periodic audits
± To monitor risk and detect fraud and errors,
the company should have periodic:
‡ External audits
‡ Internal audits
‡ Special network security audits
± Auditors should test system controls and
browse system usage files looking for
suspicious activities (discussed in Chapter 9).

MONITORING

‡ Again, care should be exercised that employees' privacy rights are not violated.
‡ Therefore, inform employees that auditors
will conduct random surveillance, which:
± Avoids privacy violations
± Creates a "perception of detection" that can
deter crime and reduce errors

MONITORING

‡ Internal auditing involves:
± Reviewing the reliability and integrity of
financial and operating information.
± Providing an appraisal of internal control
effectiveness.
± Assessing employee compliance with
management policies and procedures and
applicable laws and regulations.
± Evaluating the efficiency and effectiveness of
management.

MONITORING

‡ Internal audits can detect:
± Excess overtime
± Under-used assets
± Obsolete inventory
± Padded expense reimbursements
± Excessively loose budgets and quotas
± Poorly justified capital expenditures
± Production bottlenecks

MONITORING

‡ Internal auditing should be organizationally independent of the accounting and
operating functions.
‡ The head should report to the audit
committee of the board of directors rather
than to the controller or CFO.

MONITORING

‡ Employ a computer security officer, a Chief Compliance Officer, and computer consultants
± The computer security officer (CSO) is in
charge of AIS security
‡ Should be independent of the IS function
‡ Should report to the COO or CEO
± Many companies also use outside computer
consultants or in-house teams to test and
evaluate their security procedures and
computer systems.

MONITORING

‡ Engage forensic specialists
± Forensic accountants specialize in fraud
detection and investigation.
‡ Now one of the fastest growing areas of
accounting due to:
± SOX
± SAS 99
± Boards of Directors demanding that forensic accounting
be an ongoing part of the financial reporting and
corporate governance process.

MONITORING
‡ Most forensic accountants are CPAs and may
have received special training with the FBI, CIA,
or other law enforcement agencies.
± In particular demand are those with the necessary
computer skills to ferret out and combat fraudsters
who use sophisticated technology to perpetrate their
crimes.
± The Association of Certified Fraud Examiners (ACFE)
has created a professional certification program for
fraud examiners.

MONITORING

‡ Management may also need to call on computer forensic specialists for help.
‡ They assist in discovering, extracting,
safeguarding, and documenting computer
evidence so that its authenticity, accuracy,
and integrity will not succumb to legal
challenges.

MONITORING

‡ Common incidents investigated by computer forensic experts include:
± Improper internet usage
± Fraud
± Sabotage
± Loss, theft, or corruption of data
± Retrieving information from emails and
databases that users thought they had erased
± Determining who performed certain actions on
a computer

MONITORING

‡ Install fraud detection software
± People who commit fraud tend to follow certain patterns and
leave behind clues.
± Software has been developed to seek out these fraud symptoms.
± Some companies employ neural networks (programs that
mimic the brain and have learning capabilities), which are very
accurate in identifying suspected fraud.
± For example, if a husband and wife were each using the same
credit card in two different stores at the same time, a neural
network would probably flag at least one of the transactions
immediately as suspicious.
± These networks and other recent advances in fraud detection
software are significantly reducing the incidences of credit card
fraud.
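The same-card, two-stores, same-time pattern in the slide does not need a neural network to catch; it is the simplest form of a velocity rule that fraud-detection packages evaluate before any learned model runs. The example below is added here and is not code from the slides or the textbook, and it is deliberately a hand-written rule rather than a neural network. The merchant coordinates, the transactions, the card identifiers and the `max_kmh` threshold are all constructed assumptions. It goes slightly beyond the slide's case: besides the simultaneous pair it also flags two purchases too far apart to have been made by one cardholder in the time between them.

```python
"""Rule-based detection of one card used in two places at once (or too far apart).

Added example, not from the original slides. Merchant locations, transactions
and the speed threshold are constructed for the example.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed merchant locations (store_id -> (lat, lon)).
MERCHANTS = {
    "STORE-A": (40.7128, -74.0060),   # New York
    "STORE-B": (40.7306, -73.9866),   # about 2.5 km from STORE-A
    "STORE-C": (34.0522, -118.2437),  # Los Angeles
}

# Constructed card transactions: (card_id, timestamp, store_id, amount).
TRANSACTIONS = [
    ("4111-XXXX-1234", "2024-03-04T12:00:00", "STORE-A", 80.00),
    ("4111-XXXX-1234", "2024-03-04T12:00:00", "STORE-B", 45.50),   # same minute, two stores
    ("4111-XXXX-1234", "2024-03-04T13:30:00", "STORE-C", 310.00),  # NY to LA in 90 minutes
    ("5500-XXXX-9876", "2024-03-04T09:00:00", "STORE-A", 20.00),
    ("5500-XXXX-9876", "2024-03-04T10:15:00", "STORE-B", 12.75),   # plausible
]


def haversine_km(p, q):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*p, *q))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_impossible_use(transactions, max_kmh=150.0):
    """Return (earlier_txn, later_txn, km, hours) for each consecutive pair on one
    card that would require travelling faster than `max_kmh` between merchants.
    A zero time gap (the simultaneous case in the slide) is always flagged."""
    by_card = {}
    for card, ts, store, amount in transactions:
        by_card.setdefault(card, []).append((datetime.fromisoformat(ts), store, amount))
    flagged = []
    for card, txns in by_card.items():
        txns.sort(key=lambda t: t[0])          # stable sort keeps equal timestamps in order
        for (t1, s1, a1), (t2, s2, a2) in zip(txns, txns[1:]):
            if s1 == s2:
                continue                       # repeat purchase at one store is a different pattern
            km = haversine_km(MERCHANTS[s1], MERCHANTS[s2])
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours == 0 or km / hours > max_kmh:
                flagged.append(((card, t1, s1, a1), (card, t2, s2, a2), round(km, 1), hours))
    return flagged


if __name__ == "__main__":
    for earlier, later, km, hours in flag_impossible_use(TRANSACTIONS):
        print(f"{earlier[0]}: {earlier[2]} -> {later[2]}, {km} km in {hours:.2f} h")
```

On the constructed data the first card is flagged twice (the simultaneous STORE-A/STORE-B pair, then the New York to Los Angeles jump) and the second card is not. The threshold is the tunable part: set it too low and every commuter trips it, which is exactly the false-positive problem the learned models in the slide are meant to reduce.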

MONITORING

‡ Implement a fraud hotline
± People who witness fraudulent behavior are
often torn between conflicting feelings.
‡ They want to protect company assets and report
fraud perpetrators.
‡ But they are uncomfortable in the whistleblower
role and find it easier to remain silent.
± They are particularly reluctant to report if they
know of others who have suffered
repercussions from doing so.

MONITORING

‡ SOX mandates that companies set up mechanisms for employees to anonymously report abuses such as fraud.
± An effective way to comply with the law and resolve
employee concerns is to provide access to an
anonymous hotline.
± Anonymous reporting can be accomplished through:
‡ Phone lines
‡ Web-based reporting
‡ Anonymous emails
‡ Snail mail

MONITORING
‡ Outsourcing is available through a number of third
parties and offers several benefits, including:
± Increased confidence on the part of employee that his/her
report is truly anonymous.
± 24/7 availability.
± Often have multilingual capabilities, an important plus for
multinational organizations.
± The outsourcer may be able to do follow up with the
employee if additional information is needed after the initial
contact.
± The employee can be advised of the outcome of his report.
± Low cost.

MONITORING

‡ A downside to anonymous reporting mechanisms is that they will produce a significant amount of petty or slanderous reports that do not require investigation.
‡ The ACFE's 2004 Report to the Nation indicates that companies without fraud hotlines had median fraud losses that were 10% higher than companies that had fraud hotlines.

SUMMARY
‡ In this chapter, you've learned about basic internal control
concepts and why computer control and security are so
important.
‡ You've learned about the similarities and differences between
the COBIT, COSO, and ERM control frameworks.
‡ You've learned about the major elements in the internal
control environment of a company and the four types of
control objectives that companies need to set.
‡ You've also learned about events that affect uncertainty and
how these events can be identified.
‡ You've explored how the Enterprise Risk Management model
is used to assess and respond to risk, as well as the control
activities that are commonly used in companies.
‡ Finally, you've learned how organizations communicate
information and monitor control processes.
