Companies are now recognizing the problems and taking positive steps to achieve better control, including:
- Devoting full-time staff to security and control concerns.
- Educating employees about control measures.
- Establishing and enforcing formal information security policies.
- Making controls a part of the applications development process.
- Moving sensitive data to more secure environments.

Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
- Assets (including data) are safeguarded.
- Records are maintained in sufficient detail to accurately and fairly reflect company assets.
- Accurate and reliable information is provided.
- There is reasonable assurance that financial reports are prepared in accordance with GAAP.
- Operational efficiency is promoted and improved.
- Adherence to prescribed managerial policies is encouraged.

Important aspects of SOX include:
- Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
- New rules for auditors.
- New rules for audit committees.
- New rules for management.

COBIT
- Also known as the Control Objectives for Information and Related Technology framework.
- Developed by the Information Systems Audit and Control Foundation (ISACF).
- A framework of generally applicable information systems security and control practices for IT control.

COSO
- The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
  - The American Accounting Association
  - The AICPA
  - The Institute of Internal Auditors
  - The Institute of Management Accountants
  - The Financial Executives Institute

COSO developed a model to illustrate the elements of ERM.

Columns at the top represent the four types of objectives that management must meet to achieve company goals:
- Strategic objectives
- Operations objectives
- Reporting objectives

Columns on the right represent the company's units:
- Entire company
- Division
- Business unit

The horizontal rows are eight related risk and control components, including:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response

- The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX.
- However, there are issues with it.

- An active and involved board of directors plays an important role in internal control.
- They should:
  - Oversee management
  - Scrutinize management's plans, performance, and activities
  - Approve company strategy
  - Review financial results
  - Annually review the company's security policy
  - Interact with internal and external auditors

- A company's organizational structure defines its lines of authority, responsibility, and reporting.
- It provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.

- Employees are both the company's greatest control strength and the greatest control weakness.
- Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.
- Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization's vulnerability.

Hiring
- Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.
- Employees should undergo a formal, in-depth employment interview.
- Resumes, reference letters, and thorough background checks are critical.

Compensating
- Employees should be paid a fair and competitive wage.
- Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud.
- Appropriate incentives can motivate and reinforce outstanding performance.

Policies on training
- Training programs should familiarize new employees with:
  - Their responsibilities.
  - Expected performance and behavior.
  - Company policies, procedures, history, culture, and operating style.
- Training needs to be ongoing, not just one time.
- Companies that shortchange training are more likely to experience security breaches and fraud.

Discharging
- Fired employees are disgruntled employees.
- Disgruntled employees are more likely to commit sabotage or fraud against the company.
- Employees who are terminated (whether voluntarily or involuntarily) should be removed from sensitive jobs immediately and denied access to information systems.

External influences
- External influences that affect the control environment include requirements imposed by:
  - FASB
  - PCAOB
  - SEC
  - Insurance commissions
  - Regulatory agencies for banks, utilities, etc.

As a rule of thumb:
- The mission and strategic objectives are stable.
- The strategy and other objectives are more dynamic:
  - Must be adapted to changing conditions.
  - Must be realigned with strategic objectives.

Operations objectives:
- Are a product of management preferences, judgments, and style.
- Vary significantly among entities: one may adopt technology; another waits until the bugs are worked out.
- Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures.
- Give clear direction for resource allocation, a key success factor.

- Some events pose more risk because they are more probable than others.
- Some events pose more risk because their dollar impact would be more significant.
- Likelihood and impact must be considered together: if either increases, the materiality of the event and the need to protect against it rises.

- Management must identify one or more controls that will protect the company from each event.
- In evaluating the benefits of each control procedure, consider effectiveness and timing.

All other factors equal:
- A preventive control is better than a detective one.
- However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
- Consequently, the three complement each other, and a good internal control system should have all three.
- Similarly, a company should use all four levers of control.

- It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
- Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.

The benefits of an internal control procedure must exceed its costs. Benefits can be hard to quantify, but include:
- Increased sales and productivity
- Reduced losses
- Better integration with customers and suppliers
- Increased customer loyalty
- Competitive advantages
- Lower insurance premiums

Costs are usually easier to measure than benefits. The primary cost is personnel, including:
- Time to perform control procedures
- Costs of hiring additional employees to effectively segregate duties
- Costs of programming controls into a system

Other costs of a poor control system include:
- Lost sales
- Lower productivity
- Drop in stock price if security problems arise
- Shareholder or regulator lawsuits
- Fines and penalties imposed by governmental agencies

The expected loss related to a risk is measured as:
- Expected loss = impact x likelihood
- Expected loss with the control procedure versus expected loss without it

- After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the change?

In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation.
- If an event threatens an organization's existence, it may be worthwhile to institute controls even if costs exceed expected benefits.
- The additional cost can be viewed as a catastrophic loss insurance premium.

- When controls are cost effective, they should be implemented so risk can be reduced.

Risks that are not reduced must be accepted, shared, or avoided.
- If the risk is within the company's risk tolerance, they will typically accept the risk.
- A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
- An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.

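The cost-benefit screening and the accept/reduce-or-share/avoid rules above, carried through in code as an added example (not part of the slides). The dollar figures, the event, the control names and the risk tolerance are constructed for illustration; a share response such as insurance is modelled as a Control whose cost is the premium.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate control (or a share response such as insurance) and its effect."""
    name: str
    cost: float              # cost of implementing the control
    likelihood_after: float  # probability of the event with the control in place
    impact_after: float      # dollar impact if the event still occurs


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood, the formula on the slide."""
    return impact * likelihood


def residual_loss(control: Control) -> float:
    """Expected loss with the control procedure in place."""
    return expected_loss(control.impact_after, control.likelihood_after)


def net_benefit(impact: float, likelihood: float, control: Control) -> float:
    """Reduction in expected loss attributable to the control, minus its cost."""
    return (expected_loss(impact, likelihood) - residual_loss(control)) - control.cost


def choose_response(impact, likelihood, tolerance, controls, threatens_existence=False):
    """Apply the slides' rules; returns (response, chosen control name or None)."""
    if expected_loss(impact, likelihood) <= tolerance:
        return ("accept", None)  # already within the company's risk tolerance
    # Cost-beneficial controls whose residual expected loss falls inside the
    # tolerance range, best net benefit first.
    candidates = sorted(
        (c for c in controls
         if net_benefit(impact, likelihood, c) > 0 and residual_loss(c) <= tolerance),
        key=lambda c: net_benefit(impact, likelihood, c), reverse=True)
    if candidates:
        return ("reduce/share", candidates[0].name)
    if threatens_existence and controls:
        # Existential threat: institute the control even though its cost exceeds the
        # expected benefit; the extra cost is a catastrophic-loss insurance premium.
        return ("reduce/share", min(controls, key=residual_loss).name)
    return ("avoid", None)  # no cost-effective way into the tolerance range


# Constructed example figures (not from the slides): a customer-data disclosure event.
DISCLOSURE = dict(impact=160_000, likelihood=0.25, tolerance=10_000, controls=[
    Control("encrypt customer database", cost=12_000, likelihood_after=0.25, impact_after=20_000),
    Control("cyber insurance (share)", cost=15_000, likelihood_after=0.25, impact_after=40_000),
])

if __name__ == "__main__":
    print(choose_response(**DISCLOSURE))  # ('reduce/share', 'encrypt customer database')
```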
- Management lacks the time and resources to supervise each employee activity and decision.
- Consequently, they establish policies and empower employees to perform activities within policy.
- This empowerment is called authorization and is an important part of an organization's control procedures.

Segregation of duties
- Good internal control requires that no single employee be given too much responsibility over business transactions or processes.
- An employee should not be in a position to commit and conceal fraud or unintentional errors.
- Segregation of duties is discussed in two sections:
  - Segregation of accounting duties
  - Segregation of duties within the systems function

- Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances.
- Change management is the process of making sure that the changes do not negatively affect:
  - Systems reliability
  - Security
  - Confidentiality
  - Integrity
  - Availability

- When people consider safeguarding assets, they most often think of cash and physical assets, such as inventory and equipment.
- Another company asset that needs to be protected is information.
- According to the ACFE's p00 National Fraud Survey, theft of information made up only 1-.3% of non-cash misappropriations; however, the median cost of an information theft was $30,000. This cost was 1pþ% higher than the next most costly non-asset theft. (Equipment theft had a median cost of $150,000.)

- Periodically reconcile recorded amounts to physical counts.
- Restrict access to assets.

The following independent checks are typically used:
- Top-level reviews
- Analytical reviews

Monitoring is the eighth component of COSO's ERM model. Monitoring can be accomplished with a series of ongoing events or by separate evaluations.

- ERM effectiveness can be measured through a formal evaluation or through a self-assessment process.
- A special group can be assembled to conduct the evaluation, or it can be done by internal auditing.

- Monitor system activities
- Track purchased software
- Conduct periodic audits
- Employ a computer security officer, a Chief Compliance Officer, and computer consultants
- Engage forensic specialists
- Install fraud detection software
- Implement a fraud hotline

- Includes the use of:
  - Budgets, quotas, schedules, standard costs, and quality standards;
  - Performance reports that compare actual with planned performance and highlight variances; and
  - Procedures for investigating significant variances and taking timely actions to correct adverse conditions.

- The Business Software Alliance (BSA) aggressively tracks down and fines companies that violate software license agreements.
- To comply with copyrights, companies should periodically conduct software audits to ensure that:
  - There are enough licenses for all users; and
  - The company is not paying for more licenses than needed.
- Employees should be informed of the consequences of using unlicensed software.

- To monitor risk and detect fraud and errors, the company should have periodic:
  - External audits
  - Internal audits
  - Special network security audits
- Auditors should test system controls and browse system usage files looking for suspicious activities (discussed in Chapter D).

- Forensic accountants specialize in fraud detection and investigation.
- Forensic accounting is now one of the fastest growing areas of accounting due to:
  - SOX
  - SAS-DD
  - Boards of Directors demanding that forensic accounting be an ongoing part of the financial reporting and corporate governance process.