CIS Midterms

Date post: 01-Jun-2018
Upload: km-macatangay
  • 8/9/2019 CIS Midterms

    1/42

    Control and Accounting Information Systems

    INTRODUCTION

    Why AIS threats are increasing

    Control risks have increased in the last few years because:

    There are computers and servers everywhere, and information is available to an unprecedented number of workers.

    Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.

    Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.

    Historically, many organizations have not adequately protected their data due to one or more of the following reasons:

    Computer control problems are often underestimated and downplayed.

    Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.

    Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.

    Productivity and cost pressures may motivate management to forego time-consuming control measures.

    Some vocabulary terms for this chapter:

    A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.

    The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.

    The likelihood is the probability that the threat will occur.

    Why control and security are important

    Devoting full-time staff to security and control concerns.

    Educating employees about control measures.

    Establishing and enforcing formal information security policies.

    Making controls a part of the applications development process.

    Moving sensitive data to more secure environments.

    As accountants, we must:

    Understand how to protect systems from threats.

    Have a good understanding of IT and its capabilities and risks.

    Achieving adequate security and control over the information resources of an organization should be a top management priority.

    Example: Although computer processing may reduce clerical errors, it may increase risks of unauthorized access or modification of data files.

    Segregation of duties must be achieved differently in an AIS as computer programs may be responsible for one or more of these functions.

    One of the primary objectives of an AIS is to control a business organization.

    Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.

    Management expects accountants to be control consultants by:

    Taking a proactive approach to eliminating system threats; and

    Detecting, correcting, and recovering from threats when they do occur.

    It is much easier to build controls into a system during the initial stage than to add them after the fact.

    Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

    OVERVIEW OF CONTROL CONCEPTS

    In today's dynamic business environment, companies must react quickly to changing conditions and markets. One way to do this is to:

    Hire creative and innovative employees.

    Give these employees power and flexibility to:

    Satisfy changing customer demands;

    Pursue new opportunities to add value to the organization; and

    Implement process improvements.

    At the same time, the company needs control systems so they are not exposed to excessive risks or behaviors that could harm their reputation for honesty and integrity.

    Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:

    Assets (including data) are safeguarded.

    This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.

    Records are maintained in sufficient detail to accurately and fairly reflect company assets.

    Accurate and reliable information is provided.

    There is reasonable assurance that financial reports are prepared in accordance with GAAP.

    Operational efficiency is promoted and improved.

    This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors' authorizations.

    Adherence to prescribed managerial policies is encouraged.


    The organization complies with applicable laws and regulations.

    Internal control is a process because:

    It permeates an organization's operating activities.

    It is an integral part of basic management activities.

    Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

    Internal control systems have inherent limitations, including:

    They are susceptible to errors and poor decisions.

    They can be overridden by management or by collusion of two or more employees.

    Internal control objectives are often at odds with each other.

    EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

    Internal controls perform three important functions:

    Preventive controls

    Deter problems before they arise.

    Detective controls

    Discover problems quickly when they do arise.

    Corrective controls

    Remedy problems that have occurred or been discovered by:

    Identifying the cause;

    Correcting the resulting errors; and

    Modifying the system to prevent future problems of this sort.

    Internal controls are often classified as:

    General controls

    Those designed to make sure an organization's control environment is stable and well managed.

    They apply to all sizes and types of systems, from large to complex mainframe systems to client server systems to desktop/laptop computer systems.

    Examples: Security management controls; information systems management controls; IT infrastructure controls; software acquisition, development and maintenance controls.

    Application controls

    Prevent, detect, and correct transaction errors and fraud.

    Concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

    An effective system of internal controls should exist in all organizations to:


    Help them achieve their missions and goals.

    Minimize surprises.

    SOX AND THE FOREIGN CORRUPT PRACTICES ACT

    In 1


    Auditor-management disagreements

    Audit partners must be rotated periodically.

    Auditors cannot perform certain non-audit services, such as:

    Bookkeeping

    Information systems design and implementation

    Internal audit outsourcing services

    Management functions

    Human resource services

    Permissible non-audit services must be approved by the board of directors and disclosed to investors.

    Cannot audit a company if a member of top management was employed by the auditor and worked on the company's audit in the past 12 months.

    New rules for audit committees

    Members must be on the company's board of directors and must otherwise be independent of the company.

    One member must be a financial expert.

    The committee hires, compensates, and oversees the auditors, and the auditors report directly to the committee.

    New rules for management

    The CEO and CFO must certify that:

    The financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.

    Management is responsible for internal controls.

    The auditors were advised of any material internal control weaknesses or fraud.

    Any significant changes to controls after management's evaluation were disclosed and corrected.

    If management willfully and knowingly violates the certification, they can be:

    Imprisoned up to 20 years

    Fined up to million

    Management and directors cannot receive loans that would not be available to people outside the company.

    They must disclose on a rapid and current basis material changes to their financial condition.

    New internal control requirements

    Section 404 of SOX requires companies to issue a report accompanying the financial statements that:


    States management is responsible for establishing and maintaining an adequate internal control structure and procedures.

    Contains management's assessment of the company's internal controls.

    Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.

    SOX also requires that the auditor attests to and reports on management's internal control assessment.

    Each audit report must describe the scope of the auditor's internal control tests.

    After the passage of SOX, the SEC further mandated that:

    Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model.

    The report must contain a statement identifying the framework used.

    Management must disclose any and all material internal control weaknesses.

    Management cannot conclude that the company has effective internal control if there are any material weaknesses.

    Levers of control

    A concise belief system

    Communicates company core values to employees and inspires them to live by it.

    Draws attention to how the organization creates value.

    Helps employees understand management's intended direction.

    Must be broad enough to appeal to all levels.

    A boundary system

    Helps employees act ethically by setting limits beyond which they must not pass.

    Does not create rules and standard operating procedures that can stifle creativity and initiative.

    Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as:

    Meeting minimum standards of performance

    Shunning off-limits activities

    Avoiding actions that could damage the company's reputation.

    A diagnostic control system

    Ensures efficient and effective achievement of important controls.

    This system measures company progress by comparing actual to planned performance.


    Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.

    Provides feedback to enable management to adjust and fine-tune.

    An interactive control system

    Helps top-level managers with high-level activities that demand frequent and regular attention. Examples:

    Developing company strategy.

    Setting company objectives.

    Understanding and assessing threats and risks.

    Monitoring changes in competitive conditions and emerging technologies.

    Developing responses and action plans to proactively deal with these high-level issues.

    Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.

    Data from this system are best interpreted and discussed in face-to-face meetings.

    CONTROL FRAMEWORKS

    A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:

    1. The COBIT framework

    Also known as the Control Objectives for Information and Related Technology framework.

    Developed by the Information Systems Audit and Control Foundation (ISACF).

    A framework of generally applicable information systems security and control practices for IT control.

    The COBIT framework allows:

    Management to benchmark security and control practices of IT environments.

    Users of IT services to be assured that adequate security and control exists.

    Auditors to substantiate their opinions on internal control and advise on IT security and control matters.

    The framework addresses the issue of control from three vantage points or dimensions:

    Business objectives

    To satisfy business objectives, information must conform to certain criteria referred to as "business requirements for information."

    The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:

    Effectiveness (relevant, pertinent, and timely)

    Efficiency


    Confidentiality

    Integrity

    Availability

    Compliance with legal requirements

    Reliability

    IT resources

    Includes:

    People

    Application systems

    Technology

    Facilities

    Data

    IT processes

    Broken into four domains:

    Planning and organization

    Acquisition and implementation

    Delivery and support

    Monitoring

    COBIT consolidates standards from J different sources into a single framework.

    It is having a big impact on the IS profession.

    Helps managers to learn how to balance risk and control investment in an IS environment.

    Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.

    Guides auditors as they substantiate their opinions and provide advice to management on internal controls.

    2. COSO's internal control framework

    The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:

    The American Accounting Association

    The AICPA

    The Institute of Internal Auditors

    The Institute of Management Accountants

    The Financial Executives Institute

    In 1


    Provides guidance for evaluating and enhancing internal control systems.

    Widely accepted as the authority on internal controls.

    Incorporated into policies, rules, and regulations used to control business activities.

    COSO's internal control model has five crucial components:

    Control environment

    The core of any business is its people. Their integrity, ethical values, and competence make up the foundation on which everything else rests.

    Control activities

    Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.

    Risk assessment

    The organization must be aware of and deal with the risks it faces.

    It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.

    Information and communication

    Information and communications systems surround the control activities.

    They enable the organization's people to capture and exchange information needed to conduct, manage, and control its operations.

    Monitoring

    The entire process must be monitored and modified as necessary.

    3. COSO's Enterprise Risk Management framework (ERM)

    Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.

    Result: Enterprise Risk Management Integrated Framework (ERM)

    An enhanced corporate governance document.

    Expands on elements of the preceding framework.

    Provides a focus on the broader subject of enterprise risk management.

    The intent of ERM is to achieve all goals of the internal control framework and help the organization:

    Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.

    Achieve its financial and performance targets.

    Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.

    Avoid adverse publicity and damage to the entity's reputation.


    ERM defines risk management as:

    A process effected by an entity's board of directors, management, and other personnel.

    Applied in strategy setting and across the enterprise.

    To identify potential events that may affect the entity.

    And manage risk to be within its risk appetite.

    In order to provide reasonable assurance of the achievement of entity objectives.

    Basic principles behind ERM:

    Companies are formed to create value for owners.

    Management must decide how much uncertainty they will accept.

    Uncertainty can result in:

    Risk

    The possibility that something will happen to:

    Adversely affect the ability to create value; or

    Erode existing value.

    Opportunity

    The possibility that something will happen to positively affect the ability to create or preserve value.

    The framework should help management manage uncertainty and its associated risk to build and preserve value.

    To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.

    COSO developed a model to illustrate the elements of ERM.

    Columns at the top represent the four types of objectives that management must meet to achieve company goals.


    Strategic objectives

    Strategic objectives are high-level goals that are aligned with and support the company's mission.

    Operations objectives

    Operations objectives deal with effectiveness and efficiency of company operations, such as:

    Performance and profitability goals

    Safeguarding assets

    Reporting objectives

    Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.

    Improve decision-making and monitor company activities and performance more efficiently.

    Compliance objectives

    Compliance objectives help the company comply with applicable laws and regulations.

    External parties often set the compliance rules.

    Companies in the same industry often have similar concerns in this area.

    ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.

    However, strategic and operations objectives are sometimes at the mercy of external events that the company can't control.

    Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.

    Columns on the right represent the company's units:

    Entire company

    Division

    Business unit

    Subsidiary

    The horizontal rows are eight related risk and control components, including:

    Internal environment

    The tone or culture of the company.

    Provides discipline and structure and is the foundation for all other components.

    Essentially the same as the control environment in the COSO internal control framework.

    Objective setting


    Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company's mission and are consistent with the company's tolerance for risk.

    Strategic objectives are set first as a foundation for the other three.

    The objectives provide guidance to companies as they identify risk-creating events and assess and respond to those risks.

    Event identification

    Requires management to identify events that may affect the company's ability to implement its strategy and achieve its objectives.

    Management must then determine whether these events represent:

    Risks (negative-impact events requiring assessment and response); or

    Opportunities (positive-impact events that influence strategy and objective-setting processes).

    Risk assessment

    Identified risks are assessed to determine how to manage them and how they affect the company's ability to achieve its objectives.

    Qualitative and quantitative methods are used to assess risks individually and by category in terms of:

    Likelihood

    Positive and negative impact

    Effect on other organizational units

    Risks are analyzed on an inherent and a residual basis.

    Corresponds to the risk assessment element in COSO's internal control framework.

    Risk response

    Management aligns identified risks with the company's tolerance for risk by choosing to:

    Avoid

    Reduce

    Share

    Accept

    Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and costs-benefits of alternate responses.

    Control activities

    To implement management's risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization.

    Corresponds to the control activities element in the COSO internal control framework.


    Information and communication

    Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.

    Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.

    Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.

    Has a corresponding element in the COSO internal control framework.

    Monitoring

    ERM processes must be monitored on an ongoing basis and modified as needed.

    Accomplished with ongoing management activities and separate evaluations.

    Deficiencies are reported to management.

    Corresponding module in the COSO internal control framework.

    The ERM model is three-dimensional.

    Means that each of the eight risk and control elements are applied to the four objectives in the entire company and/or one of its subunits.

    ERM Framework vs. the Internal Control Framework

    The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.

    It has too narrow of a focus.

    Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.

    Makes it difficult to know:

    Which control systems are most important.

    Whether they adequately deal with risk.

    Whether important control systems are missing.

    Focusing on controls first has an inherent bias toward past problems and concerns.

    May contribute to systems with many controls to protect against risks that are no longer important.

    These issues led to COSO's development of the ERM framework.

    Takes a risk-based, rather than controls-based, approach to the organization.

    Oriented toward the future and constant change.

    Incorporates rather than replaces COSO's internal control framework and contains three additional elements:

    Setting objectives.

    Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.


    Developing a response to assessed risk.

    Controls are flexible and relevant because they are linked to current organizational objectives.

    ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.

    Over time, ERM will probably become the most widely adopted risk and control model.

    Consequently, its eight components are the topic of the remainder of the chapter.

    INTERNAL ENVIRONMENT

    The most critical component of the ERM and the internal control framework.

    Is the foundation on which the other seven components rest.

    Influences how organizations:

    Establish strategies and objectives

    Structure business activities

    Identify, assess, and respond to risk

    A deficient internal control environment often results in risk management and control breakdowns.

    The internal environment consists of the following:

    Management's philosophy, operating style, and risk appetite

    An organization's management has shared beliefs and attitudes about risk.

    That philosophy affects everything the organization does, long- and short-term, and affects their communications.

    Companies also have a risk appetite, which is the amount of risk a company is willing to accept to achieve its goals and objectives.

    That appetite needs to be in alignment with company strategy.

    The more responsible management's philosophy and operating style, the more likely employees will behave responsibly.

    This philosophy must be clearly communicated to all employees; it is not enough to give lip service.

    Management must back up words with actions; if they show little concern for internal controls, then neither will employees.

    This component can be assessed by asking questions such as:

    Does management take undue business risks or assess potential risks and rewards before acting?

    Does management attempt to manipulate performance measures such as net income?

    Does management pressure employees to achieve results regardless of methods, or do they demand ethical behavior?


    The board of directors

    An active and involved board of directors plays an important role in internal control.

    They should:

    Oversee management

    Scrutinize management's plans, performance, and activities

    Approve company strategy

    Review financial results

    Annually review the company's security policy

    Interact with internal and external auditors

    Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders.

    At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.

    Public companies must have an audit committee, composed entirely of independent, outside directors.

    The audit committee oversees:

    The company's internal control structure;

    Its financial reporting process; and

    Its compliance with laws, regulations, and standards.

    Works with the corporation's external and internal auditors.

    Hires, compensates, and oversees the auditors.

    Auditors report all critical accounting policies and practices to the audit committee.

    Provides an independent review of management's actions.

    Commitment to integrity, ethical values, and competence

    Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence.

    Ethical standards of behavior make for good business.

    Tone at the top is everything.

    Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.

    Companies can endorse integrity as a basic operating principle by actively teaching and requiring it.

    Management should:

    Make it clear that honest reports are more important than favorable ones.

    Management should avoid:

    Unrealistic expectations, incentives, or temptations.


    Attitude of earnings or revenue at any price.

    Overly aggressive sales practices.

    Unfair or unethical negotiation practices.

    Implied kickback offers.

    Excessive bonuses.

    Bonus plans with upper and lower cutoffs.

    Management should not assume that employees would always act honestly.

    Consistently reward and encourage honesty.

    Give verbal labels to honest and dishonest acts.

    The combination of these two will produce more consistent moral behavior.

    Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct.

    In particular, such a code would cover issues that are uncertain or unclear.

    Dishonesty often appears when situations are gray and employees rationalize the most expedient action as opposed to making a right vs. wrong choice.

    SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees:

    Should be written at a fifth-grade level.

    Should be reviewed annually with employees and signed.

    This approach helps employees keep themselves out of trouble.

    Helps the company if they need to take legal action against the employee.

    Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.

    Reports of dishonest acts should be thoroughly investigated.

    Those found guilty should be dismissed.

    Prosecution should be undertaken when possible, so that other employees are clear about consequences.

    Companies must make a commitment to competence.

    Begins with having competent employees.

    Varies with each job but is a function of knowledge, experience, training, and skills.

    The levers of control, particularly beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants.

    Requires more than lip service and signing forms.

    Must be systems in which top management actively participates in order to:

    Demonstrate the importance of the system.

    Create buy-in and a team spirit.


    Organizational structure

    A company's organizational structure defines its lines of authority, responsibility, and reporting.

    Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.

    Important aspects of organizational structure:

    Degree of centralization or decentralization.

    Assignment of responsibility for specific tasks.

    Direct-reporting relationships or matrix structure.

    Organization by industry, product, geographic location, marketing network.

    How the responsibility allocation affects management's information needs.

    Organization of accounting and IS functions.

    Size and nature of company activities.

    Statistically, fraud occurs more frequently in organizations with complex structures.

    The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or

    The structure may be intentionally complex to facilitate the fraud.

    In today's business world, the hierarchical organizations with many layers of management are giving way to flatter organizations with self-directed work teams.

    Team members are empowered to make decisions without multiple layers of approvals.

    Emphasis is on continuous improvement rather than on regular evaluations.


    These changes have a significant impact on the nature and type of controls needed.

    Methods of assigning authority and responsibility

    Management should make sure:

    Employees understand the entity's objectives.

    Authority and responsibility for business objectives is assigned to specific departments and individuals.

    Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.

    Management:

    Must be sure to identify who is responsible for the IS security policy.

    Should monitor results so decisions can be reviewed and, if necessary, overruled.

    Authority and responsibility are assigned through:

    Formal job descriptions

    Employee training

    Operating plans, schedules, and budgets

    Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest

    Written policies and procedures manuals (a good job reference and job training tool), which cover:

    Proper business practices

    Knowledge and experience needed by key personnel

    Resources provided to carry out duties

    Policies and procedures for handling particular transactions

    The organization's chart of accounts

    Sample copies of forms and documents

    Human resources standards

    Employees are both the company's greatest control strength and the greatest control weakness.

    Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.

    Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization's vulnerability.

    The following policies and procedures are important:

    Hiring


    Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.

    Employees should undergo a formal, in-depth employment interview.

    Resumes, reference letters, and thorough background checks are critical.

    Background checks can involve:

    Verifying education and experience.

    Talking with references.

    Checking for criminal records, credit issues, and other publicly available data.

    Note that you must have the employee's or candidate's written permission to conduct a background check, but that permission does not need to have an expiration date.

    Background checks are important because recent studies show that about >M of resumes have been falsified or embellished.

    Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions.

    Some get phony degrees from online "diploma mills."

    A Pennsylvania district attorney recently filed suit against a Texas "university" for issuing an MBA to the DA's J-year-old black cat.

    Others actually hack (or hire someone to hack) into the systems of universities to create or alter transcripts and other academic data.

    No employee should be exempted from background checks. Anyone from the custodian to the company president is capable of committing fraud, sabotage, etc.

    Compensating

    Employees should be paid a fair and competitive wage.

    Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud.

    Appropriate incentives can motivate and reinforce outstanding performance.

    Training

    Evaluating and promoting

    Discharging

    Managing disgruntled employees

    Vacations and rotation of duties

    Confidentiality insurance and fidelity bonds

    Policies on training

    Training programs should familiarize new employees with:

    Their responsibilities.

    Expected performance and behavior.


    Com"any "olicies# "rocedures# history# culture# and o"erating style$

    Training needs to e ongoing# not )ust one time$

    Com"anies who shortchange training are more likely to e1"erience securityreaches and fraud$

    0any elieve em"loyee training and education are the most im"ortant elements offraud "revention and security "rograms$

    4raud is less likely to occur when em"loyees elieve security is everyone's usiness$

    An ideal cor"orate culture e1ists when!

    /m"loyees are "roud of their com"any and "rotective of its assets$

    They elieve fraud hurts everyone and that they therefore have ares"onsiility to re"ort it$

    These cultures do not )ust ha""en$ They must e created# taught# and "racticed# and thefollowing training should e "rovided!

    4raud awareness

    /m"loyees should e aware of fraud's "revalence and dangers# why "eo"ledo it# and how to deter and detect it$

    /thical considerations

    The com"any should "romote ethical standards in its "ractice and itsliterature$

    Acce"tale and unacce"tale ehavior should e de(ned and laeled#leaving as little gray area as "ossile$

    -unishment for fraud and unethical ehavior$

    /m"loyees should know the conse+uences @e$g$# re"rimand# dismissal#

    "rosecution of ad ehavior$

    Should e disseminated as a conse+uence rather than a threat$

    /9A0-5/! GUsing a com"uter to steal or commit fraud is a federal crime# andanyone doing so faces immediate dismissal and:or "rosecution$H

    The com"any should dis"lay notices of "rogram and data ownershi" andadvise em"loyees of the "enalties of misuse$

    Training can take "lace through!

    Informal discussions

    4ormal meetings

    -eriodic memos

    &ritten guidelines

    Codes of ethics

    Circulating re"orts of unethical ehavior and its conse+uences

    -romoting security and fraud training "rograms

    1!aluating and promoting


    Do "eriodic "erformance a""raisals to hel" em"loyees understand their strengthsand weaknesses$

    Base "romotions on "erformance and +uali(cations$

    ischarging

    4ired em"loyees are disgruntled em"loyees$

    Disgruntled em"loyees are more likely to commit a saotage or fraud against the

    com"any$

    /m"loyees who are terminated @whether voluntary or involuntary should eremoved from sensitive )os immediately and denied access to informationsystems$

    0anaging disgruntled employees

    Disgruntled em"loyees may e isolated and:or unha""y# ut are much likelier fraudcandidates than satis(ed em"loyees$

    The organi%ation can try to reduce the em"loyee's "ressures through grievancechannels and counseling$

    Di8cult to do ecause many em"loyees feel that seeking counseling willstigmati%e them in their )os$

    Disgruntled em"loyees should not e allowed to continue in )os where they couldharm the organi%ation$

    3acations and rotation of duties

    Some fraud schemes# such as la""ing and kiting# cannot continue without theconstant attention of the "er"etrator$

    0andatory vacations or rotation of duties can "revent these frauds or lead to earlydetection$

    These measures will only e e.ective if someone elseis doing the )o while theusual em"loyee is elsewhere$

    Con#dentiality insurance and #delity onds

    /m"loyees# su""liers# and contractors should e re+uired to sign and aide ynondisclosure or con(dentiality agreements$

    Fey em"loyees should have (delity ond insurance coverage to "rotect thecom"any against losses from fraudulent acts y those em"loyees$

    In addition to the "receding "olicies# the com"any should seek "rosecution andincarceration of hackers and fraud "er"etrators

    0ost fraud cases and hacker attacks go unre"orted$ They are not "rosecuted for severalreasons$

    Com"anies fear!

    -ulic relations nightmares

    Co"ycat attacks

    But unre"orted fraud and intrusions create a false sense of security$

    5aw enforcement o8cials and courts are usy with violent crimes and may regardteen hacking as Gchildish "ranks$H


    Fraud is difficult, costly, and time-consuming to investigate and prosecute.

    Law enforcement officials, lawyers, and judges often lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.

    When cases are prosecuted and a conviction obtained, penalties are often very light. Judges often regard the perps as "model citizens."

    External influences

    External influences that affect the control environment include requirements imposed by:

    FASB

    PCAOB

    SEC

    Insurance commissions

    Regulatory agencies for banks, utilities, etc.

    OBJECTIVE SETTING

    Objective setting is the second ERM component.

    It must precede many of the other six components.

    For example, you must set objectives before you can define events that affect your ability to achieve objectives.

    Top management, with board approval, must articulate why the company exists and what it hopes to achieve.

    Often referred to as the corporate vision or mission.

    Uses the mission statement as a base from which to set corporate objectives.

    The objectives:

    Need to be easy to understand and measure.

    Should be prioritized.

    Should be aligned with the company's risk appetite.

    Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub-units.

    For each set of objectives:

    Critical success factors (what has to go right) must be defined.

    Performance measures should be established to determine whether the objectives are met.

    Objective-setting process proceeds as follows:

    First, set strategic objectives, the high-level goals that support the company's mission and create value for shareholders.

    To meet these objectives, identify alternative ways of accomplishing them.

    For each alternative, identify and assess risks and implications.

    Formulate a corporate strategy.


    Then set operations, compliance, and reporting objectives.

    As a rule of thumb:

    The mission and strategic objectives are stable.

    The strategy and other objectives are more dynamic:

    Must be adapted to changing conditions.

    Must be realigned with strategic objectives.

    Operations objectives:

    Are a product of management preferences, judgments, and style.

    Vary significantly among entities:

    One may adopt technology; another waits until the bugs are worked out.

    Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures.

    Give clear direction for resource allocation, a key success factor.

    Compliance and reporting objectives:

    Many are imposed by external entities, e.g.:

    Reports to IRS or to EPA

    Financial reports that comply with GAAP

    A company's reputation can be impacted significantly (for better or worse) by the quality of its compliance.

    EVENT IDENTIFICATION

    Events are:

    Incidents or occurrences that emanate from internal or external sources.

    That affect implementation of strategy or achievement of objectives.

    Impact can be positive, negative, or both.

    Events can range from obvious to obscure.

    Effects can range from inconsequential to highly significant.

    By their nature, events represent uncertainty:

    Will they occur?

    If so, when?

    And what will the impact be?

    Will they trigger another event?

    Will they happen individually or concurrently?

    Management must do its best to anticipate all possible events, positive or negative, that might affect the company:

    Try to determine which are most and least likely.


    Understand the interrelationships of events.

    COSO identified many internal and external factors that could influence events and affect a company's ability to implement strategy and achieve objectives.

    Some of these factors include:

    External factors:

    Economic factors

    Availability of capital; lower or higher costs of capital

    Lower barriers to entry, resulting in new competition

    Price movements up or down

    Ability to issue credit and possibility of default

    Concentration of competitors, customers, or vendors

    Presence or absence of liquidity

    Movements in the financial markets or currency fluctuations

    Rising or falling unemployment rates

    Mergers or acquisitions

    Potential regulatory, contractual, or criminal legal liability

    Natural environment

    Natural disasters such as fires, floods, or earthquakes

    Emissions and waste

    Energy restrictions or shortages

    Restrictions limiting development

    Political factors

    Election of government officials with new agendas

    New laws and regulations

    Public policy, including higher or lower taxes

    Regulation affecting the company's ability to compete

    Social factors

    Changing demographics, social mores, family structures, and work/life priorities

    Consumer behavior that changes demand for products and services or creates new buying opportunities

    Corporate citizenship

    Privacy

    Terrorism

    Human resource issues causing production shortages or stoppages


    "echnological factors

    New e,usiness technologies that lower infrastructure costs or increasedemand for IT,ased services

    /merging technology

    Increased or decreased availaility of data

    Interru"tions or down time caused y e1ternal "arties

    Internal factors!

    Infrastructure

    Inade+uate access or "oor allocation of ca"ital

    Availaility and ca"aility of com"any assets

    Com"le1ity of systems

    &ersonnel

    /m"loyee skills and ca"aility

    /m"loyees acting dishonestly or unethically

    &ork"lace accidents# health or safety concerns

    Strikes or e1"iration of laor agreements

    &rocess

    -rocess modi(cation without "ro"er change management "rocedures

    -oorly designed "rocesses

    -rocess e1ecution errors

    Su""liers cannot deliver +uality goods on time "echnology

    Insu8cient ca"acity to handle "eak IT usages

    Security reaches

    Data or system unavailaility from internal factors

    Inade+uate data integrity

    -oor systems selection:develo"ment

    Inade+uately maintained systems

    5ists can hel" management identify factors# evaluate their im"ortance# and e1amine thosethat can a.ect o)ectives$

    Identifying events at the activity and entity levels allows com"anies to focus their riskassessment on ma)or usiness units or functions and align their risk tolerance and riska""etite$

    Com"anies usually use two or more of the following techni+ues together to identifyevents!

    8se comprehensi!e lists of potential e!ents


    Often "roduced y s"ecial software that can tailor lists to an industry#activity# or "rocess$

    &erform an internal analysis

    An internal committee analy%es events# contacting a""ro"riate insiders andoutsiders for in"ut$

    0onitor leading e!ents and trigger points

    A""ro"riate transactions# activities# and events are monitored and com"aredto "rede(ned criteria to determine when action is needed$

    Conduct $or/shops and inter!ie$s

    /m"loyee knowledge and e1"ertise is gathered in structured discussions orindividual interviews$

    &erform data mining and analysis

    /1amine data on "rior events to identify trends and causes that hel" identify"ossile events$

    Analye processes

    Analy%e internal and e1ternal factors that a.ect in"uts# "rocesses# andout"uts to identify events that might hel" or hinder the "rocess$

    RISF ASS/SS0/NT AND RISF R/S-ONS/

    The fourth and (fth com"onents of COSO's /R0 model are risk assessment and riskres"onse$

    COSO indicates there are two ty"es of risk!

    Inherent ris/

    The risk that e1ists efore management takes any ste"s to control the

    likelihood or im"act of a risk$

    Residual ris/

    The risk that remains after management im"lements internal controls orsome other form of res"onse to risk$

    Com"anies should!

    Assess inherent risk

    Develo" a res"onse

    Then assess residual risk

    The /R0 model indicates four ways to res"ond to risk!

    Reduce it

    The most e.ective way to reduce the likelihood and im"act of risk is toim"lement an e.ective system of internal controls$

    Accept it

    Don't act to "revent or mitigate it$

    Share it


    Transfer some of it to others via activities such as insurance, outsourcing, or hedging.

    Avoid it

    Don't engage in the activity that produces it.

    May require:

    Sale of a division

    Exiting a product line

    Canceling an expansion plan

    Accountants:

    Help management design effective controls to reduce inherent risk.

    Evaluate internal control systems to ensure they are operating effectively.

    Assess and reduce inherent risk using the risk assessment and response strategy.

    Event identification

    The first step in risk assessment and response strategy is event identification, which we have already discussed.

    Estimate likelihood and impact

    Some events pose more risk because they are more probable than others.

    Some events pose more risk because their dollar impact would be more significant.

    Likelihood and impact must be considered together:

    If either increases, the materiality of the event and the need to protect against it rises.

    Identify controls

    Management must identify one or more controls that will protect the company from each event.

    In evaluating benefits of each control procedure, consider effectiveness and timing.


    All other factors equal:

    A preventive control is better than a detective one.

    However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.

    Consequently, the three complement each other, and a good internal control system should have all three.

    Similarly, a company should use all four levers of control.

    Estimate costs and benefits

    It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.


    Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.

    The benefits of an internal control procedure must exceed its costs.

    Benefits can be hard to quantify, but include:

    Increased sales and productivity

    Reduced losses

    Better integration with customers and suppliers

    Increased customer loyalty

    Competitive advantages

    Lower insurance premiums

    Costs are usually easier to measure than benefits.

    Primary cost is personnel, including:

    Time to perform control procedures

    Costs of hiring additional employees to effectively segregate duties

    Costs of programming controls into a system

    Other costs of a poor control system include:

    Lost sales

    Lower productivity

    Drop in stock price if security problems arise

    Shareholder or regulator lawsuits

    Fines and penalties imposed by governmental agencies

    The expected loss related to a risk is measured as:

    Expected loss = impact × likelihood

    The value of a control procedure is the difference between:

    Expected loss without the control procedure

    Expected loss with it


    Determine cost-benefit effectiveness

    After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the control?

    In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation.

    If an event threatens an organization's existence, it may be worthwhile to institute controls even if costs exceed expected benefits.

    The additional cost can be viewed as a catastrophic loss insurance premium.


    Let's go through an example:

    Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.

    A catastrophic theft could result in losses of Q>>#>>>.

    Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is ;?M.

    Companies with motion detectors only have about a $M probability of catastrophic theft.

    The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about E#>>>.

    Should Hobby Hole install the motion detectors?

    Implement the control or avoid, share, or accept the risk

    When controls are cost effective, they should be implemented so risk can be reduced.


    Risks that are not reduced must be accepted, shared, or avoided.

    If the risk is within the company's risk tolerance, the company will typically accept the risk.

    A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.

    An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
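    The expected-loss formula, the cost-benefit test, the catastrophic-loss caveat and the four risk responses, worked through in code as an added example (not part of the original notes; the function names are mine and every event, control, dollar figure and probability in the register is constructed for illustration, not taken from the Hobby Hole example):

```python
"""Risk assessment and risk response worked as code (added example; not from the notes).

Implements the formulas from the notes:
    expected loss      = impact x likelihood
    value of a control = expected loss without the control - expected loss with it
    a control is cost-beneficial when its cost is below that reduction
and then selects one of the four ERM responses: reduce, accept, share, avoid.
All dollar figures and probabilities below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Control:
    name: str
    cost: float                 # present value of acquiring and operating the control
    residual_likelihood: float  # probability of the event once the control is in place


@dataclass
class Event:
    name: str
    impact: float               # dollar loss if the event occurs
    likelihood: float           # probability of the event with no control in place
    controls: list = field(default_factory=list)
    existential: bool = False   # True if the event threatens the organization's existence
    share_cost: Optional[float] = None  # premium for transferring the risk (insurance, hedging), if any


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood, rounded to cents."""
    return round(impact * likelihood, 2)


def control_value(event: Event, control: Control) -> float:
    """Reduction in expected loss attributable to the control."""
    return expected_loss(event.impact, event.likelihood) - expected_loss(event.impact, control.residual_likelihood)


def net_benefit(event: Event, control: Control) -> float:
    """Positive when the control is cost-beneficial (its cost is below the change in expected loss)."""
    return round(control_value(event, control) - control.cost, 2)


def choose_response(event: Event, risk_tolerance: float) -> dict:
    """Decision order taken from the notes:
    1. reduce when a cost-beneficial control exists (or the threat is existential);
    2. accept when inherent expected loss is already within tolerance;
    3. share when a transfer mechanism costs less than the inherent expected loss;
    4. avoid when nothing else brings the risk into tolerance."""
    inherent = expected_loss(event.impact, event.likelihood)
    result = {"event": event.name, "inherent": inherent, "residual": inherent, "control": None}

    scored = [(net_benefit(event, c), c) for c in event.controls]
    beneficial = [(nb, c) for nb, c in scored if nb > 0]
    if beneficial:
        nb, best = max(beneficial, key=lambda pair: pair[0])
        result.update(response="reduce", control=best.name, net_benefit=nb,
                      residual=expected_loss(event.impact, best.residual_likelihood))
        return result

    if event.existential and event.controls:
        # Costs exceed benefits, but the event could end the organization: treat the shortfall
        # as a catastrophic-loss insurance premium and install the most protective control anyway.
        best = min(event.controls, key=lambda c: c.residual_likelihood)
        result.update(response="reduce", control=best.name, net_benefit=net_benefit(event, best),
                      residual=expected_loss(event.impact, best.residual_likelihood))
        return result

    if inherent <= risk_tolerance:
        result.update(response="accept")
        return result

    if event.share_cost is not None and event.share_cost < inherent:
        result.update(response="share", residual=0.0, share_cost=event.share_cost)
        return result

    result.update(response="avoid", residual=0.0)
    return result


# Constructed risk register (hypothetical events, controls and figures).
RISK_REGISTER = [
    Event("warehouse theft", impact=200_000, likelihood=0.10,
          controls=[Control("motion detectors", cost=5_000, residual_likelihood=0.02)]),
    Event("office supply pilferage", impact=2_000, likelihood=0.50,
          controls=[Control("locked supply cabinet", cost=1_500, residual_likelihood=0.10)]),
    Event("data center flood", impact=5_000_000, likelihood=0.01, existential=True,
          controls=[Control("flood barrier and off-site backup", cost=80_000, residual_likelihood=0.002)]),
    Event("foreign-currency receivables", impact=300_000, likelihood=0.20, share_cost=15_000),
    Event("unlicensed product line", impact=1_000_000, likelihood=0.30),
]


def evaluate_register(register: list, risk_tolerance: float) -> list:
    """Apply choose_response to every event in a register; returns one result dict per event."""
    return [choose_response(e, risk_tolerance) for e in register]


if __name__ == "__main__":
    for row in evaluate_register(RISK_REGISTER, risk_tolerance=1_000):
        print(f"{row['event']:<30} {row['response']:<7} inherent={row['inherent']:>12,.2f} "
              f"residual={row['residual']:>12,.2f} control={row['control']}")
```

    With a risk tolerance of $1,000 the register yields reduce, accept, reduce (existential override), share and avoid in that order; the flood control shows a negative net benefit, which is exactly the "insurance premium" case the notes describe.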

    CONTROL ACTIVITIES

    The sixth component of COSO's ERM model.

    Control activities are policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and their risk responses are carried out.


    It is management's responsibility to develop a secure and adequately controlled system.

    Controls are much more effective when built in on the front end.

    Consequently, systems analysts, designers, and end users should be involved in designing adequate computer-based control systems.

    Management must also establish a set of procedures to ensure control compliance and enforcement.

    Usually, the purview of the information security officer and the operations staff.


    It is critical that controls be in place during the year-end holiday season. A disproportionate amount of computer fraud and security break-ins occur during this time because:

    More people are on vacation and fewer around to mind the store.


    Students are not tied up with school.

    Counterculture hackers may be lonely.

    Generally, control procedures fall into one of the following categories:

    Proper authorization of transactions and activities

    Segregation of duties

    Project development and acquisition controls

    Change management controls

    Design and use of documents and records

    Safeguard assets, records, and data

    Independent checks on performance


    Proper authorization of transactions and activities

    Management lacks the time and resources to supervise each employee activity and decision.

    Consequently, they establish policies and empower employees to perform activities within policy.

    This empowerment is called authorization and is an important part of an organization's control procedures.

    Authorizations are often documented by signing, initialing, or entering an authorization code.

    Computer systems can record digital signatures as a means of signing a document.

    Employees who process transactions should verify the presence of the appropriate authorizations.

    Auditors review transactions for proper authorization, as their absence indicates a possible control problem.

    Typically at least two levels of authorization:

    General authorization

    Management authorizes employees to handle routine transactions without special approval.

    Special authorization

    For activities or transactions that are of significant consequence, management review and approval is required.

    Might apply to sales, capital expenditures, or write-offs over a particular dollar limit.

    Management should have written policies for both types of authorization and for all types of transactions.

    Segregation of duties

    Good internal control requires that no single employee be given too much responsibility over business transactions or processes.


    /nsures that all a""licale devices are linked to the organi%ation's internaland e1ternal networks and that the networks o"erate continuously and"ro"erly$

    Security management

    /nsures that all as"ects of the system are secure and "rotected from internaland e1ternal threats$

    Change management

    0anages changes to the organi%ation's information system to ensure they aremade smoothly and e8ciently and to "revent errors and fraud$

    8sers

    Record transactions# authori%e data to e "rocessed# and use system out"ut$

    Systems analysts

    *el" users determine their information needs and design systems to meetthose needs$

    &rogramming

    Use design "rovided y the systems analysts to write the com"uter "rogramsfor the information system$

    Computer operations

    Run the software on the com"any's com"uters$

    /nsure that data are in"ut "ro"erly# correctly "rocessed# and needed out"utis "roduced$

    Information systems lirary

    0aintains custody of cor"orate dataases# (les# and "rograms in a se"arate

    storage area$

    ata control

    /nsures that source data have een "ro"erly a""roved$

    0onitors the 7ow of work through the com"uter$

    Reconciles in"ut and out"ut$

    0aintains a record of in"ut errors to ensure their correction and resumission$

    Distriutes system out"ut$

    It is im"ortant that di.erent "eo"le "erform the "receding functions$

    Allowing a "erson to do two or more )os e1"oses the com"any to the "ossiility offraud$

    In addition to ade+uate segregation of duties# organi%ations should ensure that the "eo"lewho design# develo"# im"lement# and o"erate the IS are +uali(ed and well trained$

    The same holds true for systems security "ersonnel$

    &roect de!elopment and ac,uisition controls


    It's im"ortant to have a formal# a""ro"riate# and "roven methodology to govern thedevelo"ment# ac+uisition# im"lementation# and maintenance of information systemsand related technologies$

    Should contain a""ro"riate controls for!

    0anagement review and a""roval

    User involvement

    Analysis

    Design

    Testing

    Im"lementation

    Conversion

    Should make it "ossile for management to trace information in"uts fromsource to dis"osition and vice versa @the audit trail$

    /1am"les aound of "oorly managed "ro)ects that have wasted large sums of money

    ecause certain asic "rinci"les of "ro)ect management control were ignored$

    The following asic "rinci"les of control should e a""lied to systems develo"ment inorder to reduce the "otential for cost overruns and "ro)ect failure and to im"rove thee8ciency and e.ectiveness of the IS!

    Strategic master plan

    A multi,year strategic "lan should align the organi%ation's information systemwith its usiness strategies and show the "ro)ects that must e com"leted toachieve long,range goals$

    Should address hardware# software# "ersonnel# and infrastructurere+uirements$

    /ach year# the oard and to" management should "re"are and a""rove the"lan and its su""orting udget$

    Should e evaluated several times a year to ensure the organi%ation canac+uire needed com"onents and maintain e1isting ones$

    &roect controls

    A "ro)ect develo"ment "lan shows how a "ro)ect will e com"leted# including!

    0odules or tasks to e "erformed

    &ho will "erform them

    Antici"ated com"letion dates

    -ro)ect costs

    -ro)ect milestones should e s"eci(ed"oints when "rogress is reviewed andactual com"letion times are com"ared to estimates$

    /ach "ro)ect should e assigned to a manager and team who are res"onsilefor its success or failure$

    At "ro)ect com"letion# a "ro)ect evaluation of the team memers should e"erformed$


    Data processing schedule

    Data processing tasks should be organized according to a schedule to maximize the use of scarce computer resources.

    Steering committee

    A steering committee should guide and oversee systems development and acquisition.

    System performance measurements

    To be evaluated properly, a system should be assessed with measures such as:

    Throughput (output per unit of time)

    Utilization (percent of time it is used productively)

    Response time (how long it takes to respond)

    Post-implementation review

    A review should be performed after a development project is completed to determine if the anticipated benefits were achieved.

    Helps control project development activities and encourages accurate and objective initial cost and benefit estimates.

    To simplify and improve systems development, some companies hire a systems integrator, a vendor who uses common standards and manages the development effort using their own personnel and those of the client and other vendors.

    Many companies rely on the integrator's assurance that the project will be completed on time.

    Unfortunately, the integrator is often wrong.

    These third-party systems development projects are subject to the same cost overruns and missed deadlines as systems developed internally.

    When using systems integrators, companies should adhere to the same basic rules used for project management of internal projects. In addition, they should:

    Develop clear specifications

    Before third parties bid, provide clear specifications, including:

    Exact descriptions and definitions of the system

    Explicit deadlines

    Precise acceptance criteria

    Although it's expensive to develop these specifications, it will save money in the end.

    Monitor the systems integration project

    A sponsors committee should monitor third-party development projects.

    Established by the CIO and chaired by the project's internal champion.

    Should include department managers from all units that will use the system.


    Should establish formal procedures for measuring and reporting project status.

    Best approach is to:

    Divide the project into manageable tasks.

    Assign responsibility for each task.

    Meet on a regular basis (at least monthly) to review progress and assess quality.

    Change management controls

    Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances.

    Change management is the process of making sure that the changes do not negatively affect:

    Systems reliability

    Security

    Confidentiality

    Integrity

    Availability

    Design and use of adequate documents and records

    Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data.

    Form and content should be kept as simple as possible to:

    Promote efficient record keeping

    Minimize recording errors

    Facilitate review and verification

    Documents that initiate a transaction should contain a space for authorization.

    Those used to transfer assets should have a space for the receiving party's signature.

    Documents should be sequentially pre-numbered:

    To reduce the likelihood that they would be used fraudulently.

    To help ensure that all valid transactions are recorded.

    A good audit trail facilitates:

    Tracing individual transactions through the system.

    Correcting errors.

    Verifying system output.

    Safeguard assets, records, and data

    When people consider safeguarding assets, they most often think of cash and physical assets, such as inventory and equipment.


    Another com"any asset that needs to e "rotected is information$

    According to the AC4/'s ?>>E National 4raud Survey# theft of information made u"only ;=$M of non,cash misa""ro"riations2 however# the median cost of aninformation theft was E>#>>>$ This cost was ;?JM higher than the ne1t mostcostly non,asset theft$ @/+ui"ment theft had a median cost of ;>#>>>$

    0any "eo"le mistakenly elieve that the greatest risks com"anies face are from outsiders$

    *owever# em"loyees "ose a much greater risk when it comes to loss of data ecause!

    They know the system and its weaknesses etter$

    They are etter ale to hide their illegal acts$

    Insiders also create less,intentional threats to systems# including!

    Accidentally deleting com"any data$

    Turning viruses loose$

    Trying to (1 hardware or software without a""ro"riate e1"ertise @i$e$# when in dout#un"lug it$

    These actions can result in crashed networks# corru"t data# and hardware and softwaremalfunctions$

    Com"anies also face signi(cant risks from customers and vendors that have access tocom"any data$

    0any ste"s can e taken to safeguard oth information and "hysical assets from theft#unauthori%ed use# and vandalism$ Cha"ters = and Q discuss com"uter,ased controls$ Inaddition# it is im"ortant to!

    0aintain accurate records of all assets

    &eriodically reconcile recorded amounts to physical counts.

    Restrict access to assets

    Use restricted storage areas for inventories and e+ui"ment$

    Use cash registers# safes# locko1es# and safe de"osit o1es to limitaccess to cash# securities# and "a"er assets$

    &rotect records and documents

    Use (re"roof storage areas# locked (ling cainets# acku" of (les@including co"ies at o.,site locations$

    5imit access to lank checks and documents to authori%ed "ersonnel$

    In#epen#ent checks on performance Internal checks to ensure that transactions are "rocessed accurately are an im"ortant

    control element$

    These checks should e "erformed y someone inde"endent of the "arty@ies res"onsilefor the activities$

    The following inde"endent checks are ty"ically used!

    "op9le!el re!ie$s

    0anagement at all levels should monitor com"any results and "eriodicallycom"are actual "erformance to!


    Planned performance as shown in budgets, targets, and forecasts

    Prior-period performance

    The performance of competitors

    Analytical reviews

    Examinations of relationships between different sets of data.

    EXAMPLE: If credit sales increased significantly during the period and there were no changes in credit policy, then bad debt expense should probably have increased also.

    Management should periodically analyze and review data relationships to detect fraud and other business problems.

    Reconciliation of independently maintained sets of records

    Check the accuracy and completeness of records by reconciling them with other records that should have the same balance.

    EXAMPLES:

    Bank reconciliations

    Comparing accounts payable control account to sum of subsidiary accounts.

    Comparison of actual quantities with recorded amounts

    Periodically, count significant assets and reconcile the count to company records.

    EXAMPLE: Annual physical inventory.

    High-dollar items and critical components should be counted more frequently.

    Double-entry accounting

    Ensure that debits equal credits.

    Independent review

    After one person processes a transaction, another reviews their work.
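    Three of the checks above (sequence control over pre-numbered documents, the debits-equal-credits test, and reconciling the accounts payable control account to the subsidiary ledger) can be automated over a journal export. The following is an added example, not code from the lecture notes or any textbook; the journal, vendor names and amounts are constructed, and the entry layout (document number plus account/debit/credit postings in cents) is an assumption.

```python
from collections import Counter

# Constructed journal: each entry is (document number, postings), where a posting is
# (account, debit cents, credit cents). Integer cents avoid floating-point drift.
# Document 1003 was never recorded, 1005 was posted twice, and 1006 does not balance.
JOURNAL = [
    (1001, [("Inventory", 50_000, 0), ("Accounts Payable", 0, 50_000)]),
    (1002, [("Inventory", 12_500, 0), ("Accounts Payable", 0, 12_500)]),
    (1004, [("Accounts Payable", 12_500, 0), ("Cash", 0, 12_500)]),
    (1005, [("Supplies", 3_000, 0), ("Accounts Payable", 0, 3_000)]),
    (1005, [("Supplies", 3_000, 0), ("Accounts Payable", 0, 3_000)]),
    (1006, [("Supplies", 4_500, 0), ("Cash", 0, 5_000)]),
]

# Constructed AP subsidiary ledger, kept independently of the general ledger: cents owed per vendor.
AP_SUBSIDIARY = {"Acme Supply": 50_000, "Globex Office": 3_000}


def sequence_check(journal, first, last):
    """Pre-numbered documents: return numbers never recorded and numbers recorded more than once."""
    seen = Counter(doc for doc, _ in journal)
    missing = [n for n in range(first, last + 1) if n not in seen]
    duplicates = sorted(n for n, count in seen.items() if count > 1)
    return missing, duplicates


def unbalanced_entries(journal):
    """Double-entry check: list documents whose debits do not equal their credits."""
    return [doc for doc, postings in journal
            if sum(dr for _, dr, _ in postings) != sum(cr for _, _, cr in postings)]


def control_balance(journal, account):
    """Credit-normal balance of a general-ledger control account, in cents."""
    return sum(cr - dr for _, postings in journal
               for acct, dr, cr in postings if acct == account)


def reconcile(control, subsidiary):
    """Compare the control account to the total of the independently kept subsidiary balances."""
    total = sum(subsidiary.values())
    return {"control": control, "subsidiary_total": total, "difference": control - total}


if __name__ == "__main__":
    print("sequence (missing, duplicates):", sequence_check(JOURNAL, 1001, 1006))
    print("unbalanced documents:", unbalanced_entries(JOURNAL))
    ap = control_balance(JOURNAL, "Accounts Payable")
    print("AP reconciliation:", reconcile(ap, AP_SUBSIDIARY))
```

    The 3,000-cent difference in the reconciliation and the duplicate number 1005 point at the same root cause, which is how independently maintained records corroborate each other.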

    INFORMATION AND COMMUNICATION

    The seventh component of COSO's ERM model.

    The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.

    So accountants must understand how:

    Transactions are initiated

    Data are captured in or converted to machine-readable form

    Computer files are accessed and updated

    Data are processed

    Information is reported to internal and external parties


    Accountants must also understand the accounting records and procedures, supporting documents, and specific financial statement accounts involved in processing and reporting transactions.

    The preceding items facilitate an audit trail which allows for transactions to be traced from origin to financial statements and vice versa.

    According to the AICPA, an AIS has five primary objectives:

    Identify and record all valid transactions.

    Properly classify transactions.

    Record transactions at their proper monetary value.

    Record transactions in the proper accounting period.

    Properly present transactions and related disclosures in the financial statements.

    How to safeguard information and physical assets:

    Create and enforce appropriate policies and procedures.

    Maintain accurate records of all assets.

    Restrict access to assets.

    Protect records and documents.

    Accounting systems generally consist of several accounting subsystems, each designed to process transactions of a particular type.

    Though they differ with respect to the type of transactions processed, all accounting subsystems follow the same sequence of procedures, referred to as accounting cycles.

    MONITORING

    The eighth component of COSO's ERM model.

    Monitoring can be accomplished with a series of ongoing events or by separate evaluations.


    Key methods of monitoring performance include:

    Perform ERM evaluation

    Can measure ERM effectiveness through a formal evaluation or through a self-assessment process.

    A special group can be assembled to conduct the evaluation or it can be done by internal auditing.

    Implement effective supervision

    Involves:

    Training and assisting employees;

    Monitoring their performance;

    Correcting errors; and

    Safeguarding assets by overseeing employees with access.


    The technology employees use on the job belongs to the company.

    Emails received on company computers are not private and can be read by supervisory personnel.

    Employees should not use technology in any way to contribute to a hostile work environment.

    Track purchased software

    The Business Software Alliance (BSA) aggressively tracks down and fines companies who violate software license agreements.

    To comply with copyrights, companies should periodically conduct software audits to ensure that:

    There are enough licenses for all users; and

    The company is not paying for more licenses than needed.

    Employees should be informed of the consequences of using unlicensed software.

    Conduct periodic audits

    To monitor risk and detect fraud and errors, the company should have periodic:

    External audits

    Internal audits

    Special network security audits

    Auditors should test system controls and browse system usage files looking for suspicious activities (discussed in Chapter


    Some com"anies em"loy neural net&orks@"rograms that mimic the rain andhave learning ca"ailities# which are very accurate in identifying sus"ected fraud$

    4or e1am"le# if a husand and wife were each using the same credit card in twodi.erent stores at the same time# a neural network would "roaly 7ag at least oneof the transactions immediately as sus"icious$

    These networks and other recent advances in fraud detection software aresigni(cantly reducing the incidences of credit card fraud$
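    The "same card in two stores at the same time" pattern in the example above can also be caught with a plain rule, which is how many fraud monitoring systems backstop their learned models. The following is an added illustration, not code from the lecture notes or from any fraud detection product: it is a deterministic check rather than a neural network, and the card numbers, merchants, cities, timestamps and the 15-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed card transactions: (card id, local timestamp, merchant, city).
# Card 4111 is used in two cities three minutes apart; card 4222 is used twice at one cafe.
TRANSACTIONS = [
    ("4111", "2019-08-09 10:00", "Grocer A", "Manila"),
    ("4222", "2019-08-09 10:05", "Cafe C", "Manila"),
    ("4111", "2019-08-09 10:03", "Hardware B", "Cebu"),
    ("4222", "2019-08-09 10:09", "Cafe C", "Manila"),
    ("4111", "2019-08-09 18:30", "Grocer A", "Manila"),
]


def flag_concurrent_use(transactions, window_minutes=15):
    """Return (card, earlier merchant, later merchant, minutes apart) for each pair of
    consecutive transactions on one card made in different cities within the window.
    Repeat purchases at the same location are left alone, since they are the normal case."""
    window = timedelta(minutes=window_minutes)
    rows = sorted(
        (card, datetime.strptime(ts, "%Y-%m-%d %H:%M"), merchant, city)
        for card, ts, merchant, city in transactions
    )  # sorting by (card, time) puts each card's own history in chronological order
    flags = []
    for prev, cur in zip(rows, rows[1:]):
        same_card = prev[0] == cur[0]
        if same_card and prev[3] != cur[3] and cur[1] - prev[1] <= window:
            minutes = int((cur[1] - prev[1]).total_seconds() // 60)
            flags.append((cur[0], prev[2], cur[2], minutes))
    return flags


if __name__ == "__main__":
    for card, first, second, minutes in flag_concurrent_use(TRANSACTIONS):
        print(f"card {card}: {first} then {second} in a different city {minutes} min later")
```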

    Implement a fraud hotline

    People who witness fraudulent behavior are often torn between conflicting feelings.

    They want to protect company assets and report fraud perpetrators.

    But they are uncomfortable in the whistleblower role and find it easier to remain silent.

    They are particularly reluctant to report if they know of others who have suffered repercussions from doing so.


    SOX mandates that companies set up mechanisms for employees to anonymously report abuses such as fraud.

    An effective way to comply with the law and resolve employee concerns is to provide access to an anonymous hotline.

    Anonymous reporting can be accomplished through:

    Phone lines

    Web-based reporting

    Anonymous emails

    Snail mail

    Outsourcing is available through a number of third parties and offers several benefits, including:

    Increased confidence on the part of the employee that his/her report is truly anonymous.

    24/7 availability.

    Often have multilingual capabilities, an important plus for multinational organizations.

    The outsourcer may be able to do follow up with the employee if additional information is needed after the initial contact.

    The employee can be advised of the outcome of his report.

    Low cost.

    A downside to anonymous reporting mechanisms is that they will produce a significant amount of petty or slanderous reports that do not require investigation.

