Upload
arianne-llorente
View
26
Download
1
Tags:
Embed Size (px)
DESCRIPTION
AIS ppt
Citation preview
1
Chapter 7 Controlling Information Systems:
Introduction to Enterprise Risk Management and Internal Control
Accounting Information Systems 7eUlric J. Gelinas and Richard Dull
Copyright © 2008 Thomson Southwestern, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.
2
Learning Objectives
• Summarize the eight elements of COSO’s Enterprise Risk Management—Integrated Framework.
• Understand that management employs internal control systems as part of organizational and IT governance initiatives.
• Describe how internal control systems assist organizations to achieve objectives and respond to risks.
• Describe fraud, computer fraud, and computer abuse.• Enumerate control goals for operations and information
processes.• Describe the major categories of control plans.
3
Organizational Governance
• Select Objectives
• Establish processes to achieve objectives
• Monitor performance toward objectives
4
Objective Setting Mission, vision, purpose: e.g., to be the leading producer of household products in the regions in which we operate
Strategicobjectivese.g., to be in thetop quartile ofproduct sales for retailers of our products
Strategye.g., expand productionof our top-five selling retailproducts to meet increaseddemand
Related objectives, e.g.,increase production of x by 15%hire 180 qualified new staffmaintain product quality
Source: Adapted from Enterprise Risk Management—Integrated Framework, Application Techniques, p. 20.
5
Why do we need controls?
• (1) to provide reasonable assurance that the goals of each business process are being achieved
• (2) to mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts)
• (3) to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.
6
Components of Enterprise Risk Management
• Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
• Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
• Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
7
Risk vs. Exposure
1. Estimate the annual dollar loss that would occur (i.e., the impact) should a costly event, say a destructive fire, take place. For argument sake, say that the estimated loss is –$1,000,000.
2. Estimate the annual probability that the event will occur (i.e., the likelihood). Suppose the estimate is 5 percent.
3. Multiply item 1 by item 2 to get an initial expected gross risk (loss) of –$50,000 (–$1,000,000 × 0.05), which is the maximum amount or upper limit that should be paid for controls and the related risk reduction offered by such controls, in a given year. Next, we illustrate a recommendation plan using one corrective control, a fire insurance policy, and one preventive control, a sprinkler system.
4. Assume that the company would pay $1,000 annually (cost of control) for a $20,000 fire insurance policy (reduced risk exposure due to control). The estimated monetary damage remains at $1 million and expected gross risk (loss) remains at –$50,000, because there is still a 5 percent chance that a fire could occur. But, the company’s residual expected risk exposure is now –$31,000 [–$50,000 + ($20,000 – $1,000)]. Our expected loss is reduced by the amount of the insurance policy (less the cost of the policy).
8
Risk vs. Exposure (Cont.)
4. Next, you recommend that the company install a sprinkler system with a 5-year annualized cost (net present value) of $10,000 each year to install and maintain (cost of control). At this point you might be tempted to say that the company’s residual expected risk just increased to –$41,000 (–$31,000 – $10,000), but wait! The sprinkler system lowered the likelihood of a damaging fire from 5 to 2 percent. In conjunction with this lower probability, the insurance company agreed to increase its coverage to $30,000 while holding the annual premium constant at $1,000.
5. Thus, the residual expected risk exposure is –$1,000, calculated as follows: Expected gross risk (–$20,000 or –$1,000,000 × 0.02) plus the insurance policy ($30,000) equals a gain of $10,000, but we must subtract the insurance premium ($1,000) and the sprinkler system ($10,000), leaving the residual expected risk at –$1,000.
9
Components of Enterprise Risk Management (Continued)
• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
• Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
10
Recent Internal Control Legislation
• Sarbanes-Oxley Act (SOA) of 2002– Created public company accounting
oversight board– Increased accountability for company
officers and board of directors– Increased white collar crime penalties– Prohibits audit firms from providing design
and implementation of financial information systems
11
Sarbanes-Oxley Act of 2002 (SOA)
• Section 302—CEOs and CFOs must certify quarterly and annual financial statements
• Section 404—Mandates the annual report filed with the SEC include an internal control report
12
Outline of SOA
2002
13
Definition of Internal Control
• From SAS 78 (1995) - adopted COSO definition:– INTERNAL CONTROL is a process-effected by a an
entity’s board of directors, management, and other personnel-designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness & efficiency of operations• Reliability of financial reporting• Compliance with applicable laws & regulations.
14
General Control Model
15
Five Interrelated Components of Internal Control
1. Control environment- tone at the top
2. Risk assessment - identification/analysis of risks
3. Control activities - policies and procedures
4. Information & communication - processing of info in a form and time frame to enable people to do their jobs
5. Monitoring - process that assess quality of internal control over time
16
COSO Report, SOA, and SAS 94
• In the section addressing implementation of the Sarbanes Oxley Act section 404, the SEC used the COSO description of internal control. – It went on to say that management must base its evaluation of the
effectiveness of its internal control system on a framework such as COSO
– COSO report stresses internal control is a process • A complementary perspective on internal control is found in
Statement on Auditing Standards (SAS) 94, entitled “The Effect on Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit.” – This standard guides auditors in understanding the impact of IT on
internal control and assessing IT-related control risks– Further, SAS 94 highlights how IT can be used to strengthen internal
control, while at the same time emphasizing how IT can actually weaken some controls
17
Fraud and its Relationship to Control
• Fraud: deliberate act or untruth intended to obtain unfair or unlawful gain.– Management charged with responsibility to prevent and/or
disclose fraud
– Control systems enable management to do this job
– Management responsible to provide internal control system per the Foreign Corrupt Practices Act of 1977
– Section 1102 of the Sarbanes-Oxley Act specifically addresses corporate fraud
– Instances of fraud undermine management’s ability to convince various authorities that it is upholding its stewardship responsibility
18
SAS 99• The accounting profession too has been proactive in
dealing with corporate fraud, as it has launched an anti-fraud program.
• One of the manifestations of this initiative is Statement on Auditing Standards (SAS) Number 99, entitled Consideration of Fraud in a Financial Statement Audit. – SAS 99 has the same title as its predecessor, SAS 82, but
the new standard is much more encompassing than the old. – For instance, SAS 99 emphasizes brainstorming fraud risks,
increasing professional skepticism, using unpredictable audit test patterns, and detecting management override of internal controls.
19
E&Y Fraud Survey• About 85 % of fraud committed by company insiders• About 55% of perpetrators were management employees• More fraud in less-developed countries• About 40% of frauds are known to the public, 20% are kept
confidential, and the other 40% are not yet discovered• The #1 fraud worry to executives is asset misappropriation• The #2 fraud worry to executives is computer crime• Most organizations now have formal fraud prevention
policies including codes of corporate governance and employee conduct
• Most useful fraud prevention techniques are internal controls, management reviews, and internal audits
20
2006 Report on Fraud by Assoc. of CFE
• Median loss $159,000• One quarter at least $1 million• Typical organization loses 5% of revenue to
fraud• Detected more likely by tips than internal
controls• Frauds by employees:
– 30% by accounting department employees– 20% by upper management
21
Preview of some Computer Crime
• Salami slicing - rounding• Back door – non-secured access point• Trojan horse – code in harmless looking
program• Logic bomb – go off on event
occurrence• Worm – network invasion• Zombie – takes over another computer
22
Ethics and Controls• COSO report stresses ethics as part of control
environment (tone at the top)
• AICPA has built ethics issues into CPA exam
• The Institute of Management Accountants has a code of ethics which is also tested on both the CMA and CFM exams
• Internal Auditing has ethics articles
• Many corporations have developed Codes of Conduct
23
Business Process Control Plans• Business Process Control Plans - reflect information
processing policies and procedures that assist in accomplishing control goals– The Control Environment The fact that the control environment
appears at the top of the hierarchy illustrates that the control environment comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.
– Pervasive control plans also relate to a multitude of goals and processes
• Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate.
• They are broad in scope and apply equally to all business processes, hence they pervade all systems.
– Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process the data.
24
25
Business Process Control Goals
• Control Goals - ends to be obtained– Control goals of operations processes– Control goals of information processes
26
Control Goals of the Operations Process
• Ensure effectiveness of operations
• Ensure efficient employment of resources
• Ensure security of resources
27
Control Goals of Operations Process• Ensure effectiveness of operations (including compliance)
– A measure of success in meeting one or more operations process goals which reflect the criteria used to judge the effectiveness of various business processes
– Ex. Deposit cash receipts on the day received
• Ensure efficient employment of resources– A measure of the productivity of the resources applied to achieve a
set of goals– Ex. What is the cost of people, computers, and other resources to
deposit cash on the day received
• Ensure security of resources– Protecting an organization’s resources from loss, destruction,
disclosure, copying, sale, or other misuse– Ex. Are cash and information resources available when required?– Are they put to authorized use?
28
Control Goals of the Information Process
• For business event inputs, ensure
–Input validity
–Input completeness
–Input accuracy
• For master data, ensure
–update completeness
–update accuracy
29
Control Goals of Information Process
• Input validity– Input data approved and represent actual economic events and objects– Ex. Are all cash receipts input into the process supported by customer
payments
• Input completeness– Requires that all valid events or objects be captured and entered into
the system– Ex. Are all valid customer payments captured on a customer remittance
advice (RA) and entered into the process?
• Input Accuracy– Requires that events be correctly captured and entered into the system– Ex. Is correct payment amount and customer number on the RA? – Ex. Is the correct payment amount and customer number keyed into
the system?
30
Control Goals of Information Process
• Update completeness– Requires all events entered into the computer are reflected in their
respective master data– Ex. Are all input cash receipts recorded in the AR master data?
• Update accuracy– Requires that data entered into a computer are reflected correctly in
their respective master data– Ex. Are all input cash receipts correctly recorded in the AR master
data?
31
Lenox Company Systems Flowchart
Custome r
M AILROOM ACCOUNTS RECEIVABLE COM PUTER CASHIER
RAs
Che cks
Endorse dChe cks
A
RAs
Ke y custome rnumbe r,inv o ice
numbe r,amount andche ck numbe r
"Acce pte dand
proce sse d"
Accountsre ce iv ab le
maste r data
Prin t de positslip
A
Endorse dChe cks
Te mpfile
F ile d un tilde posit slipis re ce iv e d
Endorse dChe cks
Error rou tinenot shown
CompareEndorse dChe cks
De positslip
1
De positslip
De positslip
1
2
Bank
Cashre ce ip ts
e v e nt data
Ve rify, log e v e n t oncash re ce ip ts e v e n t
data, update AR,notify cle rk
At e ndof day
RA = Re mittance adv ice
Endorseche cks
32
Control Goals for the Lenox Cash Receipts Process
Control Goals of the Lenox Cash Receipts Business Process
Control goals of the operations process Control goals of the information process
Ensure effectiveness of operations
Ensure efficient employment of resources (e.g., people and computers)
Ensure security of resources (e.g., checks and AR master data)
For the remittance advice inputs, ensure:
For the AR master data, ensure:
A B IV IC IA UC UA
Effectiveness goals include:A – Timely deposit of checksB – Comply with compensating balance agreements with the depository bank
IV = Input validityIC = Input completenessIA = Input accuracyUC = Update completenessUA = Update accuracy
33
Other Classifications of Control Plans
• Preventive Controls: Issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
• Detective Controls: Issue is discovered – unauthorized disbursement is discovered during reconciliation
• Corrective Controls: issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data
34
Gelinas and Dull Working Definition of IC: Key Points
• A system of internal control is not an end in itself. Rather, it is a means to an end—the end of attaining process objectives
• Internal control itself is a system. Therefore, like any system it must – (1) have clearly defined goals and – (2) consist of interrelated components that act in concert to achieve those
goals.– We can also say that internal control is a process
• Establishing a viable internal control system is management’s responsibility.
• The strength of any internal control system is largely a function of the people who operate it.
• Internal control cannot be expected to provide absolute, 100% assurance that the organization will reach its objectives. Rather, the operative phrase is that it should provide reasonable assurance
• Internal control is not free; controls should be built in and cost effective
35
Gelinas and Dull Working Definition of IC
– INTERNAL CONTROL is a process-effected by a an entity’s board of directors, management, and other personnel-designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness & efficiency of operations• Reliability of reporting• Compliance with applicable laws & regulations.
36
Chapter Important Points
• Need for controls• ERM components• COSO components• Definition of controls• Need to avoid fraud• Pervasive versus process controls• Process control goals (operations and
information)• Preventive, detective, and corrective controls