Transcript of control in AIS

8/12/2019 control in AIS

2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart

CHAPTER 6

Control and Accounting Information Systems

INTRODUCTION

Questions to be addressed in this chapter:

- What are the basic internal control concepts, and why are computer control and security important?
- What is the difference between the COBIT, COSO, and ERM control frameworks?
- What are the major elements in the internal environment of a company?
- What are the four types of control objectives that companies need to set?
- What events affect uncertainty, and how can they be identified?
- How is the Enterprise Risk Management model used to assess and respond to risk?
- What control activities are commonly used in companies?
- How do organizations communicate information and monitor control processes?

Why AIS Threats Are Increasing

Control risks have increased in the last few years because:

- There are computers and servers everywhere, and information is available to an unprecedented number of workers.
- Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
- Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.

Historically, many organizations have not adequately protected their data due to one or more of the following reasons:

- Computer control problems are often underestimated and downplayed.
- The control implications of moving from centralized, host-based computer systems to networked or Internet-based systems are not always fully understood.
- Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
- Productivity and cost pressures may motivate management to forgo time-consuming control measures.

Some vocabulary terms for this chapter:

- A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
- The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
- The likelihood is the probability that the threat will occur.

Control and Security Are Important

Companies are now recognizing the problems and taking positive steps to achieve better control, including:

- Devoting full-time staff to security and control concerns.
- Educating employees about control measures.
- Establishing and enforcing formal information security policies.
- Making controls a part of the applications development process.
- Moving sensitive data to more secure environments.

To use IT in achieving control objectives, accountants must:

- Understand how to protect systems from threats.
- Have a good understanding of IT and its capabilities and risks.

Achieving adequate security and control over the information resources of an organization should be a top management priority.

Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:

- Computer processing may reduce clerical errors but increase the risk of unauthorized access to, or modification of, data files.
- Segregation of duties must be achieved differently in an AIS.
- Computers provide opportunities for enhancement of some internal controls.

One of the primary objectives of an AIS is to control a business organization.

Accountants must help by designing effective control systems and by auditing or reviewing control systems already in place to ensure their effectiveness.

Management expects accountants to be control consultants by:

- Taking a proactive approach to eliminating system threats; and
- Detecting, correcting, and recovering from threats when they do occur.

It is much easier to build controls into a system during the initial stage than to add them after the fact.

Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

OVERVIEW OF CONTROL CONCEPTS

In today's dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:

- Hire creative and innovative employees.
- Give these employees the power and flexibility to satisfy changing customer demands, pursue new opportunities to add value to the organization, and implement process improvements.

At the same time, the company needs control systems so that it is not exposed to excessive risks or behaviors that could harm its reputation for honesty and integrity.

Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:

- Assets (including data) are safeguarded. This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
- Records are maintained in sufficient detail to accurately and fairly reflect company assets.
- Accurate and reliable information is provided.
- There is reasonable assurance that financial reports are prepared in accordance with GAAP.
- Operational efficiency is promoted and improved. This objective includes ensuring that company receipts and expenditures are made in accordance with management's and directors' authorizations.
- Adherence to prescribed managerial policies is encouraged.
- The organization complies with applicable laws and regulations.

Internal control is a process because:

- It permeates an organization's operating activities.
- It is an integral part of basic management activities.

Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

Internal control systems have inherent limitations, including:

- They are susceptible to errors and poor decisions.
- They can be overridden by management or by collusion of two or more employees.
- Internal control objectives are often at odds with each other. EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

Internal controls perform three important functions:

- Preventive controls deter problems before they arise.
- Detective controls discover problems quickly when they do arise.
- Corrective controls remedy problems that have occurred by identifying the cause, correcting the resulting errors, and modifying the system to prevent future problems of this sort.

Internal controls are often classified as:

- General controls: those designed to make sure an organization's control environment is stable and well managed. They apply to all sizes and types of systems. Example: security management controls.
- Application controls: prevent, detect, and correct transaction errors and fraud. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
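The chapter describes application controls in terms of accuracy, completeness, validity and authorization, and earlier classifies controls by function as preventive, detective or corrective. The Python below is an added example, not code from the textbook or its slides, showing how those checks look when written for a batch of journal entries: field validation and authorization with segregation of duties act as preventive controls, a batch control total as the detective control, and an exception report feeds the corrective follow-up. The field names, chart of accounts, user roles, approval limit and sample records are assumptions made for this example.

```python
"""Application-control checks over a constructed batch of journal-entry lines.
Added example, not the textbook's code. Field names, chart of accounts, roles,
approval limit and sample records are assumptions made for the example."""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import List, Optional, Tuple

# Assumed reference data (illustrative only).
CHART_OF_ACCOUNTS = {"1000", "1200", "2000", "5000"}
USER_ROLES = {"alice": {"clerk"}, "bob": {"clerk"}, "carol": {"clerk", "approver"}}
APPROVAL_LIMIT = Decimal("10000.00")  # entries above this need a second person
REQUIRED_FIELDS = ("id", "date", "account", "amount", "prepared_by")

@dataclass
class BatchResult:
    accepted: List[dict] = field(default_factory=list)
    exceptions: List[Tuple[str, str]] = field(default_factory=list)  # (record id, reason)

def validate_record(rec: dict) -> Optional[str]:
    """Preventive control (validity, accuracy): required fields, date format,
    numeric amount with two decimals, known account. None means the record passes."""
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in ("", None)]
    if missing:
        return "missing field(s): " + ", ".join(missing)
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        return "invalid date"
    try:
        amount = Decimal(str(rec["amount"]))
    except InvalidOperation:
        return "amount is not numeric"
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return "amount must be positive with at most two decimals"
    if rec["account"] not in CHART_OF_ACCOUNTS:
        return "account not in chart of accounts"
    return None

def authorize_record(rec: dict) -> Optional[str]:
    """Preventive control (authorization, segregation of duties): an entry over the
    limit needs an approver with the approver role who is not the preparer."""
    if rec["prepared_by"] not in USER_ROLES:
        return "unknown preparer"
    if Decimal(str(rec["amount"])) <= APPROVAL_LIMIT:
        return None
    approver = rec.get("approved_by")
    if not approver:
        return "amount over limit but no approver recorded"
    if approver == rec["prepared_by"]:
        return "preparer cannot approve own entry"
    if "approver" not in USER_ROLES.get(approver, set()):
        return approver + " lacks approver role"
    return None

def batch_totals(records: List[dict]) -> Tuple[int, Decimal]:
    """Record count and hash total of amounts as received (unparseable ones skipped)."""
    total = Decimal("0")
    for r in records:
        try:
            total += Decimal(str(r.get("amount", "")))
        except InvalidOperation:
            pass
    return len(records), total

def process_batch(records: List[dict], control_count: int, control_total: Decimal) -> BatchResult:
    """Detective control first (completeness): the batch as received must match the
    control slip, which catches records lost or altered in transit. Then the per-record
    preventive checks. Rejections go to the exception report for correction and resubmission."""
    result = BatchResult()
    count, total = batch_totals(records)
    if (count, total) != (control_count, control_total):
        result.exceptions.append(("BATCH", f"received {count} records / {total}, control slip says {control_count} / {control_total}"))
    for rec in records:
        reason = validate_record(rec) or authorize_record(rec)
        if reason:
            result.exceptions.append((str(rec.get("id", "?")), reason))
        else:
            result.accepted.append(rec)
    return result

# Constructed sample batch and control slip (not real data). The slip covers six
# records but only five arrived, so the batch-level check fires.
SAMPLE_BATCH = [
    {"id": "JE-1", "date": "2019-08-12", "account": "1200", "amount": "450.00", "prepared_by": "alice"},
    {"id": "JE-2", "date": "2019-08-12", "account": "5000", "amount": "12500.00", "prepared_by": "bob", "approved_by": "carol"},
    {"id": "JE-3", "date": "2019-08-12", "account": "5000", "amount": "15000.00", "prepared_by": "bob", "approved_by": "bob"},
    {"id": "JE-4", "date": "2019-13-40", "account": "1000", "amount": "20.00", "prepared_by": "alice"},
    {"id": "JE-5", "date": "2019-08-12", "account": "9999", "amount": "99.00", "prepared_by": "alice"},
]
SAMPLE_CONTROL_COUNT, SAMPLE_CONTROL_TOTAL = 6, Decimal("28094.00")

def run_sample() -> BatchResult:
    return process_batch(SAMPLE_BATCH, SAMPLE_CONTROL_COUNT, SAMPLE_CONTROL_TOTAL)

if __name__ == "__main__":
    for rid, why in run_sample().exceptions:
        print("exception:", rid, "-", why)
```

Running the module prints the exception report; `run_sample()` returns the same result for inspection. The batch check is deliberately run on the batch as received, before any record is rejected, so a count or total mismatch points to data lost or altered between capture and processing rather than to the per-record rejections that follow.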

An effective system of internal controls should exist in all organizations to:

- Help them achieve their missions and goals.
- Minimize surprises.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.

- The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.
- A significant effect was to require that corporations maintain good systems of internal accounting control.
- It generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.
- The resulting internal control improvements weren't sufficient.

In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.

The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka SOX). It applies to publicly held companies and their auditors.

Important aspects of SOX include:

Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.

- Has five members, three of whom cannot be CPAs.
- Charges fees to firms to fund the PCAOB.
- Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports.
- Currently recognizes FASB statements as being generally accepted.

New rules for auditors

- They must report specific information to the company's audit committee, such as critical accounting policies and practices, alternative GAAP treatments, and auditor-management disagreements.
- Audit partners must be rotated periodically.
- Auditors cannot perform certain non-audit services, such as bookkeeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services.
- Permissible non-audit services must be approved by the audit committee of the board of directors and disclosed to investors.
- A firm cannot audit a company if a member of top management was employed by the auditor and worked on the company's audit in the past 12 months.

New rules for audit committees

- Members must be on the company's board of directors and must otherwise be independent of the company.
- One member must be a financial expert.
- The committee hires, compensates, and oversees the auditors, and the auditors report directly to the committee.

New rules for management

- The CEO and CFO must certify that:
  - The financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
  - Management is responsible for internal controls.
  - The auditors were advised of any material internal control weaknesses or fraud.
  - Any significant changes to controls after management's evaluation were disclosed and corrected.
- If management willfully and knowingly violates the certification, they can be imprisoned for up to 20 years and fined up to $5 million.
- Management and directors cannot receive loans that would not be available to people outside the company.
- They must disclose on a rapid and current basis material changes to their financial condition.

New internal control requirements

- Section 404 of SOX requires companies to issue a report accompanying the financial statements that:
  - States that management is responsible for establishing and maintaining an adequate internal control structure and procedures.
  - Contains management's assessment of the company's internal controls.
  - Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.
- SOX also requires that the auditor attest to and report on management's internal control assessment.
- Each audit report must describe the scope of the auditor's internal control tests.

After the passage of SOX, the SEC further mandated that:

- Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
- The report must contain a statement identifying the framework used.
- Management must disclose any and all material internal control weaknesses.
- Management cannot conclude that the company has effective internal control if there are any material weaknesses.

Levers of Control

Many people feel there is a basic conflict between creativity and controls. Robert Simons has espoused four levers of control to help companies reconcile this conflict:

A concise belief system

- Communicates company core values to employees and inspires them to live by them.
- Draws attention to how the organization creates value.
- Helps employees understand management's intended direction.
- Must be broad enough to appeal to all levels.

A boundary system

- Helps employees act ethically by setting limits beyond which they must not pass.
- Does not create rules and standard operating procedures that can stifle creativity.
- Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as meeting minimum standards of performance, shunning off-limits activities, and avoiding actions that could damage the company's reputation.

A diagnostic control system

- Ensures efficient and effective achievement of important goals.
- Measures company progress by comparing actual to planned performance.
- Helps managers track critical performance outcomes and monitor the performance of individuals, departments, and locations.
- Provides feedback to enable management to adjust and fine-tune.

An interactive control system

- Helps top-level managers with high-level activities that demand frequent and regular attention, such as developing company strategy, setting company objectives, understanding and assessing threats and risks, monitoring changes in competitive conditions and emerging technologies, and developing responses and action plans to proactively deal with these high-level issues.
- Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.
- Data from this system are best interpreted and discussed in face-to-face meetings.

CONTROL FRAMEWORKS

A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:

- The COBIT framework
- The COSO internal control framework
- COSO's Enterprise Risk Management framework (ERM)

COBIT Framework

Also known as the Control Objectives for Information and Related Technology framework. Developed by the Information Systems Audit and Control Foundation (ISACF). It is a framework of generally applicable information systems security and control practices for IT control.

The COBIT framework allows:

- Management to benchmark the security and control practices of IT environments.
- Users of IT services to be assured that adequate security and control exist.
- Auditors to substantiate their opinions on internal control and advise on IT security and control matters.

The framework addresses the issue of control from three vantage points or dimensions:

Business objectives. To satisfy business objectives, information must conform to certain criteria referred to as business requirements for information. The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:

- Effectiveness (relevant, pertinent, and timely)
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance with legal requirements
- Reliability

IT resources, which include:

- People
- Application systems
- Technology
- Facilities
- Data

IT processes, broken into four domains:

- Planning and organization
- Acquisition and implementation
- Delivery and support
- Monitoring

COBIT consolidates standards from 36 different sources into a single framework. It is having a big impact on the IS profession:

- Helps managers learn how to balance risk and control investment in an IS environment.
- Provides users with greater assurance that the security and IT controls provided by internal and third parties are adequate.
- Guides auditors as they substantiate their opinions and provide advice to management on internal controls.


COSO's Internal Control Framework

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:

- The American Accounting Association
- The AICPA
- The Institute of Internal Auditors
- The Institute of Management Accountants
- The Financial Executives Institute

In 1992, COSO issued the Internal Control Integrated Framework, which:

- Defines internal controls.
- Provides guidance for evaluating and enhancing internal control systems.
- Is widely accepted as the authority on internal controls.
- Is incorporated into policies, rules, and regulations used to control business activities.

COSO's internal control model has five crucial components:

- Control environment
  The core of any business is its people. Their integrity, ethical values, and competence make up the foundation on which everything else rests.
- Control activities
  Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.
- Risk assessment
  The organization must be aware of and deal with the risks it faces. It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
- Information and communication
  Information and communication systems surround the control activities. They enable the organization's people to capture and exchange the information needed to conduct, manage, and control its operations.
- Monitoring
  The entire process must be monitored and modified as necessary.


Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process. The result was the Enterprise Risk Management - Integrated Framework (ERM):

- An enhanced corporate governance document.
- Expands on elements of the preceding framework.
- Provides a focus on the broader subject of enterprise risk management.

The intent of ERM is to achieve all the goals of the internal control framework and help the organization:

- Provide reasonable assurance that company objectives and goals are achieved and that problems and surprises are minimized.
- Achieve its financial and performance targets.
- Assess risks continuously and identify the steps to take and the resources to allocate to overcome or mitigate risk.
- Avoid adverse publicity and damage to the entity's reputation.

ERM defines risk management as:

- A process effected by an entity's board of directors, management, and other personnel
- Applied in strategy setting and across the enterprise
- To identify potential events that may affect the entity
- And manage risk to be within its risk appetite
- In order to provide reasonable assurance of the achievement of entity objectives.

Basic principles behind ERM:

- Companies are formed to create value for owners.
- Management must decide how much uncertainty they will accept.
- Uncertainty can result in:
  - Risk: the possibility that something will happen to adversely affect the ability to create value, or to erode existing value.
  - Opportunity: the possibility that something will happen to positively affect the ability to create or preserve value.

The framework should help management manage uncertainty and its associated risk to build and preserve value. To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.

COSO developed a model to illustrate the elements of ERM.

Columns at the top of the model represent the four types of objectives that management must meet to achieve company goals:

- Strategic objectives
  High-level goals that are aligned with and support the company's mission.
- Operations objectives
  Deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets.
- Reporting objectives
  Help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and a non-financial nature. They improve decision-making and let management monitor company activities and performance more efficiently.
- Compliance objectives
  Help the company comply with applicable laws and regulations. External parties often set the compliance rules, and companies in the same industry often have similar concerns in this area.

ERM can provide reasonable assurance that reporting and compliance objectives will be achieved, because companies have control over them. However, strategic and operations objectives are sometimes at the mercy of external events that the company can't control. Therefore, in these areas, the only reasonable assurance ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.

Columns on the right of the model represent the company's units:

- Entire company
- Division
- Business unit
- Subsidiary

The horizontal rows of the model are eight related risk and control components:

- Internal environment
  The tone or culture of the company. Provides discipline and structure and is the foundation for all other components. Essentially the same as the control environment in the COSO internal control framework.
- Objective setting
  Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company's mission and are consistent with the company's tolerance for risk. Strategic objectives are set first as a foundation for the other three. The objectives provide guidance to companies as they identify risk-creating events and assess and respond to those risks.
- Event identification
  Requires management to identify events that may affect the company's ability to implement its strategy and achieve its objectives. Management must then determine whether these events represent risks (negative-impact events requiring assessment and response) or opportunities (positive-impact events that influence strategy and objective-setting processes).
- Risk assessment
  Identified risks are assessed to determine how to manage them and how they affect the company's ability to achieve its objectives. Qualitative and quantitative methods are used to assess risks individually and by category in terms of likelihood, positive and negative impact, and effect on other organizational units. Risks are analyzed on an inherent and a residual basis. Corresponds to the risk assessment element in COSO's internal control framework.
- Risk response
  Management aligns identified risks with the company's tolerance for risk by choosing to avoid, reduce, share, or accept each risk. Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and the costs and benefits of alternative responses.

- Control activities
  To implement management's risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization. Corresponds to the control activities element in the COSO internal control framework.
- Information and communication
  Information about the company and the ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities. Information must be able to flow through all levels and functions in the company as well as to and from external parties. Employees should understand their role and importance in ERM and how these responsibilities relate to those of others. Has a corresponding element in the COSO internal control framework.
- Monitoring
  ERM processes must be monitored on an ongoing basis and modified as needed. This is accomplished with ongoing management activities and separate evaluations. Deficiencies are reported to management. Has a corresponding module in the COSO internal control framework.

The ERM model is three-dimensional: each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.
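The risk assessment and risk response components above describe scoring each identified risk on likelihood and impact, on both an inherent and a residual basis, and then choosing to avoid, reduce, share, or accept it so that the risk stays within the company's risk appetite, judged on a cost-benefit basis. The following is an added example, not code from the slides, the textbook, or COSO, showing one way to make that concrete. It assumes the risk appetite is expressed as a single figure (the maximum residual expected loss per risk that management will tolerate) and uses a hypothetical two-risk register with constructed figures.

```python
# Added example (not from the Romney/Steinbart slides): a small quantitative
# risk assessment and risk response selection in the spirit of the ERM
# components. Every risk, figure and response below is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Response:
    """One candidate response (avoid, reduce, share or accept) with its
    annual cost and the residual likelihood/impact it leaves behind."""
    kind: str            # "avoid", "reduce", "share" or "accept"
    annual_cost: float   # cost of implementing and running the response
    likelihood: float    # residual annual likelihood (0..1) after the response
    impact: float        # residual loss per occurrence after the response


@dataclass
class Risk:
    """A negative-impact event with inherent likelihood and impact."""
    name: str
    likelihood: float    # inherent annual likelihood (0..1)
    impact: float        # inherent loss per occurrence
    responses: List[Response] = field(default_factory=list)


def expected_loss(likelihood: float, impact: float) -> float:
    """Annualised expected loss: likelihood x impact."""
    return likelihood * impact


def inherent_loss(risk: Risk) -> float:
    """Expected loss before any response (the inherent basis)."""
    return expected_loss(risk.likelihood, risk.impact)


def residual_loss(response: Response) -> float:
    """Expected loss after the response (the residual basis)."""
    return expected_loss(response.likelihood, response.impact)


def total_cost(response: Response) -> float:
    """Cost-benefit figure: residual expected loss plus the response's own cost."""
    return residual_loss(response) + response.annual_cost


def candidate_responses(risk: Risk) -> List[Response]:
    """Accepting the risk unchanged is always an option at zero response cost."""
    accept = Response("accept", 0.0, risk.likelihood, risk.impact)
    return list(risk.responses) + [accept]


def choose_response(risk: Risk, risk_appetite: float) -> Tuple[Response, bool]:
    """Pick the cheapest response (residual loss plus response cost) whose
    residual expected loss is within the risk appetite. If no response gets
    the risk within appetite, return the one with the lowest residual loss
    and flag it (False) so management can treat it as an exception."""
    options = candidate_responses(risk)
    within = [r for r in options if residual_loss(r) <= risk_appetite]
    if within:
        return min(within, key=total_cost), True
    return min(options, key=residual_loss), False


def portfolio_view(risks: List[Risk], risk_appetite: float) -> Tuple[Dict[str, Tuple[str, bool]], float]:
    """Entity-wide (portfolio) view: a response per risk plus the total
    residual expected loss that remains across the register."""
    chosen: Dict[str, Tuple[str, bool]] = {}
    total_residual = 0.0
    for risk in risks:
        resp, within = choose_response(risk, risk_appetite)
        chosen[risk.name] = (resp.kind, within)
        total_residual += residual_loss(resp)
    return chosen, total_residual


# Constructed sample register (hypothetical figures, not from the slides).
PAYROLL_RISK = Risk(
    "Unauthorised access to payroll data", likelihood=0.20, impact=500_000.0,
    responses=[
        Response("reduce", 30_000.0, 0.05, 500_000.0),  # access controls and log review
        Response("share", 20_000.0, 0.20, 150_000.0),   # insurance carries most of the loss
        Response("avoid", 80_000.0, 0.0, 0.0),          # stop holding the data in-house
    ],
)
SUPPLIER_RISK = Risk(
    "Sole supplier outage", likelihood=0.50, impact=200_000.0,
    responses=[Response("reduce", 15_000.0, 0.30, 200_000.0)],  # safety stock
)
RISK_APPETITE = 40_000.0  # maximum residual expected loss per risk

if __name__ == "__main__":
    for risk in (PAYROLL_RISK, SUPPLIER_RISK):
        resp, within = choose_response(risk, RISK_APPETITE)
        print(f"{risk.name}: inherent {inherent_loss(risk):,.0f}, response {resp.kind}, "
              f"residual {residual_loss(resp):,.0f}, {'within' if within else 'EXCEEDS'} appetite")
    print("portfolio residual:", portfolio_view([PAYROLL_RISK, SUPPLIER_RISK], RISK_APPETITE)[1])
```

Two things the run shows that the slides only state: the cheapest option within appetite is not necessarily the one that reduces the risk most (sharing the payroll risk beats reducing it once the control's own cost is counted), and a risk that no available response brings within appetite is flagged rather than silently accepted, which is the point at which the monitoring component reports a deficiency to management. The model deliberately scores only likelihood and impact; the effect on other organizational units that the slides also list would need an extra term.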

ERM Framework vs. the Internal Control Framework

The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it:

- It has too narrow a focus. Examining controls without first examining the purposes and risks of business processes provides little context for evaluating the results. This makes it difficult to know:
  - Which control systems are most important.
  - Whether they adequately deal with risk.
  - Whether important control systems are missing.
- Focusing on controls first has an inherent bias toward past problems and concerns. This may contribute to systems with many controls that protect against risks that are no longer important.

These issues led to COSO's development of the ERM framework, which:

- Takes a risk-based, rather than controls-based, approach to the organization.
- Is oriented toward the future and constant change.
- Incorporates rather than replaces COSO's internal control framework and contains three additional elements:
  - Setting objectives.
  - Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.
  - Developing a response to assessed risk.

Controls are flexible and relevant because they are linked to current organizational objectives. ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.

Over time, ERM will probably become the most widely adopted risk and control model. Consequently, its eight components are the topic of the remainder of the chapter.

INTERNAL ENVIRONMENT

The internal environment is the most critical component of the ERM and the internal control framework. It is the foundation on which the other seven components rest, and it influences how organizations:

- Establish strategies and objectives
- Structure business activities
- Identify, assess, and respond to risk

A deficient internal control environment often results in risk management and control breakdowns.

The internal environment consists of the following:

- Management's philosophy, operating style, and risk appetite
- The board of directors
- Commitment to integrity, ethical values, and competence
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
- External influences


Management's Philosophy, Operating Style, and Risk Appetite

An organization's management has shared beliefs and attitudes about risk. That philosophy affects everything the organization does, long- and short-term, and affects its communications.

Companies also have a risk appetite, which is the amount of risk a company is willing to accept to achieve its goals and objectives. That appetite needs to be in alignment with company strategy.

The more responsible management's philosophy and operating style, the more likely employees will behave responsibly. This philosophy must be clearly communicated to all employees; it is not enough to give lip service. Management must back up words with actions; if they show little concern for internal controls, then neither will employees.

This component can be assessed by asking questions such as:

- Does management take undue business risks, or does it assess potential risks and rewards before acting?
- Does management attempt to manipulate performance measures such as net income?
- Does management pressure employees to achieve results regardless of methods, or does it demand ethical behavior?


The Board of Directors

An active and involved board of directors plays an important role in internal control. The board should:

- Oversee management
- Scrutinize management's plans, performance, and activities
- Approve company strategy
- Review financial results
- Annually review the company's security policy
- Interact with internal and external auditors

Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders. At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.

Public companies must have an audit committee, composed entirely of independent, outside directors. The audit committee:

- Oversees the company's internal control structure, its financial reporting process, and its compliance with laws, regulations, and standards.
- Works with the corporation's external and internal auditors.
- Hires, compensates, and oversees the auditors, who report all critical accounting policies and practices to the audit committee.
- Provides an independent review of management's actions.


Commitment to Integrity, Ethical Values, and Competence

Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence. Ethical standards of behavior make for good business. Tone at the top is everything: employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.

Companies can endorse integrity as a basic operating principle by actively teaching and requiring it. Management should make it clear that honest reports are more important than favorable ones, and should avoid:

- Unrealistic expectations, incentives, or temptations.
- An attitude of earnings or revenue at any price.
- Overly aggressive sales practices.
- Unfair or unethical negotiation practices.
- Implied kickback offers.
- Excessive bonuses.
- Bonus plans with upper and lower cutoffs.

Management should not assume that employees will always act honestly. It should:

- Consistently reward and encourage honesty.
- Give verbal labels to honest and dishonest acts.

The combination of these two will produce more consistent moral behavior.

Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct. In particular, such a code would cover issues that are uncertain or unclear. Dishonesty often appears when situations are gray and employees rationalize the most expedient action as opposed to making a right vs. wrong choice.

SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees, which:

- Should be written at a fifth-grade level.
- Should be reviewed annually with employees and signed.

This approach helps employees keep themselves out of trouble, and it helps the company if it needs to take legal action against an employee.

Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.

- Reports of dishonest acts should be thoroughly investigated.
- Those found guilty should be dismissed.
- Prosecution should be undertaken when possible, so that other employees are clear about the consequences.

Companies must make a commitment to competence. It begins with having competent employees. Competence varies with each job but is a function of knowledge, experience, training, and skills.

The levers of control, particularly beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants. This requires more than lip service and signing forms. They must be systems in which top management actively participates in order to:

- Demonstrate the importance of the system.
- Create buy-in and a team spirit.



113/314

    INTERNAL ENVIRONMENT

Organizational Structure

A company's organizational structure defines its lines of authority, responsibility, and reporting.

It provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.

115/314

    INTERNAL ENVIRONMENT

Statistically, fraud occurs more frequently in organizations with complex structures:

The structure may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or

The structure may be intentionally complex to facilitate the fraud.

116/314

    INTERNAL ENVIRONMENT

In today's business world, hierarchical organizations with many layers of management are giving way to flatter organizations with self-directed work teams.

Team members are empowered to make decisions without multiple layers of approvals.

Emphasis is on continuous improvement rather than on regular evaluations.

These changes have a significant impact on the nature and type of controls needed.


118/314

    INTERNAL ENVIRONMENT

Methods of Assigning Authority and Responsibility

Management should make sure:

Employees understand the entity's objectives.

Authority and responsibility for business objectives is assigned to specific departments and individuals.

Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.

Management:

Must be sure to identify who is responsible for the IS security policy.

Should monitor results so decisions can be reviewed and, if necessary, overruled.

119/314

    INTERNAL ENVIRONMENT

Authority and responsibility are assigned through:

Formal job descriptions

Employee training

Operating plans, schedules, and budgets

Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest

Written policies and procedures manuals (a good job reference and job training tool), which cover:

Proper business practices

Knowledge and experience needed by key personnel

Resources provided to carry out duties

Policies and procedures for handling particular transactions

The organization's chart of accounts

Sample copies of forms and documents


121/314

Human Resources Standards

Employees are both the company's greatest control strength and its greatest control weakness.

Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.

Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization's vulnerability.

122/314

The following policies and procedures are important:

Hiring

Compensating

Training

Evaluating and promoting

Discharging

Managing disgruntled employees

Vacations and rotation of duties

Confidentiality agreements and fidelity bond insurance


124/314

Hiring

Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.

Candidates should undergo a formal, in-depth employment interview.

Resumes, reference letters, and thorough background checks are critical.

125/314

Background checks can involve:

Verifying education and experience

Talking with references

Checking for criminal records, credit issues, and other publicly available data

Note that you must have the employee's or candidate's written permission to conduct a background check, but that permission does not need to have an expiration date.

Background checks are important because recent studies show that about 50% of resumes have been falsified or embellished.


128/314

Compensating

Employees should be paid a fair and competitive wage.

Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud.

Appropriate incentives can motivate and reinforce outstanding performance.


130/314

Policies on Training

Training programs should familiarize new employees with:

Their responsibilities.

Expected performance and behavior.

Company policies, procedures, history, culture, and operating style.

Training needs to be ongoing, not just one-time.

Companies that shortchange training are more likely to experience security breaches and fraud.

131/314

Many believe employee training and education are the most important elements of fraud prevention and security programs.

Fraud is less likely to occur when employees believe security is everyone's business.

An ideal corporate culture exists when:

Employees are proud of their company and protective of its assets.

They believe fraud hurts everyone and that they therefore have a responsibility to report it.

132/314

These cultures do not just happen. They must be created, taught, and practiced, and the following training should be provided:

Fraud awareness

Employees should be aware of fraud's prevalence and dangers, why people do it, and how to deter and detect it.

Ethical considerations

The company should promote ethical standards in its practice and its literature.

Acceptable and unacceptable behavior should be defined and labeled, leaving as little gray area as possible.

133/314

Punishment for fraud and unethical behavior

Employees should know the consequences (e.g., reprimand, dismissal, prosecution) of bad behavior.

These should be disseminated as a consequence rather than a threat.

EXAMPLE: Using a computer to steal or commit fraud is a federal crime, and anyone doing so faces immediate dismissal and/or prosecution.

The company should display notices of program and data ownership and advise employees of the penalties for misuse.

134/314

Training can take place through:

Informal discussions

Formal meetings

Periodic memos

Written guidelines

Codes of ethics

Circulating reports of unethical behavior and its consequences

Promoting security and fraud training programs


136/314

Evaluating and promoting

Do periodic performance appraisals to help employees understand their strengths and weaknesses.

Base promotions on performance and qualifications.


138/314

Discharging

Fired employees are disgruntled employees.

Disgruntled employees are more likely to commit sabotage or fraud against the company.

Employees who are terminated (whether voluntarily or involuntarily) should be removed from sensitive jobs immediately and denied access to information systems.


140/314

Managing disgruntled employees

Disgruntled employees may be isolated and/or unhappy, but they are much likelier fraud candidates than satisfied employees.

The organization can try to reduce the employees' pressures through grievance channels and counseling.

This is difficult to do because many employees feel that seeking counseling will stigmatize them in their jobs.

Disgruntled employees should not be allowed to continue in jobs where they could harm the organization.


142/314

Vacations and rotation of duties

Some fraud schemes, such as lapping and kiting, cannot continue without the constant attention of the perpetrator.

Mandatory vacations or rotation of duties can prevent these frauds or lead to early detection.

These measures will only be effective if someone else is doing the job while the usual employee is elsewhere.
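Two of the HR controls in this section, removing a terminated employee's system access immediately (the Discharging slide) and mandatory leave that only works if someone else actually performs the duty (the slide above), can both be verified against system records rather than taken on trust. The Python below is an added example, not code from the textbook or its authors: it reconciles an HR feed against an identity-store extract and an application audit trail, flagging terminated users whose accounts remain enabled or were used after the termination date, and employees who kept posting transactions during their own mandated leave. The record layouts, user names, dates, and the "cash receipts posting" duty are constructed assumptions chosen for the illustration.

```python
from datetime import date, datetime, timedelta

# Constructed sample data for this example (assumed layouts, not from the textbook).
# HR feed: one record per employment event.
HR_RECORDS = [
    {"user": "jsmith", "event": "terminated", "effective": date(2024, 3, 15)},
    {"user": "mlee", "event": "leave", "start": date(2024, 4, 1), "end": date(2024, 4, 12)},
    {"user": "rkhan", "event": "leave", "start": date(2024, 4, 8), "end": date(2024, 4, 19)},
]

# Identity-store extract (e.g. a directory export) as of the audit date.
ACCOUNTS = {
    "jsmith": {"enabled": True, "last_login": datetime(2024, 3, 20, 9, 5)},
    "mlee": {"enabled": True, "last_login": datetime(2024, 4, 15, 8, 0)},
    "rkhan": {"enabled": True, "last_login": datetime(2024, 4, 22, 8, 0)},
    "ssanchez": {"enabled": True, "last_login": datetime(2024, 4, 22, 8, 30)},
}

# Application audit trail for one duty (cash receipts posting).
AUDIT_LOG = [
    {"ts": datetime(2024, 3, 18, 10, 2), "user": "jsmith", "action": "post_receipt", "ref": "R-1001"},
    {"ts": datetime(2024, 4, 3, 11, 15), "user": "mlee", "action": "post_receipt", "ref": "R-1042"},
    {"ts": datetime(2024, 4, 5, 14, 30), "user": "mlee", "action": "post_receipt", "ref": "R-1043"},
    {"ts": datetime(2024, 4, 10, 9, 0), "user": "ssanchez", "action": "post_receipt", "ref": "R-1050"},
]


def stale_access_findings(hr_records, accounts, audit_log, grace=timedelta(0)):
    """Leaver check: for every terminated user, flag an account that is still
    enabled, a login after the termination date, and any audit-trail activity
    after it.  `grace` lets a site tolerate a short deprovisioning lag."""
    findings = []
    for rec in hr_records:
        if rec["event"] != "terminated":
            continue
        user = rec["user"]
        cutoff = datetime.combine(rec["effective"], datetime.min.time()) + grace
        acct = accounts.get(user)
        if acct and acct["enabled"]:
            findings.append((user, "account still enabled after termination"))
        if acct and acct["last_login"] and acct["last_login"] > cutoff:
            findings.append((user, f"login at {acct['last_login']:%Y-%m-%d %H:%M} after termination"))
        for ev in audit_log:
            if ev["user"] == user and ev["ts"] > cutoff:
                findings.append((user, f"{ev['action']} {ev['ref']} at {ev['ts']:%Y-%m-%d} after termination"))
    return findings


def leave_activity_findings(hr_records, audit_log):
    """Mandatory-leave check: the control only works if someone else performs
    the duty, so flag (a) postings by the employee during their own leave
    window and (b) windows in which nobody posted at all, which needs a
    manual check that the duty was really reassigned."""
    findings = []
    for rec in hr_records:
        if rec["event"] != "leave":
            continue
        start = datetime.combine(rec["start"], datetime.min.time())
        end = datetime.combine(rec["end"], datetime.max.time())
        in_window = [ev for ev in audit_log if start <= ev["ts"] <= end]
        own = [ev["ref"] for ev in in_window if ev["user"] == rec["user"]]
        others = [ev for ev in in_window if ev["user"] != rec["user"]]
        if own:
            findings.append((rec["user"], "activity during own mandated leave", own))
        elif not others:
            findings.append((rec["user"], "no postings by anyone during leave; verify duty was reassigned", []))
    return findings


if __name__ == "__main__":
    results = stale_access_findings(HR_RECORDS, ACCOUNTS, AUDIT_LOG) + leave_activity_findings(HR_RECORDS, AUDIT_LOG)
    for user, msg, *detail in results:
        print(user, "-", msg, detail[0] if detail else "")
```

On the constructed data this reports three findings for jsmith (account still enabled, a login, and a receipt posted after the termination date) and one for mlee, who posted two receipts during their own leave; rkhan's leave produces nothing because a colleague posted during the window. In practice the HR feed should be the authoritative source and the comparison should run on a schedule, since a leaver whose account survives is exactly the gap the Discharging slide warns about.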

144/314

Confidentiality agreements and fidelity bond insurance

Employees, suppliers, and contractors should be required to sign and abide by nondisclosure or confidentiality agreements.

Key employees should have fidelity bond insurance coverage to protect the company against losses from fraudulent acts by those employees.

146/314

Law enforcement officials and courts are busy with violent crimes and may regard teen hacking as childish pranks.

Fraud is difficult, costly, and time-consuming to investigate and prosecute.

Law enforcement officials, lawyers, and judges often lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.

When cases are prosecuted and a conviction obtained, penalties are often very light. Judges often regard the perpetrators as model citizens.


148/314

External Influences

External influences that affect the control environment include requirements imposed by:

FASB

PCAOB

SEC

Insurance commissions

Regulatory agencies for banks, utilities, etc.

149/314

OBJECTIVE SETTING

Objective setting is the second ERM component.

It must precede many of the six components that follow it.

For example, you must set objectives before you can define the events that affect your ability to achieve those objectives.

150/314

OBJECTIVE SETTING

Top management, with board approval, must articulate why the company exists and what it hopes to achieve.

This is often referred to as the corporate vision or mission.

The mission statement is used as a base from which to set corporate objectives.

The objectives:

Need to be easy to understand and measure.

Should be prioritized.

Should be aligned with the company's risk appetite.

151/314

OBJECTIVE SETTING

Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub-units.

For each set of objectives:

Critical success factors (what has to go right) must be defined.

Performance measures should be established to determine whether the objectives are met.

152/314

OBJECTIVE SETTING

The objective-setting process proceeds as follows:

First, set strategic objectives, the high-level goals that support the company's mission and create value for shareholders.

To meet these objectives, identify alternative ways of accomplishing them.

For each alternative, identify and assess risks and implications.

Formulate a corporate strategy.

Then set operations, compliance, and reporting objectives.

153/314

OBJECTIVE SETTING

As a rule of thumb:

The mission and strategic objectives are stable.

The strategy and other objectives are more dynamic:

They must be adapted to changing conditions.

They must be realigned with strategic objectives.

154/314

OBJECTIVE SETTING

Operations objectives:

Are a product of management preferences, judgments, and style.

Vary significantly among entities: one may adopt a technology early; another waits until the bugs are worked out.

Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures.

Give clear direction for resource allocation, a key success factor.

155/314

OBJECTIVE SETTING

Compliance and reporting objectives:

Many are imposed by external entities, e.g.:

Reports to the IRS or to the EPA

Financial reports that comply with GAAP

A company's reputation can be impacted significantly (for better or worse) by the quality of its compliance.

156/314

EVENT IDENTIFICATION

Events are:

Incidents or occurrences that emanate from internal or external sources

That affect implementation of strategy or achievement of objectives.

Impact can be positive, negative, or both.

Events can range from obvious to obscure.

Effects can range from inconsequential to highly significant.

157/314

EVENT IDENTIFICATION

By their nature, events represent uncertainty:

Will they occur?

If so, when? And what will the impact be?

Will they trigger another event?

Will they happen individually or concurrently?

    EV