Ais Romney 2006 Slides 06 Control And Ais Part 1
Published in: Education, Business, Technology

Transcript

  • 1. CHAPTER 6 Control and Accounting Information Systems
  • 2. INTRODUCTION
    - Questions to be addressed in this chapter:
      - What are the basic internal control concepts, and why are computer control and security important?
      - What is the difference between the COBIT, COSO, and ERM control frameworks?
      - What are the major elements in the internal environment of a company?
      - What are the four types of control objectives that companies need to set?
      - What events affect uncertainty, and how can they be identified?
      - How is the Enterprise Risk Management model used to assess and respond to risk?
      - What control activities are commonly used in companies?
      - How do organizations communicate information and monitor control processes?
  • 3. INTRODUCTION
    - Why AIS Threats Are Increasing
      - Control risks have increased in the last few years because:
        - There are computers and servers everywhere, and information is available to an unprecedented number of workers.
        - Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
        - Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.
  • 4. INTRODUCTION
    - Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
      - Computer control problems are often underestimated and downplayed.
      - Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
      - Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
      - Productivity and cost pressures may motivate management to forego time-consuming control measures.
  • 5. INTRODUCTION
    - Some vocabulary terms for this chapter:
      - A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
      - The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
      - The likelihood is the probability that the threat will occur.
  • 6. INTRODUCTION
    - Control and Security are Important
      - Companies are now recognizing the problems and taking positive steps to achieve better control, including:
        - Devoting full-time staff to security and control concerns.
        - Educating employees about control measures.
        - Establishing and enforcing formal information security policies.
        - Making controls a part of the applications development process.
        - Moving sensitive data to more secure environments.
  • 7. INTRODUCTION
    - To use IT in achieving control objectives, accountants must:
      - Understand how to protect systems from threats.
      - Have a good understanding of IT and its capabilities and risks.
    - Achieving adequate security and control over the information resources of an organization should be a top management priority.
  • 8. INTRODUCTION
    - Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
      - Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.
      - Segregation of duties must be achieved differently in an AIS.
      - Computers provide opportunities for enhancement of some internal controls.
  • 9. INTRODUCTION
    - One of the primary objectives of an AIS is to control a business organization.
      - Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.
    - Management expects accountants to be control consultants by:
      - Taking a proactive approach to eliminating system threats; and
      - Detecting, correcting, and recovering from threats when they do occur.
  • 10. INTRODUCTION
    - It is much easier to build controls into a system during the initial stage than to add them after the fact.
    - Consequently, accountants and control experts should be members of the teams that develop or modify information systems.
  • 11. OVERVIEW OF CONTROL CONCEPTS
    - In today’s dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
      - Hire creative and innovative employees.
      - Give these employees power and flexibility to:
        - Satisfy changing customer demands;
        - Pursue new opportunities to add value to the organization; and
        - Implement process improvements.
    - At the same time, a company needs control systems so that it is not exposed to excessive risks or to behaviors that could harm its reputation for honesty and integrity.
  • 12–18. OVERVIEW OF CONTROL CONCEPTS
    - Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
      - Assets (including data) are safeguarded.
        - This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
      - Records are maintained in sufficient detail to accurately and fairly reflect company assets.
      - Accurate and reliable information is provided.
      - There is reasonable assurance that financial reports are prepared in accordance with GAAP.
      - Operational efficiency is promoted and improved.
        - This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors’ authorizations.
      - Adherence to prescribed managerial policies is encouraged.
      - The organization complies with applicable laws and regulations.
  • 19. OVERVIEW OF CONTROL CONCEPTS
    - Internal control is a process because:
      - It permeates an organization’s operating activities.
      - It is an integral part of basic management activities.
    - Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.
  • 20. OVERVIEW OF CONTROL CONCEPTS
    - Internal control systems have inherent limitations, including:
      - They are susceptible to errors and poor decisions.
      - They can be overridden by management or by collusion of two or more employees.
    - Internal control objectives are often at odds with each other.
      - EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.
  • 21–23. OVERVIEW OF CONTROL CONCEPTS
    - Internal controls perform three important functions:
      - Preventive controls
        - Deter problems before they arise.
      - Detective controls
        - Discover problems quickly when they do arise.
      - Corrective controls
        - Remedy problems that have occurred by:
          - Identifying the cause;
          - Correcting the resulting errors; and
          - Modifying the system to prevent future problems of this sort.
  • 24–25. OVERVIEW OF CONTROL CONCEPTS
    - Internal controls are often classified as:
      - General controls
        - Those designed to make sure an organization’s control environment is stable and well managed.
        - They apply to all sizes and types of systems.
        - Examples: Security management controls.
      - Application controls
        - Prevent, detect, and correct transaction errors and fraud.
        - Are concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
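The three control functions on slides 21–23 (preventive, detective, corrective) and the four properties application controls protect on slide 25 (accuracy, completeness, validity, authorization) can be shown on a single batch of journal entries. The Python program below is an added example, not code from the Romney slides or the textbook; its field names, approval limits, chart of accounts, batch header and sample records are all constructed.

```python
"""Application controls over a constructed batch of journal entries.

Added illustration, not code from the Romney slides. The field names,
approval limits, chart of accounts and the sample batch are made up.
Preventive controls run per record before posting; detective controls
compare the posted batch with its header; every rejection lands in an
exception queue so the corrective step (find the cause, fix the error,
adjust the control) has a record to work from.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed authorization table: a role may approve amounts up to its limit.
APPROVAL_LIMITS = {"clerk": Decimal("500"), "manager": Decimal("5000")}
# Constructed chart of accounts used for the validity check.
VALID_ACCOUNTS = {"1010", "2020", "4000"}


@dataclass(frozen=True)
class Txn:
    seq: int          # sequence number assigned when the record was captured
    account: str
    amount: Decimal
    approver: str     # role that authorized the entry


def preventive_check(raw: dict):
    """Per-record checks applied before posting. Returns (Txn, None) when the
    record passes, or (None, reason) when it is rejected."""
    for name in ("seq", "account", "amount", "approver"):   # completeness of the record
        if name not in raw:
            return None, f"missing field {name}"
    try:                                                    # accuracy: well-formed amount
        amount = Decimal(str(raw["amount"]))
    except InvalidOperation:
        return None, "amount is not numeric"
    if amount <= 0:
        return None, "amount must be positive"
    if raw["account"] not in VALID_ACCOUNTS:                # validity: account must exist
        return None, f"unknown account {raw['account']}"
    limit = APPROVAL_LIMITS.get(raw["approver"])            # authorization: within limit
    if limit is None or amount > limit:
        return None, f"{raw['approver']} may not approve {amount}"
    return Txn(int(raw["seq"]), raw["account"], amount, raw["approver"]), None


def detective_checks(received_seqs, posted, header_count, header_total):
    """Batch-level checks run after posting: completeness (record count and
    sequence gaps) and accuracy (control total) against the batch header."""
    findings = []
    seqs = sorted(received_seqs)
    gaps = [s for s in range(seqs[0], seqs[-1] + 1) if s not in seqs] if seqs else []
    if gaps:
        findings.append(f"sequence gaps in received batch: {gaps}")
    if len(seqs) != header_count:
        findings.append(f"received {len(seqs)} records, header says {header_count}")
    posted_total = sum((t.amount for t in posted), Decimal(0))
    if posted_total != header_total:
        findings.append(f"posted total {posted_total} differs from header total {header_total}")
    return findings


def process_batch(records, header_count, header_total):
    """Run the controls over one batch. Returns posted entries, the exception
    queue of (seq, reason) pairs for corrective follow-up, and detective findings."""
    posted, exceptions = [], []
    for raw in records:
        txn, reason = preventive_check(raw)
        if txn is not None:
            posted.append(txn)
        else:
            exceptions.append((raw.get("seq"), reason))
    received = [int(r["seq"]) for r in records if "seq" in r]
    findings = detective_checks(received, posted, header_count, header_total)
    return posted, exceptions, findings


# Constructed batch: the header promises 5 records totalling 6100.00, but
# seq 3 (100.00) was lost in transfer, seq 2 exceeds the clerk's limit and
# seq 5 carries a mistyped amount.
SAMPLE_BATCH = [
    {"seq": 1, "account": "1010", "amount": "250.00", "approver": "clerk"},
    {"seq": 2, "account": "2020", "amount": "1200.00", "approver": "clerk"},
    {"seq": 4, "account": "4000", "amount": "4550.00", "approver": "manager"},
    {"seq": 5, "account": "1010", "amount": "12a.00", "approver": "clerk"},
]
SAMPLE_HEADER = (5, Decimal("6100.00"))

if __name__ == "__main__":
    posted, exceptions, findings = process_batch(SAMPLE_BATCH, *SAMPLE_HEADER)
    print("posted:", [(t.seq, str(t.amount)) for t in posted])
    print("exceptions:", exceptions)
    print("findings:", findings)
```

The split matters: a record that never arrived cannot be rejected by a per-record check, so it only shows up in the detective pass as a sequence gap and a count mismatch against the header, while the control-total difference tells the reviewer how much value is still unaccounted for. The exception queue is what the corrective step works from, and a recurring reason in it (clerks repeatedly submitting entries above their limit, for instance) is the signal to change the control rather than just fix the entries.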
  • 26. OVERVIEW OF CONTROL CONCEPTS
    - An effective system of internal controls should exist in all organizations to:
      - Help them achieve their missions and goals
      - Minimize surprises
  • 27. CONTROL FRAMEWORKS
    - A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
      - The COBIT framework
      - The COSO internal control framework
      - COSO’s Enterprise Risk Management framework (ERM)
  • 29. CONTROL FRAMEWORKS
    - COBIT Framework
      - Also known as the Control Objectives for Information and Related Technology framework.
      - Developed by the Information Systems Audit and Control Foundation (ISACF).
      - A framework of generally applicable information systems security and control practices for IT control.
  • 30. CONTROL FRAMEWORKS
    - The COBIT framework allows:
      - Management to benchmark security and control practices of IT environments.
      - Users of IT services to be assured that adequate security and control exists.
      - Auditors to substantiate their opinions on internal control and advise on IT security and control matters.
  • 31–33. CONTROL FRAMEWORKS
    - The framework addresses the issue of control from three vantage points or dimensions:
      - Business objectives
        - To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.”
        - The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
          - Effectiveness (relevant, pertinent, and timely)
          - Efficiency
          - Confidentiality
          - Integrity
          - Availability
          - Compliance with legal requirements
          - Reliability
      - IT resources
        - Includes:
          - People
          - Application systems
          - Technology
          - Facilities
          - Data
      - IT processes
        - Broken into four domains:
          - Planning and organization
          - Acquisition and implementation
          - Delivery and support
          - Monitoring
  • 34. CONTROL FRAMEWORKS
    - COBIT consolidates standards from 36 different sources into a single framework.
    - It is having a big impact on the IS profession.
      - Helps managers to learn how to balance risk and control investment in an IS environment.
      - Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.
      - Guides auditors as they substantiate their opinions and provide advice to management on internal controls.
  • 36. CONTROL FRAMEWORKS
    - COSO’s Internal Control Framework
      - The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
        - The American Accounting Association
        - The AICPA
        - The Institute of Internal Auditors
        - The Institute of Management Accountants
        - The Financial Executives Institute
  • 37. CONTROL FRAMEWORKS
    - In 1992, COSO issued the Internal Control Integrated Framework:
      - Defines internal controls.
      - Provides guidance for evaluating and enhancing internal control systems.
      - Widely accepted as the authority on internal controls.
      - Incorporated into policies, rules, and regulations used to control business activities.
  • 38–42. CONTROL FRAMEWORKS
    - COSO’s internal control model has five crucial components:
      - Control environment
        - The core of any business is its people.
        - Their integrity, ethical values, and competence make up the foundation on which everything else rests.
      - Control activities
        - Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.
      - Risk assessment
        - The organization must be aware of and deal with the risks it faces.
        - It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
      - Information and communication
        - Information and communications systems surround the control activities.
        - They enable the organization’s people to capture and exchange information needed to conduct, manage, and control its operations.
      - Monitoring
        - The entire process must be monitored and modified as necessary.
  • 44. CONTROL FRAMEWORKS
    - Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.
    - Result: Enterprise Risk Management Integrated Framework (ERM)
      - An enhanced corporate governance document.
      - Expands on elements of the preceding framework.
      - Provides a focus on the broader subject of enterprise risk management.
  • 45. CONTROL FRAMEWORKS
    - The intent of ERM is to achieve all goals of the internal control framework and help the organization:
      - Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.
      - Achieve its financial and performance targets.
      - Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.
      - Avoid adverse publicity and damage to the entity’s reputation.
  • 46. CONTROL FRAMEWORKS
    - ERM defines risk management as:
      - A process effected by an entity’s board of directors, management, and other personnel
      - Applied in strategy setting and across the enterprise
      - To identify potential events that may affect the entity
      - And manage risk to be within its risk appetite
      - In order to provide reasonable assurance of the achievement of entity objectives.
  • 47–48. CONTROL FRAMEWORKS
    - Basic principles behind ERM:
      - Companies are formed to create value for owners.
      - Management must decide how much uncertainty it will accept.
      - Uncertainty can result in:
        - Risk
          - The possibility that something will happen to:
            - Adversely affect the ability to create value; or
            - Erode existing value.
        - Opportunity
          - The possibility that something will happen to positively affect the ability to create or preserve value.
  • 49. CONTROL FRAMEWORKS
    - The framework should help management manage uncertainty and its associated risk to build and preserve value.
    - To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.
  • 50. CONTROL FRAMEWORKS
    - COSO developed a model to illustrate the elements of ERM.
  • 51–54. CONTROL FRAMEWORKS
    - Columns at the top represent the four types of objectives that management must meet to achieve company goals.
      - Strategic objectives
        - Strategic objectives are high-level goals that are aligned with and support the company’s mission.
      - Operations objectives
        - Operations objectives deal with effectiveness and efficiency of company operations, such as:
          - Performance and profitability goals
          - Safeguarding assets
      - Reporting objectives
        - Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
        - Improve decision-making and monitor company activities and performance more efficiently.
      - Compliance objectives
        - Compliance objectives help the company comply with applicable laws and regulations.
          - External parties often set the compliance rules.
          - Companies in the same industry often have similar concerns in this area.
  • 55. CONTROL FRAMEWORKS
    - ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.
    - However, strategic and operations objectives are sometimes at the mercy of external events that the company can’t control.
    - Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.
  • 56–59. CONTROL FRAMEWORKS
    - Columns on the right represent the company’s units:
      - Entire company
      - Division
      - Business unit
      - Subsidiary
• 60. CONTROL FRAMEWORKS
  - The horizontal rows are eight related risk and control components, including:
    - Internal environment
  - The tone or culture of the company.
  - Provides discipline and structure and is the foundation for all other components.
  - Essentially the same as the control environment in the COSO internal control framework.
• 61. CONTROL FRAMEWORKS
  - The horizontal rows are eight related risk and control components, including:
    - Internal environment
    - Objective setting
  - Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company's mission and are consistent with the company's tolerance for risk.
  - Strategic objectives are set first as a foundation for the other three.
  - The objectives provide guidance to companies as they identify risk-creating events and assess and respond to those risks.
• 62. CONTROL FRAMEWORKS
  - The horizontal rows are eight related risk and control components, including:
    - Internal environment
    - Objective setting
    - Event identification
  - Requires management to identify events that may affect the company's ability to implement its strategy and achieve its objectives.
  - Management must then determine whether these events represent:
    - Risks (negative-impact events requiring assessment and response); or
    - Opportunities (positive-impact events that influence strategy and objective-setting processes).
• 63. CONTROL FRAMEWORKS
  - The horizontal rows are eight related risk and control components, including:
    - Internal environment
    - Objective setting
    - Event identification
    - Risk assessment
  - Identified risks are assessed to determine how to manage them and how they affect the company's ability to achieve its objectives.
  - Qualitative and quantitative methods are used to assess risks individually and by category in terms of:
    - Likelihood
    - Positive and negative impact
    - Effect on other organizational units
  - Risks are analyzed on an inherent basis (before controls) and a residual basis (after controls).
  - Corresponds to the risk assessment element in COSO's internal control framework.
• 64. CONTROL FRAMEWORKS
  - The horizontal rows are eight related risk and control components, including:
    - Internal environment
    - Objective setting
    - Event identification
    - Risk assessment
    - Risk response
  - Management aligns identified risks with the company's tolerance for risk by choosing to:
    - Avoid
    - Reduce
    - Share
    - Accept
  - Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and the costs and benefits of alternative responses.
• 65. CONTROL FRAMEWORKS
  - The horizontal rows are eight related risk and control components, including:
    - Internal environment
    - Objective setting
    - Event identification
    - Risk assessment
    - Risk response
    - Control activities
  - To implement management's risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization.
  - Corresponds to the control activities element in the COSO internal control framework.
• 66. CONTROL FRAMEWORKS
  - The horizontal rows are eight related risk and control components, including:
    - Internal environment
    - Objective setting
    - Event identification
    - Risk assessment
    - Risk response
    - Control activities
    - Information and communication
  - Information about the company and the ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.
  - Information must be able to flow through all levels and functions in the company, as well as to and from external parties.
  - Employees should understand their role and importance in ERM and how their responsibilities relate to those of others.
  - Has a corresponding element in the COSO internal control framework.
• 67. CONTROL FRAMEWORKS
  - The horizontal rows are eight related risk and control components, including:
    - Internal environment
    - Objective setting
    - Event identification
    - Risk assessment
    - Risk response
    - Control activities
    - Information and communication
    - Monitoring
  - ERM processes must be monitored on an ongoing basis and modified as needed.
  - Accomplished with ongoing management activities and separate evaluations.
  - Deficiencies are reported to management.
  - Has a corresponding element in the COSO internal control framework.
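The risk assessment and risk response steps on slides 63 and 64 can be made concrete with a small risk register. The following is an added example, not part of the Romney slides or of the COSO framework text; the 1-5 likelihood and impact scales, the score formula (likelihood times impact), the point reductions attributed to controls, the numeric risk tolerance and the sample risks are all constructed assumptions chosen to show inherent versus residual scoring, the four responses, and the entity-wide (portfolio) view.

```python
"""Risk register applying the ERM risk assessment and risk response steps.

Added illustration, not part of the Romney slides or the COSO framework text.
Assumptions (constructed): 1-5 ordinal scales for likelihood and impact, risk
score = likelihood * impact, controls expressed as point reductions, and a
numeric risk tolerance set by management.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RISK_TOLERANCE = 8  # assumption: a residual score at or below this is acceptable


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points by which the control lowers likelihood
    impact_reduction: int = 0      # points by which the control lowers impact


@dataclass
class Risk:
    name: str
    unit: str               # organizational unit, used for the entity-wide view
    likelihood: int         # 1 (rare) .. 5 (almost certain), before any controls
    impact: int             # 1 (negligible) .. 5 (severe), before any controls
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before considering any control activities."""
        return self.likelihood * self.impact

    def residual(self) -> Tuple[int, int]:
        """(likelihood, impact) after existing controls, floored at 1."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik, imp

    def residual_score(self) -> int:
        lik, imp = self.residual()
        return lik * imp


def choose_response(risk: Risk, tolerance: int = RISK_TOLERANCE) -> str:
    """Select one of the four ERM responses for a risk (constructed decision rule).

    accept: residual exposure already within tolerance
    avoid : still likely and severe after controls, so stop the activity
    share : impact too large to carry alone (insurance, outsourcing, partnering)
    reduce: otherwise, add or strengthen control activities
    """
    if risk.residual_score() <= tolerance:
        return "accept"
    lik, imp = risk.residual()
    if lik >= 4 and imp >= 5:
        return "avoid"
    if imp >= 4:
        return "share"
    return "reduce"


def portfolio_view(risks: List[Risk]) -> Dict[str, int]:
    """Entity-wide (portfolio) view: total residual score per organizational unit."""
    totals: Dict[str, int] = {}
    for r in risks:
        totals[r.unit] = totals.get(r.unit, 0) + r.residual_score()
    return totals


# Constructed sample register; names and scores are illustrative only.
SAMPLE_RISKS = [
    Risk("Unauthorized access to payroll data", "Finance", 4, 5,
         [Control("MFA on payroll system", likelihood_reduction=2),
          Control("Quarterly access review", likelihood_reduction=1)]),
    Risk("Data centre flood", "IT", 3, 5,
         [Control("Offsite backups", impact_reduction=1)]),
    Risk("Key supplier price increase", "Operations", 5, 2),
    Risk("Entering a market with unclear licensing rules", "Operations", 5, 5),
]


def assess(risks: List[Risk] = SAMPLE_RISKS) -> List[Tuple[str, int, int, str]]:
    """Return (name, inherent score, residual score, chosen response) per risk."""
    return [(r.name, r.inherent_score(), r.residual_score(), choose_response(r))
            for r in risks]


if __name__ == "__main__":
    for name, inh, res, resp in assess():
        print(f"{name:48} inherent={inh:2} residual={res:2} -> {resp}")
    print("portfolio view:", portfolio_view(SAMPLE_RISKS))
```

On the sample register the payroll risk scores 20 inherently but only 5 after its access controls, so it is accepted; the flood keeps a severe impact after backups and is shared; the supplier risk has no controls and is reduced; the unlicensed-market risk stays both likely and severe and is avoided. The portfolio view shows that Operations carries most of the residual exposure, which is the kind of entity-wide comparison slide 64 describes.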
• 68. CONTROL FRAMEWORKS
  - The ERM model is three-dimensional.
  - This means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.
• 69. CONTROL FRAMEWORKS
  - ERM Framework vs. the Internal Control Framework
    - The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
      - It has too narrow a focus.
  - Examining controls without first examining the purposes and risks of business processes provides little context for evaluating the results.
  - This makes it difficult to know:
    - Which control systems are most important.
    - Whether they adequately deal with risk.
    - Whether important control systems are missing.
• 70. CONTROL FRAMEWORKS
  - ERM Framework vs. the Internal Control Framework
    - The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
      - It has too narrow a focus.
      - Focusing on controls first has an inherent bias toward past problems and concerns.
  - This may contribute to systems with many controls that protect against risks that are no longer important.
• 71. CONTROL FRAMEWORKS
  - These issues led to COSO's development of the ERM framework.
    - Takes a risk-based, rather than controls-based, approach to the organization.
    - Oriented toward the future and constant change.
    - Incorporates rather than replaces COSO's internal control framework and contains three additional elements:
      - Setting objectives.
      - Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.
      - Developing a response to assessed risk.
• 72. CONTROL FRAMEWORKS
    - Controls are flexible and relevant because they are linked to current organizational objectives.
    - ERM also recognizes more options than simply controlling risk, including accepting it, avoiding it, diversifying it, sharing it, or transferring it.
• 73. CONTROL FRAMEWORKS
  - Over time, ERM will probably become the most widely adopted risk and control model.
  - Consequently, its eight components are the topic of the remainder of the chapter.
