P1258864250EFziB - PowerPoint PPT Presentation

Description:

... (COSO) is a private sector group consisting of the AAA, AICPA, IIA, IMA, and FEI. ... COSO's internal control integrated framework is considered the ... – PowerPoint PPT presentation

Slides: 17
Provided by: CurtWes8

Transcript and Presenter's Notes

2
COSO Internal Control Integrated Framework
  • The Committee of Sponsoring Organizations (COSO)
    is a private sector group consisting of the AAA,
    AICPA, IIA, IMA, and FEI. COSO's internal control
    integrated framework is considered the authority
    on internal controls.
  • COSO's internal control model has five
    components:
  • Control environment
  • Risk assessment
  • Control Activities
  • Information and communication
  • Monitoring

3
Control Objectives for Information Technology
(COBIT)
  • Developed by the Information Systems Audit and
    Control Foundation to provide guidance to
    managers, users, and auditors on the best
    practices for the management of information
    technology.
  • According to COBIT
  • IT resources must be managed by IT control
    processes to ensure that the organization has the
    information it needs to achieve its objectives.
  • Exhibit 8.1 defines the IT resources that must be
    managed and Chapter 1 describes the qualities
    that this information must exhibit in order for
    it to be of value to the organization.

4
COBIT
  • COBIT organizes IT internal control into domains
    and processes
  • Domains include
  • Planning and organization
  • Acquisition and implementation
  • Delivery and support
  • Monitoring
  • Processes detail steps in each domain

5
Risk Identification
  • Economy Risks
  • Affect an entire economy
  • Examples include global economic downturn, war,
    epidemic, terrorism, environmental disasters
  • Industry Risks
  • Affect an entire industry
  • Examples include industry wide cost increases or
    demand decreases, or an economy risk that has an
    especially strong effect on a specific industry

6
Risk Identification
  • Enterprise Risks
  • Internal
  • Lack of ethics, low employee morale, employee
    incompetence
  • External
  • Increased competition, reduced brand quality
    perceptions, crises involving business partners
    (value system relationships), catastrophe that
    interrupts operations, merger or acquisition
  • Business Process Risks
  • Risks associated with business process objects
  • Rs, Es, As, and R-E, E-E, E-A, R-A
    relationships
  • Information Process Risks
  • Risks associated with recording, maintaining, and
    reporting information about business processes

7
The Control Matrix
  • The control matrix is a tool designed to assist
    you in analyzing a systems flowchart and related
    narrative.
  • It establishes the criteria to be used in
    evaluating the controls in a particular business
    process.

8
Sample Control Matrix
9
Operations Process Goals: Effectiveness Goals
  • Ensure the successful accomplishment of the goals
    set forth for the business process
  • Different processes have different effectiveness
    goals. For Causeway's cash receipts process we
    include only two examples here:
  • Goal A: to accelerate cash flow by promptly
    depositing cash receipts.
  • Goal B: to ensure compliance with compensating
    balance agreements with the depository bank.
  • Other possible goals of a cash receipts process
    would be shown as goals C, D, and so forth, and
    described at the bottom of the matrix (in the
    matrix legend).
  • With respect to other business processes, such as
    production, we might be concerned with
    effectiveness goals related to the following:
  • Goal A: to maintain customer satisfaction by
    finishing production orders on time.
  • Goal B: to increase market share by ensuring the
    highest quality of finished goods.

10
Operations Process Goals: Efficiency Goals
  • The purpose of efficiency control goals of the
    operations process is to ensure that all
    resources used throughout the business process
    are being employed in the most productive manner.
  • In parentheses, notice that we have listed two
    resources of the cash receipts process for which
    efficiency is applicable: people and computers.
  • In fact, people and computers would always be
    considered in the efficiency assessments related
    to accounting information systems.
  • In other business processes, such as receiving
    goods and supplies, we might also be concerned
    with the productive use of equipment such as
    trucks, forklifts, and hand-held scanners.

11
Operations Process Goals: Security Goals
  • The purpose of security control goals of the
    operations process is to ensure that entity
    resources are protected from loss, destruction,
    disclosure, copying, sale, or other misuse.
  • In parentheses, we have included two resources of
    the cash receipts process over which security
    must be ensured: cash and information (accounts
    receivable master data).
  • With any business process, we are concerned with
    information that is added, changed, or deleted as
    a result of executing the process, as well as
    assets that are brought into or taken out of the
    organization as a result of the process, such as
    cash, inventory, and fixed assets.
  • With regard to other business processes, such as
    shipping, we might include customer master data
    and shipping data.
  • Note: The security over hard assets used to
    execute business processes, such as computer
    equipment, trucks, trailers, and loading docks,
    is handled through pervasive controls (discussed
    in Chapter 7).

12
Information Process Goals: Input Goals
  • With respect to all business process data
    entering the system, the purpose of input goals
    of the information process is to ensure:
  • input validity (IV),
  • input completeness (IC), and
  • input accuracy (IA).
  • With the cash receipts process, we are concerned
    with input validity, accuracy, and completeness
    over cash receipts.
  • Here, they are in the form of remittance advices
  • Notice that we specifically name the input data
    of concern in parentheses.
  • With respect to other business processes, such as
    hiring employees, we would be concerned with
    other inputs, such as employee, payroll, and
    benefit plan data.

13
Information Process Goals: Update Goals
  • Update goals must consider all related
    information that will be affected by the input
    data, including master file data and ledger data.
    For the business process input data, the purpose
    of update control goals of the information
    process is to ensure:
  • Update completeness (UC), and
  • Update accuracy (UA)
  • With regard to the cash receipts information
    process, we recognize that the accounts
    receivable data will be updated by cash receipts
  • (Cash received reflects the debit and customer
    account reflects the credit).
  • Notice that we list accounts receivable master
    data in the control matrix.
  • Other business processes, such as cash payments,
    would involve different update concerns, such as
    vendor, payroll, or accounts payable master data.

14
Causeway Annotated Systems Flowchart
15
Annotating Present Control Plans
  • Start on the upper left-hand column of the
    systems flowchart and spot the first manual
    keying symbol, manual process symbol, or computer
    process symbol (process-related symbols).
  • Then, follow the sequential logic of the systems
    flowchart and identify all of the process-related
    symbols.
  • Each process-related symbol reflects an internal
    control plan which is already present.
  • It is important to recognize that while a control
    plan may be present, it may not be working as
    effectively as it should; thus, you might
    recommend ways to strengthen or augment existing
    control plans.

16
Annotate the Process Flow Chart
  • Review the flowchart and determine whether a
    control is present (P-) or missing (M-)
  • Annotate the flowchart
  • If controls are present, mark P-
  • If controls are absent, mark M-