Title: CH6 Control and Accounting Information Systems
1 CH6 Control and Accounting Information Systems
2 COBIT Frameworks
- COSO's Enterprise Risk Management Model
3 The Internal Environment and Objective Setting
4 The Internal Environment
5 The Internal Environment
- Management's Philosophy, Operating Style, and Risk Appetite
6 The Internal Environment
- The Board of Directors
  - SOX section 301
- Commitment to integrity, ethical values, and competence
- Organizational structure
  - Centralization or decentralization of authority
  - Assignment of responsibility for specific tasks
  - Whether there is a direct reporting relationship or more of a matrix structure
  - Organization by industry, product line, geographical location, or by a particular distribution or marketing network
  - The way responsibility allocation affects management's information requirements
7 The Internal Environment
- The size and the nature of company activities
- Methods of assigning authority and responsibility
  - Policy and procedures manual
- Human resource standards
  - Hiring
  - Compensating
  - Training
    - Fraud awareness
    - Ethical considerations
    - Punishment for fraud and unethical behavior
  - Evaluating and promoting
  - Discharging
8 The Internal Environment
- Managing Disgruntled Employees
- Vacations and rotation of duties
- Confidentiality agreements and fidelity bond insurance
- Prosecute and incarcerate hackers and fraud perpetrators
- External influences
  - FASB
  - PCAOB
  - SEC
9 Objective Setting
10 Event Identification, Risk Assessment and Risk Response
11 Event Identification
- COSO defines an event as an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impacts or both.
13 Techniques used to identify events
- Use comprehensive lists of potential events.
- Perform an internal analysis.
- Monitor leading events and trigger points.
- Conduct workshops and interviews.
- Perform data mining and analysis.
- Analyze business processes.
14 Risk Assessment
- Inherent risk: the risk that exists before management takes any steps to control the likelihood or impact of a risk.
- Residual risk: the risk that remains after management implements internal controls, or some other response to risk.
- DR = AR / (IR × CR)
15 Risk Response
Respond to Risk
16 Identify the events, or threats, that confront the company
- Companies typically accept risk when it is within the company's risk tolerance range.
- A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
- An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
- Likelihood and impact must be considered together.
- Software tools have been developed to help automate the risk assessment and response process.
- A preventive control is superior to a detective one.
- Preventive, detective, and corrective controls complement each other, and a good internal control system should employ all three.
- The benefits of an internal control procedure must exceed its costs.
- Expected loss = Impact × Likelihood
Flowchart (after identifying the events, or threats, that confront the company):
- Estimate the likelihood, or probability, of each threat occurring
- Estimate the impact, or potential loss, from each threat
- Identify controls to guard against each threat
- Estimate the costs and benefits from instituting controls
- Is it cost-beneficial to protect the system from a threat?
  - No: Avoid, share, or accept risk
  - Yes: Reduce risk by implementing controls to guard against the threat
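The flowchart above and the expected-loss and audit-risk formulas from slides 14 and 16, worked through as an added example (this is not code from the slides or their textbook). The threat, control and tolerance figures are constructed for illustration; the decision rule for picking among several cost-beneficial controls (largest net benefit) and the fixed dollar risk-tolerance threshold are assumptions made here:

```python
# Added example (not from the slides): the cost-benefit risk-response walk-through
# from slide 16, plus the audit-risk relationship written on slide 14.
# All threat, control and tolerance figures below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # probability of occurring in a year (0..1)
    impact: float       # loss, in dollars, if it occurs


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_likelihood: float  # likelihood once the control is in place
    residual_impact: float      # impact once the control is in place


def expected_loss(likelihood, impact):
    """Expected loss = Impact x Likelihood (slide 16)."""
    return likelihood * impact


def net_benefit(threat, control):
    """The benefit of a control is the expected loss it removes; net it against its cost."""
    before = expected_loss(threat.likelihood, threat.impact)
    after = expected_loss(control.residual_likelihood, control.residual_impact)
    return (before - after) - control.annual_cost


def choose_response(threat, controls, risk_tolerance):
    """Follow the slide's flowchart for one threat.

    If at least one control is cost-beneficial (benefits exceed costs), reduce the
    risk with the control that has the largest net benefit (assumed tie-break rule).
    Otherwise accept the risk when its expected loss is within the constructed
    tolerance, else avoid or share it. Returns (response, control name or None, dollars).
    """
    candidates = [(net_benefit(threat, c), c) for c in controls]
    beneficial = [(nb, c) for nb, c in candidates if nb > 0]
    if beneficial:
        nb, best = max(beneficial, key=lambda pair: pair[0])
        return ("reduce", best.name, round(nb, 2))
    loss = expected_loss(threat.likelihood, threat.impact)
    if loss <= risk_tolerance:
        return ("accept", None, round(loss, 2))
    return ("avoid or share", None, round(loss, 2))


def detection_risk(audit_risk, inherent_risk, control_risk):
    """Audit risk model as written on slide 14: DR = AR / (IR x CR)."""
    return audit_risk / (inherent_risk * control_risk)


# Constructed threats and candidate controls.
RISK_TOLERANCE = 5000.0  # constructed: largest expected annual loss accepted as-is

THREATS = {
    "unauthorized journal entry": Threat("unauthorized journal entry", 0.20, 50_000.0),
    "ransomware": Threat("ransomware", 0.30, 400_000.0),
    "data center flood": Threat("data center flood", 0.01, 200_000.0),
    "key supplier failure": Threat("key supplier failure", 0.10, 100_000.0),
}

CONTROLS = {
    "unauthorized journal entry": [Control("approval workflow", 3_000.0, 0.02, 50_000.0)],
    "ransomware": [
        Control("offline backups", 20_000.0, 0.30, 40_000.0),
        Control("endpoint hardening", 30_000.0, 0.10, 400_000.0),
    ],
    "data center flood": [Control("relocate data center", 50_000.0, 0.001, 200_000.0)],
    "key supplier failure": [Control("second supplier", 15_000.0, 0.05, 100_000.0)],
}


def risk_register(threats=THREATS, controls=CONTROLS, tolerance=RISK_TOLERANCE):
    """Decide a response for every threat; returns {threat name: decision tuple}."""
    return {name: choose_response(t, controls[name], tolerance) for name, t in threats.items()}


if __name__ == "__main__":
    for name, decision in risk_register().items():
        print(f"{name:28s} -> {decision}")
```

Running the register shows each branch of the flowchart: the journal-entry and ransomware threats get a "reduce" response because a control pays for itself, the flood is accepted because its expected loss is below tolerance and no control is cost-beneficial, and the supplier failure is above tolerance with no affordable control, so it must be avoided or shared.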
17 Control activities
18 Control activities
- Control activities are policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and the risk responses are carried out.
- Controls are much more effective when placed in the system as it is built.
19 Control activities
- Control activities are in place during the end-of-the-year season.
  - Extended employee vacations and fewer people to mind the store
  - Students out of school with more time on their hands
  - Counterculture hackers getting lonely this time of year and increasing their attacks on systems
- Focus 6-1
20 Control activities
- Proper authorization of transactions and activities
  - Specific authorization
  - General authorization
- Segregation of duties
  - Segregation of accounting duties
    - Authorization, recording, custody
  - Segregation of systems duties
    - Systems administration, network management, security management, change management, users, systems analysis, programming, computer operations, information system library, data control.
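The segregation-of-duties rules on this slide, turned into a check that a practitioner could run over role assignments and a transaction log. This is an added example, not code from the slides. The three accounting duties come from the slide; the specific pairs of systems duties treated as incompatible are assumptions made for the example (the slide lists the duties but not which pairs conflict), and the users, roles and log lines are constructed:

```python
# Added example (not from the slides): a segregation-of-duties check over
# constructed role assignments and a constructed transaction log, following
# the duty categories listed on slide 20.
from itertools import combinations

# Accounting duties that no single person should combine (slide 20).
ACCOUNTING_DUTIES = {"authorization", "recording", "custody"}

# Systems-duty pairs treated as incompatible. These pairings are constructed
# for the example; the slide lists the duties but not which pairs conflict.
SYSTEMS_CONFLICTS = {
    frozenset({"programming", "computer_operations"}),
    frozenset({"systems_analysis", "programming"}),
    frozenset({"change_management", "programming"}),
    frozenset({"security_management", "systems_administration"}),
    frozenset({"users", "programming"}),
}


def role_conflicts(assignments):
    """assignments: {user: set of duties}. Returns {user: [(duty_a, duty_b), ...]}
    for every user whose standing duties include an incompatible pair."""
    findings = {}
    for user, duties in assignments.items():
        pairs = []
        for a, b in combinations(sorted(duties), 2):
            pair = frozenset({a, b})
            if pair <= ACCOUNTING_DUTIES or pair in SYSTEMS_CONFLICTS:
                pairs.append((a, b))
        if pairs:
            findings[user] = pairs
    return findings


def transaction_conflicts(log):
    """log: iterable of (transaction_id, user, duty). Even with clean role design,
    one person may still perform two accounting duties on the same transaction;
    return {transaction_id: {user: [duties]}} for those cases."""
    seen = {}
    for txn, user, duty in log:
        if duty in ACCOUNTING_DUTIES:
            seen.setdefault(txn, {}).setdefault(user, set()).add(duty)
    return {
        txn: {user: sorted(d) for user, d in users.items() if len(d) >= 2}
        for txn, users in seen.items()
        if any(len(d) >= 2 for d in users.values())
    }


# Constructed sample data.
ASSIGNMENTS = {
    "alice": {"authorization", "recording"},
    "bob": {"custody"},
    "carol": {"programming", "computer_operations"},
    "dave": {"systems_analysis", "network_management"},
}
LOG = [
    ("T100", "alice", "authorization"), ("T100", "bob", "recording"), ("T100", "erin", "custody"),
    ("T101", "alice", "authorization"), ("T101", "alice", "recording"), ("T101", "erin", "custody"),
    ("T102", "bob", "recording"), ("T102", "bob", "custody"),
    ("T103", "dave", "systems_analysis"),
]

if __name__ == "__main__":
    print(role_conflicts(ASSIGNMENTS))      # alice and carol hold incompatible duties
    print(transaction_conflicts(LOG))       # T101 and T102 were handled by one person twice
```

The role check is the preventive side (fix the assignment before anything is processed); the transaction-log check is the detective side, catching cases where someone with a clean role still ends up authorizing and recording the same entry, for instance through a temporary delegation.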
21 Control activities
22 Control activities
- Project development and acquisition controls
  - Strategic master plan, project control, data processing schedule, steering committee, system performance measurements, post-implementation review.
- Systems integrator
  - Develop clear specifications, monitor the systems integration project.
- Change management control
23 Control activities
- Design and use of documents and records
- Safeguard assets, records, and data
  - Create and enforce appropriate policies and procedures
  - Maintain accurate records of all assets
  - Restrict access to assets
  - Protect records and documents
24 Information and Communication, Monitoring, and Case
25 Information and Communication
- According to the AICPA, an AIS has five primary objectives:
  - Identify and record all valid transactions.
  - Properly classify transactions.
  - Record transactions at their proper monetary value.
  - Record transactions in the proper accounting period.
  - Properly present transactions and related disclosures in the financial statements.
26 Monitoring
- Use Responsibility Accounting
- Monitor System Activities
  - Companies who monitor system activities need to make sure they do not violate employee privacy. One way to do that is to have written policies that employees agree to in writing and that indicate the following:
    - The technology employees use on the job belongs to the company.
    - E-mails received on company computers are not private and can be read by supervisory personnel.
    - Employees should not use technology in any way to contribute to a hostile work environment.
27 Monitoring
- Track Purchased Software and Mobile Devices
- Conduct Periodic Audits
- Employ a Computer Security Officer, a Chief Compliance Officer, and Computer Consultants
- Engage Forensic Specialists
28 Monitoring
- Install Fraud Detection Software
  - For example, ReliaStar Financial used a fraud detection package from IBM to detect the following:
    - Hundreds of thousands of dollars in fraudulent claims from a Los Angeles chiropractor.
    - A Long Island doctor who submitted bills weekly for a rare and expensive procedure that is normally done only once or twice in a lifetime.
    - A podiatrist who saw four patients and then billed ReliaStar for almost 500 separate procedures.
- Implement a Fraud Hotline
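The three ReliaStar patterns on this slide each map to a simple detection rule (an outlier in total billed amount, a "once in a lifetime" procedure billed repeatedly for one patient, and an implausible number of procedures per patient). The rules below, run over constructed claim records, are an added example written for this page; they are not code from the slides and do not describe how the IBM package mentioned on the slide works. The claim lines, procedure codes, provider names and thresholds are all constructed:

```python
# Added example (not from the slides or any vendor product): three detection
# rules modelled on the ReliaStar cases described on slide 28, applied to
# constructed insurance claims.
from collections import defaultdict
from statistics import median

# Constructed sample claims: (claim_id, provider, patient, procedure, units, amount)
CLAIMS = [
    ("C1", "chiro-la", "P1", "ADJ-10", 1, 150000.0),
    ("C2", "chiro-la", "P2", "ADJ-10", 1, 150000.0),
    ("C3", "chiro-la", "P3", "ADJ-10", 1, 150000.0),
    ("C4", "dr-li", "P4", "RARE-01", 1, 5000.0),   # same rare procedure, same patient,
    ("C5", "dr-li", "P4", "RARE-01", 1, 5000.0),   # billed week after week
    ("C6", "dr-li", "P4", "RARE-01", 1, 5000.0),
    ("C7", "dr-li", "P4", "RARE-01", 1, 5000.0),
    ("C8", "podiatrist", "P5", "FOOT-02", 125, 12500.0),   # 4 patients, 500 procedures
    ("C9", "podiatrist", "P6", "FOOT-02", 125, 12500.0),
    ("C10", "podiatrist", "P7", "FOOT-02", 125, 12500.0),
    ("C11", "podiatrist", "P8", "FOOT-02", 125, 12500.0),
    ("C12", "dr-ok", "P9", "VISIT-01", 1, 200.0),
    ("C13", "dr-ok", "P10", "VISIT-01", 1, 200.0),
    ("C14", "dr-ok", "P11", "VISIT-01", 1, 200.0),
    ("C15", "dr-ok", "P12", "VISIT-01", 1, 200.0),
    ("C16", "dr-ok", "P13", "VISIT-01", 1, 200.0),
]

# Constructed code for a procedure that is normally done once or twice in a lifetime.
LIFETIME_PROCEDURES = {"RARE-01"}


def summarize(claims):
    """Aggregate per provider: distinct patients, procedure units, total amount,
    and how often each lifetime-limited procedure was billed per patient."""
    stats = {}
    for _cid, provider, patient, proc, units, amount in claims:
        s = stats.setdefault(provider, {"patients": set(), "units": 0,
                                        "amount": 0.0, "lifetime": defaultdict(int)})
        s["patients"].add(patient)
        s["units"] += units
        s["amount"] += amount
        if proc in LIFETIME_PROCEDURES:
            s["lifetime"][(patient, proc)] += 1
    return stats


def flag_providers(claims, max_units_per_patient=20, lifetime_limit=2, amount_multiplier=10):
    """Return {provider: [reasons]} for providers tripping any rule.
    Thresholds are constructed for the example and would be tuned on real data."""
    stats = summarize(claims)
    typical = median(s["amount"] for s in stats.values())  # peer baseline for totals
    flags = {}
    for provider, s in stats.items():
        reasons = []
        if s["amount"] > amount_multiplier * typical:
            reasons.append(f"billed {s['amount']:.0f}, over {amount_multiplier}x the median provider total")
        ratio = s["units"] / len(s["patients"])
        if ratio > max_units_per_patient:
            reasons.append(f"{s['units']} procedures for {len(s['patients'])} patients")
        for (patient, proc), n in s["lifetime"].items():
            if n > lifetime_limit:
                reasons.append(f"{proc} billed {n} times for patient {patient}")
        if reasons:
            flags[provider] = reasons
    return flags


if __name__ == "__main__":
    for provider, reasons in flag_providers(CLAIMS).items():
        print(provider, "->", "; ".join(reasons))
```

Each rule is deliberately explainable so that the finding can be handed to an investigator (or to the fraud hotline process on the same slide) with the specific claims that triggered it; a flag is a lead to audit, not a conclusion.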
31 Thank You!