Controlling Information Systems: - PowerPoint PPT Presentation


Slides: 40
Provided by: curtwes

1
Controlling Information Systems: Introduction to
Internal Control
2
Learning Objectives
  • Summarize the eight elements of COSO's Enterprise
    Risk Management - Integrated Framework.
  • Understand that management employs internal
    control systems as part of organizational and IT
    governance initiatives.
  • Describe how internal control systems assist
    organizations to achieve objectives and respond
    to risks.
  • Describe fraud, computer fraud, and computer
    abuse.
  • Enumerate control goals for operations and
    information processes.
  • Describe the major categories of control plans.

3
Why do we need controls?
  • (1) to provide reasonable assurance that the
    goals of each business process are being achieved
  • (2) to mitigate the risk that the enterprise will
    be exposed to some type of harm, danger, or loss
    (including loss caused by fraud or other
    intentional and unintentional acts)
  • (3) to provide reasonable assurance that the
    company is in compliance with applicable legal
    and regulatory obligations.

4
Organizational Governance
  • Organizational Process to
      • Select Objectives
      • Determine Processes necessary to Achieve
        Objectives
      • Monitor Performance
  • Includes Internal Control

5
Example Objective Setting
Mission, vision, purpose: e.g., to be the leading
producer of household products in the regions in
which we operate
Strategic objectives: e.g., to be in the top
quartile of product sales for retailers of our
products
Strategy: e.g., expand production of our top-five
selling retail products to meet increased demand
Related objectives: e.g., increase production of
x by 15%; hire 180 qualified new staff; maintain
product quality
Source: Adapted from Enterprise Risk
Management - Integrated Framework, Application
Techniques, p. 20.
6
Enterprise Risk Management
  • Structured Process for Creating Organization
    Objectives (i.e. Governance)
  • Board of Directors, Management Initiative
  • Strategic Outlook
  • Identify events that might affect the organization
  • Manage risk associated with these events

7
Components of Enterprise Risk Management
  • Internal Environment
      • Decisions formulated regarding integrity,
        ethical values, risk, risk appetite,
        oversight functions, organization design,
        and how authority and responsibilities are set
  • Objective Setting
      • Establish strategies, without which potential
        events cannot be identified
      • Operating, Reporting and Compliance Objectives
  • Event Identification
      • Risks and Opportunities that can affect the
        Objectives
  • Risk Assessment and Response
      • Opportunities feed back to the Objective Setting
        Process

8
Components of Enterprise Risk Management
  • Risk Assessment
      • What is the impact of a risk on an Objective?
      • Likelihood - probability that the risk will occur
      • Impact - effect of the risk occurring

9
Risk vs. Exposure
  • Estimate the annual dollar loss that would occur
    (i.e., the impact) should a costly event, say a
    destructive fire, take place. For argument's sake,
    say that the estimated loss is $1,000,000.
  • Estimate the annual probability that the event
    will occur (i.e., the likelihood). Suppose the
    estimate is 5 percent.
  • Multiply item 1 by item 2 to get an initial
    expected gross risk (loss) of $50,000
    ($1,000,000 × 0.05), which is the maximum amount
    or upper limit that should be paid for controls
    and the related risk reduction offered by such
    controls, in a given year. Next, we illustrate a
    recommendation plan using one corrective control,
    a fire insurance policy, and one preventive
    control, a sprinkler system.
  • Assume that the company would pay $1,000 annually
    (cost of control) for a $20,000 fire insurance
    policy (reduced risk exposure due to control).
    The estimated monetary damage remains at $1
    million and expected gross risk (loss) remains at
    $50,000, because there is still a 5 percent
    chance that a fire could occur. But the
    company's residual expected risk exposure is now
    $31,000 = $50,000 − ($20,000 − $1,000). Our
    expected loss is reduced by the amount of the
    insurance policy (less the cost of the policy).

10
Risk vs. Exposure (Cont.)
  • Next, you recommend that the company install a
    sprinkler system with a 5-year annualized cost
    (net present value) of $10,000 each year to
    install and maintain (cost of control). At this
    point you might be tempted to say that the
    company's residual expected risk just increased
    to $41,000 ($31,000 + $10,000), but wait! The
    sprinkler system lowered the likelihood of a
    damaging fire from 5 to 2 percent. In conjunction
    with this lower probability, the insurance
    company agreed to increase its coverage to
    $30,000 while holding the annual premium constant
    at $1,000.
  • Thus, the residual expected risk exposure is
    $1,000, calculated as follows: expected gross
    risk ($20,000, or $1,000,000 × 0.02) offset by the
    insurance policy ($30,000) equals a gain of
    $10,000, but we must subtract the insurance
    premium ($1,000) and the sprinkler system
    ($10,000), leaving the residual expected risk at
    $1,000.
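The arithmetic on the two Risk vs. Exposure slides, carried through in code. This is an added example, not code from the original presentation: the `Control` class, the function names and the `new_likelihood` field are this example's own modelling assumptions; the dollar figures and probabilities are the ones the slides use. The model generalizes the slides' two cases to any mix of preventive controls (which lower the likelihood), corrective or shared controls (which transfer part of the loss) and their annual costs, and it also reproduces the tempting wrong answer of $41,000.

```python
"""Expected-loss arithmetic from the Risk vs. Exposure slides (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Control:
    name: str
    annual_cost: float                       # cost of control, per year
    coverage: float = 0.0                    # loss shared or transferred (e.g. insurance payout)
    new_likelihood: Optional[float] = None   # annual probability after the control, if it lowers it


def expected_gross_risk(impact: float, likelihood: float) -> float:
    """Impact x likelihood: the slides' upper limit worth paying for controls in a year."""
    return round(impact * likelihood, 2)


def residual_exposure(impact: float, likelihood: float, controls: List[Control]) -> float:
    """Residual expected risk: gross risk after preventive controls,
    minus the loss shared through corrective controls, plus the cost of all controls."""
    effective_likelihood = likelihood
    for c in controls:
        if c.new_likelihood is not None:
            # a preventive control lowers the probability; the lowest estimate wins
            effective_likelihood = min(effective_likelihood, c.new_likelihood)
    gross = expected_gross_risk(impact, effective_likelihood)
    shared = sum(c.coverage for c in controls)
    cost = sum(c.annual_cost for c in controls)
    return round(gross - shared + cost, 2)


def within_upper_limit(impact: float, likelihood: float, controls: List[Control]) -> bool:
    """Decision rule from the slides: never spend more on controls than the gross expected loss."""
    return sum(c.annual_cost for c in controls) <= expected_gross_risk(impact, likelihood)


# The deck's fire scenario: $1,000,000 impact, 5 percent annual likelihood.
IMPACT, LIKELIHOOD = 1_000_000, 0.05
INSURANCE_20K = Control("fire insurance, $20,000 cover", annual_cost=1_000, coverage=20_000)
INSURANCE_30K = Control("fire insurance, $30,000 cover", annual_cost=1_000, coverage=30_000)
SPRINKLERS = Control("sprinkler system", annual_cost=10_000, new_likelihood=0.02)
# The mistake the slide warns about: costing the sprinklers without re-estimating the likelihood.
SPRINKLERS_EFFECT_IGNORED = Control("sprinkler system, effect ignored", annual_cost=10_000)


def deck_scenarios() -> Dict[str, float]:
    """Reproduce the figures from the slides in one place."""
    return {
        "gross": expected_gross_risk(IMPACT, LIKELIHOOD),                                    # 50,000
        "insurance only": residual_exposure(IMPACT, LIKELIHOOD, [INSURANCE_20K]),           # 31,000
        "tempting mistake": residual_exposure(IMPACT, LIKELIHOOD,
                                              [INSURANCE_20K, SPRINKLERS_EFFECT_IGNORED]),  # 41,000
        "insurance and sprinklers": residual_exposure(IMPACT, LIKELIHOOD,
                                                      [INSURANCE_30K, SPRINKLERS]),         # 1,000
    }


if __name__ == "__main__":
    for label, value in deck_scenarios().items():
        print(f"{label:>25}: ${value:,.2f}")
```

The point the model makes explicit is that a preventive control changes the likelihood input to the gross-risk formula, so its cost cannot simply be added to the previous residual; the $41,000 figure only appears when that re-estimation is skipped.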

11
Components of Enterprise Risk Management
  • Risk Response (4 Types)
      • Avoid exposure
          • Leave risky activity
      • Reduce exposure
          • Reduce likelihood or impact
          • Fire extinguishers
      • Share exposure
          • Insurance
      • Accept exposure
          • Cost > benefits of intervention
  • Control Activities
      • Procedures in place to make sure Risk Responses
        are carried out

12
Components of Enterprise Risk Management
  • Information and Communication
      • Identify, Capture and Communicate
      • So Decision Makers can carry out responsibilities
  • Monitoring
      • Evaluation of overall ERM process

13
Internal Control
  • Definitions

14
Definition of Internal Control
  • From SAS 78 (1995) - adopted COSO definition
  • INTERNAL CONTROL is a process, effected by an
    entity's board of directors, management, and
    other personnel, designed to provide reasonable
    assurance regarding the achievement of objectives
    in the following categories:
      • Effectiveness and efficiency of operations
      • Reliability of financial reporting
      • Compliance with applicable laws and regulations.

15
Five Interrelated Components of Internal Control
  • 1. Control environment - tone at the top, the
    foundation
  • 2. Risk assessment - identification/analysis of
    risks
  • 3. Control activities - policies and procedures
  • 4. Information and communication - processing of
    info in a form and time frame that enables people
    to do their jobs
  • 5. Monitoring - process that assesses the quality of
    internal control over time

16
COSO Report, SOA, and SAS 94
  • In the section addressing implementation of the
    Sarbanes Oxley Act section 404, the SEC used the
    COSO description of internal control.
  • It went on to say that management must base its
    evaluation of the effectiveness of its internal
    control system on a framework such as COSO
  • COSO report stresses internal control is a
    process
  • A complementary perspective on internal control
    is found in Statement on Auditing Standards (SAS)
    94, entitled The Effect of Information
    Technology on the Auditor's Consideration of
    Internal Control in a Financial Statement Audit.
  • This standard guides auditors in understanding
    the impact of IT on internal control and
    assessing IT-related control risks
  • Further, SAS 94 highlights how IT can be used to
    strengthen internal control, while at the same
    time emphasizing how IT can actually weaken some
    controls

17
Recent Internal Control Legislation
  • Sarbanes-Oxley Act (SOA) of 2002
  • Created public company accounting oversight board
  • Increased accountability for company officers and
    board of directors
  • Increased white collar crime penalties
  • Prohibits audit firms from providing design and
    implementation of financial information systems

18
Sarbanes-Oxley Act of 2002 (SOA)
  • Section 302 - CEOs and CFOs must certify quarterly
    and annual financial statements
  • Section 404 - Mandates that the annual report filed
    with the SEC include an internal control report

19
Outline of SOA 2002
20
Fraud and its Relationship to Control
  • Fraud - a deliberate act or untruth intended to
    obtain unfair or unlawful gain.
  • Management is charged with responsibility to prevent
    and/or disclose fraud
  • Control systems enable management to do this job
  • Management is responsible to provide an internal
    control system per the Foreign Corrupt Practices
    Act of 1977
  • Section 1102 of the Sarbanes-Oxley Act
    specifically addresses corporate fraud
  • Instances of fraud undermine management's ability
    to convince various authorities that it is
    upholding its stewardship responsibility

21
SAS 99
  • The accounting profession too has been proactive
    in dealing with corporate fraud, as it has
    launched an anti-fraud program.
  • One of the manifestations of this initiative is
    Statement on Auditing Standards (SAS) Number 99,
    entitled Consideration of Fraud in a Financial
    Statement Audit.
  • SAS 99 has the same title as its predecessor, SAS
    82, but the new standard is much more
    encompassing than the old.
  • For instance, SAS 99 emphasizes brainstorming
    fraud risks, increasing professional skepticism,
    using unpredictable audit test patterns, and
    detecting management override of internal
    controls.

22
EY Fraud Survey
  • About 85% of fraud is committed by company insiders
  • About 55% of perpetrators were management
    employees
  • More fraud in less-developed countries
  • Only about 20% of fraud comes to public
    knowledge
  • About 40% of frauds are known to the public, 20%
    are kept confidential, and the other 40% are not
    yet discovered
  • Best prevention is internal control, management
    reviews, and internal audits
  • The #1 fraud worry to executives is asset
    misappropriation
  • The #2 fraud worry to executives is computer
    crime
  • Most organizations now have formal fraud
    prevention policies including codes of corporate
    governance and employee conduct
  • Most useful fraud prevention techniques are
    internal controls, management reviews, and
    internal audits

23
Gelinas and Dull Working Definition of IC - Key
Points
  • A system of internal control is not an end in
    itself. Rather, it is a means to an end: the end
    of attaining process objectives
  • Internal control itself is a system. Therefore,
    like any system it must
      • (1) have clearly defined goals and
      • (2) consist of interrelated components that act
        in concert to achieve those goals.
  • We can also say that internal control is a
    process
  • Establishing a viable internal control system is
    management's responsibility.
  • The strength of any internal control system is
    largely a function of the people who operate it.
  • Internal control cannot be expected to provide
    absolute, 100% assurance that the organization
    will reach its objectives. Rather, the operative
    phrase is that it should provide reasonable
    assurance
  • Internal control is not free; controls should be
    built in and cost effective

24
Gelinas and Dull Working Definition of IC
  • a system of integrated elements - people,
    structure, processes, and procedures - acting in
    concert to provide reasonable assurance that an
    organization achieves business process goals. The
    design and operation of the internal control
    system is the responsibility of top management
    and therefore should

25
(Text definition of IC cont.)
  • Reflect management's careful assessment of
    risks.
  • Be based on management's evaluation of costs
    versus benefits.
  • Be built on management's strong sense of
    business ethics and personal integrity.

26
Ethics and Controls
  • COSO report stresses ethics as part of control
    environment (tone at the top)
  • AICPA has built ethics issues into CPA exam
  • The Institute of Management Accountants has a
    code of ethics which is also tested on both the
    CMA and CFM exams
  • Internal Auditing has ethics articles
  • Many corporations have developed Codes of Conduct

27
Business Process Control Goals
  • Control Goals - ends to be obtained
  • Control goals of operations processes
  • Control goals of information processes
  • See Table 7.1 Control Goals (page 230)

28
Control Goals of the Operations Process
  • Ensure effectiveness of operations
  • Ensure efficient employment of resources
  • Ensure security of resources

29
Control Goals of Operations Process
  • Ensure effectiveness of operations
      • A measure of success in meeting one or more
        operations process goals, which reflect the
        criteria used to judge the effectiveness of
        various business processes
      • Ex. Deposit cash receipts on the day received
  • Ensure efficient employment of resources
      • A measure of the productivity of the resources
        applied to achieve a set of goals
      • Ex. What is the cost of people, computers, and
        other resources to deposit cash on the day
        received?
  • Ensure security of resources
      • Protecting an organization's resources from loss,
        destruction, disclosure, copying, sale, or other
        misuse
      • Ex. Are cash and information resources available
        when required? Are they put to authorized use?

30
Control Goals of the Information Process
  • For business event inputs, ensure
      • Input validity
      • Input completeness
      • Input accuracy
  • For master data, ensure
      • Update completeness
      • Update accuracy

31
Control Goals of Information Process
  • Input validity
      • Input data is approved and represents actual
        economic events and objects
      • Ex. Are all cash receipts input into the process
        supported by valid/authorized customer payments?
  • Input completeness
      • Requires that all valid events or objects be
        captured and entered into the system
      • Ex. Are all valid customer payments captured on a
        customer remittance advice (RA) and entered into
        the process?
  • Input accuracy
      • Requires that events be correctly captured and
        entered into the system
      • Ex. Is the correct payment amount and customer
        number on the RA?
      • Ex. Is the correct payment amount and customer
        number keyed into the system?

32
Control Goals of Information Process
  • Master Update Information Processing Activity
      • Merge new data (from inputs) with existing
        master data
  • Update completeness
      • Requires that all events entered into the computer
        are reflected in their respective master data
      • Ex. Are all input cash receipts recorded in the
        AR master data?
  • Update accuracy
      • Requires that data entered into a computer are
        reflected correctly in their respective master
        data
      • Ex. Are all input cash receipts correctly
        recorded in the AR master data?
  • Potential Problems
      • Programming errors
      • Operational errors
      • What happens in real-time processing environments?
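The two cash receipts slides above pose their control goals as questions an auditor would ask (are all valid payments captured, is the right amount keyed, is every receipt posted to the AR master, is it posted correctly). The following added example turns those questions into detective checks over constructed data; it is not code from the original presentation, and the function names, the dictionary layout of the remittance advices and the before/after AR master snapshots are this example's own assumptions. The sample is built so that one RA fails input validity, one receipt never reaches the master (update completeness) and one is posted with the wrong amount (update accuracy).

```python
"""Detective checks for the information-process control goals (added example)."""
from typing import Dict, List, Set

# Constructed sample: authorized customer master, the remittance advices (RAs)
# keyed into the cash receipts process, and the AR master data before and after
# the update run.
CUSTOMERS: Set[str] = {"C100", "C200", "C300"}

REMITTANCES: List[Dict] = [
    {"ra": "RA-1", "customer": "C100", "amount": 500.00},
    {"ra": "RA-2", "customer": "C200", "amount": 250.00},
    {"ra": "RA-3", "customer": "C300", "amount": 120.00},
    {"ra": "RA-4", "customer": "C999", "amount": 75.00},  # no such customer: fails input validity
]

AR_BEFORE: Dict[str, float] = {"C100": 1000.00, "C200": 800.00, "C300": 300.00}
# Result of the update run: C200's receipt was never posted (update completeness),
# C300's receipt was posted as 110 instead of 120 (update accuracy).
AR_AFTER: Dict[str, float] = {"C100": 500.00, "C200": 800.00, "C300": 190.00}


def check_input_validity(remittances: List[Dict], customers: Set[str]) -> List[str]:
    """Input validity: every RA must name an authorized customer and carry a positive amount."""
    return [r["ra"] for r in remittances
            if r["customer"] not in customers or r["amount"] <= 0]


def check_master_update(remittances: List[Dict], ar_before: Dict[str, float],
                        ar_after: Dict[str, float], tolerance: float = 0.005) -> Dict[str, str]:
    """Update completeness and accuracy: recompute the balance each valid RA should
    have produced and compare it with what the master data actually shows."""
    expected = dict(ar_before)
    receipts_by_customer: Dict[str, float] = {}
    for r in remittances:
        if r["customer"] in expected:  # invalid RAs are reported by check_input_validity
            expected[r["customer"]] -= r["amount"]
            receipts_by_customer[r["customer"]] = (
                receipts_by_customer.get(r["customer"], 0.0) + r["amount"])
    exceptions: Dict[str, str] = {}
    for cust, want in expected.items():
        got = ar_after.get(cust, ar_before[cust])
        if abs(got - want) <= tolerance:
            continue
        if cust in receipts_by_customer and abs(got - ar_before[cust]) <= tolerance:
            exceptions[cust] = "update completeness"  # receipts exist but the balance never moved
        else:
            exceptions[cust] = "update accuracy"      # balance moved by an amount the inputs do not support
    return exceptions


def control_total_difference(remittances: List[Dict], customers: Set[str],
                             ar_before: Dict[str, float], ar_after: Dict[str, float]) -> float:
    """Batch control total: valid input dollars versus the total AR reduction actually posted.
    A non-zero difference flags the batch even before the per-customer detail is examined."""
    input_total = sum(r["amount"] for r in remittances if r["customer"] in customers)
    posted_total = sum(ar_before[c] - ar_after.get(c, ar_before[c]) for c in ar_before)
    return round(input_total - posted_total, 2)


if __name__ == "__main__":
    print("invalid RAs:", check_input_validity(REMITTANCES, CUSTOMERS))
    print("master update exceptions:", check_master_update(REMITTANCES, AR_BEFORE, AR_AFTER))
    print("control total difference:",
          control_total_difference(REMITTANCES, CUSTOMERS, AR_BEFORE, AR_AFTER))
```

The batch control total is the cheap check and the per-customer comparison is the one that says which goal failed. For the slide's closing question about real-time processing, the same per-customer comparison can be run immediately after each individual posting instead of over a batch, at the cost of losing the batch total as a single reconciliation point.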

33
Master Updates
34
Control Goals Map
35
Lenox Company Systems Flowchart
36
Control Goals for the Lenox Cash Receipts Process
37
Business Process Control Plans
  • Business Process Control Plans - reflect
    information processing policies and procedures
    that assist in accomplishing control goals
  • The Control Environment - the fact that the control
    environment appears at the top of the hierarchy
    illustrates that the control environment
    comprises a multitude of factors that can either
    reinforce or mitigate the effectiveness of the
    pervasive and application control plans.
  • Pervasive control plans also relate to a
    multitude of goals and processes
  • Like the control environment, they provide a
    climate or set of surrounding conditions in which
    the various business processes operate.
  • They are broad in scope and apply equally to all
    business processes, hence they pervade all
    systems.
  • Business process control plans relate to those
    controls particular to a specific process or
    subsystem, such as billing or cash receipts, or
    to a particular technology used to process the
    data.

38
(No Transcript)
39
Other Classifications of Control Plans
  • Preventive Controls - issue is prevented from
    occurring: cash receipts are immediately
    deposited to avoid loss
  • Detective Controls - issue is discovered: an
    unauthorized disbursement is discovered during
    reconciliation
  • Corrective Controls - issue is corrected:
    erroneous data is entered in the system and
    reported on an error and summary report; a clerk
    re-enters the data