CHAPTER 5 - PowerPoint PPT Presentation

About This Presentation
Title:

CHAPTER 5

Description:

Business and Information Process Rules, Risks and Controls. A risk is any exposure to the chance of injury or loss. You can't have an opportunity without some risk ... – PowerPoint PPT presentation

Slides: 21
Provided by: acid150

Transcript and Presenter's Notes

Title: CHAPTER 5


1
CHAPTER 5
  • Business and Information Process Rules, Risks and
    Controls

2
  • A risk is any exposure to the chance of injury or
    loss.
  • You can't have an opportunity without some risk,
    and with every risk there is some potential
    opportunity.
  • Change creates opportunities. Work patterns
    change. Information technology has been one of
    the biggest enablers of change in recent years.
    Each new generation of faster and cheaper
    computers, new software and new
    telecommunications equipment all provide
    opportunities to do things we previously had not
    even thought about.
  • Change creates many new opportunities. The
    opportunities an organization seeks are guided by
    its objectives. But with every opportunity there
    is some element of risk. We seek to manage these
    risks by a system of controls.
  • The problem with controls is that implementation
    takes time and costs money.
  • The key is identifying and controlling the most
    material risks in a manner such that the benefits of
    controlling the risk exceed the cost of the
    controls, while the efficiency of the
    organization is balanced with effectiveness.

3
EXHIBIT 5-1 Materiality of Risk
4
  • Strategic risks are risks associated with doing
    the wrong things.
  • Decision risks are risks associated with making a
    bad decision.
  • Operating risks are risks associated with doing the
    right things the wrong way.
  • Financial risks are risks associated with the loss
    of financial resources or the creation of
    financial liabilities.
  • Information risks are risks associated with
    information processing.
  • Internal controls encompass a set of rules, policies
    and procedures an organization implements to
    provide reasonable assurance that (1) its
    financial reports are reliable, (2) its
    operations are effective and efficient and (3)
    its activities comply with applicable laws and
    regulations.

5
EXHIBIT 5-2 Relationship among Components,
Objectives, and the Entity
6
  • The control environment sets the tone of the
    organization, which influences the control
    consciousness of its people. The control
    environment includes the following areas:
  • Integrity and ethical behavior
  • Commitment to competence
  • Board of directors and audit committee
    participation
  • Management philosophy and operating style
  • Organization structure
  • Assignment of authority and responsibility
  • Human resource policies and practices
  • Risk assessment identifies and analyzes the
    relevant risks associated with the organization
    achieving its objectives.
  • Some of the specific controls the auditor will
    investigate to minimize risks associated with
    company assets include:

7
EXHIBIT 5-3 Relevant controls for Audit Review
8
Control activities
  • Control activities are the policies and
    procedures the organization uses to ensure that
    necessary actions are taken to minimize risks
    associated with achieving its objectives.
  • Control usage: Prevent, Detect, or Correct. The
    purpose of each control is evident by its name.
  • Preventive controls focus on preventing an error
    or irregularity.
  • Detective controls focus on identifying when an
    error or irregularity has occurred.
  • Corrective controls focus on recovering the
    damage from, or minimizing the cost of, an error or
    irregularity.
  • An error is an unintended mistake on the part of
    an employee while an irregularity is an
    intentional effort to do something that is
    undesirable to the organization.

9
  • Other categories of controls that are very
    important include, for example, segregation of
    duties, physical controls, information processing
    controls and performance reviews.
  • Separation of duties. Separation of duties
    structures the work of people so the work of one
    person is checked as the next person
    performs his/her assigned tasks.
  • Physical controls. Physical controls include
    security over the assets themselves, limiting
    access to the assets to only authorized people
    and periodically reconciling the quantities on
    hand with the quantities recorded in the
    organization's records.
  • Information processing. Information processing
    controls are used to check accuracy, completeness
    and authorization of transactions. The two broad
    groups are (1) general controls, which cover data
    center operations, system software acquisition and
    maintenance, access security and application
    system development and maintenance, and (2)
    application controls, which apply to the processing
    of a specific application, like running a computer
    program to prepare employees' payroll checks each
    month.
  • Performance reviews. Performance reviews are any
    reviews of an entity's performance.

10
  • The information system consists of the methods
    and records used to record, maintain, and report
    the events of an entity as well as to maintain
    accountability for the related assets,
    liabilities and equity.
  • The information system should do each of the
    following:
  • Identify and record all business events on a
    timely basis
  • Describe each event in sufficient detail
  • Measure the proper monetary value of each event
  • Determine the time period in which events
    occurred
  • Present properly the events and related
    disclosures in the financial statements.
  • The communication aspect of this component deals
    with providing an understanding of individuals'
    roles and responsibilities pertaining to internal
    controls.

11
  • Monitoring is the process of assessing the
    quality of internal control performance over
    time.
  • Traditional accounting and auditing control
    philosophy has been based on the following
    concepts and practices:
  • Extensive use of hard-copy documents
  • Separation of duties and responsibilities so the
    work of one person checks the work of another
    person.
  • Accountants who view their role primarily as
    independent, reactive and detective
  • Heavy reliance on a year-end review of financial
    statements and extensive use of long checklists
    of required controls.
  • Greater emphasis given to internal control than
    to operational efficiency.
  • Avoidance of or tolerance toward advances in
    information technology.

12
  • How can accountants and auditors enhance their
    ability to help an organization identify and control
    business and information process risk? We need to
    develop a control philosophy that effectively
    integrates IT into the process in such a way as
    to protect and enhance the organization
    simultaneously.
  • Two rules illustrate focusing on specific
    control procedures rather than identifying risk
    for a specific business context.
  • IT provides value by:
  • Helping the organization to be much more
    proactive in preventing, detecting, and
    correcting errors and irregularities
  • Facilitating, rather than inhibiting, continual
    improvement in business and information processes

13
EXHIBIT 5-4 Traditional Noncomplex System
[Figure omitted. Labels: Update process; Batch input; Batch output; Disk or tape master file. Annotations: "Hardcopy source documents provide the input"; "This provides a hardcopy of intermediate processes"; "These files are usually used as inputs to other processes".]
14
EXHIBIT 5-5 Complex Information System
15
  • The following points summarize the changed
    philosophy:
  • Hardcopy documents should largely be eliminated.
  • Separation of duties continues to be a relevant
    concept, but IT can be used as a substitute for
    some of the functions normally assigned to a
    separate individual.
  • Duplicate recording of business event data and
    reconciliations should be eliminated.
  • Accountants should become consultants with a
    real-time, proactive control philosophy.
  • Greater emphasis must be placed on implementing
    controls during the design and development of
    information systems and on more auditor
    involvement in verifying the accuracy of the
    systems themselves.
  • Greater emphasis must be placed on enhancing
    organizational effectiveness, and internal
    controls must be adapted to remain strong.
  • Information technology should be exploited to its
    fullest extent.

16
  • Develop a control philosophy based on the key
    control concepts identified in this chapter; the
    process for an internal control system is then
    rather straightforward:
  • Identify the organization's objectives, processes
    and risks and determine risk materiality
  • Select the internal control system, including
    rules, processes and procedures, to control
    material risks
  • Develop, test and implement the internal control
    system
  • Monitor and refine the system
  • Most of the risks associated with classifying and
    summarizing the event information and the risks of
    duplicate data and frequent reconciliation are
    avoided.

17
  • Operating Events Risk. Business event risk
    results in errors and irregularities having one
    or more of the following characteristics:
  • A business event occurring at the wrong time or
    sequence
  • A business event occurring without proper
    authorization
  • A business event involving the wrong internal
    agent
  • A business event involving the wrong external
    agent
  • A business event involving the wrong resource
  • A business event involving the wrong amount of
    resource
  • A business event occurring at the wrong location

18
EXHIBIT 5-6 Business and Information Processing
Risk in an Event Driven System
19
  • Information Processing Risk. Risks relating to
    information processing include:
  • Recording risk
  • Maintaining risk
  • Reporting risk
  • The following guidelines apply with regard to the
    new fiduciary view of the profession:
  • Policies and procedures need to be revisited in
    terms of practicality and relevance, and revised
    as necessary
  • Controls should be built into processes as
    enablers and not imposed externally to the
    process as barriers
  • Cost and cycle time should be given high priority
    when building the fiduciary control environment

20
Reference
  • Hollander, A. S., Eric L. Denna, and J.
    Owen Cherrington. 2000. Accounting, Information
    Technology, and Business Solutions. Irwin
    McGraw-Hill, New York, USA.