Soumettre la recherche
Mettre en ligne
Romney ch06
•
Télécharger en tant que PPT, PDF
•
6 j'aime
•
2,768 vues
Sri Rahayu
Suivre
Control And Accounting Information System
Lire moins
Lire la suite
Formation
Signaler
Partager
Signaler
Partager
1 sur 314
Télécharger maintenant
Recommandé
James hall ch 15
James hall ch 15
David Julian
Ais Romney 2006 Slides 18 Introduction To Systems Development
Ais Romney 2006 Slides 18 Introduction To Systems Development
Sharing Slides Training
Control&accounting information system
Control&accounting information system
sellyhood
Deegan fat4e ppt_ch07
Deegan fat4e ppt_ch07
Mohammad Saadman
Pp 11-new
Pp 11-new
Sri Apriyanti Husain
MIS-CH10: e-Commerce: Digital Markets, Digital Goods
MIS-CH10: e-Commerce: Digital Markets, Digital Goods
Sukanya Ben
James hall ch 3
James hall ch 3
David Julian
James hall ch 5
James hall ch 5
David Julian
Recommandé
James hall ch 15
James hall ch 15
David Julian
Ais Romney 2006 Slides 18 Introduction To Systems Development
Ais Romney 2006 Slides 18 Introduction To Systems Development
Sharing Slides Training
Control&accounting information system
Control&accounting information system
sellyhood
Deegan fat4e ppt_ch07
Deegan fat4e ppt_ch07
Mohammad Saadman
Pp 11-new
Pp 11-new
Sri Apriyanti Husain
MIS-CH10: e-Commerce: Digital Markets, Digital Goods
MIS-CH10: e-Commerce: Digital Markets, Digital Goods
Sukanya Ben
James hall ch 3
James hall ch 3
David Julian
James hall ch 5
James hall ch 5
David Julian
Rmk bab 7 scott aplikasi perspektif pengukuran
Rmk bab 7 scott aplikasi perspektif pengukuran
arie_aribowo
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9
Sazzad Hossain, ITP, MBA, CSCA™
James hall ch 13
James hall ch 13
David Julian
Conducting an Information Systems Audit
Conducting an Information Systems Audit
Sreekanth Narendran
Sistem Informasi Akuntansi
Sistem Informasi Akuntansi
Ferdy Pradana
MIS-CH11: Managing Knowledge
MIS-CH11: Managing Knowledge
Sukanya Ben
James hall ch 1
James hall ch 1
David Julian
Chapter 1 auditing and internal control
Chapter 1 auditing and internal control
jayussuryawan
Pertemuan 2 sistem informasi akuntansi romney ch01
Pertemuan 2 sistem informasi akuntansi romney ch01
Lukman Hakim
MIS-CH04: Ethical and Social Issues in INformation Systems
MIS-CH04: Ethical and Social Issues in INformation Systems
Sukanya Ben
Introduction to accounting information system
Introduction to accounting information system
Abhishek Ghosh
Chapter 1 MIS
Chapter 1 MIS
Amirul Shafiq Ahmad Zuperi
Accounting information system
Accounting information system
sellyhood
Deegan fat4e ppt_ch02
Deegan fat4e ppt_ch02
Mohammad Saadman
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspective
ermin08
Governance, Risk Management, and Internal Control
Governance, Risk Management, and Internal Control
International Federation of Accountants
Coso framework
Coso framework
Darryl Woolley
Completing the audit
Completing the audit
sellyhood
Real time Audit
Real time Audit
PawanRohilla12
Sistem pelaporan dan buku besar
Sistem pelaporan dan buku besar
Rohmad Adi Siaman SST Akt., M.Ec.Dev.
Romney ch05
Romney ch05
Sri Rahayu
Bab 6 Dokumentasi Sistem Informasi Akuntansi_Flowchart
Bab 6 Dokumentasi Sistem Informasi Akuntansi_Flowchart
Budianto Budie
Contenu connexe
Tendances
Rmk bab 7 scott aplikasi perspektif pengukuran
Rmk bab 7 scott aplikasi perspektif pengukuran
arie_aribowo
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9
Sazzad Hossain, ITP, MBA, CSCA™
James hall ch 13
James hall ch 13
David Julian
Conducting an Information Systems Audit
Conducting an Information Systems Audit
Sreekanth Narendran
Sistem Informasi Akuntansi
Sistem Informasi Akuntansi
Ferdy Pradana
MIS-CH11: Managing Knowledge
MIS-CH11: Managing Knowledge
Sukanya Ben
James hall ch 1
James hall ch 1
David Julian
Chapter 1 auditing and internal control
Chapter 1 auditing and internal control
jayussuryawan
Pertemuan 2 sistem informasi akuntansi romney ch01
Pertemuan 2 sistem informasi akuntansi romney ch01
Lukman Hakim
MIS-CH04: Ethical and Social Issues in INformation Systems
MIS-CH04: Ethical and Social Issues in INformation Systems
Sukanya Ben
Introduction to accounting information system
Introduction to accounting information system
Abhishek Ghosh
Chapter 1 MIS
Chapter 1 MIS
Amirul Shafiq Ahmad Zuperi
Accounting information system
Accounting information system
sellyhood
Deegan fat4e ppt_ch02
Deegan fat4e ppt_ch02
Mohammad Saadman
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspective
ermin08
Governance, Risk Management, and Internal Control
Governance, Risk Management, and Internal Control
International Federation of Accountants
Coso framework
Coso framework
Darryl Woolley
Completing the audit
Completing the audit
sellyhood
Real time Audit
Real time Audit
PawanRohilla12
Sistem pelaporan dan buku besar
Sistem pelaporan dan buku besar
Rohmad Adi Siaman SST Akt., M.Ec.Dev.
Tendances
(20)
Rmk bab 7 scott aplikasi perspektif pengukuran
Rmk bab 7 scott aplikasi perspektif pengukuran
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9
James hall ch 13
James hall ch 13
Conducting an Information Systems Audit
Conducting an Information Systems Audit
Sistem Informasi Akuntansi
Sistem Informasi Akuntansi
MIS-CH11: Managing Knowledge
MIS-CH11: Managing Knowledge
James hall ch 1
James hall ch 1
Chapter 1 auditing and internal control
Chapter 1 auditing and internal control
Pertemuan 2 sistem informasi akuntansi romney ch01
Pertemuan 2 sistem informasi akuntansi romney ch01
MIS-CH04: Ethical and Social Issues in INformation Systems
MIS-CH04: Ethical and Social Issues in INformation Systems
Introduction to accounting information system
Introduction to accounting information system
Chapter 1 MIS
Chapter 1 MIS
Accounting information system
Accounting information system
Deegan fat4e ppt_ch02
Deegan fat4e ppt_ch02
Chapter 1 - The Information System: An Accountant's Perspective
Chapter 1 - The Information System: An Accountant's Perspective
Governance, Risk Management, and Internal Control
Governance, Risk Management, and Internal Control
Coso framework
Coso framework
Completing the audit
Completing the audit
Real time Audit
Real time Audit
Sistem pelaporan dan buku besar
Sistem pelaporan dan buku besar
En vedette
Romney ch05
Romney ch05
Sri Rahayu
Bab 6 Dokumentasi Sistem Informasi Akuntansi_Flowchart
Bab 6 Dokumentasi Sistem Informasi Akuntansi_Flowchart
Budianto Budie
Pengendalian dan sia
Pengendalian dan sia
Budianto Budie
Sistem informasi akuntansi - Teknik Dokumentasi dan penyususnan Sistem
Sistem informasi akuntansi - Teknik Dokumentasi dan penyususnan Sistem
Adora Aline A.
Pertemuan 3 Sistem Pemrosesan Transaksi Romney ch02 edit
Pertemuan 3 Sistem Pemrosesan Transaksi Romney ch02 edit
Lukman Hakim
Sistem Informasi Akuntansi
Sistem Informasi Akuntansi
awalalghali
Bab 1 - Tinjauan Menyeluruh SIA (Romney & Steibart)
Bab 1 - Tinjauan Menyeluruh SIA (Romney & Steibart)
Budianto Budie
Tinjauan Menyeluruh Atas Sistem Informasi Akuntansi PPT
Tinjauan Menyeluruh Atas Sistem Informasi Akuntansi PPT
Putri Yulia R
Romney ch11
Romney ch11
Sri Rahayu
Ppt bab 6 sia ii translate Teknik Dokumentasi dan pengembangan sistem
Ppt bab 6 sia ii translate Teknik Dokumentasi dan pengembangan sistem
Fergieta Prahasdhika
Peran ia dalam mewujudkan 3 g
Peran ia dalam mewujudkan 3 g
Sri Rahayu
Tinjauan Menyeluruh Atas Sistem Informasi Akuntansi
Tinjauan Menyeluruh Atas Sistem Informasi Akuntansi
Putri Yulia R
Romney ch12
Romney ch12
Sri Rahayu
James hall ch 6
James hall ch 6
David Julian
En vedette
(14)
Romney ch05
Romney ch05
Bab 6 Dokumentasi Sistem Informasi Akuntansi_Flowchart
Bab 6 Dokumentasi Sistem Informasi Akuntansi_Flowchart
Pengendalian dan sia
Pengendalian dan sia
Sistem informasi akuntansi - Teknik Dokumentasi dan penyususnan Sistem
Sistem informasi akuntansi - Teknik Dokumentasi dan penyususnan Sistem
Pertemuan 3 Sistem Pemrosesan Transaksi Romney ch02 edit
Pertemuan 3 Sistem Pemrosesan Transaksi Romney ch02 edit
Sistem Informasi Akuntansi
Sistem Informasi Akuntansi
Bab 1 - Tinjauan Menyeluruh SIA (Romney & Steibart)
Bab 1 - Tinjauan Menyeluruh SIA (Romney & Steibart)
Tinjauan Menyeluruh Atas Sistem Informasi Akuntansi PPT
Tinjauan Menyeluruh Atas Sistem Informasi Akuntansi PPT
Romney ch11
Romney ch11
Ppt bab 6 sia ii translate Teknik Dokumentasi dan pengembangan sistem
Ppt bab 6 sia ii translate Teknik Dokumentasi dan pengembangan sistem
Peran ia dalam mewujudkan 3 g
Peran ia dalam mewujudkan 3 g
Tinjauan Menyeluruh Atas Sistem Informasi Akuntansi
Tinjauan Menyeluruh Atas Sistem Informasi Akuntansi
Romney ch12
Romney ch12
James hall ch 6
James hall ch 6
Similaire à Romney ch06
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
JoshJaro
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1
Sharing Slides Training
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And Ais
sharing notes123
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1
sharing notes123
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And Ais
Sharing Slides Training
Control and ais, revenue cycle
Control and ais, revenue cycle
Sri Rahayu
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
Hendri Eka Saputra
Internal controls & ai ss
Internal controls & ai ss
Kashif Rana ACCA
AIS CH_01 Accounting Information Systems an overview.PPT
AIS CH_01 Accounting Information Systems an overview.PPT
EyobFirst
Internal controls in an IT environment
Internal controls in an IT environment
Chris Nicole Apat-Orcullo, CPA
It and business risk alignment guide
It and business risk alignment guide
AstalapulosListestos
Data Management Strategies
Data Management Strategies
Micheal Axelsen
Value-added it auditing
Value-added it auditing
Marc Vael
Chap001_edited.ppt
Chap001_edited.ppt
FitraDharma1
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
TRANANHQUAN4
It Governance Methodology Cox
It Governance Methodology Cox
William Cox MBA, QPM, CSM, PMP, CPHIMS
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
bartholomeocoombs
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
keturahhazelhurst
Management ch18 (2)
Management ch18 (2)
Fida Karim 🇵🇰
Ch 01
Ch 01
Muhammad Nur Febryandi
Similaire à Romney ch06
(20)
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais Part 1
Ais Romney 2006 Slides 06 Control And Ais
Ais Romney 2006 Slides 06 Control And Ais
Control and ais, revenue cycle
Control and ais, revenue cycle
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
Internal controls & ai ss
Internal controls & ai ss
AIS CH_01 Accounting Information Systems an overview.PPT
AIS CH_01 Accounting Information Systems an overview.PPT
Internal controls in an IT environment
Internal controls in an IT environment
It and business risk alignment guide
It and business risk alignment guide
Data Management Strategies
Data Management Strategies
Value-added it auditing
Value-added it auditing
Chap001_edited.ppt
Chap001_edited.ppt
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
It Governance Methodology Cox
It Governance Methodology Cox
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
Management ch18 (2)
Management ch18 (2)
Ch 01
Ch 01
Plus de Sri Rahayu
1stmeet
1stmeet
Sri Rahayu
Retail n service budget
Retail n service budget
Sri Rahayu
Jawaban cash n receivable budget
Jawaban cash n receivable budget
Sri Rahayu
Bahan lengkap
Bahan lengkap
Sri Rahayu
Cash Budget
Cash Budget
Sri Rahayu
Contoh Soal
Contoh Soal
Sri Rahayu
Anggaran Piutang
Anggaran Piutang
Sri Rahayu
Anggaran piutang
Anggaran piutang
Sri Rahayu
Kasus flowchart
Kasus flowchart
Sri Rahayu
Plus de Sri Rahayu
(9)
1stmeet
1stmeet
Retail n service budget
Retail n service budget
Jawaban cash n receivable budget
Jawaban cash n receivable budget
Bahan lengkap
Bahan lengkap
Cash Budget
Cash Budget
Contoh Soal
Contoh Soal
Anggaran Piutang
Anggaran Piutang
Anggaran piutang
Anggaran piutang
Kasus flowchart
Kasus flowchart
Dernier
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
GeoBlogs
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
iammrhaywood
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
Sapna Thakur
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
Disha Kariya
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
EduSkills OECD
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
dawncurless
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
pragatimahajan3
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Sapana Sha
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
Thiyagu K
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
Chameera Dedduwage
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
fonyou31
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
National Information Standards Organization (NISO)
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
SoniaTolstoy
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
christianmathematics
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
chloefrazer622
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
TechSoup
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
RAM LAL ANAND COLLEGE, DELHI UNIVERSITY.
Dernier
(20)
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
Romney ch06
1.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 1 of 315 C HAPTER 6 Control and Accounting Information Systems
2.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 2 of 315 INTRODUCTION • Questions to be addressed in this chapter: – What are the basic internal control concepts, and why are computer control and security important? – What is the difference between the COBIT, COSO, and ERM control frameworks? – What are the major elements in the internal environment of a company? – What are the four types of control objectives that companies need to set? – What events affect uncertainty, and how can they be identified? – How is the Enterprise Risk Management model used to assess and respond to risk? – What control activities are commonly used in companies? – How do organizations communicate information and monitor control processes?
3.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 3 of 315 INTRODUCTION • Why AIS threats are increasing – Control risks have increased in the last few years because: • There are computers and servers everywhere, and information is available to an unprecedented number of workers. • Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems. • Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.
4.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 4 of 315 INTRODUCTION • Historically, many organizations have not adequately protected their data due to one or more of the following reasons: – Computer control problems are often underestimated and downplayed. – Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet- based system are not always fully understood. – Companies have not realized that data is a strategic resource and that data security must be a strategic requirement. – Productivity and cost pressures may motivate management to forego time-consuming control measures.
5.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 5 of 315 INTRODUCTION • Some vocabulary terms for this chapter: – A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization. – The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality. – The likelihood is the probability that the threat will occur.
6.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 6 of 315 INTRODUCTION • Control and security are important – Companies are now recognizing the problems and taking positive steps to achieve better control, including: • Devoting full-time staff to security and control concerns. • Educating employees about control measures. • Establishing and enforcing formal information security policies. • Making controls a part of the applications development process. • Moving sensitive data to more secure environments.
7.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 7 of 315 INTRODUCTION • To use IT in achieving control objectives, accountants must: – Understand how to protect systems from threats. – Have a good understanding of IT and its capabilities and risks. • Achieving adequate security and control over the information resources of an organization should be a top management priority.
8.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 8 of 315 INTRODUCTION • Control objectives are the same regardless of the data processing method, but a computer- based AIS requires different internal control policies and procedures because: – Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files. – Segregation of duties must be achieved differently in an AIS. – Computers provide opportunities for enhancement of some internal controls.
9.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 9 of 315 INTRODUCTION • One of the primary objectives of an AIS is to control a business organization. – Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness. • Management expects accountants to be control consultants by: – Taking a proactive approach to eliminating system threats; and – Detecting, correcting, and recovering from threats when they do occur.
10.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 10 of 315 INTRODUCTION • It is much easier to build controls into a system during the initial stage than to add them after the fact. • Consequently, accountants and control experts should be members of the teams that develop or modify information systems.
11.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 11 of 315 OVERVIEW OF CONTROL CONCEPTS • In today’s dynamic business environment, companies must react quickly to changing conditions and markets, including steps to: – Hire creative and innovative employees. – Give these employees power and flexibility to: • Satisfy changing customer demands; • Pursue new opportunities to add value to the organization; and • Implement process improvements. • At the same time, the company needs control systems so they are not exposed to excessive risks or behaviors that could harm their reputation for honesty and integrity.
12.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 12 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: – Assets (including data) are safeguarded. • This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
13.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 13 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: – Assets (including data) are safeguarded. – Records are maintained in sufficient detail to accurately and fairly reflect company assets.
14.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 14 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: – Assets (including data) are safeguarded. – Records are maintained in sufficient detail to accurately and fairly reflect company assets. – Accurate and reliable information is provided.
15.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 15 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: – Assets (including data) are safeguarded. – Records are maintained in sufficient detail to accurately and fairly reflect company assets. – Accurate and reliable information is provided. – There is reasonable assurance that financial reports are prepared in accordance with GAAP.
16.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 16 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: – Assets (including data) are safeguarded. – Records are maintained in sufficient detail to accurately and fairly reflect company assets. – Accurate and reliable information is provided. – There is reasonable assurance that financial reports are prepared in accordance with GAAP. – Operational efficiency is promoted and improved. • This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors’ authorizations.
17.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 17 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: – Assets (including data) are safeguarded. – Records are maintained in sufficient detail to accurately and fairly reflect company assets. – Accurate and reliable information is provided. – There is reasonable assurance that financial reports are prepared in accordance with GAAP. – Operational efficiency is promoted and improved. – Adherence to prescribed managerial policies is encouraged.
18.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 18 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: – Assets (including data) are safeguarded. – Records are maintained in sufficient detail to accurately and fairly reflect company assets. – Accurate and reliable information is provided. – There is reasonable assurance that financial reports are prepared in accordance with GAAP. – Operational efficiency is promoted and improved. – Adherence to prescribed managerial policies is encouraged. – The organization complies with applicable laws and regulations.
19.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 19 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal control is a process because: – It permeates an organization’s operating activities. – It is an integral part of basic management activities. • Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.
20.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 20 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal control systems have inherent limitations, including: – They are susceptible to errors and poor decisions. – They can be overridden by management or by collusion of two or more employees. • Internal control objectives are often at odds with each other. – EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.
21.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 21 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal controls perform three important functions: – Preventive controls • Deter problems before they arise.
22.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 22 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal controls perform three important functions: – Preventive controls – Detective controls • Discover problems quickly when they do arise.
23.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 23 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal controls perform three important functions: – Preventive controls – Detective controls – Corrective controls • Remedy problems that have occurred by: – Identifying the cause; – Correcting the resulting errors; and – Modifying the system to prevent future problems of this sort.
24.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 24 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal controls are often classified as: – General controls • Those designed to make sure an organization’s control environment is stable and well managed. • They apply to all sizes and types of systems. • Examples: Security management controls.
25.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 25 of 315 OVERVIEW OF CONTROL CONCEPTS • Internal controls are often classified as: – General controls – Application controls • Prevent, detect, and correct transaction errors and fraud. • Concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
26.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 26 of 315 OVERVIEW OF CONTROL CONCEPTS • An effective system of internal controls should exist in all organizations to: – Help them achieve their missions and goals. – Minimize surprises.
27.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 27 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement. • The primary purpose of the act was to prevent the bribery of foreign officials to obtain business. • A significant effect was to require that corporations maintain good systems of internal accounting control. – Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems. – The resulting internal control improvements weren’t sufficient.
28.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 28 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines. – The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka, SOX). • Applies to publicly held companies and their auditors.
29.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 29 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • The intent of SOX is to: – Prevent financial statement fraud – Make financial reports more transparent – Protect investors – Strengthen internal controls in publicly-held companies – Punish executives who perpetrate fraud • SOX has had a material impact on the way boards of directors, management, and accountants operate.
30.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 30 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. • Has five members, three of whom cannot be CPAs. • Charges fees to firms to fund the PCAOB. • Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports. • Currently recognizes FASB statements as being generally accepted.
31.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 31 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. – New rules for auditors • They must report specific information to the company’s audit committee, such as: – Critical accounting policies and practices – Alternative GAAP treatments – Auditor-management disagreements • Audit partners must be rotated periodically.
32.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 32 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. – New rules for auditors • Auditors cannot perform certain non-audit services, such as: – Bookkeeping – Information systems design and implementation – Internal audit outsourcing services – Management functions – Human resource services
33.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 33 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. – New rules for auditors • Permissible non-audit services must be approved by the board of directors and disclosed to investors. • Cannot audit a company if a member of top management was employed by the auditor and worked on the company’s audit in the past 12 months.
34.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 34 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. – New rules for auditors – New rules for audit committees • Members must be on the company’s board of directors and must otherwise be independent of the company. • One member must be a financial expert. • The committee hires, compensates, and oversees the auditors, and the auditors report directly to the committee.
35.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 35 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. – New rules for auditors – New rules for audit committees – New rules for management • The CEO and CFO must certify that: – The financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading. – Management is responsible for internal controls. – The auditors were advised of any material internal control weaknesses or fraud. – Any significant changes to controls after management’s evaluation were disclosed and corrected.
36.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 36 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. – New rules for auditors – New rules for audit committees – New rules for management • If management willfully and knowingly violates the certification, they can be: – Imprisoned up to 20 years – Fined up to $5 million • Management and directors cannot receive loans that would not be available to people outside the company. • They must disclose on a rapid and current basis material changes to their financial condition.
37.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 37 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. – New rules for auditors – New rules for audit committees – New rules for management – New internal control requirements • New internal control requirements: – Section 404 of SOX requires companies to issue a report accompanying the financial statements that: • States management is responsible for establishing and maintaining an adequate internal control structure and procedures. • Contains management’s assessment of the company’s internal controls. • Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.
38.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 38 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Important aspects of SOX include: – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. – New rules for auditors – New rules for audit committees – New rules for management – New internal control requirements • SOX also requires that the auditor attests to and reports on management’s internal control assessment. • Each audit report must describe the scope of the auditor’s internal control tests.
39.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 39 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • After the passage of SOX, the SEC further mandated that: – Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter. – The report must contain a statement identifying the framework used. – Management must disclose any and all material internal control weaknesses. – Management cannot conclude that the company has effective internal control if there are any material weaknesses.
40.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 40 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Levers of control – Many people feel there is a basic conflict between creativity and controls. – Robert Simons has espoused four levers of controls to help companies reconcile this conflict: • A concise belief system • Communicates company core values to employees and inspires them to live by those values. • Draws attention to how the organization creates value. • Helps employees understand management’s intended direction. • Must be broad enough to appeal to all levels.
41.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 41 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Levers of Control – Many people feel there is a basic conflict between creativity and controls. – Robert Simons has espoused four levers of controls to help companies reconcile this conflict: • A concise belief system • A boundary system • Helps employees act ethically by setting limits beyond which they must not pass. • Does not create rules and standard operating procedures that can stifle creativity. • Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as: – Meeting minimum standards of performance – Shunning off-limits activities – Avoiding actions that could damage the company’s reputation.
42.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 42 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Levers of control – Many people feel there is a basic conflict between creativity and controls. – Robert Simons has espoused four levers of controls to help companies reconcile this conflict: • A concise belief system • A boundary system • A diagnostic control system • Ensures efficient and effective achievement of important controls. • This system measures company progress by comparing actual to planned performance. • Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations. • Provides feedback to enable management to adjust and fine-tune.
43.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 43 of 315 SOX AND THE FOREIGN CORRUPT PRACTICES ACT • Levers of Control – Many people feel there is a basic conflict between creativity and controls. – Robert Simons has espoused four levers of controls to help companies reconcile this conflict: • A concise belief system • A boundary system • A diagnostic control system • An interactive control system • Helps top-level managers with high-level activities that demand frequent and regular attention. Examples: – Developing company strategy. – Setting company objectives. – Understanding and assessing threats and risks. – Monitoring changes in competitive conditions and emerging technologies. – Developing responses and action plans to proactively deal with these high-level issues. • Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions. • Data from this system are best interpreted and discussed in face-to-face meetings.
44.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 44 of 315 CONTROL FRAMEWORKS • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: –The COBIT framework –The COSO internal control framework –COSO’s Enterprise Risk Management framework (ERM)
45.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 45 of 315 CONTROL FRAMEWORKS • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: –The COBIT framework –The COSO internal control framework –COSO’s Enterprise Risk Management framework (ERM)
46.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 46 of 315 CONTROL FRAMEWORKS • COBIT framework – Also know as the Control Objectives for Information and Related Technology framework. – Developed by the Information Systems Audit and Control Foundation (ISACF). – A framework of generally applicable information systems security and control practices for IT control.
47.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 47 of 315 CONTROL FRAMEWORKS • The COBIT framework allows: – Management to benchmark security and control practices of IT environments. – Users of IT services to be assured that adequate security and control exists. – Auditors to substantiate their opinions on internal control and advise on IT security and control matters.
48.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 48 of 315 CONTROL FRAMEWORKS • The framework addresses the issue of control from three vantage points or dimensions: – Business objectives • To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.” • The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives: – Effectiveness (relevant, pertinent, and timely) – Efficiency – Confidentiality – Integrity – Availability – Compliance with legal requirements – Reliability
49.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 49 of 315 CONTROL FRAMEWORKS • The framework addresses the issue of control from three vantage points or dimensions: – Business objectives – IT resources • Includes: • People • Application systems • Technology • Facilities • Data
50.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 50 of 315 CONTROL FRAMEWORKS • The framework addresses the issue of control from three vantage points or dimensions: – Business objectives – IT resources – IT processes • Broken into four domains: – Planning and organization – Acquisition and implementation – Delivery and support – Monitoring
51.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 51 of 315 CONTROL FRAMEWORKS • COBIT consolidates standards from 36 different sources into a single framework. • It is having a big impact on the IS profession. – Helps managers to learn how to balance risk and control investment in an IS environment. – Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate. – Guides auditors as they substantiate their opinions and provide advice to management on internal controls.
52.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 52 of 315 CONTROL FRAMEWORKS • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: –The COBIT framework –The COSO internal control framework –COSO’s Enterprise Risk Management framework (ERM)
53.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 53 of 315 CONTROL FRAMEWORKS • COSO’s internal control framework – The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of: • The American Accounting Association • The AICPA • The Institute of Internal Auditors • The Institute of Management Accountants • The Financial Executives Institute
54.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 54 of 315 CONTROL FRAMEWORKS • In 1992, COSO issued the Internal Control Integrated Framework: – Defines internal controls. – Provides guidance for evaluating and enhancing internal control systems. – Widely accepted as the authority on internal controls. – Incorporated into policies, rules, and regulations used to control business activities.
55.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 55 of 315 CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: - Control environment • The core of any business is its people. • Their integrity, ethical values, and competence make up the foundation on which everything else rests.
56.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 56 of 315 CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: - Control environment - Control activities • Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.
57.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 57 of 315 CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: - Control environment - Control activities - Risk assessment • The organization must be aware of and deal with the risks it faces. • It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
58.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 58 of 315 CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: - Control environment - Control activities - Risk assessment - Information and communication • Information and communications systems surround the control activities. • They enable the organization’s people to capture and exchange information needed to conduct, manage, and control its operations.
59.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 59 of 315 CONTROL FRAMEWORKS • COSO’s internal control model has five crucial components: - Control environment - Control activities - Risk assessment - Information and communication - Monitoring • The entire process must be monitored and modified as necessary.
60.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 60 of 315 CONTROL FRAMEWORKS • A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: –The COBIT framework –The COSO internal control framework –COSO’s Enterprise Risk Management framework (ERM)
61.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 61 of 315 CONTROL FRAMEWORKS • Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process. • Result: Enterprise Risk Manage Integrated Framework (ERM) – An enhanced corporate governance document. – Expands on elements of preceding framework. – Provides a focus on the broader subject of enterprise risk management.
62.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 62 of 315 CONTROL FRAMEWORKS • Intent of ERM is to achieve all goals of the internal control framework and help the organization: – Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized. – Achieve its financial and performance targets. – Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk. – Avoid adverse publicity and damage to the entity’s reputation.
63.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 63 of 315 CONTROL FRAMEWORKS • ERM defines risk management as: – A process effected by an entity’s board of directors, management, and other personnel. – Applied in strategy setting and across the enterprise. – To identify potential events that may affect the entity. – And manage risk to be within its risk appetite. – In order to provide reasonable assurance of the achievement of entity objectives.
64.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 64 of 315 CONTROL FRAMEWORKS • Basic principles behind ERM: – Companies are formed to create value for owners. – Management must decide how much uncertainty they will accept. – Uncertainty can result in: • Risk • The possibility that something will happen to: – Adversely affect the ability to create value; or – Erode existing value.
65.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 65 of 315 CONTROL FRAMEWORKS • Basic principles behind ERM: – Companies are formed to create value for owners. – Management must decide how much uncertainty they will accept. – Uncertainty can result in: • Risk • Opportunity • The possibility that something will happen to positively affect the ability to create or preserve value.
66.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 66 of 315 CONTROL FRAMEWORKS – The framework should help management manage uncertainty and its associated risk to build and preserve value. – To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.
67.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 67 of 315 CONTROL FRAMEWORKS • COSO developed a model to illustrate the elements of ERM.
68.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 68 of 315 CONTROL FRAMEWORKS • Columns at the top represent the four types of objectives that management must meet to achieve company goals. – Strategic objectives • Strategic objectives are high-level goals that are aligned with and support the company’s mission.
69.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 69 of 315 CONTROL FRAMEWORKS • Columns at the top represent the four types of objectives that management must meet to achieve company goals. – Strategic objectives – Operations objectives • Operations objectives deal with effectiveness and efficiency of company operations, such as: – Performance and profitability goals – Safeguarding assets
70.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 70 of 315 CONTROL FRAMEWORKS • Columns at the top represent the four types of objectives that management must meet to achieve company goals. – Strategic objectives – Operations objectives – Reporting objectives • Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature. • Improve decision-making and monitor company activities and performance more efficiently.
71.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 71 of 315 CONTROL FRAMEWORKS • Columns at the top represent the four types of objectives that management must meet to achieve company goals. – Strategic objectives – Operations objectives – Reporting objectives – Compliance objectives • Compliance objectives help the company comply with applicable laws and regulations. – External parties often set the compliance rules. – Companies in the same industry often have similar concerns in this area.
72.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 72 of 315 CONTROL FRAMEWORKS • ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them. • However, strategic and operations objectives are sometimes at the mercy of external events that the company can’t control. • Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.
73.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 73 of 315 CONTROL FRAMEWORKS • Columns on the right represent the company’s units: – Entire company
74.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 74 of 315 CONTROL FRAMEWORKS • Columns on the right represent the company’s units: – Entire company – Division
75.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 75 of 315 CONTROL FRAMEWORKS • Columns on the right represent the company’s units: – Entire company – Division – Business unit
76.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 76 of 315 CONTROL FRAMEWORKS • Columns on the right represent the company’s units: – Entire company – Division – Business unit – Subsidiary
77.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 77 of 315 CONTROL FRAMEWORKS • The horizontal rows are eight related risk and control components, including: – Internal environment • The tone or culture of the company. • Provides discipline and structure and is the foundation for all other components. • Essentially, the same as control environment in the COSO internal control framework.
78.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 78 of 315 CONTROL FRAMEWORKS • The horizontal rows are eight related risk and control components, including: – Internal environment – Objective setting • Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company’s mission and are consistent with the company’s tolerance for risk. • Strategic objectives are set first as a foundation for the other three. • The objectives provide guidance to companies as they identify risk- creating events and assess and respond to those risks.
79.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 79 of 315 CONTROL FRAMEWORKS • The horizontal rows are eight related risk and control components, including: – Internal environment – Objective setting – Event identification • Requires management to identify events that may affect the company’s ability to implement its strategy and achieve its objectives. • Management must then determine whether these events represent: – Risks (negative-impact events requiring assessment and response); or – Opportunities (positive-impact events that influence strategy and objective-setting processes).
80.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 80 of 315 CONTROL FRAMEWORKS • The horizontal rows are eight related risk and control components, including: – Internal environment – Objective setting – Event identification – Risk assessment • Identified risks are assessed to determine how to manage them and how they affect the company’s ability to achieve its objectives. • Qualitative and quantitative methods are used to assess risks individually and by category in terms of: – Likelihood – Positive and negative impact – Effect on other organizational units • Risks are analyzed on an inherent and a residual basis. • Corresponds to the risk assessment element in COSO’s internal control framework.
81.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 81 of 315 CONTROL FRAMEWORKS • The horizontal rows are eight related risk and control components, including: – Internal environment – Objective setting – Event identification – Risk assessment – Risk response • Management aligns identified risks with the company’s tolerance for risk by choosing to: – Avoid – Reduce – Share – Accept • Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and costs-benefits of alternate responses.
82.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 82 of 315 CONTROL FRAMEWORKS • The horizontal rows are eight related risk and control components, including: – Internal environment – Objective setting – Event identification – Risk assessment – Risk response – Control activities • To implement management’s risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization. • Corresponds to the control activities element in the COSO internal control framework.
83.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 83 of 315 CONTROL FRAMEWORKS • The horizontal rows are eight related risk and control components, including: – Internal environment – Objective setting – Event identification – Risk assessment – Risk response – Control activities – Information and communication • Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities. • Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties. • Employees should understand their role and importance in ERM and how these responsibilities relate to those of others. • Has a corresponding element in the COSO internal control framework.
84.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 84 of 315 CONTROL FRAMEWORKS • The horizontal rows are eight related risk and control components, including: – Internal environment – Objective setting – Event identification – Risk assessment – Risk response – Control activities – Information and communication – Monitoring • ERM processes must be monitored on an ongoing basis and modified as needed. • Accomplished with ongoing management activities and separate evaluations. • Deficiencies are reported to management. • Corresponding module in COSO internal control framework.
85.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 85 of 315 CONTROL FRAMEWORKS • The ERM model is three-dimensional. • Means that each of the eight risk and control elements are applied to the four objectives in the entire company and/or one of its subunits.
86.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 86 of 315 CONTROL FRAMEWORKS • ERM Framework Vs. the Internal Control Framework – The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it. • It has too narrow of a focus. • Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results. • Makes it difficult to know: – Which control systems are most important. – Whether they adequately deal with risk. – Whether important control systems are missing.
87.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 87 of 315 CONTROL FRAMEWORKS • ERM framework vs. the internal control framework – The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it. • It has too narrow of a focus. • Focusing on controls first has an inherent bias toward past problems and concerns. • May contribute to systems with many controls to protect against risks that are no longer important.
88.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 88 of 315 CONTROL FRAMEWORKS • These issues led to COSO’s development of the ERM framework. – Takes a risk-based, rather than controls-based, approach to the organization. – Oriented toward future and constant change. – Incorporates rather than replaces COSO’s internal control framework and contains three additional elements: • Setting objectives. • Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives. • Developing a response to assessed risk.
89.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 89 of 315 CONTROL FRAMEWORKS – Controls are flexible and relevant because they are linked to current organizational objectives. – ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.
90.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 90 of 315 CONTROL FRAMEWORKS • Over time, ERM will probably become the most widely adopted risk and control model. • Consequently, its eight components are the topic of the remainder of the chapter.
91.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 91 of 315 INTERNAL ENVIRONMENT • The most critical component of the ERM and the internal control framework. • Is the foundation on which the other seven components rest. • Influences how organizations: – Establish strategies and objectives – Structure business activities – Identify, access, and respond to risk • A deficient internal control environment often results in risk management and control breakdowns.
92.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 92 of 315 INTERNAL ENVIRONMENT • Internal environment consists of the following: – Management’s philosophy, operating style, and risk appetite – The board of directors – Commitment to integrity, ethical values, and competence – Organizational structure – Methods of assigning authority and responsibility – Human resource standards – External influences
93.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 93 of 315 INTERNAL ENVIRONMENT • Internal environment consists of the following: – Management’s philosophy, operating style, and risk appetite – The board of directors – Commitment to integrity, ethical values, and competence – Organizational structure – Methods of assigning authority and responsibility – Human resource standards – External influences
94.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 94 of 315 INTERNAL ENVIRONMENT • Management’s philosophy, operating style, and risk appetite – An organization’s management has shared beliefs and attitudes about risk. – That philosophy affects everything the organization does, long- and short-term, and affects their communications. – Companies also have a risk appetite, which is the amount of risk a company is willing to accept to achieve its goals and objectives. – That appetite needs to be in alignment with company strategy.
95.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 95 of 315 INTERNAL ENVIRONMENT – The more responsible management’s philosophy and operating style, the more likely employees will behave responsibly. – This philosophy must be clearly communicated to all employees; it is not enough to give lip service. – Management must back up words with actions; if they show little concern for internal controls, then neither will employees.
96.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 96 of 315 INTERNAL ENVIRONMENT – This component can be assessed by asking questions such as: • Does management take undue business risks or assess potential risks and rewards before acting? • Does management attempt to manipulate performance measures such as net income? • Does management pressure employees to achieve results regardless of methods or do they demand ethical behavior?
97.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 97 of 315 INTERNAL ENVIRONMENT • Internal environment consists of the following: – Management’s philosophy, operating style, and risk appetite – The board of directors – Commitment to integrity, ethical values, and competence – Organizational structure – Methods of assigning authority and responsibility – Human resource standards – External influences
98.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 98 of 315 INTERNAL ENVIRONMENT • The board of directors – An active and involved board of directors plays an important role in internal control. – They should: • Oversee management • Scrutinize management’s plans, performance, and activities • Approve company strategy • Review financial results • Annually review the company’s security policy • Interact with internal and external auditors
99.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 99 of 315 INTERNAL ENVIRONMENT • Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders. • At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.
100.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 100 of 315 INTERNAL ENVIRONMENT • Public companies must have an audit committee, composed entirely of independent, outside directors. – The audit committee oversees: • The company’s internal control structure; • Its financial reporting process; and • Its compliance with laws, regulations, and standards. – Works with the corporation’s external and internal auditors. • Hires, compensates, and oversees the auditors. • Auditors report all critical accounting policies and practices to the audit committee. – Provides an independent review of management’s actions.
101.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 101 of 315 INTERNAL ENVIRONMENT • Internal environment consists of the following: – Management’s philosophy, operating style, and risk appetite – The board of directors – Commitment to integrity, ethical values, and competence – Organizational structure – Methods of assigning authority and responsibility – Human resource standards – External influences
102.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 102 of 315 INTERNAL ENVIRONMENT • Commitment to integrity, ethical values, and competence – Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence. • Ethical standards of behavior make for good business. • Tone at the top is everything. • Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.
103.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 103 of 315 INTERNAL ENVIRONMENT • Companies can endorse integrity as a basic operating principle by actively teaching and requiring it. – Management should: • Make it clear that honest reports are more important than favorable ones. – Management should avoid: • Unrealistic expectations, incentives, or temptations. • Attitude of earnings or revenue at any price. • Overly aggressive sales practices. • Unfair or unethical negotiation practices. • Implied kickback offers. • Excessive bonuses. • Bonus plans with upper and lower cutoffs.
104.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 104 of 315 INTERNAL ENVIRONMENT • Management should not assume that employees would always act honestly. – Consistently reward and encourage honesty. – Give verbal labels to honest and dishonest acts. – The combination of these two will produce more consistent moral behavior.
105.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 105 of 315 INTERNAL ENVIRONMENT • Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct. – In particular, such a code would cover issues that are uncertain or unclear. – Dishonesty often appears when situations are gray and employees rationalize the most expedient action as opposed to making a right vs. wrong choice.
106.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 106 of 315 INTERNAL ENVIRONMENT • SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees: – Should be written at a fifth-grade level. – Should be reviewed annually with employees and signed. – This approach helps employees keep themselves out of trouble. – Helps the company if they need to take legal action against the employee.
107.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 107 of 315 INTERNAL ENVIRONMENT • Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report. – Reports of dishonest acts should be thoroughly investigated. – Those found guilty should be dismissed. – Prosecution should be undertaken when possible, so that other employees are clear about consequences. • Companies must make a commitment to competence. – Begins with having competent employees. – Varies with each job but is a function of knowledge, experience, training, and skills.
108.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 108 of 315 INTERNAL ENVIRONMENT • The levers of control, particularly beliefs and boundaries systems, can be used to create the kind of commitment to integrity an organization wants. – Requires more than lip service and signing forms. – Must be systems in which top management actively participates in order to: • Demonstrate the importance of the system. • Create buy-in and a team spirit.
109.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 109 of 315 INTERNAL ENVIRONMENT • Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report. – Reports of dishonest acts should be thoroughly investigated. – Those found guilty should be dismissed. – Prosecution should be undertaken when possible, so that other employees are clear about consequences.
110.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 110 of 315 INTERNAL ENVIRONMENT • Companies must make a commitment to competence. – Begins with having competent employees. – Varies with each job but is a function of knowledge, experience, training, and skills.
111.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 111 of 315 INTERNAL ENVIRONMENT • The levers of control, particularly beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants. – Requires more than lip service and signing forms. – Must be systems in which top management actively participates in order to: • Demonstrate the importance of the system. • Create buy-in and a team spirit.
112.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 112 of 315 INTERNAL ENVIRONMENT • Internal environment consists of the following: – Management’s philosophy, operating style, and risk appetite – The board of directors – Commitment to integrity, ethical values, and competence – Organizational structure – Methods of assigning authority and responsibility – Human resource standards – External influences
113.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 113 of 315 INTERNAL ENVIRONMENT • Organizational structure – A company’s organizational structure defines its lines of authority, responsibility, and reporting. • Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.
114.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 114 of 315 INTERNAL ENVIRONMENT • Important aspects or organizational structure: – Degree of centralization or decentralization. – Assignment of responsibility for specific tasks. – Direct-reporting relationships or matrix structure. – Organization by industry, product, geographic location, marketing network. – How the responsibility allocation affects management’s information needs. – Organization of accounting and IS functions. – Size and nature of company activities.
115.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 115 of 315 INTERNAL ENVIRONMENT • Statistically, fraud occurs more frequently in organizations with complex structures. – The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or – The structure may be intentionally complex to facilitate the fraud.
116.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 116 of 315 INTERNAL ENVIRONMENT • In today’s business world, the hierarchical organizations with many layers of management are giving way to flatter organizations with self- directed work teams. – Team members are empowered to make decisions without multiple layers of approvals. – Emphasis is on continuous improvement rather than on regular evaluations. – These changes have a significant impact on the nature and type of controls needed.
117.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 117 of 315 INTERNAL ENVIRONMENT • Internal environment consists of the following: – Management’s philosophy, operating style, and risk appetite – The board of directors – Commitment to integrity, ethical values, and competence – Organizational structure – Methods of assigning authority and responsibility – Human resource standards – External influences
118.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 118 of 315 INTERNAL ENVIRONMENT • Methods of assigning authority and responsibility – Management should make sure: • Employees understand the entity’s objectives. • Authority and responsibility for business objectives is assigned to specific departments and individuals. – Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives. – Management: • Must be sure to identify who is responsible for the IS security policy. • Should monitor results so decisions can be reviewed and, if necessary, overruled.
119.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 119 of 315 INTERNAL ENVIRONMENT • Authority and responsibility are assigned through: – Formal job descriptions – Employee training – Operating plans, schedules, and budgets – Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest – Written policies and procedures manuals (a good job reference and job training tool) which covers: • Proper business practices • Knowledge and experience needed by key personnel • Resources provided to carry out duties • Policies and procedures for handling particular transactions • The organization’s chart of accounts • Sample copies of forms and documents
120.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 120 of 315 INTERNAL ENVIRONMENT • Internal environment consists of the following: – Management’s philosophy, operating style, and risk appetite – The board of directors – Commitment to integrity, ethical values, and competence – Organizational structure – Methods of assigning authority and responsibility – Human resource standards – External influences
121.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 121 of 315 INTERNAL ENVIRONMENT • Human resources standards – Employees are both the company’s greatest control strength and the greatest control weakness. – Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required. – Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization’s vulnerability.
122.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 122 of 315 INTERNAL ENVIRONMENT • The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging – Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds
123.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 123 of 315 INTERNAL ENVIRONMENT • The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging – Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds
124.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 124 of 315 INTERNAL ENVIRONMENT • Hiring – Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements. – Employees should undergo a formal, in-depth employment interview. – Resumes, reference letters, and thorough background checks are critical.
125.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 125 of 315 INTERNAL ENVIRONMENT • Background checks can involve: – Verifying education and experience. – Talking with references. – Checking for criminal records, credit issues, and other publicly available data. – Note that you must have the employee’s or candidate’s written permission to conduct a background check, but that permission does not need to have an expiration date. – Background checks are important because recent studies show that about 50% of resumes have been falsified or embellished.
126.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 126 of 315 INTERNAL ENVIRONMENT • Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions. – Some get phony degrees from online “diploma mills.” • A Pennsylvania district attorney recently filed suit against a Texas “university” for issuing an MBA to the DA’s 6-year-old black cat. – Others actually hack (or hire someone to hack) into the systems of universities to create or alter transcripts and other academic data. • No employee should be exempted from background checks. Anyone from the custodian to the company president is capable of committing fraud, sabotage, etc.
127.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 127 of 315 INTERNAL ENVIRONMENT • The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging – Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds
128.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 128 of 315 INTERNAL ENVIRONMENT • Compensating – Employees should be paid a fair and competitive wage. – Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud. – Appropriate incentives can motivate and reinforce outstanding performance.
129.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 129 of 315 INTERNAL ENVIRONMENT • The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging – Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds
130.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 130 of 315 INTERNAL ENVIRONMENT • Policies on training – Training programs should familiarize new employees with: • Their responsibilities. • Expected performance and behavior. • Company policies, procedures, history, culture, and operating style. – Training needs to be ongoing, not just one time. – Companies who shortchange training are more likely to experience security breaches and fraud.
131.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 131 of 315 INTERNAL ENVIRONMENT – Many believe employee training and education are the most important elements of fraud prevention and security programs. – Fraud is less likely to occur when employees believe security is everyone’s business. – An ideal corporate culture exists when: • Employees are proud of their company and protective of its assets. • They believe fraud hurts everyone and that they therefore have a responsibility to report it.
132.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 132 of 315 INTERNAL ENVIRONMENT • These cultures do not just happen. They must be created, taught, and practiced, and the following training should be provided: – Fraud awareness • Employees should be aware of fraud’s prevalence and dangers, why people do it, and how to deter and detect it. – Ethical considerations • The company should promote ethical standards in its practice and its literature. • Acceptable and unacceptable behavior should be defined and labeled, leaving as little gray area as possible.
133.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 133 of 315 INTERNAL ENVIRONMENT – Punishment for fraud and unethical behavior. • Employees should know the consequences (e.g., reprimand, dismissal, prosecution) of bad behavior. • Should be disseminated as a consequence rather than a threat. • EXAMPLE: “Using a computer to steal or commit fraud is a federal crime, and anyone doing so faces immediate dismissal and/or prosecution.” • The company should display notices of program and data ownership and advise employees of the penalties of misuse.
134.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 134 of 315 INTERNAL ENVIRONMENT • Training can take place through: – Informal discussions – Formal meetings – Periodic memos – Written guidelines – Codes of ethics – Circulating reports of unethical behavior and its consequences – Promoting security and fraud training programs
135.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 135 of 315 INTERNAL ENVIRONMENT • The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging – Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds
136.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 136 of 315 INTERNAL ENVIRONMENT • Evaluating and promoting – Do periodic performance appraisals to help employees understand their strengths and weaknesses. – Base promotions on performance and qualifications.
137.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 137 of 315 INTERNAL ENVIRONMENT • The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging – Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds
138.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 138 of 315 INTERNAL ENVIRONMENT • Discharging – Fired employees are disgruntled employees. – Disgruntled employees are more likely to commit a sabotage or fraud against the company. – Employees who are terminated (whether voluntary or involuntary) should be removed from sensitive jobs immediately and denied access to information systems.
139.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 139 of 315 INTERNAL ENVIRONMENT • The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging – Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds
140.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 140 of 315 INTERNAL ENVIRONMENT • Managing disgruntled employees – Disgruntled employees may be isolated and/or unhappy, but are much likelier fraud candidates than satisfied employees. – The organization can try to reduce the employee’s pressures through grievance channels and counseling. • Difficult to do because many employees feel that seeking counseling will stigmatize them in their jobs. – Disgruntled employees should not be allowed to continue in jobs where they could harm the organization.
141.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 141 of 315 INTERNAL ENVIRONMENT • The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging – Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds
142.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 142 of 315 INTERNAL ENVIRONMENT • Vacations and rotation of duties – Some fraud schemes, such as lapping and kiting, cannot continue without the constant attention of the perpetrator. – Mandatory vacations or rotation of duties can prevent these frauds or lead to early detection. – These measures will only be effective if someone else is doing the job while the usual employee is elsewhere.
143.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 143 of 315 INTERNAL ENVIRONMENT • The following policies and procedures are important: – Hiring – Compensating – Training – Evaluating and promoting – Discharging – Managing disgruntled employees – Vacations and rotation of duties – Confidentiality insurance and fidelity bonds
144.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 144 of 315 INTERNAL ENVIRONMENT • Confidentiality agreements and fidelity bond insurance – Employees, suppliers, and contractors should be required to sign and abide by nondisclosure or confidentiality agreements. – Key employees should have fidelity bond insurance coverage to protect the company against losses from fraudulent acts by those employees.
145.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 145 of 315 INTERNAL ENVIRONMENT • In addition to the preceding policies, the company should seek prosecution and incarceration of hackers and fraud perpetrators • Most fraud cases and hacker attacks go unreported. They are not prosecuted for several reasons. – Companies fear: • Public relations nightmares • Copycat attacks – But unreported fraud and intrusions create a false sense of security.
146.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 146 of 315 INTERNAL ENVIRONMENT – Law enforcement officials and courts are busy with violent crimes and may regard teen hacking as “childish pranks.” – Fraud is difficult, costly, and time-consuming to investigate and prosecute. – Law enforcement officials, lawyers, and judges often lack the computer skills needed to investigate, prosecute, and evaluate computer crimes. – When cases are prosecuted and a conviction obtained, penalties are often very light. Judges often regard the perps as “model citizens.”
147.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 147 of 315 INTERNAL ENVIRONMENT • Internal environment consists of the following: – Management’s philosophy, operating style, and risk appetite – The board of directors – Commitment to integrity, ethical values, and competence – Organizational structure – Methods of assigning authority and responsibility – Human resource standards – External influences
148.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 148 of 315 INTERNAL ENVIRONMENT • External influences – External influences that affect the control environment include requirements imposed by: • FASB • PCAOB • SEC • Insurance commissions • Regulatory agencies for banks, utilities, etc.
149.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 149 of 315 OBJECTIVE SETTING • Objective setting is the second ERM component. • It must precede many of the other six components. • For example, you must set objectives before you can define events that affect your ability to achieve objectives
150.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 150 of 315 OBJECTIVE SETTING • Top management, with board approval, must articulate why the company exists and what it hopes to achieve. – Often referred to as the corporate vision or mission. • Uses the mission statement as a base from which to set corporate objectives. • The objectives: – Need to be easy to understand and measure. – Should be prioritized. – Should be aligned with the company’s risk appetite.
151.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 151 of 315 OBJECTIVE SETTING • Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub- units. • For each set of objectives: – Critical success factors (what has to go right) must be defined. – Performance measures should be established to determine whether the objectives are met.
152.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 152 of 315 OBJECTIVE SETTING • Objective-setting process proceeds as follows: – First, set strategic objectives, the high-level goals that support the company’s mission and create value for shareholders. – To meet these objectives, identify alternative ways of accomplishing them. – For each alternative, identify and assess risks and implications. – Formulate a corporate strategy. – Then set operations, compliance, and reporting objectives.
153.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 153 of 315 OBJECTIVE SETTING • As a rule of thumb: – The mission and strategic objectives are stable. – The strategy and other objectives are more dynamic: • Must be adapted to changing conditions. • Must be realigned with strategic objectives.
154.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 154 of 315 OBJECTIVE SETTING • Operations objectives: – Are a product of management preferences, judgments, and style. – Vary significantly among entities: • One may adopt technology; another waits until the bugs are worked out. – Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures. – Give clear direction for resource allocation—a key success factor.
155.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 155 of 315 OBJECTIVE SETTING • Compliance and reporting objectives: – Many are imposed by external entities, e.g.: • Reports to IRS or to EPA • Financial reports that comply with GAAP – A company’s reputation can be impacted significantly (for better or worse) by the quality of its compliance.
156.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 156 of 315 EVENT IDENTIFICATION • Events are: – Incidents or occurrences that emanate from internal or external sources. – That affect implementation of strategy or achievement of objectives. – Impact can be positive, negative, or both. – Events can range from obvious to obscure. – Effects can range from inconsequential to highly significant.
157.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 157 of 315 EVENT IDENTIFICATION • By their nature, events represent uncertainty: – Will they occur? – If so, when? – And what will the impact be? – Will they trigger another event? – Will they happen individually or concurrently?
158.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 158 of 315 EVENT IDENTIFICATION • Management must do its best to anticipate all possible events—positive or negative—that might affect the company: – Try to determine which are most and least likely. – Understand the interrelationships of events. • COSO identified many internal and external factors that could influence events and affect a company’s ability to implement strategy and achieve objectives.
159.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 159 of 315 EVENT IDENTIFICATION • Some of these factors include: – External factors: • Economic factors • Availability of capital; lower or higher costs of capital • Lower barriers to entry, resulting in new competition • Price movements up or down • Ability to issue credit and possibility of default • Concentration of competitors, customers, or vendors • Presence or absence of liquidity • Movements in the financial markets or currency fluctuations • Rising or lowering unemployment rates • Mergers or acquisitions • Potential regulatory, contractual, or criminal legal liability
160.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 160 of 315 EVENT IDENTIFICATION • Some of these factors include: – External factors: • Economic factors • Natural environment • Natural disasters such as fires, floods, or earthquakes • Emissions and waste • Energy restrictions or shortages • Restrictions limiting development
161.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 161 of 315 EVENT IDENTIFICATION • Some of these factors include: – External factors: • Economic factors • Natural environment • Political factors • Election of government officials with new agendas • New laws and regulations • Public policy, including higher or lower taxes • Regulation affecting the company’s ability to compete
162.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 162 of 315 EVENT IDENTIFICATION • Some of these factors include: – External factors: • Economic factors • Natural environment • Political factors • Social factors • Changing demographics, social mores, family structures, and work/life priorities • Consumer behavior that changes demand for products and services or creates new buying opportunities • Corporate citizenship • Privacy • Terrorism • Human resource issues causing production shortages or stoppages
163.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 163 of 315 EVENT IDENTIFICATION • Some of these factors include: – External factors: • Economic factors • Natural environment • Political factors • Social factors • Technological factors • New e-business technologies that lower infrastructure costs or increase demand for IT- based services • Emerging technology • Increased or decreased availability of data • Interruptions or down time caused by external parties
164.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 164 of 315 EVENT IDENTIFICATION • Some of these factors include: – Internal factors: • Infrastructure • Inadequate access or poor allocation of capital • Availability and capability of company assets • Complexity of systems
165.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 165 of 315 EVENT IDENTIFICATION • Some of these factors include: – Internal factors: • Infrastructure • Personnel • Employee skills and capability • Employees acting dishonestly or unethically • Workplace accidents, health or safety concerns • Strikes or expiration of labor agreements
166.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 166 of 315 EVENT IDENTIFICATION • Some of these factors include: – Internal factors: • Infrastructure • Personnel • Process • Process modification without proper change management procedures • Poorly designed processes • Process execution errors • Suppliers cannot deliver quality goods on time
167.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 167 of 315 EVENT IDENTIFICATION • Some of these factors include: – Internal factors: • Infrastructure • Personnel • Process • Technology • Insufficient capacity to handle peak IT usages • Security breaches • Data or system unavailability from internal factors • Inadequate data integrity • Poor systems selection/development • Inadequately maintained systems
168.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 168 of 315 EVENT IDENTIFICATION • Lists can help management identify factors, evaluate their importance, and examine those that can affect objectives. • Identifying events at the activity and entity levels allows companies to focus their risk assessment on major business units or functions and align their risk tolerance and risk appetite.
169.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 169 of 315 EVENT IDENTIFICATION • Companies usually use two or more of the following techniques together to identify events: – Use comprehensive lists of potential events • Often produced by special software that can tailor lists to an industry, activity, or process.
170.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 170 of 315 EVENT IDENTIFICATION • Companies usually use two or more of the following techniques together to identify events: – Use comprehensive lists of potential events – Perform an internal analysis • An internal committee analyzes events, contacting appropriate insiders and outsiders for input.
171.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 171 of 315 EVENT IDENTIFICATION • Companies usually use two or more of the following techniques together to identify events: – Use comprehensive lists of potential events – Perform an internal analysis – Monitor leading events and trigger points • Appropriate transactions, activities, and events are monitored and compared to predefined criteria to determine when action is needed.
172.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 172 of 315 EVENT IDENTIFICATION • Companies usually use two or more of the following techniques together to identify events: – Use comprehensive lists of potential events – Perform an internal analysis – Monitor leading events and trigger points – Conduct workshops and interviews • Employee knowledge and expertise is gathered in structured discussions or individual interviews.
173.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 173 of 315 EVENT IDENTIFICATION • Companies usually use two or more of the following techniques together to identify events: – Use comprehensive lists of potential events – Perform an internal analysis – Monitor leading events and trigger points – Conduct workshops and interviews – Perform data mining and analysis • Examine data on prior events to identify trends and causes that help identify possible events.
174.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 174 of 315 EVENT IDENTIFICATION • Companies usually use two or more of the following techniques together to identify events: – Use comprehensive lists of potential events – Perform an internal analysis – Monitor leading events and trigger points – Conduct workshops and interviews – Perform data mining and analysis – Analyze processes • Analyze internal and external factors that affect inputs, processes, and outputs to identify events that might help or hinder the process.
175.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 175 of 315 RISK ASSESSMENT AND RISK RESPONSE • The fourth and fifth components of COSO’s ERM model are risk assessment and risk response. • COSO indicates there are two types of risk: – Inherent risk • The risk that exists before management takes any steps to control the likelihood or impact of a risk.
176.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 176 of 315 RISK ASSESSMENT AND RISK RESPONSE • The fourth and fifth components of COSO’s ERM model are risk assessment and risk response. • COSO indicates there are two types of risk: – Inherent risk – Residual risk • The risk that remains after management implements internal controls or some other form of response to risk.
177.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 177 of 315 RISK ASSESSMENT AND RISK RESPONSE • Companies should: – Assess inherent risk – Develop a response – Then assess residual risk • The ERM model indicates four ways to respond to risk: – Reduce it • The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.
178.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 178 of 315 RISK ASSESSMENT AND RISK RESPONSE • Companies should: – Assess inherent risk – Develop a response – Then assess residual risk • The ERM model indicates four ways to respond to risk: – Reduce it – Accept it • Don’t act to prevent or mitigate it.
179.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 179 of 315 RISK ASSESSMENT AND RISK RESPONSE • Companies should: – Assess inherent risk – Develop a response – Then assess residual risk • The ERM model indicates four ways to respond to risk: – Reduce it – Accept it – Share it • Transfer some of it to others via activities such as insurance, outsourcing, or hedging.
180.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 180 of 315 RISK ASSESSMENT AND RISK RESPONSE • Companies should: – Assess inherent risk – Develop a response – Then assess residual risk • The ERM model indicates four ways to respond to risk: – Reduce it – Accept it – Share it – Avoid it • Don’t engage in the activity that produces it. • May require: – Sale of a division – Exiting a product line – Canceling an expansion plan
181.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 181 of 315 RISK ASSESSMENT AND RISK RESPONSE • Accountants: – Help management design effective controls to reduce inherent risk. – Evaluate internal control systems to ensure they are operating effectively. – Assess and reduce inherent risk using the risk assessment and response strategy.
182.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 182 of 315 RISK ASSESSMENT AND RISK RESPONSE • Event identification – The first step in risk assessment and response strategy is event identification, which we have already discussed. Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost- beneficial to protect system Avoid, share, or accept risk Yes No
183.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 183 of 315 RISK ASSESSMENT AND RISK RESPONSE • Estimate likelihood and impact – Some events pose more risk because they are more probable than others. – Some events pose more risk because their dollar impact would be more significant. – Likelihood and impact must be considered together: – If either increases, the materiality of the event and the need to protect against it rises. Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost- beneficial to protect system Avoid, share, or accept risk Yes No
184.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 184 of 315 RISK ASSESSMENT AND RISK RESPONSE • Identify controls – Management must identify one or more controls that will protect the company from each event. – In evaluating benefits of each control procedure, consider effectiveness and timing. Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost- beneficial to protect system Avoid, share, or accept risk Yes No
185.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 185 of 315 RISK ASSESSMENT AND RISK RESPONSE • All other factors equal: – A preventive control is better than a detective one. – However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover. – Consequently, the three complement each other, and a good internal control system should have all three. – Similarly, a company should use all four levers of control. Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost- beneficial to protect system Avoid, share, or accept risk Yes No
186.
© 2008 Prentice
Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 186 of 315 RISK ASSESSMENT AND RISK RESPONSE • Estimate costs and benefits – It would be cost- prohibitive to create an internal control system that provided foolproof protection against all events. – Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient. Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Reduce risk by implementing set of controls to guard against threat Is it cost- beneficial to protect system Avoid, share, or accept risk Yes No
Télécharger maintenant