Control and Accounting

Information Systems
 INTRODUCTION
• Questions to be addressed in this chapter:
– What are the basic internal control concepts, and why are
computer control and security important?
– What is the difference between the COBIT, COSO, and ERM
control frameworks?
– What are the major elements in the internal environment of
a company?
– What are the four types of control objectives that
companies need to set?
– What events affect uncertainty, and how can they be
identified?
– How is the Enterprise Risk Management model used to assess
and respond to risk?
– What control activities are commonly used in companies?
– How do organizations communicate information and monitor
control processes?
 INTRODUCTION
• Why AIS threats are increasing
– Control risks have increased in the last few years
because:
• There are computers and servers everywhere, and
information is available to an unprecedented number of
workers.
• Distributed computer networks make data available to
many users, and these networks are harder to control
than centralized mainframe systems.
• Wide area networks are giving customers and suppliers
access to each other’s systems and data, making
confidentiality a major concern.
 INTRODUCTION
• Historically, many organizations have not adequately
protected their data due to one or more of the
following reasons:
– Computer control problems are often underestimated and
downplayed.
– Control implications of moving from centralized, host-based
computer systems to those of a networked system or
Internet-based system are not always fully understood.
– Companies have not realized that data is a strategic resource
and that data security must be a strategic requirement.
– Productivity and cost pressures may motivate management to
forego time-consuming control measures.
 INTRODUCTION
• Some vocabulary terms for this
chapter:
– A threat is any potential adverse
occurrence or unwanted event that could
injure the AIS or the organization.
– The exposure or impact of the threat is
the potential dollar loss that would occur if
the threat becomes a reality.
– The likelihood is the probability that the
threat will occur.
 INTRODUCTION
• Control and security are important
– Companies are now recognizing the problems and
taking positive steps to achieve better control,
including:
• Devoting full-time staff to security and control concerns.
• Educating employees about control measures.
• Establishing and enforcing formal information security
policies.
• Making controls a part of the applications development
process.
• Moving sensitive data to more secure environments.
 INTRODUCTION
• To use IT in achieving control
objectives, accountants must:
– Understand how to protect systems from
threats.
– Have a good understanding of IT and its
capabilities and risks.
• Achieving adequate security and control
over the information resources of an
organization should be a top
management priority.
 INTRODUCTION
• Control objectives are the same regardless of
the data processing method, but a computer-
based AIS requires different internal control
policies and procedures because:
– Computer processing may reduce clerical errors
but increase risks of unauthorized access or
modification of data files.
– Segregation of duties must be achieved
differently in an AIS.
– Computers provide opportunities for enhancement
of some internal controls.
 INTRODUCTION
• One of the primary objectives of an AIS is to
control a business organization.
– Accountants must help by designing effective
control systems and auditing or reviewing control
systems already in place to ensure their
effectiveness.
• Management expects accountants to be
control consultants by:
– Taking a proactive approach to eliminating system
threats; and
– Detecting, correcting, and recovering from threats
when they do occur.
 INTRODUCTION
• It is much easier to build controls into a
system during the initial stage than to
add them after the fact.
• Consequently, accountants and control
experts should be members of the
teams that develop or modify
information systems.
OVERVIEW OF CONTROL CONCEPTS
• In today’s dynamic business environment,
companies must react quickly to changing
conditions and markets, including steps to:
– Hire creative and innovative employees.
– Give these employees power and flexibility to:
• Satisfy changing customer demands;
• Pursue new opportunities to add value to the organization;
and
• Implement process improvements.
• At the same time, the company needs control
systems so they are not exposed to excessive
risks or behaviors that could harm their
reputation for honesty and integrity.
OVERVIEW OF CONTROL CONCEPTS
• Internal control is the process implemented by the
board of directors, management, and those under
their direction to provide reasonable assurance that
the following control objectives are achieved:
– Assets (including data) are safeguarded.
• This objective includes prevention or timely
detection of unauthorized acquisition, use, or
disposal of material company assets.
OVERVIEW OF CONTROL CONCEPTS
• Internal control is the process implemented by the
board of directors, management, and those under
their direction to provide reasonable assurance that
the following control objectives are achieved:
– Assets (including data) are safeguarded.
– Records are maintained in sufficient detail to accurately
and fairly reflect company assets.
OVERVIEW OF CONTROL CONCEPTS
• Internal control is the process implemented by the
board of directors, management, and those under
their direction to provide reasonable assurance that
the following control objectives are achieved:
– Assets (including data) are safeguarded.
– Records are maintained in sufficient detail to accurately and
fairly reflect company assets.
– Accurate and reliable information is provided.
OVERVIEW OF CONTROL CONCEPTS
• Internal control is the process implemented by the
board of directors, management, and those under
their direction to provide reasonable assurance that
the following control objectives are achieved:
– Assets (including data) are safeguarded.
– Records are maintained in sufficient detail to accurately and
fairly reflect company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are
prepared in accordance with IFRS/IAS
OVERVIEW OF CONTROL CONCEPTS
• Internal control is the process implemented by the
board of directors, management, and those under
their direction to provide reasonable assurance that
the following control objectives are achieved:
– Assets (including data) are safeguarded.
– Records are maintained in sufficient detail to accurately and
fairly reflect company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are
prepared in accordance with IFRS/IAS.
– Operational efficiency is promoted and improved.
• This objective includes ensuring that company receipts
and expenditures are made in accordance with
management and directors’ authorizations.
OVERVIEW OF CONTROL CONCEPTS
• Internal control is the process implemented by the
board of directors, management, and those under
their direction to provide reasonable assurance that
the following control objectives are achieved:
– Assets (including data) are safeguarded.
– Records are maintained in sufficient detail to accurately and
fairly reflect company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are
prepared in accordance with GAAP.
– Operational efficiency is promoted and improved.
– Adherence to prescribed managerial policies is
encouraged.
OVERVIEW OF CONTROL CONCEPTS
• Internal control is the process implemented by the
board of directors, management, and those under
their direction to provide reasonable assurance that
the following control objectives are achieved:
– Assets (including data) are safeguarded.
– Records are maintained in sufficient detail to accurately and
fairly reflect company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are
prepared in accordance with GAAP.
– Operational efficiency is promoted and improved.
– Adherence to prescribed managerial policies is encouraged.
– The organization complies with applicable laws and
regulations.
OVERVIEW OF CONTROL CONCEPTS
• Internal control is a process because:
– It permeates an organization’s operating activities.
– It is an integral part of basic management
activities.
• Internal control provides reasonable, rather
than absolute, assurance, because complete
assurance is difficult or impossible to achieve
and prohibitively expensive.
OVERVIEW OF CONTROL CONCEPTS
• Internal control systems have inherent
limitations, including:
– They are susceptible to errors and poor decisions.
– They can be overridden by management or by
collusion of two or more employees.
• Internal control objectives are often at odds
with each other.
– EXAMPLE: Controls to safeguard assets may also
reduce operational efficiency.
OVERVIEW OF CONTROL CONCEPTS
• Internal controls perform three
important functions:
– Preventive controls
• Deter problems before they arise.
OVERVIEW OF CONTROL CONCEPTS
• Internal controls perform three
important functions:
– Preventive controls
– Detective controls
• Discover problems quickly when they do arise.
OVERVIEW OF CONTROL CONCEPTS
• Internal controls perform three
important functions:
– Preventive controls
– Detective controls
– Corrective controls
• Remedy problems that have occurred by:
– Identifying the cause;
– Correcting the resulting errors; and
– Modifying the system to prevent future
problems of this sort.
OVERVIEW OF CONTROL CONCEPTS
• Internal controls are often classified
as:
– General controls • Those designed to make sure an organization’s
control environment is stable and well managed.
• They apply to all sizes and types of systems.
• Examples: Security management controls.
OVERVIEW OF CONTROL CONCEPTS
• Internal controls are often classified
as:
– General controls
– Application controls • Prevent, detect, and correct transaction errors an
fraud.
• Concerned with accuracy, completeness, validity
and authorization of the data captured, entered
into the system, processed, stored, transmitted to
other systems, and reported.
OVERVIEW OF CONTROL CONCEPTS
• An effective system of internal controls
should exist in all organizations to:
– Help them achieve their missions and goals.
– Minimize surprises.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• In 1977, Congress passed the Foreign Corrupt
Practices Act, and to the surprise of the profession,
this act incorporated language from an AICPA
pronouncement.
• The primary purpose of the act was to prevent the
bribery of foreign officials to obtain business.
• A significant effect was to require that corporations
maintain good systems of internal accounting control.
– Generated significant interest among management,
accountants, and auditors in designing and evaluating internal
control systems.
– The resulting internal control improvements weren’t
sufficient.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• In the late 1990s and early 2000s, a
series of multi-million-dollar accounting
frauds made headlines.
– The impact on financial markets was
substantial, and Congress responded with
passage of the Sarbanes-Oxley Act of
2002 (aka, SOX).
• Applies to publicly held companies and their
auditors.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• The intent of SOX is to:
– Prevent financial statement fraud
– Make financial reports more transparent
– Protect investors
– Strengthen internal controls in publicly-
held companies
– Punish executives who perpetrate fraud
• SOX has had a material impact on the
way boards of directors, management,
and accountants operate.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting
Oversight Board (PCAOB) to oversee the
auditing profession.
• Has five members, three of whom cannot be
CPAs.
• Charges fees to firms to fund the PCAOB.
• Sets and enforces auditing, quality control,
ethics, independence, and other standards
relating to audit reports.
• Currently recognizes FASB statements as being
generally accepted.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting
Oversight Board (PCAOB) to oversee the auditing
profession.
– New rules for auditors
• They must report specific information to the company’s audit
committee, such as:
– Critical accounting policies and practices
– Alternative GAAP treatments
– Auditor-management disagreements
• Audit partners must be rotated periodically.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting
Oversight Board (PCAOB) to oversee the auditing
profession.
– New rules for auditors
• Auditors cannot perform certain non-audit services, such as:
– Bookkeeping
– Information systems design and implementation
– Internal audit outsourcing services
– Management functions
– Human resource services
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting
Oversight Board (PCAOB) to oversee the auditing
profession.
– New rules for auditors
• Permissible non-audit services must be approved by the board of
directors and disclosed to investors.
• Cannot audit a company if a member of top management was
employed by the auditor and worked on the company’s audit in the
past 12 months.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting
Oversight Board (PCAOB) to oversee the auditing
profession.
– New rules for auditors
– New rules for audit committees
• Members must be on the company’s board of
directors and must otherwise be independent of
the company.
• One member must be a financial expert.
• The committee hires, compensates, and
oversees the auditors, and the auditors report
directly to the committee.
SOX AND THE FOREIGN CORRUPT
• The CEO and CFO must certify that:
PRACTICES
– The financial ACT
statements and disclosures are fairly presented,
• Important aspects
were reviewed of SOX and
by management, include:
are not misleading.
– Management
– Creation of the Public Company
is responsible Accounting
for internal controls.
– The auditors
Oversight Board
were(PCAOB)
advised of to
anyoversee the auditing
material internal control
weaknesses or fraud.
profession.
– Any significant changes to controls after management’s
– New rules for
evaluation auditors
were disclosed and corrected.
– New rules for audit committees
– New rules for management
SOX AND THE FOREIGN CORRUPT
PRACTICES
• If management ACT violates the certification, they
willfully and knowingly
• Important
can be: aspects of SOX include:
– Imprisoned up to 20 years
– Creation of the Public Company Accounting
– Fined up to Tshs.5 million
Oversight Board (PCAOB) to oversee the auditing
• Management and directors cannot receive loans that would not be
profession.
available to people outside the company.
•– New rulesdisclose
They must for auditors
on a rapid and current basis material changes
– New
to theirrules forcondition.
financial audit committees
– New rules for management
SOX AND
• NewTHE
internalFOREIGN CORRUPT
control requirements:
–PRACTICES
Section 404 of SOXACTrequires companies to issue a report
• Importantaccompanying
aspects of SOX include:
the financial statements that:
• States management is responsible for establishing
– Creation of and
themaintaining
Public Company Accounting
an adequate internal control
Oversight Board (PCAOB)
structure to oversee the auditing
and procedures.
profession.• Contains management’s assessment of the
– New rules forcompany’s
auditorsinternal controls.
• Attests to the accuracy of the internal controls,
– New rules for auditdisclosures
including committees of significant defects or material
– New rules for management
noncompliance found during the tests.
– New internal control requirements
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Important aspects of SOX include:
– Creation of the Public Company Accounting
Oversight Board (PCAOB) to oversee the auditing
profession.
– New• rules for requires
SOX also auditors that the auditor attests to and reports on
management’s internal control assessment.
– New• rules for audit committees
Each audit report must describe the scope of the auditor’s
– New rules for
internal management
control tests.
– New internal control requirements
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• After the passage of SOX, the SEC further
mandated that:
– Management must base its evaluation on a
recognized control framework, developed using a
due-process procedure that allows for public
comment. The most likely framework is the COSO
model discussed later in the chapter.
– The report must contain a statement identifying
the framework used.
– Management must disclose any and all material
internal control weaknesses.
– Management cannot conclude that the company has
effective internal control if there are any material
weaknesses.
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Levers of control
– Many people feel
• Communicates there is a basic conflict
company core values to employees and
between
inspirescreativity
them to live byand
thosecontrols.
values.
• Draws attention to how the organization creates value.
– Robert Simons has espoused four levers of
• Helps employees understand management’s intended
controls to help companies reconcile this
direction.
conflict:
• Must be broad enough to appeal to all levels.
• A concise belief system
SOX •AND THE FOREIGN CORRUPT
Helps employees act ethically by setting limits beyond which
they PRACTICES
must not pass. ACT
• Levers
• Doesof Control
not create rules and standard operating procedures
that can stifle creativity.
– Many peopleemployees
• Encourages feel there to thinkisand
a basic conflict
act creatively to solve
between
problemscreativity
and meet customerand controls.
needs as long as they operate
within limits such as:
– Robert Simons
– Meeting has espoused four levers of
minimum standards of performance
controls to help
– Shunning companies
off-limits activities reconcile this
conflict:
– Avoiding actions that could damage the company’s
reputation.
• A concise belief system
• A boundary system
SOX AND THE FOREIGN CORRUPT
PRACTICES ACT
• Levers of control
– Many people
• Ensures feel
efficient andthere
effectiveis a basic of
achievement conflict
important
controls.
between creativity and controls.
• This system measures company progress by comparing
– Robert
actualSimons
to planned has espoused four levers of
performance.
controls to helptrack
• Helps managers companies reconcile
critical performance thisand
outcomes
monitor performance of individuals, departments, and
conflict:
locations.
•• AProvides
concisefeedback
belief to
system
enable management to adjust and fine-
• Atune.
boundary system
• A diagnostic control system
SOX AND
• HelpsTHE FOREIGN
top-level CORRUPT
managers with high-level activities that
PRACTICES ACT
demand frequent and regular attention. Examples:
– Developing company strategy.
• Levers– of Control
Setting company objectives.
– Many– people feel and
Understanding there is athreats
assessing basicandconflict
risks.
between creativity and controls.
– Monitoring changes in competitive conditions and
emerging technologies.
– Robert Simonsresponses
– Developing has espoused
and actionfour levers
plans to of
proactively
controls
dealto help
with thesecompanies reconcile this
high-level issues.
• Also helps managers focus the attention of subordinates on
conflict:
key strategic issues and to be more involved in their
• A decisions.
concise belief system
• •A Data
boundary system
from this system are best interpreted and discussed in
• face-to-face meetings.
A diagnostic control system
• An interactive control system
CONTROL FRAMEWORKS
• A number of frameworks have been
developed to help companies
develop good internal control
systems. Three of the most
important are:
– The COBIT framework
– The COSO internal control framework
– COSO’s Enterprise Risk Management
framework (ERM)
CONTROL FRAMEWORKS
• A number of frameworks have been
developed to help companies
develop good internal control
systems. Three of the most
important are:
– The COBIT framework
– The COSO internal control framework
– COSO’s Enterprise Risk Management
framework (ERM)
CONTROL FRAMEWORKS
• COBIT framework
– Also know as the Control Objectives for
Information and Related Technology
framework.
– Developed by the Information Systems
Audit and Control Foundation (ISACF).
– A framework of generally applicable
information systems security and control
practices for IT control.
CONTROL FRAMEWORKS
• The COBIT framework allows:
– Management to benchmark security and
control practices of IT environments.
– Users of IT services to be assured that
adequate security and control exists.
– Auditors to substantiate their opinions on
internal control and advise on IT security
and control matters.
 • To satisfy business objectives,
information must conform to
CONTROL FRAMEWORKS certain criteria referred to as
“business requirements for
• The framework addressesinformation.”
the issue of
control from three vantage points or
• The criteria are divided into seven
distinct yet overlapping categories
dimensions: that map into COSO objectives:
– Effectiveness (relevant,
– Business objectives
pertinent, and timely)
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance with legal
requirements
– Reliability
CONTROL FRAMEWORKS
• The framework addresses the issue of
control from three vantage points or
dimensions:
– Business objectives
– IT resources • Includes:
• People
• Application systems
• Technology
• Facilities
• Data
CONTROL FRAMEWORKS
• The framework addresses the issue of
control from three vantage points or
dimensions:
– Business objectives
– IT resources
– IT processes • Broken into four domains:
– Planning and organization
– Acquisition and implementation
– Delivery and support
– Monitoring
CONTROL FRAMEWORKS
• COBIT consolidates standards from 36
different sources into a single framework.
• It is having a big impact on the IS profession.
– Helps managers to learn how to balance risk and
control investment in an IS environment.
– Provides users with greater assurance that
security and IT controls provided by internal and
third parties are adequate.
– Guides auditors as they substantiate their opinions
and provide advice to management on internal
controls.
CONTROL FRAMEWORKS
• A number of frameworks have been
developed to help companies develop
good internal control systems. Three
of the most important are:
– The COBIT framework
– The COSO internal control framework
– COSO’s Enterprise Risk Management
framework (ERM)
CONTROL FRAMEWORKS
• COSO’s internal control framework
– The Committee of Sponsoring
Organizations (COSO) is a private sector
group consisting of:
• The American Accounting Association
• The AICPA
• The Institute of Internal Auditors
• The Institute of Management Accountants
• The Financial Executives Institute
CONTROL FRAMEWORKS
• In 1992, COSO issued the Internal
Control Integrated Framework:
– Defines internal controls.
– Provides guidance for evaluating and
enhancing internal control systems.
– Widely accepted as the authority on
internal controls.
– Incorporated into policies, rules, and
regulations used to control business
activities.
CONTROL FRAMEWORKS
• COSO’s internal control model has five
crucial components:
- Control environment
• The core of any business is its people.
• Their integrity, ethical values, and competence make up
the foundation on which everything else rests.
CONTROL FRAMEWORKS
• COSO’s internal control model has five
crucial components:
- Control environment
- Control activities
• Policies and procedures must be established and
executed to ensure that actions identified by
management as necessary to address risks are, in fact,
carried out.
CONTROL FRAMEWORKS
• COSO’s internal control model has five
crucial components:
- Control environment
- Control activities
- Risk assessment
• The organization must be aware of and deal with the risks
it faces.
• It must set objectives for its diverse activities and
establish mechanisms to identify, analyze, and manage
the related risks.
CONTROL FRAMEWORKS
• COSO’s internal control model has five
crucial components:
- Control environment
- Control activities
- Risk assessment
- Information and communication
• Information and communications systems surround the
control activities.
• They enable the organization’s people to capture and
exchange information needed to conduct, manage, and
control its operations.
CONTROL FRAMEWORKS
• COSO’s internal control model has five
crucial components:
- Control environment
- Control activities
- Risk assessment
- Information and communication
- Monitoring
• The entire process must be monitored and modified as
necessary.
CONTROL FRAMEWORKS
• A number of frameworks have been
developed to help companies develop
good internal control systems. Three
of the most important are:
– The COBIT framework
– The COSO internal control framework
– COSO’s Enterprise Risk Management
framework (ERM)
CONTROL FRAMEWORKS
• Nine years after COSO issued the preceding
framework, it began investigating how to
effectively identify, assess, and manage risk
so organizations could improve the risk
management process.
• Result: Enterprise Risk Manage Integrated
Framework (ERM)
– An enhanced corporate governance document.
– Expands on elements of preceding framework.
– Provides a focus on the broader subject of
enterprise risk management.
CONTROL FRAMEWORKS
• Intent of ERM is to achieve all goals of the
internal control framework and help the
organization:
– Provide reasonable assurance that company
objectives and goals are achieved and problems and
surprises are minimized.
– Achieve its financial and performance targets.
– Assess risks continuously and identify steps to
take and resources to allocate to overcome or
mitigate risk.
– Avoid adverse publicity and damage to the entity’s
reputation.
CONTROL FRAMEWORKS
• ERM defines risk management as:
– A process effected by an entity’s board of
directors, management, and other
personnel.
– Applied in strategy setting and across the
enterprise.
– To identify potential events that may
affect the entity.
– And manage risk to be within its risk
appetite.
– In order to provide reasonable assurance of
the achievement of entity objectives.
CONTROL FRAMEWORKS
• Basic principles behind ERM:
– Companies are formed to create value for
owners.
– Management must decide how much
uncertainty they will accept.
– Uncertainty can result in:
• Risk
• The possibility that something will happen to:
– Adversely affect the ability to create value; or
– Erode existing value.
CONTROL FRAMEWORKS
• Basic principles behind ERM:
– Companies are formed to create value for
owners.
– Management must decide how much
uncertainty they will accept.
– Uncertainty can result in:
• Risk
• Opportunity
• The possibility that something will happen to positively
affect the ability to create or preserve value.
CONTROL FRAMEWORKS
– The framework should help management
manage uncertainty and its associated risk
to build and preserve value.
– To maximize value, a company must balance
its growth and return objectives and risks
with efficient and effective use of company
resources.
CONTROL FRAMEWORKS
• COSO developed a
model to illustrate
the elements of
ERM.
CONTROL FRAMEWORKS
• Columns at the top
represent the four types
of objectives that
management must meet to
achieve company goals.
– Strategic objectives
• Strategic objectives are
high-level goals that are
aligned with and support the
company’s mission.
CONTROL FRAMEWORKS
• Columns at the top
represent the four types
of objectives that
management must meet to
achieve company goals.
– Strategic objectives
– Operations objectives
• Operations objectives deal with
effectiveness and efficiency of
company operations, such as:
– Performance and profitability
goals
– Safeguarding assets
CONTROL FRAMEWORKS
• Reporting objectives help ensure
the accuracy, completeness, and
• Columns
reliabilityat the top
of internal and external
represent the four
company reports types
of both a
financial and non-financial nature.
of objectives that
• Improve decision-making and
management must meet to
monitor company activities and
achieve company
performance goals.
more efficiently.
– Strategic objectives
– Operations objectives
– Reporting objectives
CONTROL FRAMEWORKS
• • Columns at the
Compliance top help the
objectives
represent the four
company comply types
with applicable
laws and regulations.
of objectives that
– External parties often set the
management must meet to
compliance rules.
achieve company
– Companies goals.
in the same
– Strategic objectives
industry often have similar
– Operations
concerns inobjectives
this area.
– Reporting objectives
– Compliance objectives
CONTROL FRAMEWORKS
• ERM can provide reasonable
assurance that reporting and
compliance objectives will be
achieved because companies
have control over them.
• However, strategic and
operations objectives are
sometimes at the mercy of
external events that the
company can’t control.
• Therefore, in these areas, the
only reasonable assurance the
ERM can provide is that
management and directors are
informed on a timely basis of
the progress the company is
making in achieving them.
CONTROL FRAMEWORKS
• Columns on the
right represent the
company’s units:
– Entire company
CONTROL FRAMEWORKS
• Columns on the
right represent the
company’s units:
– Entire company
– Division
CONTROL FRAMEWORKS
• Columns on the
right represent the
company’s units:
– Entire company
– Division
– Business unit
CONTROL FRAMEWORKS
• Columns on the
right represent the
company’s units:
– Entire company
– Division
– Business unit
– Subsidiary
CONTROL FRAMEWORKS
• The horizontal rows are
eight related risk and
control components,
including:
– Internal environment
• The tone or culture of the
company.
• Provides discipline and structure
and is the foundation for all other
components.
• Essentially, the same as control
environment in the COSO internal
control framework.
 CONTROL FRAMEWORKS
• The horizontal rows are
eight related risk and
control components,
including:
– Internal environment
– Objective setting

• Ensures that management implements a process to formulate strategic,

operations, reporting, and compliance objectives that support the company’s
mission and are consistent with the company’s tolerance for risk.
• Strategic objectives are set first as a foundation for the other three.
• The objectives provide guidance to companies as they identify risk-creating
events and assess and respond to those risks.
 CONTROL FRAMEWORKS
• The horizontal rows are
eight related risk and
control components,
including:
– Internal environment
– Objective setting
– Event identification
• Requires management to identify events that may affect the company’s
ability to implement its strategy and achieve its objectives.
• Management must then determine whether these events represent:
– Risks (negative-impact events requiring assessment and response); or
– Opportunities (positive-impact events that influence strategy and
objective-setting processes).
 • Identified risks are assessed to
determine how to manage them
and how they affect the

CONTROL FRAMEWORKS
company’s ability to achieve its
objectives.
• Qualitative
• The horizontal rows are
and quantitative
methods are used to assess risks
eight related risk and
individually and by category in
control components,
terms of:
including:
– Likelihood
– Internal
– Positiveenvironment
and negative impact
– Objective
– Effect onsetting
other organizational
– Event identification
units
Risk assessment
• – Risks are analyzed on an
inherent and a residual basis.
• Corresponds to the risk
assessment element in COSO’s
internal control framework.
 • Management aligns identified risks
with the company’s tolerance for risk
by choosing to:

CONTROL FRAMEWORKS
– Avoid
– Reduce
• The horizontal rows are
– Share
eight
– Accept
related risk and
control components,
• Management takes an entity-wide or
including:
portfolio view of risks in assessing the
– Internal
likelihood environment
of the risks, their potential
– Objective
impact, setting
and costs-benefits of
– Eventresponses.
alternate identification
– Risk assessment
– Risk response
CONTROL FRAMEWORKS
• •TheTo horizontal rows are risk
implement management’s
eight related
responses, riskpolicies
control and and
procedures are established and
control components,
implemented throughout the
including:
various levels and functions of the
– Internal environment
organization.
•– Objective setting
Corresponds to the control
– Event identification
activities element in the COSO
– internal control framework.
Risk assessment
– Risk response
– Control activities
 • Information about the company
and ERM components must be
identified, captured, and

CONTROL FRAMEWORKS
communicated so employees can
fulfill their responsibilities.
• •The horizontal
Information mustrows are
be able to flow
through all levels and functions in
eight related risk and
the company as well as flowing to
control
and from components,
external parties.
•including:
Employees should understand
Internal
– their environment
role and importance in ERM
Objective
– and how thesesetting
responsibilities
– relate
Eventtoidentification
those of others.
• – Has
Riskaassessment
corresponding element in
– the
Risk COSO internal control
response
– framework.
Control activities
– Information and
communication
CONTROL FRAMEWORKS
• The horizontal rows are
eight related risk and
•control components,
ERM processes must be
monitored on an ongoing basis
including:
and modified as needed.
– Internal environment
• Accomplished with ongoing
– Objective setting
management activities and
– Event identification
separate evaluations.
•– Risk assessment
Deficiencies are reported to
– Risk response
management.
•– Control activities
Corresponding module in COSO
– Information
internal controland
framework.
communication
– Monitoring
CONTROL FRAMEWORKS
• The ERM model is
three-dimensional.
• Means that each of
the eight risk and
control elements
are applied to the
four objectives in
the entire company
and/or one of its
subunits.
CONTROL FRAMEWORKS
• ERM Framework
• Examining Vs.firstthe
controls without Internal
examining purposes and risks of
Control Framework
business
results.
processes provides little context for evaluating the

– The internal
• Makes it difficultcontrol
to know: framework has been
widely adopted
– Which as the
control systems areprincipal way to
most important.
evaluate internal controls as required by
– Whether they adequately deal with risk.
– Whether important control systems are missing.
SOX. However, there are issues with it.
• It has too narrow of a focus.
CONTROL FRAMEWORKS
• ERM framework vs. the internal
control framework
– The internal control framework has been
widely adopted as the principal way to
• May contribute to systems with
evaluate internal controls as required by
many controls to protect against
SOX. However, there risks
arethat
issues
are nowith
longer it.
important.
• It has too narrow of a focus.
• Focusing on controls first has an inherent
bias toward past problems and concerns.
CONTROL FRAMEWORKS
• These issues led to COSO’s development of
the ERM framework.
– Takes a risk-based, rather than controls-based,
approach to the organization.
– Oriented toward future and constant change.
– Incorporates rather than replaces COSO’s internal
control framework and contains three additional
elements:
• Setting objectives.
• Identifying positive and negative events that may affect
the company’s ability to implement strategy and achieve
objectives.
• Developing a response to assessed risk.
CONTROL FRAMEWORKS
– Controls are flexible and relevant because
they are linked to current organizational
objectives.
– ERM also recognizes more options than
simply controlling risk, which include
accepting it, avoiding it, diversifying it,
sharing it, or transferring it.
CONTROL FRAMEWORKS
• Over time, ERM will probably become
the most widely adopted risk and
control model.
• Consequently, its eight components are
the topic of the remainder of the
chapter.
INTERNAL ENVIRONMENT
• The most critical component
of the ERM and the internal
control framework.
• Is the foundation on which
the other seven components
rest.
• Influences how
organizations:
– Establish strategies and
objectives
– Structure business
activities
– Identify, access, and
respond to risk
• A deficient internal control
environment often results in
risk management and control
breakdowns.
INTERNAL ENVIRONMENT
• Internal environment consists of the
following:
– Management’s philosophy, operating style, and risk
appetite
– The board of directors
– Commitment to integrity, ethical values, and
competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards
– External influences
INTERNAL ENVIRONMENT
• Internal environment consists of the
following:
– Management’s philosophy, operating style, and
risk appetite
– The board of directors
– Commitment to integrity, ethical values, and
competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards
– External influences
INTERNAL ENVIRONMENT
• Management’s philosophy, operating style,
and risk appetite
– An organization’s management has shared beliefs
and attitudes about risk.
– That philosophy affects everything the
organization does, long- and short-term, and
affects their communications.
– Companies also have a risk appetite, which is the
amount of risk a company is willing to accept to
achieve its goals and objectives.
– That appetite needs to be in alignment with
company strategy.
INTERNAL ENVIRONMENT
– The more responsible management’s
philosophy and operating style, the more
likely employees will behave responsibly.
– This philosophy must be clearly
communicated to all employees; it is not
enough to give lip service.
– Management must back up words with
actions; if they show little concern for
internal controls, then neither will
employees.
INTERNAL ENVIRONMENT
– This component can be assessed by asking
questions such as:
• Does management take undue business risks or
assess potential risks and rewards before
acting?
• Does management attempt to manipulate
performance measures such as net income?
• Does management pressure employees to
achieve results regardless of methods or do
they demand ethical behavior?
INTERNAL ENVIRONMENT
• Internal environment consists of the
following:
– Management’s philosophy, operating style, and risk
appetite
– The board of directors
– Commitment to integrity, ethical values, and
competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards
– External influences
INTERNAL ENVIRONMENT
• The board of directors
– An active and involved board of directors
plays an important role in internal control.
– They should:
• Oversee management
• Scrutinize management’s plans, performance,
and activities
• Approve company strategy
• Review financial results
• Annually review the company’s security policy
• Interact with internal and external auditors
INTERNAL ENVIRONMENT
• Directors should possess management,
technical, or other expertise,
knowledge, or experience, as well as a
willingness to advocate for
shareholders.
• At least a majority should be
independent, outside directors not
affiliated with the company or any of
its subsidiaries.
INTERNAL ENVIRONMENT
Public companies must have an audit
•
committee, composed entirely of independent,
outside directors.
– The audit committee oversees:
• The company’s internal control structure;
• Its financial reporting process; and
• Its compliance with laws, regulations, and standards.
– Works with the corporation’s external and internal
auditors.
• Hires, compensates, and oversees the auditors.
• Auditors report all critical accounting policies and
practices to the audit committee.
– Provides an independent review of management’s
actions.
INTERNAL ENVIRONMENT
• Internal environment consists of the
following:
– Management’s philosophy, operating style, and risk
appetite
– The board of directors
– Commitment to integrity, ethical values, and
competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards
– External influences
INTERNAL ENVIRONMENT
• Commitment to integrity, ethical
values, and competence
– Management must create an organizational
culture that stresses integrity and
commitment to both ethical values and
competence.
• Ethical standards of behavior make for good
business.
• Tone at the top is everything.
• Employees will watch the actions of the CEO,
and the message of those actions (good or bad)
will tend to permeate the organization.
INTERNAL ENVIRONMENT
Companies can endorse integrity as a basic
•
operating principle by actively teaching and
requiring it.
– Management should:
• Make it clear that honest reports are more important
than favorable ones.
– Management should avoid:
• Unrealistic expectations, incentives, or temptations.
• Attitude of earnings or revenue at any price.
• Overly aggressive sales practices.
• Unfair or unethical negotiation practices.
• Implied kickback offers.
• Excessive bonuses.
• Bonus plans with upper and lower cutoffs.
INTERNAL ENVIRONMENT
• Management should not assume that
employees would always act honestly.
– Consistently reward and encourage honesty.
– Give verbal labels to honest and dishonest acts.
– The combination of these two will produce more
consistent moral behavior.
INTERNAL ENVIRONMENT
• Management should develop clearly stated
policies that explicitly describe honest and
dishonest behaviors, often in the form of a
written code of conduct.
– In particular, such a code would cover issues that
are uncertain or unclear.
– Dishonesty often appears when situations are gray
and employees rationalize the most expedient
action as opposed to making a right vs. wrong
choice.
INTERNAL ENVIRONMENT
• SOX only requires a code of ethics for senior
financial management. However, the ACFE
suggests that companies create a code of
conduct for all employees:
– Should be written at a fifth-grade level.
– Should be reviewed annually with employees and
signed.
– This approach helps employees keep themselves
out of trouble.
– Helps the company if they need to take legal
action against the employee.
INTERNAL ENVIRONMENT
•Management should require employees to report
dishonest, illegal, or unethical behavior and discipline
employees who knowingly fail to report.
– Reports of dishonest acts should be thoroughly investigated.
– Those found guilty should be dismissed.
– Prosecution should be undertaken when possible, so that
other employees are clear about consequences.
• Companies must make a commitment to competence.
– Begins with having competent employees.
– Varies with each job but is a function of knowledge,
experience, training, and skills.
INTERNAL ENVIRONMENT
• The levers of control, particularly
beliefs and boundaries systems, can be
used to create the kind of commitment
to integrity an organization wants.
– Requires more than lip service and signing
forms.
– Must be systems in which top management
actively participates in order to:
• Demonstrate the importance of the system.
• Create buy-in and a team spirit.
INTERNAL ENVIRONMENT
• Management should require employees
to report dishonest, illegal, or unethical
behavior and discipline employees who
knowingly fail to report.
– Reports of dishonest acts should be
thoroughly investigated.
– Those found guilty should be dismissed.
– Prosecution should be undertaken when
possible, so that other employees are clear
about consequences.
INTERNAL ENVIRONMENT
• Companies must make a commitment to
competence.
– Begins with having competent employees.
– Varies with each job but is a function of
knowledge, experience, training, and skills.
INTERNAL ENVIRONMENT
• The levers of control, particularly
beliefs and boundary systems, can be
used to create the kind of commitment
to integrity an organization wants.
– Requires more than lip service and signing
forms.
– Must be systems in which top management
actively participates in order to:
• Demonstrate the importance of the system.
• Create buy-in and a team spirit.
INTERNAL ENVIRONMENT
• Internal environment consists of the
following:
– Management’s philosophy, operating style, and risk
appetite
– The board of directors
– Commitment to integrity, ethical values, and
competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards
– External influences
INTERNAL ENVIRONMENT
• Organizational structure
– A company’s organizational structure
defines its lines of authority, responsibility,
and reporting.
• Provides the overall framework for planning,
directing, executing, controlling, and monitoring
its operations.
INTERNAL ENVIRONMENT
• Important aspects or organizational
structure:
– Degree of centralization or decentralization.
– Assignment of responsibility for specific tasks.
– Direct-reporting relationships or matrix structure.
– Organization by industry, product, geographic
location, marketing network.
– How the responsibility allocation affects
management’s information needs.
– Organization of accounting and IS functions.
– Size and nature of company activities.
INTERNAL ENVIRONMENT
• Statistically, fraud occurs more
frequently in organizations with complex
structures.
– The structures may unintentionally impede
communication and clear assignment of
responsibility, making fraud easier to
commit and conceal; or
– The structure may be intentionally complex
to facilitate the fraud.
INTERNAL ENVIRONMENT
• In today’s business world, the hierarchical
organizations with many layers of management
are giving way to flatter organizations with
self-directed work teams.
– Team members are empowered to make decisions
without multiple layers of approvals.
– Emphasis is on continuous improvement rather than
on regular evaluations.
– These changes have a significant impact on the
nature and type of controls needed.
INTERNAL ENVIRONMENT
• Internal environment consists of the
following:
– Management’s philosophy, operating style, and risk
appetite
– The board of directors
– Commitment to integrity, ethical values, and
competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards
– External influences
INTERNAL ENVIRONMENT
Methods of assigning authority and
•
responsibility
– Management should make sure:
• Employees understand the entity’s objectives.
• Authority and responsibility for business objectives is
assigned to specific departments and individuals.
– Ownership of responsibility encourages employees
to take initiative in solving problems and holds
them accountable for achieving objectives.
– Management:
• Must be sure to identify who is responsible for the IS
security policy.
• Should monitor results so decisions can be reviewed and,
if necessary, overruled.
INTERNAL ENVIRONMENT
Authority and responsibility are assigned through:
•
– Formal job descriptions
– Employee training
– Operating plans, schedules, and budgets
– Codes of conduct that define ethical behavior, acceptable
practices, regulatory requirements, and conflicts of interest
– Written policies and procedures manuals (a good job
reference and job training tool) which covers:
• Proper business practices
• Knowledge and experience needed by key personnel
• Resources provided to carry out duties
• Policies and procedures for handling particular
transactions
• The organization’s chart of accounts
• Sample copies of forms and documents
INTERNAL ENVIRONMENT
• Internal environment consists of the
following:
– Management’s philosophy, operating style, and risk
appetite
– The board of directors
– Commitment to integrity, ethical values, and
competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards
– External influences
INTERNAL ENVIRONMENT
• Human resources standards
– Employees are both the company’s greatest control
strength and the greatest control weakness.
– Organizations can implement human resource
policies and practices with respect to hiring,
training, compensating, evaluating, counseling,
promoting, and discharging employees that send
messages about the level of competence and
ethical behavior required.
– Policies on working conditions, incentives, and
career advancement can powerfully encourage
efficiency and loyalty and reduce the
organization’s vulnerability.
INTERNAL ENVIRONMENT
• The following policies and procedures are
important:
– Hiring
– Compensating
– Training
– Evaluating and promoting
– Discharging
– Managing disgruntled employees
– Vacations and rotation of duties
– Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
• The following policies and procedures are
important:
– Hiring
– Compensating
– Training
– Evaluating and promoting
– Discharging
– Managing disgruntled employees
– Vacations and rotation of duties
– Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
• Hiring
– Should be based on educational background,
relevant work experience, past
achievements, honesty and integrity, and
how well candidates meet written job
requirements.
– Employees should undergo a formal, in-
depth employment interview.
– Resumes, reference letters, and thorough
background checks are critical.
INTERNAL ENVIRONMENT
• Background checks can involve:
– Verifying education and experience.
– Talking with references.
– Checking for criminal records, credit issues, and
other publicly available data.
– Note that you must have the employee’s or
candidate’s written permission to conduct a
background check, but that permission does not
need to have an expiration date.
– Background checks are important because recent
studies show that about 50% of resumes have
been falsified or embellished.
INTERNAL ENVIRONMENT
•Sometimes professional firms are hired to do
the background checks because applicants are
becoming more aggressive in their deceptions.
– Some get phony degrees from online “diploma
mills.”
• A Pennsylvania district attorney recently filed suit
against a Texas “university” for issuing an MBA to the
DA’s 6-year-old black cat.
– Others actually hack (or hire someone to hack)
into the systems of universities to create or alter
transcripts and other academic data.
• No employee should be exempted from
background checks. Anyone from the
custodian to the company president is capable
of committing fraud, sabotage, etc.
INTERNAL ENVIRONMENT
• The following policies and procedures are
important:
– Hiring
– Compensating
– Training
– Evaluating and promoting
– Discharging
– Managing disgruntled employees
– Vacations and rotation of duties
– Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
• Compensating
– Employees should be paid a fair and
competitive wage.
– Poorly compensated employees are more
likely to feel the resentment and financial
pressures that lead to fraud.
– Appropriate incentives can motivate and
reinforce outstanding performance.
INTERNAL ENVIRONMENT
• The following policies and procedures are
important:
– Hiring
– Compensating
– Training
– Evaluating and promoting
– Discharging
– Managing disgruntled employees
– Vacations and rotation of duties
– Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
• Policies on training
– Training programs should familiarize new
employees with:
• Their responsibilities.
• Expected performance and behavior.
• Company policies, procedures, history, culture, and
operating style.
– Training needs to be ongoing, not just one time.
– Companies who shortchange training are more
likely to experience security breaches and fraud.
INTERNAL ENVIRONMENT
– Many believe employee training and
education are the most important elements
of fraud prevention and security programs.
– Fraud is less likely to occur when employees
believe security is everyone’s business.
– An ideal corporate culture exists when:
• Employees are proud of their company and
protective of its assets.
• They believe fraud hurts everyone and that
they therefore have a responsibility to report
it.
INTERNAL ENVIRONMENT
• These cultures do not just happen. They must
be created, taught, and practiced, and the
following training should be provided:
– Fraud awareness
• Employees should be aware of fraud’s prevalence and
dangers, why people do it, and how to deter and detect it.
– Ethical considerations
• The company should promote ethical standards in its
practice and its literature.
• Acceptable and unacceptable behavior should be defined
and labeled, leaving as little gray area as possible.
INTERNAL ENVIRONMENT
– Punishment for fraud and unethical
behavior.
• Employees should know the consequences (e.g.,
reprimand, dismissal, prosecution) of bad
behavior.
• Should be disseminated as a consequence rather
than a threat.
• EXAMPLE: “Using a computer to steal or commit
fraud is a federal crime, and anyone doing so
faces immediate dismissal and/or prosecution.”
• The company should display notices of program
and data ownership and advise employees of the
penalties of misuse.
INTERNAL ENVIRONMENT
• Training can take place through:
– Informal discussions
– Formal meetings
– Periodic memos
– Written guidelines
– Codes of ethics
– Circulating reports of unethical behavior
and its consequences
– Promoting security and fraud training
programs
INTERNAL ENVIRONMENT
• The following policies and procedures are
important:
– Hiring
– Compensating
– Training
– Evaluating and promoting
– Discharging
– Managing disgruntled employees
– Vacations and rotation of duties
– Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
• Evaluating and promoting
– Do periodic performance appraisals to help
employees understand their strengths and
weaknesses.
– Base promotions on performance and
qualifications.
INTERNAL ENVIRONMENT
• The following policies and procedures are
important:
– Hiring
– Compensating
– Training
– Evaluating and promoting
– Discharging
– Managing disgruntled employees
– Vacations and rotation of duties
– Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
• Discharging
– Fired employees are disgruntled employees.
– Disgruntled employees are more likely to
commit a sabotage or fraud against the
company.
– Employees who are terminated (whether
voluntary or involuntary) should be removed
from sensitive jobs immediately and denied
access to information systems.
INTERNAL ENVIRONMENT
• The following policies and procedures are
important:
– Hiring
– Compensating
– Training
– Evaluating and promoting
– Discharging
– Managing disgruntled employees
– Vacations and rotation of duties
– Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
• Managing disgruntled employees
– Disgruntled employees may be isolated and/or
unhappy, but are much likelier fraud candidates
than satisfied employees.
– The organization can try to reduce the employee’s
pressures through grievance channels and
counseling.
• Difficult to do because many employees feel that seeking
counseling will stigmatize them in their jobs.
– Disgruntled employees should not be allowed to
continue in jobs where they could harm the
organization.
INTERNAL ENVIRONMENT
• The following policies and procedures are
important:
– Hiring
– Compensating
– Training
– Evaluating and promoting
– Discharging
– Managing disgruntled employees
– Vacations and rotation of duties
– Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
• Vacations and rotation of duties
– Some fraud schemes, such as lapping and
kiting, cannot continue without the constant
attention of the perpetrator.
– Mandatory vacations or rotation of duties
can prevent these frauds or lead to early
detection.
– These measures will only be effective if
someone else is doing the job while the
usual employee is elsewhere.
INTERNAL ENVIRONMENT
• The following policies and procedures are
important:
– Hiring
– Compensating
– Training
– Evaluating and promoting
– Discharging
– Managing disgruntled employees
– Vacations and rotation of duties
– Confidentiality insurance and fidelity bonds
INTERNAL ENVIRONMENT
• Confidentiality agreements and fidelity
bond insurance
– Employees, suppliers, and contractors
should be required to sign and abide by
nondisclosure or confidentiality
agreements.
– Key employees should have fidelity bond
insurance coverage to protect the company
against losses from fraudulent acts by
those employees.
INTERNAL ENVIRONMENT
• In addition to the preceding policies, the
company should seek prosecution and
incarceration of hackers and fraud
perpetrators
• Most fraud cases and hacker attacks go
unreported. They are not prosecuted for
several reasons.
– Companies fear:
• Public relations nightmares
• Copycat attacks
– But unreported fraud and intrusions create a false
sense of security.
INTERNAL ENVIRONMENT
– Law enforcement officials and courts are busy
with violent crimes and may regard teen hacking as
“childish pranks.”
– Fraud is difficult, costly, and time-consuming to
investigate and prosecute.
– Law enforcement officials, lawyers, and judges
often lack the computer skills needed to
investigate, prosecute, and evaluate computer
crimes.
– When cases are prosecuted and a conviction
obtained, penalties are often very light. Judges
often regard the perps as “model citizens.”
INTERNAL ENVIRONMENT
• Internal environment consists of the
following:
– Management’s philosophy, operating style, and risk
appetite
– The board of directors
– Commitment to integrity, ethical values, and
competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards
– External influences
INTERNAL ENVIRONMENT
• External influences
– External influences that affect the control
environment include requirements imposed
by:
• FASB
• PCAOB
• SEC
• Insurance commissions
• Regulatory agencies for banks, utilities, etc.
OBJECTIVE SETTING
• Objective setting is
the second ERM
component.
• It must precede many
of the other six
components.
• For example, you must
set objectives before
you can define events
that affect your
ability to achieve
objectives
 OBJECTIVE SETTING
• Top management, with board approval, must
articulate why the company exists and what it
hopes to achieve.
– Often referred to as the corporate vision or
mission.
• Uses the mission statement as a base from
which to set corporate objectives.
• The objectives:
– Need to be easy to understand and measure.
– Should be prioritized.
– Should be aligned with the company’s risk appetite.
 OBJECTIVE SETTING
• Objectives set at the corporate level
are linked to and integrated with a
cascading series of sub-objectives in
the various sub-units.
• For each set of objectives:
– Critical success factors (what has to go
right) must be defined.
– Performance measures should be
established to determine whether the
objectives are met.
 OBJECTIVE SETTING
• Objective-setting process proceeds as
follows:
– First, set strategic objectives, the high-level goals
that support the company’s mission and create
value for shareholders.
– To meet these objectives, identify alternative
ways of accomplishing them.
– For each alternative, identify and assess risks and
implications.
– Formulate a corporate strategy.
– Then set operations, compliance, and reporting
objectives.
 OBJECTIVE SETTING
• As a rule of thumb:
– The mission and strategic objectives are
stable.
– The strategy and other objectives are
more dynamic:
• Must be adapted to changing conditions.
• Must be realigned with strategic objectives.
 OBJECTIVE SETTING
• Operations objectives:
– Are a product of management preferences,
judgments, and style.
– Vary significantly among entities:
• One may adopt technology; another waits until
the bugs are worked out.
– Are influenced by and must be relevant to
the industry, economic conditions, and
competitive pressures.
– Give clear direction for resource allocation
—a key success factor.
 OBJECTIVE SETTING
• Compliance and reporting objectives:
– Many are imposed by external entities, e.g.:
• Reports to IRS or to EPA
• Financial reports that comply with GAAP
– A company’s reputation can be impacted
significantly (for better or worse) by the
quality of its compliance.
EVENT IDENTIFICATION
Events are:
•
– Incidents or occurrences
that emanate from internal
or external sources.
– That affect implementation
of strategy or achievement
of objectives.
– Impact can be positive,
negative, or both.
– Events can range from
obvious to obscure.
– Effects can range from
inconsequential to highly
significant.
EVENT IDENTIFICATION
• By their nature, events represent
uncertainty:
– Will they occur?
– If so, when?
– And what will the impact be?
– Will they trigger another event?
– Will they happen individually or
concurrently?
EVENT IDENTIFICATION
• Management must do its best to anticipate all
possible events—positive or negative—that
might affect the company:
– Try to determine which are most and least likely.
– Understand the interrelationships of events.
• COSO identified many internal and external
factors that could influence events and
affect a company’s ability to implement
strategy and achieve objectives.
EVENT IDENTIFICATION
• Availability of capital; lower or higher costs of
• Some of these factors
capital
include:
• Lower barriers to entry, resulting in new
– External factors: competition
• Economic factors • Price movements up or down
• Ability to issue credit and possibility of default
• Concentration of competitors, customers, or
vendors
• Presence or absence of liquidity
• Movements in the financial markets or currency
fluctuations
• Rising or lowering unemployment rates
• Mergers or acquisitions
• Potential regulatory, contractual, or criminal legal
liability
EVENT IDENTIFICATION
• Some of these factors include:
– External factors:
• Economic factors
• Natural environment
• Natural disasters such as fires,
floods, or earthquakes
• Emissions and waste
• Energy restrictions or shortages
• Restrictions limiting development
EVENT IDENTIFICATION
• Some of these factors include:
– External factors:
• Economic factors
• Natural environment
• Political factors • Election of government officials
with new agendas
• New laws and regulations
• Public policy, including higher or
lower taxes
• Regulation affecting the
company’s ability to compete
EVENT IDENTIFICATION • Changing demographics, social
mores, family structures, and
• Some of these factorswork/life
include:
priorities
– External factors: • Consumer behavior that changes
demand for products and services
• Economic factors or creates new buying
• Natural environment opportunities
• Corporate citizenship
• Political factors
• Privacy
• Social factors • Terrorism
• Human resource issues causing
production shortages or
stoppages
EVENT IDENTIFICATION
• New e-business technologies that
• Some of these factors include: costs or
lower infrastructure
increase demand for IT-based
– External factors: services
• Economic factors • Emerging technology
• Increased or decreased
• Natural environment
availability of data
• Political factors
• Interruptions or down time caused
• Social factors by external parties
• Technological factors
EVENT IDENTIFICATION
• Some of these factors include:
– Internal factors:
• Infrastructure
• Inadequate access or poor allocation of capital
• Availability and capability of company assets
• Complexity of systems
EVENT IDENTIFICATION
• Some of these factors include:
– Internal factors:
• Infrastructure
• Personnel
• Employee skills and capability
• Employees acting dishonestly or unethically
• Workplace accidents, health or safety concerns
• Strikes or expiration of labor agreements
EVENT IDENTIFICATION
• Some of these factors include:
– Internal factors:
• Infrastructure
• Personnel
• Process
• Process modification without proper change
management procedures
• Poorly designed processes
• Process execution errors
• Suppliers cannot deliver quality goods on time
EVENT IDENTIFICATION
• Some of these factors include:
– Internal factors:
• Infrastructure
• Personnel
• Process
• Technology
• Insufficient capacity to handle peak IT usages
• Security breaches
• Data or system unavailability from internal factors
• Inadequate data integrity
• Poor systems selection/development
• Inadequately maintained systems
EVENT IDENTIFICATION
• Lists can help management identify factors,
evaluate their importance, and examine those
that can affect objectives.
• Identifying events at the activity and entity
levels allows companies to focus their risk
assessment on major business units or
functions and align their risk tolerance and
risk appetite.
EVENT IDENTIFICATION
• Companies usually use two or more of
the following techniques together to
identify events:
– Use comprehensive lists of potential
events
• Often produced by special software that can tailor
lists to an industry, activity, or process.
EVENT IDENTIFICATION
• Companies usually use two or more of
the following techniques together to
identify events:
– Use comprehensive lists of potential events
– Perform an internal analysis
• An internal committee analyzes events, contacting
appropriate insiders and outsiders for input.
EVENT IDENTIFICATION
• Companies usually use two or more of
the following techniques together to
identify events:
– Use comprehensive lists of potential events
– Perform an internal analysis
– Monitor leading events and trigger points
• Appropriate transactions, activities, and events are
monitored and compared to predefined criteria to
determine when action is needed.
EVENT IDENTIFICATION
• Companies usually use two or more of
the following techniques together to
identify events:
– Use comprehensive lists of potential events
– Perform an internal analysis
– Monitor leading events and trigger points
– Conduct workshops and interviews
• Employee knowledge and expertise is gathered in
structured discussions or individual interviews.
EVENT IDENTIFICATION
• Companies usually use two or more of
the following techniques together to
identify events:
– Use comprehensive lists of potential events
– Perform an internal analysis
– Monitor leading events and trigger points
• Examine data on prior events to identify trends and
– Conductcauses
workshops and interviews
that help identify possible events.
– Perform data mining and analysis
EVENT IDENTIFICATION
• Companies usually use two or more of
the following techniques together to
identify events:
– Use comprehensive lists of potential events
– Perform an internal analysis
– Monitor leading events and trigger points
– Conduct workshops
• Analyze internal andand interviews
external factors that affect
inputs, processes, and outputs to identify events that
– Perform
mightdata
help ormining and
hinder the analysis
process.
– Analyze processes
RISK ASSESSMENT AND RISK RESPONSE
• The fourth and
fifth components
of COSO’s ERM
model are risk
assessment and
risk response.
• The risk that exists before
COSO indicates
• management takes any steps to
there
control are two
the likelihood or impact of a
types of risk:
risk.
– Inherent risk
RISK ASSESSMENT AND RISK RESPONSE
• The fourth and
fifth components
of COSO’s ERM
model are risk
assessment and
risk response.
• COSO indicates
there are two
• The risk that remains after
management implements internal
types ofsome
controls or risk:
other form of
Inherent
–response to risk.risk
– Residual risk
RISK ASSESSMENT AND RISK RESPONSE
• Companies should:
– Assess inherent risk
– Develop a response
– Then assess residual risk
• The ERM model indicates four ways to
respond to risk:
• The most effective way to reduce the
– Reduce it likelihood and impact of risk is to
implement an effective system of
internal controls.
RISK ASSESSMENT AND RISK RESPONSE
• Companies should:
– Assess inherent risk
– Develop a response
– Then assess residual risk
• The ERM model indicates four ways to
respond to risk:
– Reduce it
– Accept it • Don’t act to prevent or mitigate it.
RISK ASSESSMENT AND RISK RESPONSE
• Companies should:
– Assess inherent risk
– Develop a response
– Then assess residual risk
• The ERM model indicates four ways to
respond to risk:
– Reduce it
– Accept it
• Transfer some of it to others via
– Share it activities such as insurance,
outsourcing, or hedging.
RISK ASSESSMENT AND RISK RESPONSE
• Companies should:
– Assess inherent risk
– Develop a response
– Then assess residual risk
• The ERM model indicates four ways to
respond to risk:
– Reduce it • Don’t engage in the activity that
produces it.
– Accept it • May require:
– Share it – Sale of a division
– Avoid it – Exiting a product line
– Canceling an expansion plan
RISK ASSESSMENT AND RISK RESPONSE
• Accountants:
– Help management design effective controls
to reduce inherent risk.
– Evaluate internal control systems to ensure
they are operating effectively.
– Assess and reduce inherent risk using the
risk assessment and response strategy.
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• Event
Estimate the impact of potential
identification loss from each threat
– The first step in risk
Identify set of controls to
assessment and guard against threat
response strategy is
event identification, Estimate costs and benefits
which we have already from instituting controls
discussed.
Avoid,
Is it
cost- share,
No
beneficial or
to protect
system accept
risk
Yes
Reduce risk by implementing set of
controls to guard against threat
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• Estimate likelihood
and impact Estimate the impact of potential
– Some events pose loss from each threat
more risk because
they are more Identify set of controls to
probable than others. guard against threat
– Some events pose
more risk because Estimate costs and benefits
their dollar impact from instituting controls
would be more
significant. Avoid,
– Likelihood and impact Is it
cost- share,
must be considered No
beneficial or
together: to protect
system accept
– If either increases, risk
the materiality of the Yes
event and the need to Reduce risk by implementing set of
protect against it controls to guard against threat
rises.
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• Identify controls
Estimate the impact of potential
– Management must loss from each threat
identify one or more
controls that will Identify set of controls to
protect the company guard against threat
from each event.
Estimate costs and benefits
– In evaluating benefits from instituting controls
of each control
procedure, consider Is it
Avoid,
effectiveness and cost- share,
No
timing.
beneficial or
to protect
system accept
risk
Yes
Reduce risk by implementing set of
controls to guard against threat
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• All other factors
equal: Estimate the impact of potential
– A preventive control is loss from each threat
better than a
detective one. Identify set of controls to
– However, if preventive guard against threat
controls fail,
detective controls are Estimate costs and benefits
needed to discover from instituting controls
the problem, and
corrective controls Avoid,
are needed to recover. Is it
cost- share,
– Consequently, the No
beneficial or
three complement to protect
accept
each other, and a good
system
risk
internal control Yes
system should have all Reduce risk by implementing set of
three. controls to guard against threat
– Similarly, a company
should use all four
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• Estimate costs and
benefits Estimate the impact of potential
loss from each threat
– It would be cost-
prohibitive to create Identify set of controls to
an internal control guard against threat
system that provided
foolproof protection Estimate costs and benefits
against all events. from instituting controls
– Also, some controls
negatively affect Is it
Avoid,
operational efficiency, cost-
No
share,
and too many controls beneficial
to protect
or
can make it very system accept
inefficient. risk
Yes
Reduce risk by implementing set of
controls to guard against threat
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• The benefits of an
internal control Estimate the impact of potential
procedure must loss from each threat
exceed its costs.
Identify set of controls to
• Benefits can be hard guard against threat
to quantify, but
include: Estimate costs and benefits
– Increased sales and from instituting controls
productivity
– Reduced losses Avoid,
– Better integration with Is it
share,
cost-
customers and suppliers No
– Increased customer
beneficial or
to protect
loyalty system accept
– Competitive advantages risk
– Lower insurance Yes
Reduce risk by implementing set of
premiums controls to guard against threat
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• Costs are usually
easier to measure Estimate the impact of potential
loss from each threat
than benefits.
• Primary cost is Identify set of controls to
personnel, including: guard against threat
– Time to perform
Estimate costs and benefits
control procedures from instituting controls
– Costs of hiring
additional employees Avoid,
to effectively
Is it
cost- share,
No
segregate duties beneficial or
to protect
– Costs of programming system accept
controls into a system risk
Yes
Reduce risk by implementing set of
controls to guard against threat
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• Other costs of a poor
control system Estimate the impact of potential
include: loss from each threat
– Lost sales
– Lower productivity Identify set of controls to
guard against threat
– Drop in stock price if
security problems
Estimate costs and benefits
arise
from instituting controls
– Shareholder or
regulator lawsuits
Avoid,
– Fines and penalties Is it
share,
imposed by cost-
No
governmental agencies
beneficial or
to protect
system accept
risk
Yes
Reduce risk by implementing set of
controls to guard against threat
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• The expected loss
related to a risk is Estimate the impact of potential
loss from each threat
measured as:
– Expected loss = Identify set of controls to
impact x likelihood guard against threat
• The value of a Estimate costs and benefits
control procedure from instituting controls
is the difference
between: Is it
cost-
Avoid,
share,
– Expected loss with No
beneficial or
control procedure to protect
system accept
– Expected loss without risk
it Yes
Reduce risk by implementing set of
controls to guard against threat
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• Determine cost-
benefit Estimate the impact of potential
loss from each threat
effectiveness
– After estimating Identify set of controls to
benefits and costs, guard against threat
management
determines if the Estimate costs and benefits
control is cost from instituting controls
beneficial, i.e., is the
cost of implementing a Is it Avoid,
control procedure less cost- share,
benefici No
than the change in or
expected loss that al accept
to protect
would be attributable system risk
to the change? Yes
Reduce risk by implementing set of
controls to guard against threat
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• In evaluating costs
and benefits, Estimate the impact of potential
management must loss from each threat
consider factors
other than those in Identify set of controls to
the expected benefit guard against threat

calculation. Estimate costs and benefits

– If an event threatens an from instituting controls
organization’s existence,
it may be worthwhile to Is it
institute controls even if Avoid,
costs exceed expected cost- share,
benefits. benefici No
or
– The additional cost can al accept
be viewed as a to protect
catastrophic loss system risk
Yes
insurance premium. Reduce risk by implementing set of
controls to guard against threat
 • Expected Loss without control procedure = Tshs.800,000 x .12 =
Tshs.96,000.
• Expected loss with control procedure = Tshs.800,000 x .005 = Tshs.4,000.

RISK ASSESSMENT AND RISK RESPONSE

• Estimated value of control procedure = Tshs.96,000 - Tshs.4,000 =
• Let’s go through
Tshs.92,000.
an example:
• Estimated cost of control procedure = Tshs.43,000 (given).
– Hobby Hole is trying to decide whether to install a
• Benefits exceed costs by Tshs.92,000 - Tshs.43,000 = Tshs.49,000.
motion detector system in its warehouse to reduce
• Inthe
this probability of ashould
case, Hobby Hole catastrophic theft.
probably install the motion detectors.
– A catastrophic theft could result in losses of
Tshs.800,000.
– Local crime statistics suggest that the probability
of a catastrophic theft at Hobby Hole is 12%.
– Companies with motion detectors only have about a
.5% probability of catastrophic theft.
– The present value of purchasing and installing a
motion detector system and paying future security
costs is estimated to be about Tshs.43,000.
– Should Hobby Hole install the motion detectors?
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• Implement the
Estimate the impact of potential
control or avoid, loss from each threat
share, or accept the
risk Identify set of controls to
guard against threat
– When controls are
cost effective, they Estimate costs and benefits
should be implemented from instituting controls
so risk can be Is it Avoid,
reduced. cost- share,
benefici No
or
al accept
to protect
system risk
Yes
Reduce risk by implementing set of
controls to guard against threat
 Identify the events or threats
that confront the company
RISK ASSESSMENT
AND RISK RESPONSE Estimate the likelihood or
probability of each event occurring
• Risks that are not
reduced must be Estimate the impact of potential
accepted, shared, or loss from each threat
avoided.
– If the risk is within the Identify set of controls to
company’s risk tolerance, guard against threat
they will typically accept
the risk. Estimate costs and benefits
– A reduce or share from instituting controls
response is used to bring
residual risk into an Is it
acceptable risk tolerance Avoid,
cost- share,
range. No
– An avoid response is benefici or
typically only used when al accept
there is no way to cost- to protect
system risk
effectively bring risk Yes
into an acceptable risk Reduce risk by implementing set of
tolerance range. controls to guard against threat
CONTROL ACTIVITIES
• The sixth component
of COSO’s ERM
model.
• Control activities are
policies, procedures,
and rules that provide
reasonable assurance
that management’s
control objectives are
met and their risk
responses are carried
out.
 CONTROL ACTIVITIES
• It is management’s responsibility to develop a
secure and adequately controlled system.
– Controls are much more effective when built in on
the front end.
– Consequently, systems analysts, designers, and end
users should be involved in designing adequate
computer-based control systems.
• Management must also establish a set of
procedures to ensure control compliance and
enforcement.
– Usually, the purview of the information security
officer and the operations staff.
 CONTROL ACTIVITIES
• It is critical that controls be in place
during the year-end holiday season. A
disproportionate amount of computer
fraud and security break-ins occur
during this time because:
– More people are on vacation and fewer
around to mind the store.
– Students are not tied up with school.
– Counterculture hackers may be lonely.
 CONTROL ACTIVITIES
• Generally, control procedures fall into
one of the following categories:
– Proper authorization of transactions and
activities
– Segregation of duties
– Project development and acquisition
controls
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance
 CONTROL ACTIVITIES
• Generally, control procedures fall into
one of the following categories:
– Proper authorization of transactions and
activities
– Segregation of duties
– Project development and acquisition
controls
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance
 CONTROL ACTIVITIES
• Proper authorization of transactions
and activities
– Management lacks the time and resources
to supervise each employee activity and
decision.
– Consequently, they establish policies and
empower employees to perform activities
within policy.
– This empowerment is called authorization
and is an important part of an organization’s
control procedures.
 CONTROL ACTIVITIES
• Authorizations are often documented by
signing initializing, or entering an
authorization code.
• Computer systems can record digital
signatures as a means of signing a document.
• Employees who process transactions should
verify the presence of the appropriate
authorizations.
• Auditors review transactions for proper
authorization, as their absence indicates a
possible control problem.
 CONTROL ACTIVITIES
• Typically at least two levels of authorization:
– General authorization
• Management authorizes employees to handle routine
transactions without special approval.
– Special authorization
• For activities or transactions that are of significant
consequences, management review and approval is
required.
• Might apply to sales, capital expenditures, or
write-offs over a particular dollar limit.
• Management should have written policies for
both types of authorization and for all types
of transactions.
 CONTROL ACTIVITIES
• Generally, control procedures fall into
one of the following categories:
– Proper authorization of transactions and
activities
– Segregation of duties
– Project development and acquisition
controls
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance
 CONTROL ACTIVITIES
• Segregation of duties
– Good internal control requires that no
single employee be given too much
responsibility over business transactions or
processes.
– An employee should not be in a position to
commit and conceal fraud or unintentional
errors.
– Segregation of duties is discussed in two
sections:
• Segregation of accounting duties
• Segregation of duties within the systems
function
 CONTROL ACTIVITIES
• Segregation of duties
– Good internal control requires that no
single employee be given too much
responsibility over business transactions or
processes.
– An employee should not be in a position to
commit and conceal fraud or unintentional
errors.
– Segregation of duties is discussed in two
sections:
• Segregation of accounting duties
• Segregation of duties within the systems
function
 CONTROL ACTIVITIES

• To learn a little about segregation of

duties, let’s first meet Bill.
 CONTROL ACTIVITIES

• Bill is in charge of a pile of the

organization’s money—let’s say
Tshs.1,000.
 CONTROL ACTIVITIES

Ledger

Tshs.1,000

• Bill also keeps the books for that

money.
 CONTROL ACTIVITIES

Ledger

Tshs.1,000

• Bill has a date tonight, and he’s a little desperate

to impress that special someone, so he takes
Tshs.100 of the cash. (Thinks he’s only borrowing
it, you know.)
 CONTROL ACTIVITIES

Ledger

Tshs.900

• Bill also records an entry in the books to show

that Tshs.100 was spent for some “legitimate”
purpose. Now the balance in the books is
Tshs.900.
 CONTROL ACTIVITIES

Ledger

Tshs.900

• How will Bill ever get caught at his

theft?
 CONTROL ACTIVITIES

• Now let’s change the story. Bill is in

charge of the pile of cash.
 CONTROL ACTIVITIES

Ledger

Tshs.1,000

• But Mary keeps the books.

• This arrangement is a form of segregation of
duties.
 CONTROL ACTIVITIES

Ledger

Tshs.1,000

• Bill gets in a pinch again and takes

Tshs.100 of the organization’s cash.
 CONTROL ACTIVITIES

Ledger

Tshs.1,000

• How will Bill get caught?

 CONTROL ACTIVITIES
• Segregation of accounting duties
– Effective segregation of accounting duties is
achieved when the following functions are
separated:
• Authorization—Approving transactions and decisions.
• Recording—Preparing source documents; maintaining
journals, ledgers, or other files; preparing reconciliations;
and preparing performance reports.
• Custody—Handling cash, maintaining an inventory
storeroom, receiving incoming customer checks, writing
checks on the organization’s bank account.
– If any two of the preceding functions are the
responsibility of one person, then problems can
arise.
 CONTROL
CUSTODIAL FUNCTIONS
ACTIVITIES
RECORDING FUNCTIONS
• Handling cash • Preparing source documents
• Handling inventories, tools, • Maintaining journals, ledgers,
or fixed assets or other files
• Writing checks • Preparing reconciliations
• Receiving checks in mail • Preparing performance
reports

• EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the
recording for those receipts can AUTHORIZATION
steal some of the cash and falsify accounts to
conceal the theft. FUNCTIONS
• • Authorization of
SOLUTION: The pink fence (segregation of custody and recording) prevents
transactions
employees from falsifying records to conceal theft of assets entrusted to them.
 • EXAMPLE OF PROBLEM: A
person who has custody of
checks for transactions that he
has authorized can authorize

CONTROL
CUSTODIAL FUNCTIONS
ACTIVITIES fictitious transactions and then
steal the payments.
RECORDING FUNCTIONS
• SOLUTION: The green fence
• Handling cash • Preparing source documents
(segregation of custody and
• Handling inventories, tools, • Maintaining journals,
authorization) preventsledgers,
or fixed assets or other files
employees from authorizing
• Writing checks • fictitious
Preparing or reconciliations
inaccurate
• Receiving checks in mail • transactions as a means of
Preparing performance
concealing
reports a theft.

AUTHORIZATION
FUNCTIONS
• Authorization of
transactions
• EXAMPLE OF PROBLEM: A
person who can authorize a
transaction and keep records
related to the transactions can

CONTROL ACTIVITIES
authorize and record fictitious
payments that might, for
CUSTODIAL RECORDING FUNCTIONS
example, be sentFUNCTIONS
to the
• Handlinghome
employee’s cash address or • Preparing source documents
• Handling
the address of a shell
inventories, tools, • Maintaining journals, ledgers,
company
or fixedheassets
creates. or other files
• • Writing checks
SOLUTION: The purple fence • Preparing reconciliations
(segregation
• Receivingofchecks
recording and
in mail • Preparing performance
authorization) prevents reports
employees from falsifying
records to cover up inaccurate
or false transactions that were
inappropriately authorized.

AUTHORIZATION
FUNCTIONS
• Authorization of
transactions
 CONTROL ACTIVITIES
• In a system that incorporates an
effective separation of duties, it should
be difficult for any single employee to
commit embezzlement successfully.
• But when two or more people collude,
then segregation of duties becomes
impotent and controls are overridden.
 CONTROL ACTIVITIES

Ledger

Tshs.1,000

• If this happens . . .
 CONTROL ACTIVITIES

Ledger

Tshs.1,000

• Then segregation of duties is out the

window. Collusion overrides segregation.
 CONTROL ACTIVITIES
• Employees can collude with other employees
or with customers or vendors.
• The most frequent form of employee/vendor
collusions include:
– Billing at inflated prices
– Performing substandard work and receiving full
payment
– Payment for non-performance
– Duplicate billings
– Improperly funneling more work to or purchasing
more goods from a colluding company
 CONTROL ACTIVITIES
• The most frequent form of
employee/customer collusions include:
– Unauthorized loans or insurance payments
– Receipt of assets or services at
unauthorized discount prices
– Forgiveness of amounts owed
– Unauthorized extension of due dates
 CONTROL ACTIVITIES
• Segregation of duties
– Good internal control requires that no single
employee be given too much responsibility over
business transactions or processes.
– An employee should not be in a position to commit
and conceal fraud or unintentional errors.
– Segregation of duties is discussed in two sections:
• Segregation of accounting duties
• Segregation of duties within the systems function
 CONTROL ACTIVITIES
• Segregation of duties within the
systems function
– In a highly integrated information system,
procedures once performed by separate
individuals are combined.
– Therefore, anyone who has unrestricted
access to the computer, its programs, and
live data could have the opportunity to
perpetrate and conceal fraud.
– To combat this threat, organizations must
implement effective segregation of duties
within the IS function.
 CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly
among the following functions:
– Systems administration
• Responsible for ensuring that the
different parts of an information
system operate smoothly and
efficiently.
 CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly
among the following functions:
– Systems administration
– Network management
• Ensures that all applicable devices are
linked to the organization’s internal and
external networks and that the networks
operate continuously and properly.
 CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly
among the following functions:
– Systems administration
– Network management •
Ensures that all aspects of the
– Security management system are secure and protected
from internal and external threats.
 CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly
among the following functions:
– Systems administration
– Network management
– Security management • Manages changes to the
– Change management organization’s information system
to ensure they are made smoothly
and efficiently and to prevent errors
and fraud.
 CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly
among the following functions:
– Systems administration
– Network management
– Security management
– Change management
– Users • Record transactions, authorize data
to be processed, and use system
output.
 CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly
among the following functions:
– Systems administration
– Network management
– Security management
– Change management
– Users • Help users determine their
– Systems analysts information needs and design
systems to meet those needs.
 CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly
among the following functions:
– Systems administration
– Network management
– Security management
– Change management
– Users
– Systems analysts
– Programming • Use design provided by the
systems analysts to write the
computer programs for the
information system.
 CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly
among the following functions:
– Systems administration
– Network management
– Security management
– Change management
– Users
– Systems analysts
– Programming • Run the software on the company’s
– Computer operations computers.
• Ensure that data are input properly,
correctly processed, and needed
output is produced.
 CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly
among the following functions:
– Systems administration
– Network management
– Security management
– Change management
– Users
– Systems analysts • Maintains custody of corporate
– Programming databases, files, and programs in a
– Computer operations separate storage area.
– Information systems library
 CONTROL ACTIVITIES
• Authority and responsibility must be divided clearly
among the following functions:
– Systems administration
– Network management
– Security management
• Ensures that source data have
– Change managementbeen properly approved.
– Users • Monitors the flow of work through
– Systems analysts the computer.
• Reconciles input and output.
– Programming
• Maintains a record of input errors to
– Computer operations
ensure their correction and
– Information systems library
resubmission.
– Data control •
Distributes system output.
 CONTROL ACTIVITIES
• It is important that different people perform
the preceding functions.
– Allowing a person to do two or more jobs exposes
the company to the possibility of fraud.
• In addition to adequate segregation of duties,
organizations should ensure that the people
who design, develop, implement, and operate
the IS are qualified and well trained.
• The same holds true for systems security
personnel.
 CONTROL ACTIVITIES
• Generally, control procedures fall into one of
the following categories:
– Proper authorization of transactions and activities
– Segregation of duties
– Project development and acquisition controls
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance
 CONTROL ACTIVITIES
•Project development and acquisition controls
– It’s important to have a formal, appropriate, and proven
methodology to govern the development, acquisition,
implementation, and maintenance of information systems and
related technologies.
• Should contain appropriate controls for:
– Management review and approval
– User involvement
– Analysis
– Design
– Testing
– Implementation
– Conversion
• Should make it possible for management to trace
information inputs from source to disposition and vice
versa (the audit trail).
 CONTROL ACTIVITIES
• Examples abound of poorly managed
projects that have wasted large sums of
money because certain basic principles
of project management control were
ignored.
 • A multi-year strategic plan
should align the organization’s
information system with its
CONTROL ACTIVITIES business strategies and show
the projects that must be
• The following basic principles of control should be
completed to achieve long-range
applied to systems development
goals.in order to reduce
the potential for cost overruns
• Shouldand project
address failure
hardware,
and to improve the efficiency and effectiveness
software, personnel, and of
the IS: infrastructure requirements.
– Strategic master plan • Each year, the board and top
management should prepare
and approve the plan and its
supporting budget.
• Should be evaluated several
times a year to ensure the
organization can acquire needed
components and maintain
existing ones.
 • A project development plan shows
how a project will be completed,
including:
CONTROL ACTIVITIES • Modules or tasks to be
performed
• The following basic principles of control should be
• Who will perform them
applied to systems development in order to reduce
• Anticipated completion dates
the potential for cost overruns and project failure
• Project costs
and to improve the efficiency and effectiveness of
• Project milestones should be
the IS: specified—points when progress is
– Strategic master plan reviewed and actual completion
– Project controls times are compared to estimates.
• Each project should be assigned to a
manager and team who are
responsible for its success or failure.
• At project completion, a project
evaluation of the team members
should be performed.
 CONTROL ACTIVITIES
• The following basic principles of control should be
applied to systems development in order to reduce
the potential for cost overruns and project failure
and to improve the efficiency and effectiveness of
the IS:
– Strategic master plan
– Project controls
– Data processing schedule
• Data processing tasks should be
organized according to a schedule
to maximize the use of scarce
computer resources.
 CONTROL ACTIVITIES
• The following basic principles of control should be
applied to systems development in order to reduce
the potential for cost overruns and project failure
and to improve the efficiency and effectiveness of
the IS:
– Strategic master plan
– Project controls
– Data processing schedule
• A steering committee should
– Steering committee guide and oversee systems
development and acquisition.
 CONTROL ACTIVITIES
• To be evaluated properly, a
• The following basic principles of control should be
system should be assessed with
applied to systems development in order to reduce
measures such as:
the potential for cost overruns and project
– Throughput failure
(output per unit
and to improve the efficiency and effectiveness of
of time)
the IS: – Utilization (percent of time it
– Strategic master plan is used productively)
– Project controls – Response time (how long it
– Data processing schedule takes to respond)
– Steering committee
– System performance measurements
 CONTROL ACTIVITIES
• The following basic principles of control should be
applied to systems development in order to reduce
the potential for cost overruns and project failure
and to improve the efficiency and effectiveness of
the IS:
• A review should be performed
– Strategic master plan
after a development project is
– Project controls completed to determine if the
– Data processing schedule anticipated benefits were
– Steering committee achieved.
– • Helps control project
System performance measurements
– Post-implementation review development activities and
encourage accurate and
objective initial cost and benefit
estimates.
 CONTROL ACTIVITIES
• To simplify and improve systems development,
some companies hire a systems integrator—a
vendor who uses common standards and
manages the development effort using their
own personnel and those of the client and
other vendors.
– Many companies rely on the integrator’s assurance
that the project will be completed on time.
– Unfortunately, the integrator is often wrong.
– These third-party systems development projects
are subject to the same cost overruns and missed
deadlines as systems developed internally.
 CONTROL ACTIVITIES
• Before third parties bid, provide clear specifications,
• When using systems integrators,
including:
companies should
– Exact adhere
descriptions to theof same
and definitions the system
– Explicit deadlines
basic rules used for project
– Precise acceptance criteria
management
• Although of
it’s internal projects.
expensive to develop In
these specifications,
addition,it they should:
will save money in the end.

– Develop clear specifications

 • A sponsors committee should monitor third-party
development projects.
– Established by the CIO and chaired by the

CONTROL ACTIVITIES
project’s internal champion.
– Should include department managers from all
• When using –systems
units that will integrators,
use the system.
Should establish formal procedures for measuring
companies should adhere
and reporting projectto the same
status.
basic rules used for project
– Best approach is to:
• Divide project into manageable tasks.
management of internal
• Assign projects. In
responsibility for each task.
addition, they •should:
Meet on a regular basis (at least monthly) to
review progress and assess quality.
– Develop clear specifications
– Monitor the systems integration project
 CONTROL ACTIVITIES
• Generally, control procedures fall into
one of the following categories:
– Proper authorization of transactions and
activities
– Segregation of duties
– Project development and acquisition
controls
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance
 CONTROL ACTIVITIES
• Change management controls
– Organizations constantly modify their information
systems to reflect new business practices and take
advantage of information technology advances.
– Change management is the process of making sure
that the changes do not negatively affect:
• Systems reliability
• Security
• Confidentiality
• Integrity
• Availability
 CONTROL ACTIVITIES
• Generally, control procedures fall into
one of the following categories:
– Proper authorization of transactions and
activities
– Segregation of duties
– Project development and acquisition
controls
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance
 CONTROL ACTIVITIES
•Design and use of adequate documents and
records
– Proper design and use of documents and records
helps ensure accurate and complete recording of
all relevant transaction data.
– Form and content should be kept as simple as
possible to:
• Promote efficient record keeping
• Minimize recording errors
• Facilitate review and verification
– Documents that initiate a transaction should
contain a space for authorization.
– Those used to transfer assets should have a space
for the receiving party’s signature.
 CONTROL ACTIVITIES
• Documents should be sequentially pre-
numbered:
– To reduce likelihood that they would be used
fraudulently.
– To help ensure that all valid transactions are
recorded.
• A good audit trail facilitates:
– Tracing individual transactions through the system.
– Correcting errors.
– Verifying system output.
 CONTROL ACTIVITIES
• Generally, control procedures fall into
one of the following categories:
– Proper authorization of transactions and
activities
– Segregation of duties
– Project development and acquisition
controls
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance
 CONTROL ACTIVITIES
• Safeguard assets, records, and data
– When people consider safeguarding assets, they
most often think of cash and physical assets, such
as inventory and equipment.
– Another company asset that needs to be protected
is information.
– According to the ACFE’s 2004 National Fraud
Survey, theft of information made up only 17.3%
of non-cash misappropriations; however, the
median cost of an information theft was
Tshs.340,000. This cost was 126% higher than the
next most costly non-asset theft. (Equipment
theft had a median cost of Tshs.150,000.)
 CONTROL ACTIVITIES
• Many people mistakenly believe that the
greatest risks companies face are from
outsiders.
• However, employees pose a much
greater risk when it comes to loss of
data because:
– They know the system and its weaknesses
better.
– They are better able to hide their illegal
acts.
 CONTROL ACTIVITIES
• Insiders also create less-intentional threats
to systems, including:
– Accidentally deleting company data.
– Turning viruses loose.
– Trying to fix hardware or software without
appropriate expertise (i.e., when in doubt, unplug
it).
• These actions can result in crashed networks,
corrupt data, and hardware and software
malfunctions.
• Companies also face significant risks from
customers and vendors that have access to
company data.
 CONTROL ACTIVITIES
• Many steps can be taken to safeguard
both information and physical assets
from theft, unauthorized use, and
vandalism. Chapters 7 and 8 discuss
computer-based controls. In addition, it
is important to:
– Maintain accurate records of all assets
• Periodically reconcile recorded amounts to
physical counts.
 CONTROL ACTIVITIES
• Many steps can be taken to safeguard
both information and physical assets
from theft, unauthorized use, and
vandalism. Chapters• 7Use
and 8 discuss
restricted storage areas for
inventories and equipment.
computer-based controls.
• Use cash In addition,
registers, safes, it
is important to: lockboxes, and safe deposit
boxes to limit access to cash,
– Maintain accurate records of all
securities, and assets
paper assets.
• Periodically reconcile recorded amounts to
physical counts
• Restrict access to assets
 CONTROL ACTIVITIES
• Many steps can be taken to safeguard
both information and physical assets
from theft, unauthorized use, and
vandalism. Chapters• 7Use
and 8 discuss
fireproof storage areas,
computer-based controls. In cabinets,
locked filing addition,backupitof
is important to: files (including copies at off-site
locations).
– Maintain accurate records of alltoassets
• Limit access blank checks and
• Periodically reconcile recorded amounts
documents to
to authorized
physical counts personnel.
• Restrict access to assets
• Protect records and documents
 CONTROL ACTIVITIES
• Generally, control procedures fall into
one of the following categories:
– Proper authorization of transactions and
activities
– Segregation of duties
– Project development and acquisition
controls
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance
 CONTROL ACTIVITIES

Ledger

Tshs.1,000

• Let’s look at Bill and Mary again. Assume that Bill

stole cash but Mary did NOT alter the books.
 CONTROL ACTIVITIES

Ledger

Tshs.1,000

• Can Bill’s theft be discovered if an independent

party doesn’t compare a count of the cash to
what’s recorded on the books?
 CONTROL ACTIVITIES

Ledger

Tshs.1,000

• Segregation of duties only has value when

supplemented by independent checks.
 CONTROL ACTIVITIES
• Internal checks to ensure that
transactions are processed accurately
are an important control element.
• These checks should be performed by
someone independent of the party(ies)
responsible for the activities.
 CONTROL ACTIVITIES
• The following independent checks are
typically used:
– Top-level reviews
• Management at all levels should monitor company results
and periodically compare actual performance to:
– Planned performance as shown in budgets, targets, and
forecasts
– Prior-period performance
– The performance of competitors
 CONTROL ACTIVITIES
• The following independent checks are
typically used:
– Top-level reviews
– Analytical reviews
• Examinations of relationships between different sets of data.
• EXAMPLE: If credit sales increased significantly during the
period and there were no changes in credit policy, then bad
debt expense should probably have increased also.
• Management should periodically analyze and review data
relationships to detect fraud and other business problems.
 CONTROL ACTIVITIES
• Check the accuracy and completeness of records by
• The following independent checks are
reconciling them with other records that should have the
same balance.
typically used:
• EXAMPLES:
– Bank reconciliations
– Top-level reviews
– Comparing accounts payable control account to sum of
– Analytical reviews
subsidiary accounts.
– Reconciliation of independently maintained
sets of records
 CONTROL ACTIVITIES
• The following independent checks are
typically used:• Periodically, count significant assets and
reconcile the count to company records.
– Top-level reviews
• EXAMPLE: Annual physical inventory.
– Analytical reviews
• High-dollar items and critical components
should be counted more frequently.
– Reconciliation of independently maintained
sets of records
– Comparison of actual quantities with
recorded amounts
 CONTROL ACTIVITIES
• The following independent checks are
typically used:
– Top-level reviews
– Analytical reviews
– Reconciliation of independently maintained
sets of records
– Comparison of actual quantities with
• Ensure that debits equal credits.
recorded amounts
– Double-entry accounting
 CONTROL ACTIVITIES
• The following independent checks are
typically used:
– Top-level reviews
– Analytical reviews
– Reconciliation of independently maintained
sets of records
– Comparison of actual quantities with
recorded amounts • After one person processes a
transaction, another reviews
– Double-entry accounting
their work.
– Independent review
INFORMATION AND COMMUNICATION
•The seventh component of
COSO’s ERM model.
• The primary purpose of the AIS
is to gather, record, process,
store, summarize, and
communicate information about
an organization.
• So accountants must understand
how:
– Transactions are initiated
– Data are captured in or
converted to machine-
readable form
– Computer files are accessed
and updated
– Data are processed
– Information is reported to
internal and external parties
INFORMATION AND COMMUNICATION
• Accountants must also understand the
accounting records and procedures,
supporting documents, and specific
financial statement accounts involved in
processing and reporting transactions.
• The preceding items facilitate an audit
trail which allows for transactions to be
traced from origin to financial
statements and vice versa.
INFORMATION AND COMMUNICATION
• According to the AICPA, an AIS has
five primary objectives:
– Identify and record all valid transactions.
– Properly classify transactions.
– Record transactions at their proper
monetary value.
– Record transactions in the proper
accounting period.
– Properly present transactions and related
disclosures in the financial statements.
 INFORMATION AND COMMUNICATION
• How to safeguard information and physical assets:
– Create and enforce appropriate policies and procedures.
– Maintain accurate records of all assets.
– Restrict access to assets.
– Protect records and documents.
INFORMATION AND COMMUNICATION
• Accounting systems generally consist of
several accounting subsystems, each designed
to process transactions of a particular type.
• Though they differ with respect to the type
of transactions processed, all accounting
subsystems follow the same sequence of
procedures, referred to as accounting cycles.
• The five major accounting cycles and their
related control objectives and procedures are
detailed in Chapters 10–14.
MONITORING
• The eighth
component of
COSO’s ERM
model.
• Monitoring can be
accomplished with
a series of ongoing
events or by
separate
evaluations.
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer, a Chief
Compliance Officer, and security consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Perform ERM evaluation
– Can measure ERM effectiveness through a
formal evaluation or through a self-
assessment process.
– A special group can be assembled to
conduct the evaluation or it can be done by
internal auditing.
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Implement effective supervision
– Involves:
• Training and assisting employees;
• Monitoring their performance;
• Correcting errors; and
• Safeguarding assets by overseeing employees
with access.
– Especially important in organizations that:
• Can’t afford elaborate responsibility reporting;
or
• Are too small for segregation of duties.
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Use responsibility accounting
– Includes use of:
• Budgets, quotas, schedules, standard costs, and
quality standards;
• Performance reports that compare actual with
planned performance and highlight variances;
and
• Procedures for investigating significant
variances and taking timely actions to correct
adverse conditions.
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Monitor system activities
– Risk analysis and management software
packages are available to:
• Review computer and network security
measures;
• Detect illegal entry into systems;
• Test for weaknesses and vulnerabilities;
• Report weaknesses found; and
• Suggest improvements.
 MONITORING
• Cost parameters can be entered to
balance acceptable levels of risk
tolerance and cost-effectiveness.
• Software is also available to monitor
and combat viruses, spyware, spam, pop-
up ads, and to prevent browsers from
being hijacked.
• Also helps companies recover from
frauds and malicious actions and restore
systems to pre-incident status.
 MONITORING
• System transactions and activities should be
recorded in a log which indicates who
accessed what data, when, and from which
terminal.
• Logs should be reviewed frequently to monitor
system activity and trace any problems to
their source.
• Data collected can be used to:
– Evaluate employee productivity;
– Control company costs;
– Fight corporate espionage and other attacks; and
– Comply with legal requirements.
 MONITORING
• Companies that monitor system activities need to
ensure they do not violate employee privacy rights.
• Employers cannot discreetly observe communications
of employees when those employees have a
“reasonable expectation of privacy.”
• Employers must therefore ensure that employees
realize their business communications are not
“private.” One way to accomplish that objective is to
have written policies that employees agree to in
writing which indicate:
– The technology employees use on the job belongs to the
company.
– Emails received on company computers are not private and
can be read by supervisory personnel.
– Employees should not use technology in any way to contribute
to a hostile work environment.
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Track purchased software
– The Business Software Alliance (BSA) aggressively
tracks down and fines companies who violate
software license agreements.
– To comply with copyrights, companies should
periodically conduct software audits to ensure
that.
• There are enough licenses for all users; and
• The company is not paying for more licenses than needed.
– Employees should be informed of the consequences
of using unlicensed software.
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Conduct periodic audits
– To monitor risk and detect fraud and
errors, the company should have periodic:
• External audits
• Internal audits
• Special network security audits
– Auditors should test system controls and
browse system usage files looking for
suspicious activities (discussed in Chapter
9).
 MONITORING
• Again, care should be exercised that
employees’ privacy rights are not
violated.
• Therefore, inform employees that
auditors will conduct random
surveillance, which:
– Avoids privacy violations
– Creates a “perception of detection” that
can deter crime and reduce errors
 MONITORING
• Internal auditing involves:
– Reviewing the reliability and integrity of
financial and operating information.
– Providing an appraisal of internal control
effectiveness.
– Assessing employee compliance with
management policies and procedures and
applicable laws and regulations.
– Evaluating the efficiency and effectiveness
of management.
 MONITORING
• Internal audits can detect:
– Excess overtime
– Under-used assets
– Obsolete inventory
– Padded expense reimbursements
– Excessively loose budgets and quotas
– Poorly justified capital expenditures
– Production bottlenecks
 MONITORING
• Internal auditing should be
organizationally independent of the
accounting and operating functions.
• The head should report to the audit
committee of the board of directors
rather than to the controller or CFO.
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Employ a computer security officer
and computer consultants
– The computer security officer (CSO) is in
charge of AIS security
• Should be independent of the IS function
• Should report to the COO or CEO
– Many companies also use outside computer
consultants or in-house teams to test and
evaluate their security procedures and
computer systems.
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Engage forensic specialists
– Forensic accountants specialize in fraud
detection and investigation.
• Now one of the fastest growing areas of
accounting due to:
– SOX
– SAS-99
– Boards of Directors demanding that forensic
accounting be an ongoing part of the financial
reporting and corporate governance process.
 MONITORING
• Most forensic accountants are CPAs and may
have received special training with the FBI,
CIA, or other law enforcement agencies.
– In particular demand are those with the necessary
computer skills to ferret out and combat
fraudsters who use sophisticated technology to
perpetrate their crimes.
– The Association of Certified Fraud Examiners
(ACFE) has created a professional certification
program for fraud examiners.
 MONITORING
• Management may also need to call on
computer forensic specialists for help.
• They assist in discovering, extracting,
safeguarding, and documenting
computer evidence so that its
authenticity, accuracy, and integrity will
not succumb to legal challenges.
 MONITORING
• Common incidents investigated by
computer forensic experts include:
– Improper internet usage
– Fraud
– Sabotage
– Loss, theft, or corruption of data
– Retrieving information from emails and
databases that users thought they had
erased
– Determining who performed certain actions
on a computer
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Install fraud detection software
– People who commit fraud tend to follow certain patterns and
leave behind clues.
– Software has been developed to seek out these fraud
symptoms.
– Some companies employ neural networks (programs that
mimic the brain and have learning capabilities), which are
very accurate in identifying suspected fraud.
– For example, if a husband and wife were each using the same
credit card in two different stores at the same time, a
neural network would probably flag at least one of the
transactions immediately as suspicious.
– These networks and other recent advances in fraud
detection software are significantly reducing the incidences
of credit card fraud.
 MONITORING
• Key methods of monitoring performance
include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
 MONITORING
• Implement a fraud hotline
– People who witness fraudulent behavior are
often torn between conflicting feelings.
• They want to protect company assets and
report fraud perpetrators.
• But they are uncomfortable in the
whistleblower role and find it easier to remain
silent.
– They are particularly reluctant to report if
they know of others who have suffered
repercussions from doing so.
 MONITORING
• SOX mandates that companies set up
mechanisms for employees to anonymously
report abuses such as fraud.
– An effective way to comply with the law and
resolve employee concerns is to provide access to
an anonymous hotline.
– Anonymous reporting can be accomplished through:
• Phone lines
• Web-based reporting
• Anonymous emails
• Snail mail
 MONITORING
• Outsourcing is available through a number of third
parties and offers several benefits, including:
– Increased confidence on the part of employee that
his/her report is truly anonymous.
– 24/7 availability.
– Often have multilingual capabilities—an important plus
for multinational organizations.
– The outsourcer may be able to do follow up with the
employee if additional information is needed after the
initial contact.
– The employee can be advised of the outcome of his
report.
– Low cost.
 MONITORING
• A downside to anonymous reporting
mechanisms is that they will produce a
significant amount of petty or slanderous
reports that do not require investigation.
• The ACFE’s 2004 Report to the Nation
indicates that companies without fraud
hotlines had median fraud losses that were
140% higher than companies that had fraud
hotlines.
•
SUMMARY
In this chapter, you’ve learned about basic internal control
concepts and why computer control and security are so
important.
• You’ve learned about the similarities and differences
between the COBIT, COSO, and ERM control frameworks.
• You’ve learned about the major elements in the internal
control environment of a company and the four types of
control objectives that companies need to set.
• You’ve also learned about events that affect uncertainty
and how these events can be identified.
• You’ve explored how the Enterprise Risk Management
model is used to assess and respond to risk, as well as the
control activities that are commonly used in companies.
• Finally, you’ve learned how organizations communicate
information and monitor control processes.