romney_ch06.ppt

Academic year: 2020

CHAPTER 6

INTRODUCTION

• Questions to be addressed in this chapter:
  – What are the basic internal control concepts, and why are computer control and security important?
  – What is the difference between the COBIT, COSO, and ERM control frameworks?
  – What are the major elements in the internal environment of a company?
  – What are the four types of control objectives that companies need to set?
  – What events affect uncertainty, and how can they be identified?
  – How is the Enterprise Risk Management model used to assess and respond to risk?
  – What control activities are commonly used in companies?
  – How do organizations communicate information and monitor

INTRODUCTION

• Why AIS threats are increasing
  – Control risks have increased in the last few years because:
    • There are computers and servers everywhere, and information is available to an unprecedented number of workers.
    • Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
    • Wide area networks are giving customers and suppliers access to each other’s systems and data, making

INTRODUCTION

• Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
  – Computer control problems are often underestimated and downplayed.
  – Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
  – Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.

INTRODUCTION

• Some vocabulary terms for this chapter:
  – A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
  – The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.

INTRODUCTION

• Control and security are important
  – Companies are now recognizing the problems and taking positive steps to achieve better control, including:
    • Devoting full-time staff to security and control concerns.
    • Educating employees about control measures.
    • Establishing and enforcing formal information security policies.
    • Making controls a part of the applications development process.

INTRODUCTION

• To use IT in achieving control objectives, accountants must:
  – Understand how to protect systems from threats.
  – Have a good understanding of IT and its capabilities and risks.
• Achieving adequate security and control over the information resources of an

INTRODUCTION

• Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
  – Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.
  – Segregation of duties must be achieved differently in an AIS.

INTRODUCTION

• One of the primary objectives of an AIS is to control a business organization.
  – Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.
• Management expects accountants to be control consultants by:
  – Taking a proactive approach to eliminating system threats; and

INTRODUCTION

• It is much easier to build controls into a system during the initial stage than to add them after the fact.
• Consequently, accountants and control experts should be members of the teams that develop or modify information

OVERVIEW OF CONTROL CONCEPTS

• In today’s dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
  – Hire creative and innovative employees.
  – Give these employees power and flexibility to:
    • Satisfy changing customer demands;
    • Pursue new opportunities to add value to the organization; and
    • Implement process improvements.
• At the same time, the company needs control systems so they are not exposed to excessive risks or behaviors that could harm their

OVERVIEW OF CONTROL CONCEPTS

• Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
  – Assets (including data) are safeguarded.
  – Records are maintained in sufficient detail to accurately and fairly reflect company assets.
  – Accurate and reliable information is provided.
  – There is reasonable assurance that financial reports are prepared in accordance with GAAP.
  – Operational efficiency is promoted and improved.
    • This objective includes ensuring that company
  – Adherence to prescribed managerial policies is encouraged.

OVERVIEW OF CONTROL CONCEPTS

• Internal control is a process because:
  – It permeates an organization’s operating activities.
  – It is an integral part of basic management activities.
• Internal control provides reasonable, rather than absolute, assurance, because complete

OVERVIEW OF CONTROL CONCEPTS

• Internal control systems have inherent limitations, including:
  – They are susceptible to errors and poor decisions.
  – They can be overridden by management or by collusion of two or more employees.
• Internal control objectives are often at odds with each other.

OVERVIEW OF CONTROL CONCEPTS

• Internal controls perform three important functions:
  – Preventive controls
  – Detective controls
  – Corrective controls
    • Remedy problems that have occurred by:
      – Identifying the cause;
      – Correcting the resulting errors; and

OVERVIEW OF CONTROL CONCEPTS

• Internal controls are often classified as:
  – General controls
    • Those designed to make sure an organization’s control environment is stable and well managed.
    • They apply to all sizes and types of systems.
  – Application controls
    • Prevent, detect, and correct transaction errors and fraud.
    • Concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored,

OVERVIEW OF CONTROL CONCEPTS

• An effective system of internal controls should exist in all organizations to:

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.
• The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.
• A significant effect was to require that corporations maintain good systems of internal accounting control.
  – Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.
  – The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka, SOX).

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• The intent of SOX is to:
  – Prevent financial statement fraud
  – Make financial reports more transparent
  – Protect investors
  – Strengthen internal controls in publicly-held companies
  – Punish executives who perpetrate fraud
• SOX has had a material impact on the way boards of directors, management, and

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• Important aspects of SOX include:
  – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
    • Has five members, three of whom cannot be CPAs.
    • Charges fees to firms to fund the PCAOB.
    • Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports.
  – New rules for auditors
    • They must report specific information to the company’s audit committee, such as:
      – Critical accounting policies and practices
      – Alternative GAAP treatments
      – Auditor-management disagreements
    • Auditors cannot perform certain non-audit services, such as:
      – Bookkeeping
      – Information systems design and implementation
      – Internal audit outsourcing services
      – Management functions
    • Permissible non-audit services must be approved by the board of directors and disclosed to investors.
  – New rules for audit committees
    • Members must be on the company’s board of directors and must otherwise be independent of the company.
    • One member must be a financial expert.
  – New rules for management
    • The CEO and CFO must certify that:
      – The financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
      – Management is responsible for internal controls.
      – The auditors were advised of any material internal control weaknesses or fraud.
    • If management willfully and knowingly violates the certification, they can be:
      – Imprisoned up to 20 years
      – Fined up to $5 million
    • Management and directors cannot receive loans that would not be available to people outside the company.
  – New internal control requirements
    • Section 404 of SOX requires companies to issue a report accompanying the financial statements that:
      – States management is responsible for establishing and maintaining an adequate internal control structure and procedures.
      – Contains management’s assessment of the company’s internal controls.
    • SOX also requires that the auditor attests to and reports on management’s internal control assessment.

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• After the passage of SOX, the SEC further mandated that:
  – Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
  – The report must contain a statement identifying the framework used.
  – Management must disclose any and all material internal control weaknesses.
  – Management cannot conclude that the company has effective internal control if there are any material

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

• Levers of control
  – Many people feel there is a basic conflict between creativity and controls.
  – Robert Simons has espoused four levers of controls to help companies reconcile this conflict:
    • A concise belief system
      – Communicates company core values to employees and inspires them to live by those values.
      – Draws attention to how the organization creates value.
      – Helps employees understand management’s intended direction.
    • A boundary system
      – Helps employees act ethically by setting limits beyond which they must not pass.
      – Does not create rules and standard operating procedures that can stifle creativity.
      – Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as:
        • Meeting minimum standards of performance
        • Shunning off-limits activities
    • A diagnostic control system
      – Ensures efficient and effective achievement of important controls.
      – This system measures company progress by comparing actual to planned performance.
      – Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.
    • An interactive control system
      – Helps top-level managers with high-level activities that demand frequent and regular attention. Examples:
        • Developing company strategy.
        • Setting company objectives.
        • Understanding and assessing threats and risks.
        • Monitoring changes in competitive conditions and emerging technologies.
        • Developing responses and action plans to proactively deal with these high-level issues.
      – Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.

CONTROL FRAMEWORKS

• A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
  – The COBIT framework
  – The COSO internal control framework
  – COSO’s Enterprise Risk Management

CONTROL FRAMEWORKS

• COBIT framework
  – Also known as the Control Objectives for Information and Related Technology framework.
  – Developed by the Information Systems Audit and Control Foundation (ISACF).
  – A framework of generally applicable

CONTROL FRAMEWORKS

• The COBIT framework allows:
  – Management to benchmark security and control practices of IT environments.
  – Users of IT services to be assured that adequate security and control exists.
  – Auditors to substantiate their opinions on

CONTROL FRAMEWORKS

• The framework addresses the issue of control from three vantage points or dimensions:
  – Business objectives
    • To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.”
    • The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
      – Effectiveness (relevant, pertinent, and timely)
      – Efficiency
      – Confidentiality
      – Integrity
      – Availability
  – IT resources
    • Includes:
      – People
      – Application systems
      – Technology
      – Facilities
  – IT processes
    • Broken into four domains:
      – Planning and organization
      – Acquisition and implementation
      – Delivery and support

CONTROL FRAMEWORKS

• COBIT consolidates standards from 36 different sources into a single framework.
• It is having a big impact on the IS profession.
  – Helps managers to learn how to balance risk and control investment in an IS environment.
  – Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.
  – Guides auditors as they substantiate their opinions and provide advice to management on internal

CONTROL FRAMEWORKS

• COSO’s internal control framework
  – The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
    • The American Accounting Association
    • The AICPA
    • The Institute of Internal Auditors

CONTROL FRAMEWORKS

• In 1992, COSO issued the Internal Control Integrated Framework:
  – Defines internal controls.
  – Provides guidance for evaluating and enhancing internal control systems.
  – Widely accepted as the authority on internal controls.
  – Incorporated into policies, rules, and

CONTROL FRAMEWORKS

• COSO’s internal control model has five crucial components:
  – Control environment
    • The core of any business is its people.
  – Control activities
    • Policies and procedures must be established and executed to ensure that actions identified by
  – Risk assessment
    • The organization must be aware of and deal with the risks it faces.
  – Information and communication
    • Information and communications systems surround the control activities.
  – Monitoring

CONTROL FRAMEWORKS

• Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.
• Result: Enterprise Risk Management Integrated Framework (ERM)
  – An enhanced corporate governance document.
  – Expands on elements of preceding framework.

CONTROL FRAMEWORKS

• Intent of ERM is to achieve all goals of the internal control framework and help the organization:
  – Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.
  – Achieve its financial and performance targets.
  – Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.

CONTROL FRAMEWORKS

• ERM defines risk management as:
  – A process effected by an entity’s board of directors, management, and other personnel.
  – Applied in strategy setting and across the enterprise.
  – To identify potential events that may affect the entity.
  – And manage risk to be within its risk appetite.
  – In order to provide reasonable assurance of

CONTROL FRAMEWORKS

• Basic principles behind ERM:
  – Companies are formed to create value for owners.
  – Management must decide how much uncertainty they will accept.
  – Uncertainty can result in:
    • Risk
      – The possibility that something will happen to:
        • Adversely affect the ability to create value; or
    • Opportunity

CONTROL FRAMEWORKS

  – The framework should help management manage uncertainty and its associated risk to build and preserve value.
  – To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company

CONTROL FRAMEWORKS

• Columns at the top represent the four types of objectives that management must meet to achieve company goals.
  – Strategic objectives
  – Operations objectives
    • Operations objectives deal with effectiveness and efficiency of company operations, such as:
      – Performance and profitability goals
  – Reporting objectives
    • Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
  – Compliance objectives
    • Compliance objectives help the company comply with applicable laws and regulations.
    • External parties often set the compliance rules.

CONTROL FRAMEWORKS

• ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.
• However, strategic and operations objectives are sometimes at the mercy of external events that the company can’t control.
• Therefore, in these areas, the only reasonable assurance the ERM can provide is that

CONTROL FRAMEWORKS

• Columns on the right represent the company’s units:
  – Entire company
  – Division

CONTROL FRAMEWORKS

• The horizontal rows are eight related risk and control components, including:
  – Internal environment
    • The tone or culture of the company.
    • Provides discipline and structure and is the foundation for all other components.
    • Essentially, the same as control environment in the COSO
  – Objective setting
    • Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company’s mission and are consistent with the company’s tolerance for risk.
  – Event identification
    • Requires management to identify events that may affect the company’s ability to implement its strategy and achieve its objectives.
    • Management must then determine whether these events represent:
  – Risk assessment
    • Identified risks are assessed to determine how to manage them and how they affect the company’s ability to achieve its objectives.
    • Qualitative and quantitative methods are used to assess risks individually and by category in terms of:
      – Likelihood
      – Positive and negative impact
      – Effect on other organizational units
    • Risks are analyzed on an inherent and a residual basis.
    • Corresponds to the risk
  – Risk response
    • Management aligns identified risks with the company’s tolerance for risk by choosing to:
      – Avoid
      – Reduce
      – Share
      – Accept
    • Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and costs-benefits of alternate
  – Control activities
    • To implement management’s risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization.
  – Information and communication
    • Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.
    • Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.
    • Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.
  – Monitoring
    • ERM processes must be monitored on an ongoing basis and modified as needed.
    • Accomplished with ongoing management activities and separate evaluations.
    • Deficiencies are reported to management.
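As an added example (not code from the slides or the textbook), the risk assessment and risk response components above carried through quantitatively in Python: each threat has a likelihood and an exposure, inherent and residual expected losses are computed, the control's cost-benefit is tested, and avoid, reduce, share or accept is chosen against a dollar risk tolerance. Every threat, likelihood, exposure and control cost is a constructed sample value.

```python
"""Inherent vs. residual expected loss and the avoid/reduce/share/accept
decision, using the chapter's vocabulary (threat, likelihood, exposure,
risk appetite). All threats, numbers and controls below are constructed
sample values, not figures from the slides or the textbook."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    """A candidate 'reduce' response: its yearly cost and how far it scales
    down the likelihood and the exposure of the threat it addresses."""
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # residual likelihood = likelihood * factor
    exposure_factor: float = 1.0    # residual exposure   = exposure * factor


@dataclass(frozen=True)
class Threat:
    """A potential adverse event: its annual likelihood (0..1) and its
    exposure, the dollar loss that would occur if it becomes a reality."""
    name: str
    likelihood: float
    exposure: float
    control: Optional[Control] = None
    transferable: bool = False  # can the risk be shared, e.g. insured?

    def __post_init__(self) -> None:
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be a probability")
        if self.exposure < 0 or (self.control and self.control.annual_cost < 0):
            raise ValueError(f"{self.name}: dollar amounts must be non-negative")


def inherent_expected_loss(t: Threat) -> float:
    """Expected annual loss before any response (inherent basis)."""
    return t.likelihood * t.exposure


def residual_expected_loss(t: Threat) -> float:
    """Expected annual loss after the candidate control (residual basis)."""
    if t.control is None:
        return inherent_expected_loss(t)
    c = t.control
    return (t.likelihood * c.likelihood_factor) * (t.exposure * c.exposure_factor)


def choose_response(t: Threat, tolerance: float) -> str:
    """Pick avoid / reduce / share / accept against a dollar risk tolerance.

    accept : the inherent expected loss is already within tolerance.
    reduce : the control's benefit (inherent - residual) exceeds its cost
             AND the residual loss is within tolerance (the cost-benefit test).
    share  : still above tolerance, but the risk can be transferred.
    avoid  : nothing else brings the risk within tolerance.
    """
    inherent = inherent_expected_loss(t)
    if inherent <= tolerance:
        return "accept"
    if t.control is not None:
        residual = residual_expected_loss(t)
        if inherent - residual > t.control.annual_cost and residual <= tolerance:
            return "reduce"
    if t.transferable:
        return "share"
    return "avoid"


def assess_portfolio(threats: List[Threat], tolerance: float) -> List[Tuple[str, float, float, str]]:
    """Entity-wide view: (name, inherent, residual, response) per threat."""
    return [(t.name, inherent_expected_loss(t), residual_expected_loss(t),
             choose_response(t, tolerance)) for t in threats]


def retained_expected_loss(threats: List[Threat], tolerance: float) -> float:
    """Expected annual loss the company keeps after responding. Shared and
    avoided risks leave the retained portfolio; the premium paid or value
    foregone for them is outside this simple model."""
    total = 0.0
    for t in threats:
        response = choose_response(t, tolerance)
        if response == "accept":
            total += inherent_expected_loss(t)
        elif response == "reduce":
            total += residual_expected_loss(t)
    return total


# Constructed sample values: hypothetical threats to an AIS and hypothetical controls.
RISK_TOLERANCE = 10_000.0  # risk appetite expressed as an expected annual loss
SAMPLE_THREATS = [
    Threat("Unauthorized change to payroll master file", 0.20, 150_000.0,
           Control("Access control plus change logging", 12_000.0, 0.25, 0.60)),
    Threat("Data centre fire", 0.01, 2_000_000.0,
           Control("Off-site backups and DR site", 60_000.0, 1.0, 0.30),
           transferable=True),
    Threat("Clerical errors in invoice entry", 0.90, 5_000.0),
    Threat("Launch of an unvetted online payment channel", 0.30, 500_000.0),
]

if __name__ == "__main__":
    for name, inh, res, resp in assess_portfolio(SAMPLE_THREATS, RISK_TOLERANCE):
        print(f"{name:46s} inherent {inh:>10,.0f} residual {res:>10,.0f} -> {resp}")
```

With these constructed values two risks are retained (one accepted, one reduced) for about $9,000 of expected annual loss, while the fire risk fails the cost-benefit test and is shared and the unvetted channel is avoided.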

CONTROL FRAMEWORKS

• The ERM model is three-dimensional.
• Means that each of the eight risk and control elements are applied to the four objectives in the entire company and/or one of its

CONTROL FRAMEWORKS

• ERM framework vs. the internal control framework
  – The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
    • It has too narrow of a focus.
      – Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.
      – Makes it difficult to know:
        • Which control systems are most important.
        • Whether they adequately deal with risk.
    • Focusing on controls first has an inherent bias toward past problems and concerns.
      – May contribute to systems with many controls to protect

CONTROL FRAMEWORKS

• These issues led to COSO’s development of the ERM framework.
  – Takes a risk-based, rather than controls-based, approach to the organization.
  – Oriented toward future and constant change.
  – Incorporates rather than replaces COSO’s internal control framework and contains three additional elements:
    • Setting objectives.
    • Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives.

CONTROL FRAMEWORKS

  – Controls are flexible and relevant because they are linked to current organizational objectives.
  – ERM also recognizes more options than simply controlling risk, which include

(90)

CONTROL FRAMEWORKS

• Over time, ERM will probably become the most widely adopted risk and control model.

(91)

INTERNAL ENVIRONMENT

• The most critical component of the ERM and the internal control framework.

• Is the foundation on which the other seven components rest.

• Influences how organizations:

– Establish strategies and objectives

– Structure business activities

– Identify, assess, and respond to risk

(92)

INTERNAL ENVIRONMENT

• Internal environment consists of the following:

– Management’s philosophy, operating style, and risk appetite

– The board of directors

– Commitment to integrity, ethical values, and competence

– Organizational structure

– Methods of assigning authority and responsibility

– Human resource standards

(93)

INTERNAL ENVIRONMENT

• Internal environment consists of the following:

– Management’s philosophy, operating style, and risk appetite

– The board of directors

– Commitment to integrity, ethical values, and competence

– Organizational structure

– Methods of assigning authority and responsibility

– Human resource standards

(94)

INTERNAL ENVIRONMENT

Management’s philosophy, operating style, and risk appetite

– An organization’s management has shared beliefs and attitudes about risk.

– That philosophy affects everything the organization does, long- and short-term, and affects its communications.

– Companies also have a risk appetite, which is the amount of risk a company is willing to accept to achieve its goals and objectives.

(95)

INTERNAL ENVIRONMENT

– The more responsible management’s philosophy and operating style, the more likely employees will behave responsibly.

– This philosophy must be clearly communicated to all employees; it is not enough to give lip service.

– Management must back up words with

(96)

INTERNAL ENVIRONMENT

– This component can be assessed by asking questions such as:

• Does management take undue business risks or assess potential risks and rewards before acting?

• Does management attempt to manipulate performance measures such as net income?

(97)

INTERNAL ENVIRONMENT

• Internal environment consists of the following:

– Management’s philosophy, operating style, and risk appetite

– The board of directors

– Commitment to integrity, ethical values, and competence

– Organizational structure

– Methods of assigning authority and responsibility

– Human resource standards

(98)

INTERNAL ENVIRONMENT

The board of directors

– An active and involved board of directors plays an important role in internal control.

– They should:

• Oversee management

• Scrutinize management’s plans, performance, and activities

• Approve company strategy

• Review financial results

(99)

INTERNAL ENVIRONMENT

• Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders.

• At least a majority should be independent, outside directors not affiliated with the

(100)

INTERNAL ENVIRONMENT

• Public companies must have an audit committee, composed entirely of independent, outside directors.

– The audit committee oversees:

• The company’s internal control structure;

• Its financial reporting process; and

• Its compliance with laws, regulations, and standards.

– Works with the corporation’s external and internal auditors.

• Hires, compensates, and oversees the auditors.

• Auditors report all critical accounting policies and practices to the audit committee.

(101)

INTERNAL ENVIRONMENT

• Internal environment consists of the following:

– Management’s philosophy, operating style, and risk appetite

– The board of directors

– Commitment to integrity, ethical values, and competence

– Organizational structure

– Methods of assigning authority and responsibility

– Human resource standards

(102)

INTERNAL ENVIRONMENT

Commitment to integrity, ethical values, and competence

– Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence.

• Ethical standards of behavior make for good business.

• Tone at the top is everything.

(103)

INTERNAL ENVIRONMENT

• Companies can endorse integrity as a basic operating principle by actively teaching and requiring it.

– Management should:

• Make it clear that honest reports are more important than favorable ones.

– Management should avoid:

• Unrealistic expectations, incentives, or temptations.

• Attitude of earnings or revenue at any price.

• Overly aggressive sales practices.

• Unfair or unethical negotiation practices.

• Implied kickback offers.

• Excessive bonuses.

(104)

INTERNAL ENVIRONMENT

• Management should not assume that employees would always act honestly.

– Consistently reward and encourage honesty.

– Give verbal labels to honest and dishonest acts.

– The combination of these two will produce more

(105)

INTERNAL ENVIRONMENT

• Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct.

– In particular, such a code would cover issues that are uncertain or unclear.

(106)

INTERNAL ENVIRONMENT

• SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees:

– Should be written at a fifth-grade level.

– Should be reviewed annually with employees and signed.

– This approach helps employees keep themselves out of trouble.

(107)

INTERNAL ENVIRONMENT

• Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.

– Reports of dishonest acts should be thoroughly investigated.

– Those found guilty should be dismissed.

– Prosecution should be undertaken when possible, so that other employees are clear about consequences.

• Companies must make a commitment to competence.

– Begins with having competent employees.

(108)

INTERNAL ENVIRONMENT

• The levers of control, particularly beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants.

– Requires more than lip service and signing forms.

– Must be systems in which top management actively participates in order to:


(110)

INTERNAL ENVIRONMENT

• Companies must make a commitment to competence.

– Begins with having competent employees.

– Varies with each job but is a function of


(112)

INTERNAL ENVIRONMENT

• Internal environment consists of the following:

– Management’s philosophy, operating style, and risk appetite

– The board of directors

– Commitment to integrity, ethical values, and competence

– Organizational structure

– Methods of assigning authority and responsibility

– Human resource standards

(113)

INTERNAL ENVIRONMENT

Organizational structure

– A company’s organizational structure defines its lines of authority, responsibility, and reporting.

• Provides the overall framework for planning,

(114)

INTERNAL ENVIRONMENT

• Important aspects of organizational structure:

– Degree of centralization or decentralization.

– Assignment of responsibility for specific tasks.

– Direct-reporting relationships or matrix structure.

– Organization by industry, product, geographic location, or marketing network.

– How the responsibility allocation affects management’s information needs.

(115)

INTERNAL ENVIRONMENT

• Statistically, fraud occurs more frequently in organizations with complex structures.

– The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or

(116)

INTERNAL ENVIRONMENT

• In today’s business world, the hierarchical organizations with many layers of management are giving way to flatter organizations with self-directed work teams.

– Team members are empowered to make decisions without multiple layers of approvals.

– Emphasis is on continuous improvement rather than on regular evaluations.

(117)

INTERNAL ENVIRONMENT

• Internal environment consists of the following:

– Management’s philosophy, operating style, and risk appetite

– The board of directors

– Commitment to integrity, ethical values, and competence

– Organizational structure

– Methods of assigning authority and responsibility

– Human resource standards

(118)

INTERNAL ENVIRONMENT

Methods of assigning authority and responsibility

– Management should make sure:

• Employees understand the entity’s objectives.

• Authority and responsibility for business objectives are assigned to specific departments and individuals.

– Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.

– Management:

• Must be sure to identify who is responsible for the IS security policy.

(119)

INTERNAL ENVIRONMENT

• Authority and responsibility are assigned through:

– Formal job descriptions

– Employee training

– Operating plans, schedules, and budgets

– Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest

– Written policies and procedures manuals (a good job reference and job training tool), which cover:

• Proper business practices

• Knowledge and experience needed by key personnel

• Resources provided to carry out duties

• Policies and procedures for handling particular transactions

• The organization’s chart of accounts

(120)

INTERNAL ENVIRONMENT

• Internal environment consists of the following:

– Management’s philosophy, operating style, and risk appetite

– The board of directors

– Commitment to integrity, ethical values, and competence

– Organizational structure

– Methods of assigning authority and responsibility

(121)

INTERNAL ENVIRONMENT

Human resource standards

– Employees are both the company’s greatest control strength and the greatest control weakness.

– Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.

– Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency

(122)

INTERNAL ENVIRONMENT

• The following policies and procedures are important:

– Hiring

– Compensating

– Training

– Evaluating and promoting

– Discharging

– Managing disgruntled employees

– Vacations and rotation of duties

(123)

INTERNAL ENVIRONMENT

• The following policies and procedures are important:

– Hiring

– Compensating

– Training

– Evaluating and promoting

– Discharging

– Managing disgruntled employees

– Vacations and rotation of duties

(124)

INTERNAL ENVIRONMENT

• Hiring

– Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.

– Employees should undergo a formal, in-depth employment interview.

(125)

INTERNAL ENVIRONMENT

• Background checks can involve:

– Verifying education and experience.

– Talking with references.

– Checking for criminal records, credit issues, and other publicly available data.

– Note that you must have the employee’s or candidate’s written permission to conduct a background check, but that permission does not need to have an expiration date.
