7-1
Learning Objectives
Explain basic control concepts and explain why computer control and security are important.
Compare and contrast the COBIT, COSO, and ERM control frameworks.
Describe the four types of control objectives that companies need to set.
Describe the events that affect uncertainty and the techniques used to identify them.
Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model.
7-2
Internal Control
System to provide reasonable assurance that objectives are met, such as:
Safeguard assets.
7-3
Internal Control
Functions
Categories
Preventive
Deter problems
Detective
Discover problems
Corrective
Correct problems
General
Overall IC system and processes
Application
Transactions are processed correctly
7-4
7-5
7-6
7-7
Business objectives
IT resources
IT processes
7-8
Internal Control
Enterprise Risk Management Model
Setting objectives
Event identification
Risk assessment
Can be controlled but also
Accepted
Diversified
Shared
Transferred
7-9
Control Environment
Management's philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
7-10
ERM: Objective Setting
Strategic
Operational
Reporting
Compliance
7-11
ERM: Event Identification
An incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.
7-12
Risk Assessment
Identify Risk
Types of Risk
Inherent
Risk that exists before any plans are made to control it
Residual
Remaining risk after controls are in place to reduce it
7-13
ERM: Risk Response
Reduce
Accept
Share
Avoid
7-14
Event/Risk/Response Model
7-15
Control Activities
Policies and procedures to provide reasonable assurance that control objectives are met:
Segregation of duties
7-16
Separate:
Authorization
Approving transactions and decisions
Recording
Preparing source documents
Entering data into an AIS
Maintaining accounting records
Custody
Handling cash, inventory, fixed assets
Receiving incoming checks
Writing checks
7-17
Gather
Record
Process
Summarize
Communicate
7-18
Monitoring
Effective supervision.
7-19
System administration
Network management
Security management
Change management
Users
Systems analysts
Programmers
Computer operators
Information system librarian
Data control
7-20