Chapter 7: Risk Exposures and The Internal Control Structure
Internal Control
Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm's objectives will be achieved.
These controls encompass all the measures and practices that are used to counteract exposures to risks.
The control framework is called the Internal Control Structure.
Figure 7-1 (diagram): the Internal Control Structure and its components: Control Environment; Risk Assessment; Control Activities (Activities related to Financial Reporting, and Activities related to Information Processing, the latter divided into General Controls and Application Controls); Information & Communication; and Monitoring.
Control Environment
The Control Environment establishes the tone of a company, influencing the control consciousness of its employees.
It comprises seven components:
Highlights of CE Components - I
Management Philosophy and Operating Style
Does management emphasize short-term profits and operating goals over long-term goals?
Is management dominated by one or a few individuals?
What type of business risks does management take, and how are these risks managed?
Is management conservative or aggressive toward selecting from available alternative accounting principles?
Figure 7-2
Highlights of CE Components - II
Organization Structure
Is an up-to-date organization chart prepared, showing the names of key personnel?
Is the information systems function separated from incompatible functions?
How is the accounting department organized?
Is the internal audit function separate and distinct from accounting?
Do subordinate managers report to more than one supervisor?
Highlights of CE Components - IV
Human Resource Policies and Practices
Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and the Corporate Code of Conduct?
Is the company in compliance with the ADA? The EEOA?
Are Grievance Procedures to manage conflict in force?
Does the company maintain a sound Employee Relations program?
Do employees work in a safe, healthy environment?
Are Counseling Programs available to employees?
Are proper Separation Programs in force for employees who leave the firm?
Are critical employees Bonded?
Figure 7-2 Continued
Risk Assessment
Top management must be directly involved in Business Risk Assessment. This involves the Identification and Analysis of Relevant Risks that may prevent the attainment of Company-wide Objectives and Objectives of Organizational Units, and the formation of a plan to determine how to manage the risks.
Control Activities - I
Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:
Preventive Controls block adverse events, such as errors or losses, from occurring.
Detective Controls discover the occurrence of adverse events, such as operational inefficiency.
Corrective Controls are designed to remedy problems discovered through detective controls.
Security Measures are intended to provide adequate safeguards over access to and use of assets and data records.
Control Activities - II
Control Activities relating to Information Processing may also be classified according to where they will be applied within the system:
General Controls are those controls that pertain to all activities involving a firm's AIS and assets.
Application Controls relate to specific accounting tasks or transactions.
Risk
Business firms face risks that reduce the chances of achieving their control objectives.
Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers.
Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.
Figure 7-4
Types of Risks
Unintentional Errors
Deliberate Errors (Fraud)
Unintentional Losses of Assets
Thefts of Assets
Breaches of Security
Acts of Violence and Natural Disasters
Problem Conditions Affecting Risk Exposures
Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures.
Lack of Enforcement: management may not prosecute wrongdoers because of the potential embarrassment.
Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect.
Computer Crime
Computer crime (computer abuse) is the use of a computer to deceive for personal gain.
Due to the proliferation of networks and personal computers, computer crime is expected to increase significantly both in frequency and in amount of loss.
It is speculated that a relatively small proportion of computer crime gets detected, and an even smaller proportion gets reported.
Examples of Computer Crime
Theft of Computer Hardware & Software
Unauthorized Use of Computer Facilities for Personal Use
Fraudulent Modification or Use of Data or Programs
Processing is Concentrated
Audit Trails may be Undermined
Human Judgment is Bypassed
Data are stored in Device-Oriented rather than Human-Oriented forms
Invisible Data
Stored data are Erasable
Data are stored in a Compressed form
Stored data are relatively accessible
Feasibility of Controls
Audit Considerations
Cost-Benefit Considerations
Determine the Specific Computer Resources Subject to Control
Determine all Potential Threats to the company's Computer System
Assess the Relevant Risks to which the firm is exposed
Measure the Extent of each Relevant Risk Exposure in dollar terms
Multiply the Estimated Effect of each Relevant Risk Exposure by the Estimated Frequency of Occurrence over a Reasonable Period, such as a year
Compute the Cost of Installing and Maintaining a Control that is to Counter each Relevant Risk Exposure
Compare the Benefits against the Costs of Each Control
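The cost-benefit steps above, carried through in code as an added example (not from the textbook): each exposure's annual expected loss is its dollar effect times its yearly frequency, a control's benefit is the share of that loss it removes, and controls are ranked by benefit minus cost. The resources, threats, control names, dollar figures and reduction factors are constructed for illustration; the example also rejects a control whose cost exceeds the loss it would avoid.

```python
from dataclasses import dataclass

@dataclass
class RiskExposure:
    """A relevant risk to a specific computer resource (steps 1-4 of the procedure)."""
    resource: str
    threat: str
    effect_dollars: float       # estimated loss per occurrence, in dollars
    annual_frequency: float     # estimated occurrences per year

    def annual_expected_loss(self) -> float:
        # Step 5: estimated effect multiplied by estimated frequency over one year.
        return self.effect_dollars * self.annual_frequency

@dataclass
class Control:
    """A candidate control (hypothetical names and figures, not from the text)."""
    name: str
    annual_cost: float          # step 6: cost to install and maintain, per year
    risk_reduction: float       # share of the exposure the control removes, 0.0 to 1.0

def evaluate_control(exposure: RiskExposure, control: Control) -> dict:
    """Step 7: compare the benefit (expected loss avoided) against the control's cost."""
    if not 0.0 <= control.risk_reduction <= 1.0:
        raise ValueError("risk_reduction must lie between 0 and 1")
    benefit = exposure.annual_expected_loss() * control.risk_reduction
    net = benefit - control.annual_cost
    return {"control": control.name, "resource": exposure.resource,
            "benefit": benefit, "cost": control.annual_cost,
            "net_benefit": net, "justified": net > 0}

def rank_controls(candidates: list) -> list:
    """Evaluate every (exposure, control) pair and order them by net benefit, best first."""
    results = [evaluate_control(e, c) for e, c in candidates]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)

# Constructed sample data for illustration only.
SAMPLE = [
    (RiskExposure("payroll master file", "unauthorized modification", 20_000, 0.5),
     Control("access-control software", annual_cost=4_000, risk_reduction=0.8)),
    (RiskExposure("data library tapes", "theft of media", 5_000, 0.2),
     Control("guarded data library", annual_cost=6_000, risk_reduction=0.9)),
    (RiskExposure("computer center", "power interruption", 15_000, 2.0),
     Control("backup power supply", annual_cost=9_000, risk_reduction=0.9)),
]

if __name__ == "__main__":
    for r in rank_controls(SAMPLE):
        verdict = "justified" if r["justified"] else "not justified"
        print(f'{r["control"]:<24} benefit ${r["benefit"]:>9,.0f}  '
              f'cost ${r["cost"]:>7,.0f}  net ${r["net_benefit"]:>9,.0f}  {verdict}')
```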
Legislation
The Foreign Corrupt Practices Act of 1977
Of the Federal Legislation governing the use of computers, The Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important.
This act makes it a federal crime to intentionally access a computer for such purposes as: (1) obtaining top-secret military information, or personal, financial, or credit information; (2) committing a fraud; (3) altering or destroying federal information.
Figure 7-6: Manual System Characteristics, Computer-based System Characteristics, Risk Exposures, and Compensating Controls

Manual system: Data recorded in paper source documents
Computer-based system: Data sometimes captured without use of source documents
Compensating controls: Printed copies of source documents prepared by computer systems

Manual system: Processing steps performed by clerks who possess judgment
Computer-based system: Processing steps performed by CPU blindly in accordance with program instructions
Compensating controls: Outputs reviewed by users of computer system; carefully developed computer processing programs

Manual system: Processing steps divided among various clerks in separate departments
Computer-based system: Processing steps concentrated within computer CPU
Compensating controls: Restricted access to computer facilities; clear procedure for authorizing changes to programs

Manual system: Processing performed relatively slowly
Computer-based system: Processing performed very rapidly
Risk exposures: Unauthorized manipulation of data and theft of assets can occur on larger scale
Compensating controls: Printed journals and other analyses

Computer-based system: Data compressed on magnetic media (e.g., tapes, disks)
Risk exposures: Data may be accessed by unauthorized persons or stolen
Compensating controls: Security measures at points of access and over data library

Computer-based system: Data stored in invisible, erasable, computer-readable form
Risk exposures: Data are temporarily unusable by humans, and might possibly be lost

Computer-based system: Stored data accessible on a piece-meal basis at various locations
Risk exposures: Data may be accessed by unauthorized persons

Manual system: Outputs generated laboriously and usually in small volumes
Computer-based system: Outputs generated quickly and neatly, often in large volumes
Risk exposures: Inaccuracies may be buried in impressive-looking outputs that users accept on faith
Compensating controls: Reviews by users of outputs, including the checking of amounts

Manual system: Outputs usually in hard-copy form
Computer-based system: Outputs provided in various forms, including soft-copy displays and voice responses
Risk exposures: Information stored on magnetic media is subject to modification (only hard copy provides permanent record)
Compensating controls: Backup of files; periodic printing of stored files onto hard-copy records

Manual system: Relatively simple, inexpensive, and mobile
Computer-based system: Relatively complex, expensive, and in fixed locations
Risk exposures: Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed; operations may be delayed through inefficiencies
Compensating controls: Backup of data and power supply and equipment; preventive maintenance of equipment; restrictions on access to computer facilities; documentation of equipment usage and processing procedures
Copyright 2000 John Wiley & Sons, Inc. All rights reserved.