TRACK PURCHASED SOFTWARE AND
MOBILE DEVICES
COBIT 5 is based on the following five key
principles of IT governance and
management.
1. Meeting stakeholder needs. COBIT 5 helps users
customize business processes and procedures to
create an information system that adds value to its
stakeholders. It also allows the company to create
the proper balance between risk and reward.
2. Covering the enterprise end-to-end. COBIT
5 does not just focus on the IT operation, it
integrates all IT functions and processes into
companywide functions and processes.
3. Applying a single, integrated framework.
COBIT 5 can be aligned at a high level with other
standards and frameworks so that an overarching
framework for IT governance and management is
created.
4. Enabling a holistic approach. COBIT 5 provides
a holistic approach that results in effective
governance and management of all IT functions in
the company.
5. Separating governance from
management. COBIT 5 distinguishes
between governance and management.
The basic principles behind ERM are as
follows:
● Companies are formed to create value for
their owners
● Management must decide how much
uncertainty it will accept as it creates value
● Uncertainty results in risk, which is the
possibility that something negatively affects
the company’s ability to create or preserve
value.
● Uncertainty results in opportunity, which is
the possibility that something positively affects
the company’s ability to create or preserve
value.
● The ERM framework can manage
uncertainty as well as create and preserve
value.
The more comprehensive ERM framework takes a risk-based rather
COBIT FRAMEWORK
Control Objectives for Information and Related
Technology (COBIT) - A security and control framework
that allows (1) management to benchmark the security and
control practices of IT environments, (2) users of IT
services to be assured that adequate security and control
exist, and (3) auditors to substantiate their internal control
opinions and advise on IT security and control matters.
COSO’S INTERNAL CONTROL
FRAMEWORK
Committee of Sponsoring Organizations
(COSO) - A privatesector group consisting of
the American Accounting Association, the
AICPA, the Institute of Internal Auditors, the
Institute of Management Accountants, and the
Financial Executives Institute.
Internal Control—Integrated Framework
(IC) - A COSO framework that defines internal
controls and provides guidance for evaluating
and enhancing internal control systems.
COSO’S ENTERPRISE RISK
MANAGEMENT FRAMEWORK
Enterprise Risk Management—Integrated
Framework (ERM) - A COSO framework that
improves the risk management process by
expanding (adds three additional elements)
COSO’s Internal Control—Integrated.
THE ENTERPRISE RISK MANAGEMENT
FRAMEWORK VERSUS THE INTERNAL
CONTROL FRAMEWORK
than a
controls-based approach.
ERM adds three additional elements to
COSO’s IC framework:
-setting objectives
-identifying events that may affect the
company
-developing a response to assessed risk.
The ERM model also recognizes that risk, in
addition to being
-controlled,
-can be accepted,
-avoided,
-diversified,
-shared, or
transferred.
MANAGEMENT’S PHILOSOPHY,
OPERATING STYLE, AND RISK APPETITE
risk appetite - The amount of risk a company
is willing to accept to achieve its goals and
objectives. To avoid undue risk, risk appetite
must be in alignment with company strategy.
COMMITMENT TO INTEGRITY, ETHICAL
VALUES, AND COMPETENCE
endorse integrity by:
● Actively teaching and requiring it
● Avoiding unrealistic expectations or incentives that
motivate dishonest or illegal acts
● Consistently rewarding honesty and giving verbal
labels to honest and dishonest
behavior
● Developing a written code of conduct that explicitly
describes honest and dishonest
behaviors
● Requiring employees to report dishonest or illegal
acts and disciplining employees who
knowingly fail to report them
● Making a commitment to competence
belief system - System that describes how a
company creates value, helps employees
understand management’s vision, communicates
company core values, and inspires employees to
live by those values.
boundary system - System that helps employees
act ethically by setting boundaries on employee
behavior.
diagnostic control system - System that
measures, monitors, and compares actual
company progress to budgets and performance
goals.
interactive control system - System that helps
managers to focus subordinates’ attention on key
strategic issues and to be more involved in their
decisions.
management reconcile the conflict between
Foreign Corrupt Practices Act (FCPA)
Legislation passed to prevent companies from
bribing foreign officials to obtain business; also
requires all publicly owned corporations
maintain a system of internal accounting
controls.
Sarbanes–Oxley Act (SOX)
Legislation intended to prevent financial
statement fraud, make financial reports more
transparent, provide protection to investors,
strengthen internal controls at public
companies, and punish executives who
perpetrate fraud.
Public Company Accounting Oversight Board
(PCAOB)
-A board created by SOX that regulates the
auditing profession; created as part of SOX.
internal environment - The company culture
that is the foundation for all other ERM
components, as it influences how
organizations establish strategies and
objectives; structure business activities; and
identify, assess, and respond to risk.
HUMAN RESOURCES STANDARDS THAT
ATTRACT, DEVELOP, AND RETAIN
INTERNAL CONTROL OVERSIGHT BY THE
BOARD OF DIRECTORS 2.COMPENSATING, EVALUATING, AND
audit committee - The outside, independent
board of director members responsible for
financial reporting, regulatory compliance,
internal control, and hiring and overseeing
4.MANAGING DISGRUNTLED EMPLOYEES
internal and external auditors.
ORGANIZATIONAL STRUCTURE
6.VACATIONS AND ROTATION OF DUTIES
provides a framework for planning, executing,
controlling, and monitoring operations include:
7.CONFIDENTIALITY AGREEMENTS AND
● Centralization or decentralization of
authority
● A direct or matrix reporting relationship
● Organization by industry, product line,
location, or marketing network
● How allocation of responsibility affects
information requirements
● Organization of and lines of authority for
accounting, auditing, and information system
functions
● Size and nature of company activities
METHODS OF ASSIGNING AUTHORITY
AND RESPONSIBILITY
Authority and responsibility are assigned and
communicated using formal job
descriptions, employee training, operating
schedules, budgets, a code of conduct,
and written policies and procedures
policy and procedures manual - A
document that explains proper business
practices, describes needed knowledge and
experience, explains document procedures,
explains how to handle transactions, and lists
the resources provided to carry out specific
duties.
preventive controls - Controls that deter
problems before they arise.
detective controls - Controls designed to
Internal controls perform three important discover control problems that were not
functions: prevented.
corrective controls - Controls that identify and
correct problems as well as correct and recover
from the resulting errors
Information is available to an unprecedented
Information on distributed computer networks
Customers and suppliers have access to
each other’s systems and data
four levers of control to help internal controls - The processes and procedures
Internal controls are often segregated into two
implemented to provide reasonable assurance that control
categories:
creativity and controls. objectives are met
general controls - Controls designed to make
sure an organization’s information system and
control environment is stable and well managed.
application controls - Controls that prevent,
detect, and correct transaction errors and fraud in
application programs.
Overview of Control
Concepts
Control Frameworks
The Internal Environment
Objective Setting and
Event Identification
OBJECTIVE SETTING
EXTERNAL INFLUENCES strategic objectives - High-level goals that
are aligned with and support the company’s
include requirements imposed by stock
mission and create shareholder value
exchanges, the Financial Accounting
Standards Board (FASB), the PCAOB, and operations objectives - Objectives that deal
the SEC. with the effectiveness and efficiency of
requirements company operations and determine how to
imposed by regulatory agencies, such as allocate resources.
those for banks, utilities, and insurance
companies. reporting objectives - Objectives to help
ensure the accuracy, completeness, and
reliability of company reports; improve
COMPETENT INDIVIDUALS decision making; and monitor company
activities and performance.
1.HIRING compliance objectives - Objectives to help
the company comply with all applicable laws
background check - An investigation of a and
prospective or current employee that involves regulations.
verifying their educational and work
experience, talking to references, checking for
a criminal record or credit problems, and
examining other publicly available information.
PROMOTING
3.TRAINING
5.DISCHARGING
● Accept. Accept the likelihood and impact of
FIDELITY BOND INSURANCE
8.PROSECUTE AND INCARCERATE Most fraud is not reported or prosecuted
PERPETRATORS for several reasons:
1. Companies are reluctant to report fraud
because it can be a public relations
disaster
2. Law enforcement and the courts are busy
with violent crimes and have less time and
interest for computer crimes in which no
physical harm occurs.
3. Fraud is difficult, costly, and time-
consuming to investigate and prosecute
4. Many law enforcement officials, lawyers,
and judges lack the computer skills needed
to
investigate and prosecute computer
crimes.
5. Fraud sentences are often light
their loss could represent a substantial exposure.
Items to track are the devices, who has them,
what tasks they perform, the security features
installed, and what software the company needs
to maintain adequate system and network CONDUCT PERIODIC AUDITS
security.
Informing employees of audits helps resolve
● Some companies view the loss of crucial privacy issues, deters fraud, and reduces errors.
information as a distant, unlikely threat. MONITOR SYSTEM ACTIVITIES Auditors should regularly test system controls and computer security officer (CSO) - An employee
periodically browse system usage files looking for independent of the information system function
● The control implications of moving from who monitors the system, disseminates
centralized computer systems to Internet- Risk analysis and management software packages suspicious activities.
information about improper system uses and their
based review computer and network security measures, consequences, and reports to top management.
systems are not fully understood. detect illegal access, test for weaknesses and EMPLOY A COMPUTER SECURITY OFFICER
● Many companies do not realize that vulnerabilities, report weaknesses found, and suggest AND A CHIEF COMPLIANCE OFFICER
chief compliance officer (CCO) - An employee
information is a strategic resource and that improvements responsible for all the compliance tasks
protecting it must be a strategic requirement associated with SOX and other laws and
regulatory rulings.
● Productivity and cost pressures motivate
USE RESPONSIBILITY ACCOUNTING SYSTEMS
management to forgo time-consuming control
forensic investigators - Individuals who
measures.
specialize in fraud, most of whom have
Responsibility - include budgets, quotas, schedules, specialized training with law enforcement
standard costs, and quality standards; reports comparing agencies such as the FBI or IRS or have
actual and planned performance; and procedures for professional certifications such as Certified Fraud
ENGAGE FORENSIC SPECIALISTS Examiner (CFE).
investigating and correcting significant variances.
Organizations have not adequately protected computer forensics specialists - Computer
data for several reasons: experts who discover, extract, safeguard, and
IMPLEMENT EFFECTIVE SUPERVISION document computer evidence such that its
INSTALL FRAUD DETECTION SOFTWARE authenticity, accuracy, and integrity will not
succumb to legal challenges
Effective supervision involves training and
assisting employees, monitoring their neural networks - Computing systems that
imitate the brain’s learning process by using a
performance, correcting errors, and
number of workers network of interconnected processors that perform
overseeing employees who have access to
multiple operations simultaneously and interact
WHY THREATS TO ACCOUNTING assets dynamically
INFORMATION SYSTEMS ARE
is hard to control
INCREASING PERFORM INTERNAL CONTROL EVALUATIONS
IMPLEMENT A FRAUD HOTLINE
Internal control effectiveness is measured
using a formal or a self-assessment evaluation.
fraud hotline - A phone number employees can
call to anonymously report fraud and abuse.
threat/event - Any potential adverse MONITORING
occurrence or unwanted event that could
injure the AIS or the organization.
exposure/impact - The potential dollar loss
should a particular threat become a reality.
capture and exchange the information needed
to conduct, manage, and control the organization’s
likelihood/risk - The probability that a threat operations.
will come to pass.
The primary purpose of an accounting information
system (AIS) is to gather, record, process,
store, summarize, and communicate
information about an organization.
INFORMATION AND COMMUNICATION
Introduction audit trail - A path that allows a transaction to be
traced through a data processing system from
point of origin to output or backward from output to 1.systems administrator - Person
three principles apply: point of origin. responsible for making sure a system
operates smoothly and efficiently.
1. Obtain or generate relevant, high-quality
2.network manager - Person who ensures
information to support internal control. that the organization’s networks operate
2. Internally communicate the information,
properly.
including objectives and responsibilities,
necessary to support the other components of 3.security management - People that make
internal control. sure systems are secure and protected from
internal and external threats.
3. Communicate relevant internal control matters
to external parties.
4.change management - Process of making
sure changes are made smoothly and
efficiently and do not negatively affect the
Communicate Information and Monitor system.
5. users - People who record transactions,
SEGREGATION OF ACCOUNTING DUTIES Authority and responsibility
Control Processes should be divided clearly among the following
authorize data processing, and use system
Separating the accounting functions of output.
functions:
authorization, custody, and recording to
minimize an employee’s ability to commit 6.systems analysts - People who help users
fraud. determine their information needs and design
systems to meet those needs.
7.Programmers - People who use the
SEGREGATION OF DUTIES analysts’ design to create and test computer
programs.
SEGREGATION OF SYSTEMS DUTIES 8.computer operators - People who operate
general authorization - The authorization
the company’s computers.
given employees to handle routine
Implementing control procedures to clearly
transactions without special approval. 9. information system library - Corporate
divide authority and responsibility within the
databases, files, and programs stored and
information system function.
managed by the system librarian.
specific authorization - Special approval an
employee needs in order to be allowed to 10.data control group - People who ensure
Important systems development controls that source data is approved, monitor the flow
CHAPTER 7- handle a transaction.
PROJECT DEVELOPMENT AND include the following: of work, reconcile input and output, handle
Control and Accounting digital signature - A means of electronically
ACQUISITION CONTROLS input errors, and distribute systems output.
1. A steering committee guides and
Information Systems signing a document with data that cannot be oversees systems development and
forged. acquisition.
2. A strategic master plan is developed and updated yearly to
Authorization - Establishing policies for align an organization’s information system with its business
employees to follow and then empowering strategies. It shows the projects that must be completed, and
them to perform certain organizational CHANGE MANAGEMENT CONTROLS
it addresses the company’s hardware, software, personnel,
functions. Authorizations are often Organizations modify existing systems to and infrastructure requirements.
documented by signing, initializing, or reflect new business practices and to take
3. A project development plan shows the tasks to be
entering an authorization code on a document advantage
performed, who will perform them, project costs, completion
or record. of IT advancements.
dates, and project milestones—significant points when
progress is reviewed and actual and estimated completion
PROPER AUTHORIZATION OF times are compared. Each project is assigned to a manager
TRANSACTIONS AND ACTIVITIES and team who are responsible for its success or failure.
4. A data processing schedule shows when
DESIGN AND USE OF DOCUMENTS AND each task should be performed.
RECORDS
5. System performance measurements are established to evaluate
Control Activities Their form and content should be as simple the system. Common measurements include throughput (output
per unit of time), utilization (percentage of time the system is used),
as possible, minimize errors, and facilitate and response time (how long it takes for the system to respond).
review and verification. Documents that
Policies, procedures, and rules that provide initiate a transaction should contain a space 6. A postimplementation review is performed after a
reasonable assurance that control development project is completed to
for authorizations
objectives are met and risk responses are determine whether the anticipated benefits were
carried out. achieved.
Control procedures fall into the following
categories:
SAFEGUARD ASSETS, RECORDS, AND
1. Proper authorization of transactions and activities DATA
EVENT IDENTIFICATION
2. Segregation of duties ● Protect records and documents.
3. Project development and acquisition controls it is important to: ● Create and enforce appropriate policies and
Event - A positive or negative incident or procedures.
4. Change management controls
occurrence from internal or external sources ● Maintain accurate records of all assets.
that affects the implementation of strategy or 5. Design and use of documents and records ● Restrict access to assets
the achievement of objectives. 6. Safeguarding assets, records, and data
7. Independent checks on performance
INDEPENDENT CHECKS ON
Likelihood and impact must be considered PERFORMANCE
together. As
ESTIMATE LIKELIHOOD AND IMPACT
either increases, both the materiality of the done by someone other than the person who
event and the need to protect against it rise. performs
the original operation, help ensure that
When preventive controls fail, detective
transactions are processed accurately
IDENTIFY CONTROLS controls are essential for discovering the
problem
expected loss - The mathematical product of ● Top-level reviews.
Risk Assessment and Risk the potential dollar loss that would occur
ESTIMATE COSTS AND BENEFITS should a threat become a reality (called ● Analytical reviews
Response impact or exposure) and the risk or probability ● Reconciliation of independently maintained records.
that the threat will occur (called likelihood). ● Comparison of actual quantities with recorded
amounts.
inherent risk - The susceptibility of a set of In evaluating internal controls, management
DETERMINE COST/BENEFIT ● Double-entry accounting.
accounts or transactions to significant control must consider factors other than those in the
EFFECTIVENESS
problems in the absence of internal control. expected cost/benefit calculation. ● Independent review.
residual risk - The risk that remains after Risks not reduced must be accepted, shared,
IMPLEMENT CONTROL OR ACCEPT,
management implements internal controls or or avoided. Risk can be accepted if it is within
SHARE, OR AVOID THE RISK
some other response to risk the company’s risk tolerance range.
Management can respond to risk in one of
four ways:
● Reduce. Reduce the likelihood and impact
of risk by implementing an effective system
of internal controls.
the risk
● Share. Share risk or transfer it to someone
else by buying insurance, outsourcing an
activity, or entering into hedging transactions.
● Avoid. Avoid risk by not engaging in the
activity that produces the risk. This may
require
the company to sell a division, exit a product
line, or not expand as anticipated.