CHAPTER 7 - Control and Accounting Information Systems

Overview of Control Concepts

Introduction

threat/event - Any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
exposure/impact - The potential dollar loss should a particular threat become a reality.
likelihood/risk - The probability that a threat will come to pass.

WHY THREATS TO ACCOUNTING INFORMATION SYSTEMS ARE INCREASING
● Information is available to an unprecedented number of workers.
● Information on distributed computer networks is hard to control.
● Customers and suppliers have access to each other's systems and data.

Organizations have not adequately protected data for several reasons:
● Some companies view the loss of crucial information as a distant, unlikely threat.
● The control implications of moving from centralized computer systems to Internet-based systems are not fully understood.
● Many companies do not realize that information is a strategic resource and that protecting it must be a strategic requirement.
● Productivity and cost pressures motivate management to forgo time-consuming control measures.

internal controls - The processes and procedures implemented to provide reasonable assurance that control objectives are met.

Internal controls perform three important functions:
preventive controls - Controls that deter problems before they arise.
detective controls - Controls designed to discover control problems that were not prevented.
corrective controls - Controls that identify and correct problems as well as correct and recover from the resulting errors.

Internal controls are often segregated into two categories:
general controls - Controls designed to make sure an organization's information system and control environment is stable and well managed.
application controls - Controls that prevent, detect, and correct transaction errors and fraud in application programs.

Four levers of control help management reconcile the conflict between creativity and controls:
belief system - System that describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values.
boundary system - System that helps employees act ethically by setting boundaries on employee behavior.
diagnostic control system - System that measures, monitors, and compares actual company progress to budgets and performance goals.
interactive control system - System that helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions.

Foreign Corrupt Practices Act (FCPA) - Legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations to maintain a system of internal accounting controls.
Sarbanes–Oxley Act (SOX) - Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud.
Public Company Accounting Oversight Board (PCAOB) - A board created as part of SOX that regulates the auditing profession.

Control Frameworks

COBIT FRAMEWORK
Control Objectives for Information and Related Technology (COBIT) - A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.

COBIT 5 is based on the following five key principles of IT governance and management:
1. Meeting stakeholder needs. COBIT 5 helps users customize business processes and procedures to create an information system that adds value to its stakeholders. It also allows the company to create the proper balance between risk and reward.
2. Covering the enterprise end-to-end. COBIT 5 does not just focus on the IT operation; it integrates all IT functions and processes into companywide functions and processes.
3. Applying a single, integrated framework. COBIT 5 can be aligned at a high level with other standards and frameworks so that an overarching framework for IT governance and management is created.
4. Enabling a holistic approach. COBIT 5 provides a holistic approach that results in effective governance and management of all IT functions in the company.
5. Separating governance from management. COBIT 5 distinguishes between governance and management.

COSO'S INTERNAL CONTROL FRAMEWORK
Committee of Sponsoring Organizations (COSO) - A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
Internal Control—Integrated Framework (IC) - A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.

COSO'S ENTERPRISE RISK MANAGEMENT FRAMEWORK
Enterprise Risk Management—Integrated Framework (ERM) - A COSO framework that improves the risk management process by expanding (adding three additional elements to) COSO's Internal Control—Integrated Framework.

The basic principles behind ERM are as follows:
● Companies are formed to create value for their owners.
● Management must decide how much uncertainty it will accept as it creates value.
● Uncertainty results in risk, which is the possibility that something negatively affects the company's ability to create or preserve value.
● Uncertainty results in opportunity, which is the possibility that something positively affects the company's ability to create or preserve value.
● The ERM framework can manage uncertainty as well as create and preserve value.

THE ENTERPRISE RISK MANAGEMENT FRAMEWORK VERSUS THE INTERNAL CONTROL FRAMEWORK
The more comprehensive ERM framework takes a risk-based rather than a controls-based approach. ERM adds three additional elements to COSO's IC framework:
- Objective Setting - setting objectives
- Event Identification - identifying events that may affect the company
- developing a response to assessed risk
The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.

The Internal Environment

internal environment - The company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.

MANAGEMENT'S PHILOSOPHY, OPERATING STYLE, AND RISK APPETITE
risk appetite - The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.

COMMITMENT TO INTEGRITY, ETHICAL VALUES, AND COMPETENCE
Companies endorse integrity by:
● Actively teaching and requiring it.
● Avoiding unrealistic expectations or incentives that motivate dishonest or illegal acts.
● Consistently rewarding honesty and giving verbal labels to honest and dishonest behavior.
● Developing a written code of conduct that explicitly describes honest and dishonest behaviors.
● Requiring employees to report dishonest or illegal acts and disciplining employees who knowingly fail to report them.
● Making a commitment to competence.

INTERNAL CONTROL OVERSIGHT BY THE BOARD OF DIRECTORS
audit committee - The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors.

ORGANIZATIONAL STRUCTURE
The organizational structure provides a framework for planning, executing, controlling, and monitoring operations. Important aspects include:
● Centralization or decentralization of authority
● A direct or matrix reporting relationship
● Organization by industry, product line, location, or marketing network
● How allocation of responsibility affects information requirements
● Organization of and lines of authority for accounting, auditing, and information system functions
● Size and nature of company activities

METHODS OF ASSIGNING AUTHORITY AND RESPONSIBILITY
Authority and responsibility are assigned and communicated using formal job descriptions, employee training, operating schedules, budgets, a code of conduct, and written policies and procedures.
policy and procedures manual - A document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties.

HUMAN RESOURCES STANDARDS THAT ATTRACT, DEVELOP, AND RETAIN COMPETENT INDIVIDUALS
1. HIRING
background check - An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.
2. COMPENSATING, EVALUATING, AND PROMOTING
3. TRAINING
4. MANAGING DISGRUNTLED EMPLOYEES
5. DISCHARGING
6. VACATIONS AND ROTATION OF DUTIES
7. CONFIDENTIALITY AGREEMENTS AND FIDELITY BOND INSURANCE
8. PROSECUTE AND INCARCERATE PERPETRATORS

Most fraud is not reported or prosecuted for several reasons:
1. Companies are reluctant to report fraud because it can be a public relations disaster.
2. Law enforcement and the courts are busy with violent crimes and have less time and interest for computer crimes in which no physical harm occurs.
3. Fraud is difficult, costly, and time-consuming to investigate and prosecute.
4. Many law enforcement officials, lawyers, and judges lack the computer skills needed to investigate and prosecute computer crimes.
5. Fraud sentences are often light.

EXTERNAL INFLUENCES
External influences include requirements imposed by stock exchanges, the Financial Accounting Standards Board (FASB), the PCAOB, and the SEC, as well as requirements imposed by regulatory agencies, such as those for banks, utilities, and insurance companies.

OBJECTIVE SETTING
strategic objectives - High-level goals that are aligned with and support the company's mission and create shareholder value.
operations objectives - Objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources.
reporting objectives - Objectives to help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.
compliance objectives - Objectives to help the company comply with all applicable laws and regulations.

EVENT IDENTIFICATION
event - A positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives.

Risk Assessment and Risk Response

inherent risk - The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
residual risk - The risk that remains after management implements internal controls or some other response to risk.

ESTIMATE LIKELIHOOD AND IMPACT
Likelihood and impact must be considered together. As either increases, both the materiality of the event and the need to protect against it rise.

IDENTIFY CONTROLS
When preventive controls fail, detective controls are essential for discovering the problem.

ESTIMATE COSTS AND BENEFITS
expected loss - The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood).

DETERMINE COST/BENEFIT EFFECTIVENESS
In evaluating internal controls, management must consider factors other than those in the expected cost/benefit calculation.

IMPLEMENT CONTROL OR ACCEPT, SHARE, OR AVOID THE RISK
Risks not reduced must be accepted, shared, or avoided. Risk can be accepted if it is within the company's risk tolerance range. Management can respond to risk in one of four ways:
● Reduce. Reduce the likelihood and impact of risk by implementing an effective system of internal controls.
● Accept. Accept the likelihood and impact of the risk.
● Share. Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions.
● Avoid. Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.

Control Activities

control activities - Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out. Control procedures fall into the following categories:
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Project development and acquisition controls
4. Change management controls
5. Design and use of documents and records
6. Safeguarding assets, records, and data
7. Independent checks on performance

PROPER AUTHORIZATION OF TRANSACTIONS AND ACTIVITIES
authorization - Establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initializing, or entering an authorization code on a document or record.
general authorization - The authorization given employees to handle routine transactions without special approval.
specific authorization - Special approval an employee needs in order to be allowed to handle a transaction.
digital signature - A means of electronically signing a document with data that cannot be forged.

SEGREGATION OF DUTIES
segregation of accounting duties - Separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud.
segregation of systems duties - Implementing control procedures to clearly divide authority and responsibility within the information system function. Authority and responsibility should be divided clearly among the following functions:
1. systems administrator - Person responsible for making sure a system operates smoothly and efficiently.
2. network manager - Person who ensures that the organization's networks operate properly.
3. security management - People that make sure systems are secure and protected from internal and external threats.
4. change management - Process of making sure changes are made smoothly and efficiently and do not negatively affect the system.
5. users - People who record transactions, authorize data processing, and use system output.
6. systems analysts - People who help users determine their information needs and design systems to meet those needs.
7. programmers - People who use the analysts' design to create and test computer programs.
8. computer operators - People who operate the company's computers.
9. information system library - Corporate databases, files, and programs stored and managed by the system librarian.
10. data control group - People who ensure that source data is approved, monitor the flow of work, reconcile input and output, handle input errors, and distribute systems output.

PROJECT DEVELOPMENT AND ACQUISITION CONTROLS
Important systems development controls include the following:
1. A steering committee guides and oversees systems development and acquisition.
2. A strategic master plan is developed and updated yearly to align an organization's information system with its business strategies. It shows the projects that must be completed, and it addresses the company's hardware, software, personnel, and infrastructure requirements.
3. A project development plan shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones—significant points when progress is reviewed and actual and estimated completion times are compared. Each project is assigned to a manager and team who are responsible for its success or failure.
4. A data processing schedule shows when each task should be performed.
5. System performance measurements are established to evaluate the system. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is used), and response time (how long it takes for the system to respond).
6. A postimplementation review is performed after a development project is completed to determine whether the anticipated benefits were achieved.

CHANGE MANAGEMENT CONTROLS
Organizations modify existing systems to reflect new business practices and to take advantage of IT advancements.

DESIGN AND USE OF DOCUMENTS AND RECORDS
Their form and content should be as simple as possible, minimize errors, and facilitate review and verification. Documents that initiate a transaction should contain a space for authorizations.

SAFEGUARD ASSETS, RECORDS, AND DATA
It is important to:
● Protect records and documents.
● Create and enforce appropriate policies and procedures.
● Maintain accurate records of all assets.
● Restrict access to assets.

INDEPENDENT CHECKS ON PERFORMANCE
Independent checks, done by someone other than the person who performs the original operation, help ensure that transactions are processed accurately. They include:
● Top-level reviews.
● Analytical reviews.
● Reconciliation of independently maintained records.
● Comparison of actual quantities with recorded amounts.
● Double-entry accounting.
● Independent review.

Communicate Information and Monitor Control Processes

INFORMATION AND COMMUNICATION
The primary purpose of an accounting information system (AIS) is to gather, record, process, store, summarize, and communicate information about an organization, capturing and exchanging the information needed to conduct, manage, and control the organization's operations. Three principles apply:
1. Obtain or generate relevant, high-quality information to support internal control.
2. Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control.
3. Communicate relevant internal control matters to external parties.
audit trail - A path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin.

MONITORING

PERFORM INTERNAL CONTROL EVALUATIONS
Internal control effectiveness is measured using a formal or a self-assessment evaluation.

IMPLEMENT EFFECTIVE SUPERVISION
Effective supervision involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who have access to assets.

USE RESPONSIBILITY ACCOUNTING SYSTEMS
Responsibility accounting systems include budgets, quotas, schedules, standard costs, and quality standards; reports comparing actual and planned performance; and procedures for investigating and correcting significant variances.

MONITOR SYSTEM ACTIVITIES
Auditors should regularly test system controls and periodically browse system usage files looking for suspicious activities. Risk analysis and management software packages review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements.

...their loss could represent a substantial exposure. Items to track are the devices, who has them, what tasks they perform, the security features installed, and what software the company needs to maintain adequate system and network security.

CONDUCT PERIODIC AUDITS
Informing employees of audits helps resolve privacy issues, deters fraud, and reduces errors.

EMPLOY A COMPUTER SECURITY OFFICER AND A CHIEF COMPLIANCE OFFICER
computer security officer (CSO) - An employee independent of the information system function who monitors the system, disseminates information about improper system uses and their consequences, and reports to top management.
chief compliance officer (CCO) - An employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings.

ENGAGE FORENSIC SPECIALISTS
forensic investigators - Individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE).
computer forensics specialists - Computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.

INSTALL FRAUD DETECTION SOFTWARE
neural networks - Computing systems that imitate the brain's learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically.

IMPLEMENT A FRAUD HOTLINE
fraud hotline - A phone number employees can call to anonymously report fraud and abuse.
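As an added example, not part of these notes or of the textbook they summarize, the following Python script applies two of the control activities above as automated checks: the segregation of accounting duties (no one person should combine authorization, custody and recording) as an access review over role assignments, and the general versus specific authorization rule as an independent check over recorded transactions. The application role names, the role-to-function mapping, the user names, the transaction sample and the $5,000 general authorization limit are all constructed for illustration.

```python
from collections import defaultdict

# The three accounting functions the notes say must be kept apart.
FUNCTIONS = ("authorization", "custody", "recording")

# Hypothetical application roles mapped to the function each one exercises.
# None marks a read-only role that exercises no control function.
ROLE_FUNCTION = {
    "po_approver": "authorization",
    "credit_limit_approver": "authorization",
    "warehouse_clerk": "custody",
    "cashier": "custody",
    "ap_clerk": "recording",
    "gl_poster": "recording",
    "report_viewer": None,
}

# Assumed general authorization limit: routine transactions up to this amount
# need no special approval; anything above it needs specific authorization.
GENERAL_AUTHORIZATION_LIMIT = 5_000


def functions_held(roles):
    """Accounting functions exercised by a set of roles (unknown roles are ignored)."""
    return {ROLE_FUNCTION[r] for r in roles if ROLE_FUNCTION.get(r)}


def sod_conflicts(assignments):
    """Access review: given (user, role) pairs, return {user: sorted functions}
    for every user who combines two or more of authorization, custody, recording."""
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)
    conflicts = {}
    for user, roles in roles_by_user.items():
        held = functions_held(roles)
        if len(held) >= 2:
            conflicts[user] = sorted(held)
    return conflicts


def transaction_exceptions(transactions, limit=GENERAL_AUTHORIZATION_LIMIT):
    """Independent check over recorded transactions: flag any that one person
    both authorized and recorded, and any above the general authorization
    limit that carries no specific approval."""
    exceptions = []
    for t in transactions:
        if t["authorized_by"] == t["recorded_by"]:
            exceptions.append((t["id"], "authorized and recorded by the same person"))
        if t["amount"] > limit and not t["specific_approval"]:
            exceptions.append((t["id"], "above general authorization limit without specific approval"))
    return exceptions


# Constructed sample input (not real data): role assignments and one day's transactions.
ASSIGNMENTS = [
    ("alice", "po_approver"), ("alice", "report_viewer"),
    ("bob", "ap_clerk"), ("bob", "cashier"),                 # recording + custody
    ("carol", "warehouse_clerk"),
    ("dave", "gl_poster"), ("dave", "credit_limit_approver"), ("dave", "cashier"),  # all three
]

TRANSACTIONS = [
    {"id": "T1", "amount": 400, "authorized_by": "alice", "recorded_by": "bob", "specific_approval": False},
    {"id": "T2", "amount": 12_000, "authorized_by": "alice", "recorded_by": "bob", "specific_approval": False},
    {"id": "T3", "amount": 900, "authorized_by": "dave", "recorded_by": "dave", "specific_approval": False},
    {"id": "T4", "amount": 8_000, "authorized_by": "alice", "recorded_by": "bob", "specific_approval": True},
]

if __name__ == "__main__":
    for user, funcs in sod_conflicts(ASSIGNMENTS).items():
        print(f"SoD conflict: {user} holds {', '.join(funcs)}")
    for tx_id, reason in transaction_exceptions(TRANSACTIONS):
        print(f"exception {tx_id}: {reason}")
```

Run against the sample, the review reports bob (custody and recording) and dave (all three functions), and the transaction check flags T2 (above the limit, no specific approval) and T3 (dave authorized and recorded his own transaction). The same two functions can be pointed at a real role export and transaction log once the role mapping is replaced with the organization's own.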
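As a second added example, again not from the notes, the following Python code carries the risk assessment steps above through in working form: expected loss is computed as impact (exposure) times likelihood, the net benefit of a control is the reduction in expected loss it buys minus its cost, and the response is chosen as the notes describe, reduce with the most cost-effective control when one pays for itself, accept when none does but the expected loss lies within the risk tolerance, and otherwise flag the risk to be shared (for instance insured) or avoided. The threats, dollar figures, likelihoods, control names and the tolerance value are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float       # exposure: potential dollar loss if the threat occurs
    likelihood: float   # probability that it occurs in the period (0..1)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_impact: float      # exposure remaining once the control is in place
    residual_likelihood: float  # likelihood remaining once the control is in place


def expected_loss(impact, likelihood):
    """expected loss = impact (exposure) x likelihood, as defined in the notes."""
    return impact * likelihood


def net_benefit(threat, control):
    """Reduction in expected loss bought by the control, minus what it costs per year."""
    inherent = expected_loss(threat.impact, threat.likelihood)
    residual = expected_loss(control.residual_impact, control.residual_likelihood)
    return inherent - residual - control.annual_cost


def recommend(threat, controls, risk_tolerance):
    """Pick a response: reduce with the best-paying control; accept if no control
    pays for itself and the expected loss is within tolerance; else share or avoid."""
    inherent = expected_loss(threat.impact, threat.likelihood)
    best = max(controls, key=lambda c: net_benefit(threat, c), default=None)
    if best is not None and net_benefit(threat, best) > 0:
        return {"threat": threat.name, "response": "reduce",
                "control": best.name, "net_benefit": net_benefit(threat, best)}
    if inherent <= risk_tolerance:
        return {"threat": threat.name, "response": "accept",
                "control": None, "expected_loss": inherent}
    return {"threat": threat.name, "response": "share or avoid",
            "control": None, "expected_loss": inherent}


# Constructed sample data (not from the notes): three threats, the controls
# considered for each, and a tolerance of $500 expected loss per year.
RISK_TOLERANCE = 500.0

WIRE_FRAUD = Threat("unauthorized wire transfer", impact=500_000, likelihood=0.02)
WIRE_CONTROLS = [
    Control("dual approval of wires", annual_cost=3_000,
            residual_impact=500_000, residual_likelihood=0.004),
    Control("real-time transaction monitoring", annual_cost=9_500,
            residual_impact=500_000, residual_likelihood=0.002),
]

KEYING_ERROR = Threat("minor data entry error", impact=200, likelihood=0.5)
KEYING_CONTROLS = [
    Control("double keying of all entries", annual_cost=1_500,
            residual_impact=200, residual_likelihood=0.05),
]

SERVER_FIRE = Threat("server room fire", impact=2_000_000, likelihood=0.001)
FIRE_CONTROLS = [
    Control("gas suppression system", annual_cost=5_000,
            residual_impact=200_000, residual_likelihood=0.001),
]


def assess_all():
    """Apply the decision rule to every sample threat."""
    return [
        recommend(WIRE_FRAUD, WIRE_CONTROLS, RISK_TOLERANCE),
        recommend(KEYING_ERROR, KEYING_CONTROLS, RISK_TOLERANCE),
        recommend(SERVER_FIRE, FIRE_CONTROLS, RISK_TOLERANCE),
    ]


if __name__ == "__main__":
    for decision in assess_all():
        print(decision)
```

With these numbers the wire-fraud threat has an expected loss of $10,000, and dual approval cuts it to $2,000 for $3,000 a year (net benefit $5,000), so it is reduced; the keying error costs $100 a year in expectation and no control is worth its price, so it is accepted; the fire has an expected loss of $2,000 that the suppression system does not reduce economically, and since that exceeds the tolerance it is flagged for sharing or avoidance. As the notes point out, management must also weigh factors outside this calculation before deciding.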