© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 2 of 314
INTRODUCTION
• Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
  – Computer control problems are often underestimated and downplayed.
  – Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
  – Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
  – Productivity and cost pressures may motivate management to forego time-consuming control measures.
OVERVIEW OF CONTROL CONCEPTS
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
• In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.
• The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.
• A significant effect was to require that corporations maintain good systems of internal accounting control.
  – Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.
  – The resulting internal control improvements weren’t sufficient.
• In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.
  – The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka SOX).
• Applies to publicly held companies and their auditors.
• The intent of SOX is to:
  – Prevent financial statement fraud
  – Make financial reports more transparent
  – Protect investors
  – Strengthen internal controls in publicly-held companies
  – Punish executives who perpetrate fraud
• SOX has had a material impact on the way boards of directors, management, and accountants operate.
• Important aspects of SOX include:
  – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
    • Has five members, three of whom cannot be CPAs.
    • Charges fees to firms to fund the PCAOB.
    • Sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports.
    • Currently recognizes FASB statements as being generally accepted.
• Important aspects of SOX include:
  – Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
  – New rules for auditors
  – New rules for audit committees
  – New rules for management
    • If management willfully and knowingly violates the certification, they can be:
      – Imprisoned up to 20 years.
      – Fined up to $5 million.
    • Management and directors cannot receive loans that would not be available to people outside the company.
    • They must disclose on a rapid and current basis material changes to their financial condition.
  – New internal control requirements
    • Section 404 of SOX requires companies to issue a report accompanying the financial statements that:
      – States management is responsible for establishing and maintaining an adequate internal control structure and procedures.
      – Contains management’s assessment of the company’s internal controls.
      – Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests.
    • SOX also requires that the auditor attests to and reports on management’s internal control assessment.
      – Each audit report must describe the scope of the auditor’s internal control tests.
• After the passage of SOX, the SEC further mandated that:
  – Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
  – The report must contain a statement identifying the framework used.
  – Management must disclose any and all material internal control weaknesses.
  – Management cannot conclude that the company has effective internal control if there are any material weaknesses.
• Levers of Control
  – Many people feel there is a basic conflict between creativity and controls.
  – Robert Simons has espoused four levers of control to help companies reconcile this conflict:
    • A concise belief system
      – Communicates company core values to employees and inspires them to live by them.
      – Draws attention to how the organization creates value.
      – Helps employees understand management’s intended direction.
      – Must be broad enough to appeal to all levels.
    • A boundary system
      – Helps employees act ethically by setting limits beyond which they must not pass.
      – Does not create rules and standard operating procedures that can stifle creativity.
      – Encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as:
        – Meeting minimum standards of performance
        – Shunning off-limits activities
        – Avoiding actions that could damage the company’s reputation.
    • A diagnostic control system
      – Ensures efficient and effective achievement of important controls.
      – This system measures company progress by comparing actual to planned performance.
      – Helps managers track critical performance outcomes and monitor performance of individuals, departments, and locations.
      – Provides feedback to enable management to adjust and fine-tune.
    • An interactive control system
      – Helps top-level managers with high-level activities that demand frequent and regular attention. Examples:
        – Developing company strategy.
        – Setting company objectives.
        – Understanding and assessing threats and risks.
        – Monitoring changes in competitive conditions and emerging technologies.
        – Developing responses and action plans to proactively deal with these high-level issues.
      – Also helps managers focus the attention of subordinates on key strategic issues and to be more involved in their decisions.
      – Data from this system are best interpreted and discussed in face-to-face meetings.
CONTROL FRAMEWORKS
• COBIT Framework
  – Also known as the Control Objectives for Information and Related Technology framework.
  – Developed by the Information Systems Audit and Control Foundation (ISACF).
  – A framework of generally applicable information systems security and control practices for IT control.
• The framework addresses the issue of control from three vantage points or dimensions:
  – Business objectives
    • To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.”
    • The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
      – Effectiveness (relevant, pertinent, and timely)
      – Efficiency
      – Confidentiality
      – Integrity
      – Availability
      – Compliance with legal requirements
      – Reliability
• COSO developed a model to illustrate the elements of ERM.
• Columns at the top represent the four types of objectives that management must meet to achieve company goals.
  – Strategic objectives
  – Operations objectives
  – Reporting objectives
    • Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
    • Improve decision-making and monitor company activities and performance more efficiently.
  – Compliance objectives
    • Compliance objectives help the company comply with applicable laws and regulations.
      – External parties often set the compliance rules.
      – Companies in the same industry often have similar concerns in this area.
• ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.
• However, strategic and operations objectives are sometimes at the mercy of external events that the company can’t control.
• Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.
• Columns on the right represent the company’s units:
  – Entire company
  – Division
  – Business unit
  – Subsidiary
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 77 of 314
CONTROL FRAMEWORKS
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 80 of 314
• The horizontal rows are eight related risk and control components, including:
  – Internal environment
  – Objective setting
  – Event identification
  – Risk assessment
  – Risk response
    • Management aligns identified risks with the company’s tolerance for risk by choosing to:
      – Avoid
      – Reduce
      – Share
      – Accept
    • Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and costs-benefits of alternate responses.
  – Control activities
    • To implement management’s risk responses, policies and procedures are established and implemented throughout the various levels and functions of the organization.
    • Corresponds to the control activities element in the COSO internal control framework.
  – Information and communication
    • Information about the company and ERM components must be identified, captured, and communicated so employees can fulfill their responsibilities.
    • Information must be able to flow through all levels and functions in the company as well as flowing to and from external parties.
    • Employees should understand their role and importance in ERM and how these responsibilities relate to those of others.
    • Has a corresponding element in the COSO internal control framework.
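A worked example of the risk-response comparison the slides describe (avoid, reduce, share, accept, judged on a portfolio view of likelihood, impact and the cost of each alternative). This is an added illustration, not code or data from the Romney/Steinbart slides: every risk, likelihood, impact and response cost below is a constructed sample value, and quantifying "costs-benefits of alternate responses" as residual expected loss (likelihood times impact) plus the response's own annual cost is my assumption about how to score the alternatives.

```python
"""Scoring ERM risk responses on a small constructed risk register.

Added example; none of the figures come from the slides. The scoring rule
(residual expected loss + annual cost of the response) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Response:
    kind: str                   # "avoid", "reduce", "share" or "accept"
    annual_cost: float          # what the response itself costs per year
    residual_likelihood: float  # probability per year once the response is in place
    residual_impact: float      # loss per occurrence once the response is in place


@dataclass
class Risk:
    name: str
    likelihood: float           # inherent probability of occurrence per year
    impact: float               # inherent loss per occurrence
    responses: List[Response] = field(default_factory=list)


def accept(risk: Risk) -> Response:
    """Accepting costs nothing and leaves the inherent exposure unchanged."""
    return Response("accept", 0.0, risk.likelihood, risk.impact)


def expected_loss(likelihood: float, impact: float) -> float:
    # Assumed quantification: annualised expected loss = likelihood x impact.
    return likelihood * impact


def total_cost(response: Response) -> float:
    """Residual expected loss plus what the response costs per year."""
    return expected_loss(response.residual_likelihood,
                         response.residual_impact) + response.annual_cost


def best_response(risk: Risk) -> Response:
    """Lowest total cost wins; 'accept' is always evaluated as the baseline."""
    candidates = [accept(risk)] + list(risk.responses)
    return min(candidates, key=total_cost)


def portfolio_view(risks: List[Risk]) -> Dict[str, Tuple[str, float]]:
    """Entity-wide summary: chosen response and its total annual cost per risk."""
    summary = {}
    for risk in risks:
        chosen = best_response(risk)
        summary[risk.name] = (chosen.kind, round(total_cost(chosen), 2))
    return summary


# Constructed sample register (hypothetical values, not from the slides).
RISKS = [
    Risk("ransomware on file server", likelihood=0.20, impact=500_000.0, responses=[
        # tested backups plus endpoint controls
        Response("reduce", annual_cost=40_000.0, residual_likelihood=0.10, residual_impact=100_000.0),
        # cyber insurance: the event still happens, part of the loss is transferred
        Response("share", annual_cost=30_000.0, residual_likelihood=0.20, residual_impact=150_000.0),
        # decommission the server and the business process that needs it
        Response("avoid", annual_cost=200_000.0, residual_likelihood=0.0, residual_impact=0.0),
    ]),
    Risk("vendor payment fraud", likelihood=0.05, impact=200_000.0, responses=[
        # dual approval of every vendor payment
        Response("reduce", annual_cost=15_000.0, residual_likelihood=0.01, residual_impact=200_000.0),
    ]),
]

if __name__ == "__main__":
    for name, (kind, cost) in portfolio_view(RISKS).items():
        print(f"{name}: {kind} (total annual cost {cost:,.0f})")
```

For the ransomware risk the "reduce" option wins (10,000 residual loss plus 40,000 cost) over accepting (100,000), sharing (60,000) or avoiding (200,000); for the fraud risk the control costs more than the exposure it removes, so "accept" is the cheapest response. The point of the portfolio view is that the same rule is applied across all risks so management can see where control spend buys the most.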
• ERM Framework Vs. the Internal Control Framework
  – The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
    • It has too narrow of a focus.
    • Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.
    • Makes it difficult to know:
      – Which control systems are most important.
      – Whether they adequately deal with risk.
      – Whether important control systems are missing.
INTERNAL ENVIRONMENT
• The most critical component of the ERM and the internal control framework.
• Is the foundation on which the other seven components rest.
• Influences how organizations:
  – Establish strategies and objectives
  – Structure business activities
  – Identify, assess, and respond to risk
• A deficient internal control environment often results in risk management and control breakdowns.
• Public companies must have an audit committee, composed entirely of independent, outside directors.
  – The audit committee oversees:
    • The company’s internal control structure;
    • Its financial reporting process;
    • Its compliance with laws, regulations, and standards.
  – Works with the corporation’s external and internal auditors.
    • Hires, compensates, and oversees the auditors.
    • Auditors report all critical accounting policies and practices to the audit committee.
  – Provides an independent review of management’s actions.
• Companies can endorse integrity as a basic operating principle by actively teaching and requiring it.
  – Management should:
    • Make it clear that honest reports are more important than favorable ones.
  – Management should avoid:
    • Unrealistic expectations, incentives, or temptations.
    • An attitude of earnings or revenue at any price.
    • Overly aggressive sales practices.
    • Unfair or unethical negotiation practices.
    • Implied kickback offers.
    • Excessive bonuses.
    • Bonus plans with upper and lower cutoffs.
• Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
  – Reports of dishonest acts should be thoroughly investigated.
  – Those found guilty should be dismissed.
  – Prosecution should be undertaken when possible, so that other employees are clear about consequences.
• Companies must make a commitment to competence.
  – Begins with having competent employees.
  – Varies with each job but is a function of knowledge, experience, training, and skills.
• Organizational Structure
  – A company’s organizational structure defines its lines of authority, responsibility, and reporting.
    • Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.
• Methods of Assigning Authority and Responsibility
  – Management should make sure:
    • Employees understand the entity’s objectives
    • Authority and responsibility for business objectives is assigned to specific departments and individuals
  – Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.
  – Management:
    • Must be sure to identify who is responsible for the IS security policy.
    • Should monitor results so decisions can be reviewed and, if necessary, overruled.
• Authority and responsibility are assigned through:
  – Formal job descriptions
  – Employee training
  – Operating plans, schedules, and budgets
  – Codes of conduct that define ethical behavior, acceptable practices, regulatory requirements, and conflicts of interest
  – Written policies and procedures manuals (a good job reference and job training tool), which cover:
    • Proper business practices
    • Knowledge and experience needed by key personnel
    • Resources provided to carry out duties
    • Policies and procedures for handling particular transactions
    • The organization’s chart of accounts
    • Sample copies of forms and documents
• Hiring
  – Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.
  – Employees should undergo a formal, in-depth employment interview.
  – Resumes, reference letters, and thorough background checks are critical.
• Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions.
  – Some get phony degrees from online “diploma mills.”
    • A Pennsylvania district attorney recently filed suit against a Texas “university” for issuing an MBA to the DA’s 6-year-old black cat.
  – Others actually hack (or hire someone to hack) into the systems of universities to create or alter transcripts and other academic data.
• No employee should be exempted from background checks. Anyone from the custodian to the company president is capable of committing fraud, sabotage, etc.
• Compensating
  – Employees should be paid a fair and competitive wage.
  – Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud.
  – Appropriate incentives can motivate and reinforce outstanding performance.
• Policies on Training
– Training programs should familiarize new employees
with:
• Their responsibilities.
• Expected performance and behavior.
• Company policies, procedures, history, culture, and operating
style.
– Training needs to be ongoing, not just one-time.
– Companies that shortchange training are more likely to experience
security breaches and fraud.
• Discharging
– Fired employees are disgruntled employees.
– Disgruntled employees are more likely to commit sabotage or fraud
against the company.
– Employees whose employment ends, whether voluntarily or involuntarily,
should be removed from sensitive jobs immediately and have their access
to information systems revoked.
• External influences
– External influences that affect the control
environment include requirements imposed
by:
• FASB
• PCAOB
• SEC
• Insurance commissions
• Regulatory agencies for banks, utilities, etc.
OBJECTIVE SETTING
• Objective setting is the second ERM component.
• It must precede many of the six components that follow it.
• For example, you must set objectives before you can define the events
that affect your ability to achieve them.
• As a rule of thumb:
– The mission and strategic objectives are
stable.
– The strategy and other objectives are more
dynamic:
• Must be adapted to changing conditions.
• Must be realigned with strategic objectives.
• Operations objectives:
– Are a product of management preferences,
judgments, and style
– Vary significantly among entities:
• One may adopt technology; another waits until the
bugs are worked out.
– Are influenced by and must be relevant to the
industry, economic conditions, and
competitive pressures.
– Give clear direction for resource allocation—a
key success factor.
EVENT IDENTIFICATION
• Events are:
– Incidents or occurrences that
emanate from internal or
external sources
– That affect implementation of
strategy or achievement of
objectives.
– Impact can be positive,
negative, or both.
– Events can range from
obvious to obscure.
– Effects can range from
inconsequential to highly
significant.
• Some of these factors include:
– External factors:
• Economic factors:
• Availability of capital; lower or higher costs of capital
• Lower barriers to entry, resulting in new competition
• Price movements up or down
• Ability to issue credit and possibility of default
• Concentration of competitors, customers, or vendors
• Presence or absence of liquidity
• Movements in the financial markets or currency fluctuations
• Rising or falling unemployment rates
• Mergers or acquisitions
• Potential regulatory, contractual, or criminal legal liability
• Some of these factors include:
– External factors:
• Economic factors
• Natural environment
• Political factors
• Social factors:
• Changing demographics, social mores, family structures, and
work/life priorities
• Consumer behavior that changes demand for products and services or
creates new buying opportunities
• Corporate citizenship
• Privacy
• Terrorism
• Human resource issues causing production shortages or stoppages
• Some of these factors include:
– External factors:
• Economic factors
• Natural environment
• Political factors
• Social factors
• Technological factors:
• New e-business technologies that lower infrastructure costs or
increase demand for IT-based services
• Emerging technology
• Increased or decreased availability of data
• Interruptions or down time caused by external parties
RISK ASSESSMENT AND RISK RESPONSE
• The fourth and fifth components of COSO's ERM model are risk
assessment and risk response.
• COSO indicates there are two types of risk:
– Inherent risk: the risk that exists before management takes any action
to alter the likelihood or impact of an event.
– Residual risk: the risk that remains after management implements
internal controls or some other form of response to risk.
• Companies should:
– Assess inherent risk
– Develop a response
– Then assess residual risk
• The ERM model indicates four ways to respond to risk:
– Reduce it: the most effective way to reduce the likelihood and impact
of risk is to implement an effective system of internal controls.
– Accept it: don't act to prevent or mitigate it.
– Share it: transfer some of it to others via activities such as
insurance, outsourcing, or hedging.
– Avoid it: don't engage in the activity that produces it. This may
require the sale of a division, exiting a product line, or canceling
an expansion plan.
• Accountants:
– Help management design effective controls to
reduce inherent risk
– Evaluate internal control systems to ensure
they are operating effectively
– Assess and reduce inherent risk using the risk
assessment and response strategy
[Figure: risk assessment flowchart. Identify the events or threats that
confront the company → Estimate the likelihood or probability of each
event occurring → Estimate the impact of potential loss from each threat
→ Identify a set of controls to guard against the threat → Estimate costs
and benefits from instituting controls → Is it cost-beneficial to protect
the system? Yes: reduce risk by implementing the set of controls to guard
against the threat. No: avoid, share, or accept the risk.]
• Estimate Likelihood and Impact
– Some events pose more risk because they are more probable than others.
– Some events pose more risk because their dollar impact would be more
significant.
– Likelihood and impact must be considered together: if either
increases, the materiality of the event and the need to protect
against it rises.
• Identify Controls
– Management must identify one or more controls that will protect the
company from each event.
– In evaluating the benefits of each control procedure, consider:
• All other factors equal:
– A preventive control is better than a detective one.
– However, if preventive controls fail, detective controls are needed to
discover the problem, and corrective controls are needed to recover.
– Consequently, the three complement each other, and a good internal
control system should have all three.
• Estimate Costs and Benefits
– It would be cost-prohibitive to create an internal control system that
provided foolproof protection against all events.
– Also, some controls negatively affect operational efficiency, and too
many controls can make it very inefficient.
• The benefits of an internal control procedure must exceed its costs.
• Benefits can be hard to quantify, but include:
– Increased sales and productivity
– Reduced losses
– Better integration with customers and suppliers
– Increased customer loyalty
– Competitive advantages
– Lower insurance premiums
• Costs are usually easier to measure than benefits.
• The primary cost is personnel, including:
– Time to perform control procedures
– Costs of hiring additional employees to effectively segregate duties
– Costs of programming controls into a system
• Other costs of a poor control system include:
– Lost sales
– Lower productivity
– Drop in stock price if security problems arise
– Shareholder or regulator lawsuits
– Fines and penalties imposed by governmental agencies
• The expected loss related to a risk is measured as:
– Expected loss = impact x likelihood
• Determine Cost-Benefit Effectiveness
– After estimating benefits and costs, management determines if the
control is cost beneficial, i.e., is the cost of implementing a control
procedure less than the change in expected loss that would be
attributable to the change?
• In evaluating costs and benefits, management must consider factors
other than those in the expected benefit calculation.
– If an event threatens an organization's existence, it may be
worthwhile to institute controls even if costs exceed expected
benefits.
– The additional cost can be viewed as a catastrophic loss insurance
premium.
• Let's go through an example:
– Hobby Hole is trying to decide whether to install a motion detector
system in its warehouse to reduce the probability of a catastrophic
theft.
– A catastrophic theft could result in losses of $800,000.
– Local crime statistics suggest that the probability of a catastrophic
theft at Hobby Hole is 12%.
– Companies with motion detectors only have about a .5% probability of
catastrophic theft.
– The present value of purchasing and installing a motion detector
system and paying future security costs is estimated to be about
$43,000.
– Should Hobby Hole install the motion detectors?
• Expected loss without control procedure = $800,000 x .12 = $96,000.
• Expected loss with control procedure = $800,000 x .005 = $4,000.
• Estimated value of control procedure = $96,000 - $4,000 = $92,000.
• Estimated cost of control procedure = $43,000 (given).
• Benefits exceed costs by $92,000 - $43,000 = $49,000.
• In this case, Hobby Hole should probably install the motion detectors.
• Implement the Control or Avoid, Share, or Accept the Risk
– When controls are cost effective, they should be implemented so risk
can be reduced.
• Risks that are not reduced must be accepted, shared, or avoided.
– If the risk is within the company's risk tolerance, the company will
typically accept the risk.
– A reduce or share response is used to bring residual risk into an
acceptable risk tolerance range.
– An avoid response is typically only used when there is no way to
cost-effectively bring risk into an acceptable risk tolerance range.
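The expected-loss formula, the Hobby Hole calculation and the reduce/accept/share/avoid rule above, carried through as an added Python example. This code is not from the textbook or its publisher: the Threat class, the risk_tolerance parameter, the transfer_cost and existential fields, and every threat other than Hobby Hole are constructed for illustration.

```python
"""Added example (not from the Romney/Steinbart slides): a small risk-register
evaluator that applies the chapter's decision rule to several threats.

Expected loss = impact x likelihood. A control is cost-beneficial when its
cost is less than the reduction in expected loss it buys. A risk that is not
reduced is accepted when it is within the risk tolerance, shared when a
transfer (e.g. an insurance premium) is cheaper than the expected loss, and
avoided otherwise. The Hobby Hole figures are the ones the slides give; every
other number below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float               # dollar loss if the event occurs
    likelihood: float           # probability of the event with no control
    control: str                # the control being considered
    control_cost: float         # present value of buying and running it
    residual_likelihood: float  # probability of the event with the control
    transfer_cost: Optional[float] = None  # premium to share the risk, if any
    existential: bool = False   # would the event threaten the organization's existence?


def expected_loss(impact: float, likelihood: float) -> float:
    return impact * likelihood


def control_value(t: Threat) -> float:
    """Benefit of the control: the reduction in expected loss it buys."""
    before = expected_loss(t.impact, t.likelihood)
    after = expected_loss(t.impact, t.residual_likelihood)
    return before - after


def net_benefit(t: Threat) -> float:
    """Positive means the control is cost-beneficial."""
    return control_value(t) - t.control_cost


def decide(t: Threat, risk_tolerance: float) -> str:
    """Walk the flowchart: reduce, else accept, else share, else avoid."""
    if net_benefit(t) > 0:
        return "reduce"
    if t.existential:
        # Cost exceeds benefit, but the excess is treated as a
        # catastrophic-loss insurance premium, as the slides describe.
        return "reduce"
    loss = expected_loss(t.impact, t.likelihood)
    if loss <= risk_tolerance:
        return "accept"
    if t.transfer_cost is not None and t.transfer_cost < loss:
        return "share"
    return "avoid"


def residual_loss(t: Threat, decision: str) -> float:
    """Expected loss that remains after the chosen response."""
    if decision == "reduce":
        return expected_loss(t.impact, t.residual_likelihood)
    if decision == "avoid":
        return 0.0
    if decision == "share":
        return t.transfer_cost  # the fixed premium replaces the uncertain loss
    return expected_loss(t.impact, t.likelihood)


def evaluate(threats, risk_tolerance: float):
    """Return (name, decision, net benefit, residual expected loss) per threat."""
    rows = []
    for t in threats:
        d = decide(t, risk_tolerance)
        rows.append((t.name, d, round(net_benefit(t), 2), round(residual_loss(t, d), 2)))
    return rows


# The slides' case: warehouse theft, motion detectors.
HOBBY_HOLE = Threat("catastrophic warehouse theft", 800_000, 0.12,
                    "motion detector system", 43_000, 0.005)

# Constructed cases that exercise the other branches of the flowchart.
CONSTRUCTED = [
    Threat("petty cash shortage", 2_000, 0.30, "daily count by second clerk",
           5_000, 0.05),                             # control not worth it; small; accept
    Threat("data center flood", 3_000_000, 0.02, "relocate data center",
           900_000, 0.001, transfer_cost=25_000),    # insurance cheaper; share
    Threat("fraud in new overseas subsidiary", 1_500_000, 0.10,
           "expatriate audit staff", 400_000, 0.06),  # no cost-effective response; avoid
    Threat("ransomware wipes all ledgers", 5_000_000, 0.05, "offline backups",
           300_000, 0.03, existential=True),         # reduce even though cost > benefit
]


if __name__ == "__main__":
    for row in evaluate([HOBBY_HOLE] + CONSTRUCTED, risk_tolerance=10_000):
        print(row)
```

The tolerance threshold and the share rule are the two places where judgment enters; the slides say accept applies only when the risk is already within tolerance and avoid only when nothing cost-effective brings it there, which is why the function checks the branches in that order.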
CONTROL ACTIVITIES
• The sixth component of
COSO’s ERM model.
• Control activities are
policies, procedures,
and rules that provide
reasonable assurance
that management’s
control objectives are
met and their risk
responses are carried
out.
• Segregation of Duties
– Good internal control requires that no single
employee be given too much responsibility
over business transactions or processes.
– An employee should not be in a position to
commit and conceal fraud or unintentional
errors.
– Segregation of duties is discussed in two
sections:
• Segregation of accounting duties
• Segregation of duties within the systems function
• Segregation of accounting duties (figure: the three function groups,
with a "fence" between each pair)
CUSTODIAL FUNCTIONS
• Handling cash
• Handling inventories, tools, or fixed assets
• Writing checks
• Receiving checks in mail
RECORDING FUNCTIONS
• Preparing source documents
• Maintaining journals, ledgers, or other files
• Preparing reconciliations
• Preparing performance reports
AUTHORIZATION FUNCTIONS
• Authorization of transactions
• EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the
recording for those receipts can steal some of the cash and falsify
accounts to conceal the theft.
• SOLUTION: The pink fence (segregation of custody and recording)
prevents employees from falsifying records to conceal theft of assets
entrusted to them.
• EXAMPLE OF PROBLEM: A person who has custody of checks for
transactions that he has authorized can authorize fictitious
transactions and then steal the payments.
• SOLUTION: The green fence (segregation of custody and authorization)
prevents employees from authorizing fictitious or inaccurate
transactions as a means of concealing a theft.
• EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep
records related to the transactions can authorize and record fictitious
payments that might, for example, be sent to the employee's home address
or the address of a shell company he creates.
• SOLUTION: The purple fence (segregation of recording and
authorization) prevents employees from falsifying records to cover up
inaccurate or false transactions that were inappropriately authorized.
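The three fences above, as an added example that is not part of the original slides: a Python check that computes each user's effective permissions from role definitions, maps them onto the custodial, recording and authorization groups, and flags any user, or any pair of roles, that crosses a fence. Every permission name, role and user below is constructed for illustration; the grouping of functions follows the slides.

```python
"""Added example (not from the Romney/Steinbart slides): a segregation-of-duties
check that flags any user whose combined access spans two of the three
incompatible function groups (custody, recording, authorization), i.e. any
user who could cross one of the "fences". The permission names, roles and
user assignments are constructed sample data, not a real system's.
"""
from itertools import combinations

# Which duty group each fine-grained permission belongs to, following the
# slides' grouping of custodial, recording and authorization functions.
FUNCTION_GROUP = {
    "handle_cash": "custody",
    "write_checks": "custody",
    "receive_mail_checks": "custody",
    "prepare_source_documents": "recording",
    "post_ledger": "recording",
    "prepare_reconciliations": "recording",
    "approve_transactions": "authorization",
    "approve_vendors": "authorization",
}

# The three fences: each pair of groups one person must never hold together,
# with the fraud the slides say that combination enables.
FENCES = {
    frozenset({"custody", "recording"}): "theft concealed by falsified records",
    frozenset({"custody", "authorization"}): "fictitious transactions whose payments are stolen",
    frozenset({"recording", "authorization"}): "improperly authorized transactions covered up in the records",
}

# Constructed role definitions (role -> permissions) and user assignments.
ROLES = {
    "cashier": {"handle_cash", "receive_mail_checks"},
    "ap_clerk": {"prepare_source_documents", "post_ledger"},
    "controller": {"prepare_reconciliations"},
    "purchasing_manager": {"approve_transactions", "approve_vendors"},
    "treasury": {"write_checks"},
}

USERS = {
    "alice": {"cashier"},
    "bob": {"ap_clerk"},
    "carol": {"purchasing_manager"},
    "dave": {"ap_clerk", "purchasing_manager"},   # recording + authorization (purple fence)
    "erin": {"cashier", "ap_clerk"},              # custody + recording (pink fence)
    "frank": {"treasury", "purchasing_manager"},  # custody + authorization (green fence)
}


def effective_permissions(user: str, users=USERS, roles=ROLES) -> set:
    """Union of the permissions granted through every role the user holds."""
    perms = set()
    for role in users.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def duty_groups(perms) -> set:
    """Collapse fine-grained permissions to the duty groups they fall in."""
    return {FUNCTION_GROUP[p] for p in perms if p in FUNCTION_GROUP}


def sod_violations(users=USERS, roles=ROLES):
    """Return {user: [(group_a, group_b, risk), ...]} for every crossed fence."""
    findings = {}
    for user in sorted(users):
        groups = duty_groups(effective_permissions(user, users, roles))
        hits = []
        for a, b in combinations(sorted(groups), 2):
            risk = FENCES.get(frozenset({a, b}))
            if risk:
                hits.append((a, b, risk))
        if hits:
            findings[user] = hits
    return findings


def role_conflicts(roles=ROLES):
    """Pairs of roles that must never be assigned to the same person,
    so the conflict can be blocked at assignment time, not found later."""
    bad = set()
    for r1, r2 in combinations(sorted(roles), 2):
        groups = duty_groups(roles[r1] | roles[r2])
        if any(frozenset(pair) in FENCES for pair in combinations(groups, 2)):
            bad.add((r1, r2))
    return sorted(bad)


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for a, b, risk in hits:
            print(f"{user}: holds {a} and {b}: {risk}")
    print("role pairs that cross a fence:", role_conflicts())
```

The same check is worth running against the systems function: a developer who can both change production code and move it into production, or an operator who can also alter the program library, holds an equivalent pair of incompatible duties, and only the permission-to-group table changes.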
• Project Development and Acquisition Controls
– It’s important to have a formal, appropriate, and proven
methodology to govern the development, acquisition,
implementation, and maintenance of information systems and
related technologies.
• Should contain appropriate controls for:
– Management review and approval
– User involvement
– Analysis
– Design
– Testing
– Implementation
– Conversion
• Should make it possible for management to trace information
inputs from source to disposition and vice versa (the audit
trail).
• The following basic principles of control should be applied to
systems development in order to reduce the potential for cost overruns
and project failure and to improve the efficiency and effectiveness of
the IS:
– Strategic master plan
• A multi-year strategic plan should align the organization's
information system with its business strategies and show the projects
that must be completed to achieve long-range goals.
• Should address hardware, software, personnel, and infrastructure
requirements.
• Each year, the board and top management should prepare and approve the
plan and its supporting budget.
• Should be evaluated several times a year to ensure the organization
can acquire needed components and maintain existing ones.
• Project controls
– A project development plan shows how a project will be
completed, including:
• Modules or tasks to be performed
• Who will perform them
• Anticipated completion dates
• Project costs
– Project milestones should be specified—points when progress
is reviewed and actual completion times are compared to
estimates.
– Each project should be assigned to a manager and team who
are responsible for its success or failure.
– At project completion, a project evaluation of the team
members should be performed.
• System performance measurements
– To be evaluated properly, a system should be assessed with
measures such as:
• Throughput (output per unit of time)
• Utilization (percent of time it is used productively)
• Response time (how long it takes to respond)
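The three measures just listed are easy to get wrong when requests overlap (utilization computed as the plain sum of service times can exceed 100%). The following is an added example, not code from the slides: each request is a constructed (start, end) pair in seconds, and the three measures are computed over an observation window, with overlapping busy periods merged so concurrent work counts once.

```python
"""System performance measurements from a request log.

Added example; not code from the slides. Each request is a (start, end)
pair in seconds and measurements are taken over an observation window.
The sample requests and the window below are constructed.
"""
from typing import Dict, List, Tuple

Request = Tuple[float, float]

# Constructed sample: five requests, two of them overlapping, and one
# that finishes after the window closes.
SAMPLE_REQUESTS: List[Request] = [
    (0.0, 2.0), (1.0, 3.0), (5.0, 6.0), (8.0, 9.0), (9.5, 11.0)
]
WINDOW: Tuple[float, float] = (0.0, 10.0)


def throughput(requests: List[Request], window: Tuple[float, float]) -> float:
    """Output per unit of time: requests completed inside the window, per second."""
    w0, w1 = window
    completed = sum(1 for _, end in requests if w0 <= end <= w1)
    return completed / (w1 - w0)


def utilization(requests: List[Request], window: Tuple[float, float]) -> float:
    """Fraction of the window during which at least one request was in progress.

    Requests are clipped to the window and overlapping intervals are merged,
    so concurrent requests are not double counted and the result stays in 0..1.
    """
    w0, w1 = window
    clipped = sorted((max(s, w0), min(e, w1))
                     for s, e in requests if s < w1 and e > w0)
    busy = 0.0
    cur_start = cur_end = None
    for s, e in clipped:
        if cur_end is None or s > cur_end:      # gap: close the current busy period
            if cur_end is not None:
                busy += cur_end - cur_start
            cur_start, cur_end = s, e
        else:                                    # overlap: extend the busy period
            cur_end = max(cur_end, e)
    if cur_end is not None:
        busy += cur_end - cur_start
    return busy / (w1 - w0)


def response_time(requests: List[Request]) -> Tuple[float, float]:
    """(average, maximum) time from request start to completion."""
    durations = [e - s for s, e in requests]
    return sum(durations) / len(durations), max(durations)


def measure(requests: List[Request], window: Tuple[float, float]) -> Dict[str, float]:
    """All three measures in one report."""
    avg, worst = response_time(requests)
    return {
        "throughput_per_s": throughput(requests, window),
        "utilization": utilization(requests, window),
        "avg_response_s": avg,
        "max_response_s": worst,
    }


if __name__ == "__main__":
    for name, value in measure(SAMPLE_REQUESTS, WINDOW).items():
        print(f"{name}: {value:.2f}")
```

For the constructed sample the window is busy for 5.5 of 10 seconds (the two overlapping requests cover 0 to 3 seconds once), four requests complete inside the window, and the average response time is 1.5 seconds.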
• When using systems integrators, companies should adhere to
the same basic rules used for project management of internal
projects. In addition, they should:
– Develop clear specifications
• Before third parties bid, provide clear specifications,
including:
– Exact descriptions and definitions of the system
– Explicit deadlines
– Precise acceptance criteria
• While it’s expensive to develop these specifications, it will
save money in the end.
• A sponsors committee should monitor third-party development
projects.
– Established by the CIO and chaired by the project’s internal
champion.
– Should include department managers from all units that will
use the system.
– Should establish formal procedures for measuring and
reporting project status.
– Best approach is to:
• Divide project into manageable tasks.
• Assign responsibility for each task.
• Meet on a regular basis (at least monthly) to review progress
and assess quality.
• Insiders also create less-intentional threats to
systems, including:
– Accidentally deleting company data
– Turning viruses loose
– Trying to fix hardware or software without appropriate
expertise (i.e., when in doubt, unplug it).
• These actions can result in crashed networks,
corrupt data, and hardware and software
malfunctions.
• Companies also face significant risks from
customers and vendors that have access to
company data.
[Figure: ledger, $1,000]
– Double-entry accounting
INFORMATION AND COMMUNICATION
MONITORING
• The eighth component of COSO’s ERM model.
• Monitoring can be accomplished with a series of ongoing
events or by separate evaluations.
• Key methods of monitoring performance include:
– Perform ERM evaluation
– Implement effective supervision
– Use responsibility accounting
– Monitor system activities
– Track purchased software
– Conduct periodic audits
– Employ a computer security officer and security
consultants
– Engage forensic specialists
– Install fraud detection software
– Implement a fraud hotline
• Companies that monitor system activities need to ensure
they do not violate employee privacy rights.
• Employers cannot discreetly observe communications of
employees when those employees have a “reasonable
expectation of privacy.”
• Employers must therefore ensure that employees realize
their business communications are not “private.” One way
to accomplish that objective is to have written policies that
employees agree to in writing which indicate:
– The technology employees use on the job belongs to the
company.
– Emails received on company computers are not private and can
be read by supervisory personnel.
– Employees should not use technology in any way to contribute to
a hostile work environment.
• Most forensic accountants are CPAs and may
have received special training with the FBI, CIA,
or other law enforcement agencies.
– In particular demand are those with the necessary
computer skills to ferret out and combat fraudsters
who use sophisticated technology to perpetrate their
crimes.
– The Association of Certified Fraud Examiners (ACFE)
has created a professional certification program for
fraud examiners.
• Install Fraud Detection Software
– People who commit fraud tend to follow certain patterns and
leave behind clues.
– Software has been developed to seek out these fraud symptoms.
– Some companies employ neural networks (programs that
mimic the brain and have learning capabilities) which are very
accurate in identifying suspected fraud.
– For example, if a husband and wife were each using the same
credit card in two different stores at the same time, a neural
network would probably flag at least one of the transactions
immediately as suspicious.
– These networks and other recent advances in fraud detection
software are significantly reducing the incidence of credit card
fraud.
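The "same card in two stores at the same time" symptom described above can be written as an explicit rule, which shows what a trained model is picking up on. The following is an added example, not code from the slides or from any vendor's product: it sorts constructed transactions by card and time and flags consecutive uses of one card at different locations within a short gap for review. Card ids, locations and times are constructed; the gap threshold is a tunable assumption.

```python
"""Rule-based flag for the "same card in two stores at the same time" pattern.

Added example; not code from the slides or from any vendor's product.
A neural network learns this pattern from data; here the same symptom is
written as an explicit rule so the logic is visible. Card ids, locations
and times below are constructed, and the gap threshold is an assumption.
"""
from typing import List, Tuple

# (transaction id, card, location, minutes since start of day); constructed
Tx = Tuple[str, str, str, int]
SAMPLE_TX: List[Tx] = [
    ("t1", "card-A", "Store 17, Springfield", 540),
    ("t2", "card-A", "Store 42, Shelbyville", 543),   # 3 min later, different town
    ("t3", "card-A", "Store 17, Springfield", 780),   # hours later: normal
    ("t4", "card-B", "Online grocer", 550),
    ("t5", "card-B", "Online grocer", 552),           # fast repeat, same merchant
    ("t6", "card-C", "Airport cafe", 640),
    ("t7", "card-C", "Downtown fuel", 655),           # 15 min later
]


def flag_simultaneous_use(txs: List[Tx], max_gap_minutes: int = 10
                          ) -> List[Tuple[str, str, int]]:
    """Return (earlier id, later id, gap) for consecutive transactions on the
    same card at different locations no more than max_gap_minutes apart.

    Only adjacent transactions per card are compared, so the pass is linear
    after sorting; a fast repeat at the same merchant is left to other rules.
    """
    flagged = []
    ordered = sorted(txs, key=lambda t: (t[1], t[3]))   # by card, then time
    for prev, cur in zip(ordered, ordered[1:]):
        same_card = prev[1] == cur[1]
        different_place = prev[2] != cur[2]
        gap = cur[3] - prev[3]
        if same_card and different_place and gap <= max_gap_minutes:
            flagged.append((prev[0], cur[0], gap))
    return flagged


if __name__ == "__main__":
    for earlier, later, gap in flag_simultaneous_use(SAMPLE_TX):
        print(f"review {earlier} and {later}: same card, different location, {gap} min apart")
```

Raising the threshold widens the net: at 10 minutes only the Springfield/Shelbyville pair is flagged, at 15 minutes the airport/downtown pair is too. A real deployment tunes that value against the false-positive rate the review team can absorb, which is what the learning in a neural network does automatically.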
• Outsourcing the fraud hotline is available through a number of
third parties and offers several benefits, including:
– Increased confidence on the part of the employee that his/her
report is truly anonymous.
– 24/7 availability.
– Often have multilingual capabilities—an important plus for
multinational organizations.
– The outsourcer may be able to follow up with the employee if
additional information is needed after the initial contact.
– The employee can be advised of the outcome of his/her report.
– Low cost.
SUMMARY
• In this chapter, you’ve learned about basic internal control
concepts and why computer control and security are so
important.
• You’ve learned about the similarities and differences between
the COBIT, COSO, and ERM control frameworks.
• You’ve learned about the major elements in the internal
control environment of a company and the four types of
control objectives that companies need to set.
• You’ve also learned about events that affect uncertainty and
how these events can be identified.
• You’ve explored how the Enterprise Risk Management model
is used to assess and respond to risk, as well as the control
activities that are commonly used in companies.
• Finally, you’ve learned how organizations communicate
information and monitor control processes.