2Learning ObjectivesLO#1 Explain essential control concepts and why a code of ethics and internal controls are important.LO#2 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk management framework.LO#3 Describe the overall COBIT framework and its implications for IT governance.LO#4 Describe other governance frameworks related to information systems management and security.
3Ethics, Sarbanes Oxley Act 2002 and Corporate Governance LO# 1Ethics, Sarbanes Oxley Act 2002 and Corporate GovernanceThe Need for a Code of EthicsEthical behavior prompted by a code of ethics can be considered a form of internal control.Employees with different culture backgrounds are likely to have different valuesMany professional associations have developed codes of ethics to assist professionals in selecting among decisions that are not clearly right or wrong.
4LO# 1Sarbanes Oxley Act 2002SOX requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting.Established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms.PCAOB Auditing Standard No. 5 (AS 5) encourages auditors to use a risk-based, top-down approach to identify the key controls.
5LO# 1Corporate GovernanceA set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders.Promotes accountability, fairness, and transparency in the organization’s relationship with its stakeholders.
6Overview of Control Concepts LO# 1Overview of Control ConceptsThree main functions of internal control:Preventive controls deter problems before they arise. (Authorization)Detective controls find problems when they arise. (Bank reconciliations and monthly trial balances)Corrective controls fix problems that have been identified. (Backup files to recover corrupted data)Computerized environment:General controls pertain to enterprise-wide issues such as controls over accessing the network, developing and maintaining applications, documenting changes of programs, etc.Application controls are specific to a subsystem or an application to ensure the validity, completeness and accuracy of the transactions.
7Commonly used Internal Control Frameworks LO# 2Commonly used Internal Control FrameworksThe SEC requires management to evaluate internal controls based on a recognized control frameworkCOSO Internal Control framework-COSO-Committee of Sponsoring Organizations of the Treadway Commission.-AAA, AICPA, FEI, IIA, and IMA-The COSO Internal Control framework is one of the most widely accepted authority on internal control, providing a baseline for evaluating, reporting, and improving internal control.
8Commonly used Internal Control Frameworks LO# 2Commonly used Internal Control FrameworksCOSO 2.0COSO ERM framework: focuses on the strategic alignment of the firm’s mission with its risk appetite.Control Objectives for Information and related Technology (COBIT): a control framework for the governance and management of enterprise IT.Information Technology Infrastructure Library (ITIL): a set of concepts and practices for IT service management.International Organization for Standardization (ISO) Series: address information security issues.
9COSO Internal Control Framework (COSO 2.0) LO# 2COSO Internal Control Framework (COSO 2.0)Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.Internal control is affected by people. It is not merely about policy manuals, systems and forms. Rather, it is about people at every level of a firm that impact internal control.Internal control can provide reasonable assurance, not absolute assurance, to an entity’s management and board.Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories.Internal control is adaptable to the entity structure.
10COSO Internal Control Framework (COSO 2.0) LO# 2COSO Internal Control Framework (COSO 2.0)Three categories of objectives:Operations Objectives – effectiveness and efficiency of a firm’s operations on financial performance goals and safeguarding assetsReporting Objectives – reliability of reporting, including internal and external financial and non-financial reportingCompliance Objectives – adherence to applicable laws and regulations
11COSO 2.0 Five components of internal control: Control Environment LO# 2COSO 2.0Five components of internal control:Control EnvironmentRisk Assessment Control Activities Information and Communication Monitoring Activities
13COSO Enterprise Risk Management—Integrated Framework LO# 2COSO Enterprise Risk Management—Integrated FrameworkFour categories of objectives:Strategic — high-level goals, aligned with and supporting the firm’s mission and visionOperations — effectiveness and efficiency of operationsReporting — reliability of internal and external reportingCompliance — compliance with applicable laws and regulations
14COSO Enterprise Risk Management—Integrated Framework LO# 2COSO Enterprise Risk Management—Integrated FrameworkEight components of internal control:Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information and Communication Monitoring
15Risk Assessment and Risk Response LO# 2Risk Assessment and Risk ResponseInherent risk : It exists already before management takes any actions to address it.Control risk : the threat that errors or irregularities in the underlying transactions will not be prevented, detected and corrected by the internal control system.Residual risk: the product of inherent risk and control risk(1) Reduce risks by designing effective business processes and implementing internal controls.(2) Share risks by outsourcing business processes, buying insurance, or entering into hedging transactions.(3) Avoid risks by not engaging in the activities that would produce the risk.(4) Accept risk by relying on natural offsets of the risk within a portfolio, or allowing the likelihood and impact of the risk.
16Risk Assessment and Risk Response LO# 2Risk Assessment and Risk ResponseCost and benefit analysis is important in determining whether to implement an internal control.The benefits of an internal control should exceed its costs.One way to measure the benefits of a control is using the estimated impact of a risk times the decreased likelihood if the control is implemented.Expected benefit of an internal control = Impact X Decreased Likelihood
17LO# 2Control ActivitiesPhysical Controls: mainly manual but could involve the physical use of computing technology.IT controls: processes that provide assurance for information and help to mitigate risks associated with the use of technology.-- IT general controls (ITGC)-- IT application controls
18LO# 3COBIT FrameworkCOBIT (Control Objectives for Information and related Technology) is a generally accepted framework for IT governance and management.Governance:firm objectives: evaluating stakeholder needssetting direction through decision makingmonitoring performance, compliance and progressManagement:activities: planning, building, running and monitoring
19LO# 3COBIT FrameworkProvides a business focus to align business and IT objectives;Defines the scope and ownership of IT process and control;Is consistent with accepted IT good practices and standards;Provides a common language with a set of terms and definitions that are generally understandable by all stakeholders; andMeets regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and auditors.
20Information Technology Infrastructure Library (ITIL) A de facto standard in Europe for the best practices in IT infrastructure management and service delivery.ITIL’s value proposition centers on providing IT service with an understanding the business objectives and priorities, and the role that IT services has in achieving the objectives.ITIL adopts a lifecycle approach to IT services, and organizes IT service management into five high-level categories.
21International Organization for Standardization (ISO) 27000 Series The ISO series of standards are designed to address information security issues.ISO series, particularly ISO and ISO 27002, have become the most recognized and generally accepted sets of information security framework and guidelines.The main objective of the ISO series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS).