Published by Amari Hoston
Copyright © Pearson Education Limited
Control and Accounting Information Systems, Chapter 7 (7-1)
Learning Objectives (7-2)
▫Explain basic control concepts and why computer control and security are important.
▫Compare and contrast the COBIT, COSO, and ERM control frameworks.
▫Describe the major elements in the internal environment of a company.
▫Describe the four types of control objectives that companies need to set.
▫Describe the events that affect uncertainty and the techniques used to identify them.
▫Explain how to assess and respond to risk using the Enterprise Risk Management model.
▫Describe control activities commonly used in companies.
▫Describe how to communicate information and monitor control processes in organizations.
Why Is Control Needed? (7-3)
Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.
The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.
The probability that the threat will happen is the likelihood associated with the threat.
A Primary Objective of an AIS (7-4)
A primary objective of an AIS is to control the organization so that it can achieve its objectives.
Management expects accountants to:
▫Take a proactive approach to eliminating system threats.
▫Detect, correct, and recover from threats when they occur.
Internal Controls (7-5)
Processes implemented to provide assurance that the following objectives are achieved:
▫Safeguard assets
▫Maintain sufficient records
▫Provide accurate and reliable information
▫Prepare financial reports according to established criteria
▫Promote and improve operational efficiency
▫Encourage adherence with management policies
▫Comply with laws and regulations
Functions of Internal Controls (7-6)
Preventive controls
▫Deter problems from occurring
Detective controls
▫Discover problems that are not prevented
Corrective controls
▫Identify and correct problems; correct and recover from the problems
Two Categories of Internal Controls (7-7)
General controls
▫Make sure an organization's control environment is stable and well managed. Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls.
Application controls
▫Prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, stored, transmitted to other systems, and reported.
Control Frameworks (7-8)
COBIT
▫Framework for IT control
COSO
▫Framework for enterprise internal controls (control-based approach)
COSO-ERM
▫Expands the COSO framework, taking a risk-based approach
COBIT Framework (7-9)
Current framework version is COBIT5.
The benefit of a standard framework for IT controls is that it:
▫Allows management to benchmark their environment and compare it to other organizations
▫Provides assurance that IT security and controls exist, because the framework is comprehensive
▫Allows auditors to substantiate their internal control opinions
COBIT Framework (cont.) (7-10)
Based on the following principles:
▫Meeting stakeholder needs
▫Covering the enterprise end-to-end
▫Applying a single, integrated framework
▫Enabling a holistic approach
▫Separating governance from management
COBIT5 Separates Governance from Management (7-11)
[Figure: governance versus management in COBIT5; see page 219 for details]
Components of COSO Frameworks (7-12)
COSO:
▫Control (internal) environment
▫Risk assessment
▫Control activities
▫Information and communication
▫Monitoring
COSO-ERM:
▫Internal environment
▫Objective setting
▫Event identification
▫Risk assessment
▫Risk response
▫Control activities
▫Information and communication
▫Monitoring
Internal Environment (7-13)
▫Management's philosophy, operating style, and risk appetite
▫Commitment to integrity, ethical values, and competence
▫Internal control oversight by Board of Directors
▫Organizing structure
▫Methods of assigning authority and responsibility
▫Human resource standards
Objective Setting (7-14)
Strategic objectives
▫High-level goals
Operations objectives
▫Effectiveness and efficiency of operations
Reporting objectives
▫Improve decision making and monitor performance
Compliance objectives
▫Compliance with applicable laws and regulations
Event Identification (7-15)
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives.
Key management questions:
▫What could go wrong?
▫How can it go wrong?
▫What is the potential harm?
▫What can be done about it?
Risk Assessment (7-16)
Risk is assessed from two perspectives:
Likelihood
▫Probability that the event will occur
Impact
▫Estimate of the potential loss if the event occurs
Types of risk:
Inherent
▫Risk that exists before plans are made to control it
Residual
▫Risk that is left over after you control it
Risk Response (7-17)
Reduce
▫Implement effective internal control
Accept
▫Do nothing; accept the likelihood and impact of the risk
Share
▫Buy insurance, outsource, or use hedging transactions
Avoid
▫Do not engage in the activity
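The two slides above define likelihood, impact, inherent and residual risk, and the four responses. The following Python is an added worked example, not material from the slides or the textbook: it assumes expected loss = likelihood x impact (with likelihood as an annual probability and impact as the dollar loss if the event occurs), treats a control as cost-effective when the reduction in expected loss exceeds its annual cost, and uses an assumed decision rule to map each threat onto accept, reduce, or share/avoid. The risk register, dollar figures and control names are constructed.

```python
"""Risk assessment and response worked example (constructed data, not from the slides).

Assumed model: expected loss = likelihood x impact. Inherent risk is the
expected loss before any control; residual risk is the expected loss with a
control in place. A control is cost-effective when the reduction in expected
loss exceeds its annual cost. The mapping onto accept / reduce / share-or-avoid
is an illustrative decision rule, not the textbook's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_likelihood: float  # event probability with this control in place
    residual_impact: float      # dollar loss if the event still occurs


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # inherent annual probability, 0..1
    impact: float      # inherent dollar loss if the event occurs
    controls: tuple    # candidate Control objects


def expected_loss(likelihood: float, impact: float) -> float:
    """Probability-weighted dollar loss; rejects out-of-range inputs."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood must be in [0, 1], got {likelihood}")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return likelihood * impact


def evaluate(threat: Threat, risk_appetite: float) -> dict:
    """Assess one threat and choose a response.

    accept:      inherent expected loss is already within the risk appetite.
    reduce:      some control lowers expected loss by more than it costs; the
                 control with the largest net benefit is selected.
    share/avoid: no control pays for itself, so the risk is transferred
                 (insurance, outsourcing, hedging) or the activity is stopped.
    """
    inherent = expected_loss(threat.likelihood, threat.impact)
    result = {
        "threat": threat.name,
        "inherent_expected_loss": inherent,
        "residual_expected_loss": inherent,
        "control": None,
        "response": "accept",
    }
    if inherent <= risk_appetite:
        return result

    best_control, best_net, best_residual = None, 0.0, inherent
    for control in threat.controls:
        residual = expected_loss(control.residual_likelihood, control.residual_impact)
        net_benefit = (inherent - residual) - control.annual_cost
        if net_benefit > best_net:  # only controls with positive net benefit qualify
            best_control, best_net, best_residual = control, net_benefit, residual

    if best_control is None:
        result["response"] = "share/avoid"
        return result

    result.update(residual_expected_loss=best_residual,
                  control=best_control.name, response="reduce")
    return result


# Constructed risk register for a small accounting information system (hypothetical values).
RISK_REGISTER = (
    Threat("unauthorized vendor payment", 0.10, 200_000.0,
           (Control("dual approval of payments", 5_000.0, 0.02, 200_000.0),)),
    Threat("ransomware on the AIS server", 0.05, 1_000_000.0,
           (Control("offline backups and tested restore", 8_000.0, 0.05, 150_000.0),
            Control("endpoint detection and response", 30_000.0, 0.01, 1_000_000.0))),
    Threat("minor data entry error", 0.50, 1_000.0, ()),
    Threat("fire in the data centre", 0.01, 5_000_000.0,
           (Control("fire suppression retrofit", 60_000.0, 0.002, 5_000_000.0),)),
)


def assess_register(register=RISK_REGISTER, risk_appetite: float = 1_000.0) -> list:
    """Evaluate every threat in the register against the given risk appetite."""
    return [evaluate(t, risk_appetite) for t in register]


if __name__ == "__main__":
    for row in assess_register():
        print(f"{row['threat']:<32} inherent={row['inherent_expected_loss']:>10,.0f} "
              f"residual={row['residual_expected_loss']:>10,.0f} "
              f"response={row['response']} control={row['control']}")
```

Running it shows why a large inherent risk can still end up shared rather than reduced: the fire-suppression control cuts the expected loss from 50,000 to 10,000, but at 60,000 per year it costs more than it saves, so insurance (share) or exiting the exposure (avoid) is the rational response under this rule.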
Control Activities (7-18)
▫Proper authorization of transactions and activities
▫Segregation of duties
▫Project development and acquisition controls
▫Change management controls
▫Design and use of documents and records
▫Safeguarding assets, records, and data
▫Independent checks on performance
Segregation of Duties (7-19)
[Figure: segregation of duties]
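Segregation of duties is listed above as a control activity, and the key terms later in the deck name the accounting duties (authorization, recording, custody) and the systems duties (programmers, computer operators, security management, change management) that should be kept apart. The Python below is an added example, not from the slides or the textbook: it assumes a hypothetical role-to-function mapping, a constructed set of conflicting function pairs, and a constructed user directory, and shows both the detective form of the control (scan existing assignments for conflicts) and the preventive form (refuse a role grant that would create one).

```python
"""Segregation-of-duties (SoD) check over role assignments.

Constructed example, not from the slides or the textbook: the roles, the
functions they grant, the conflict rules and the user list are hypothetical.
The accounting rule keeps authorizing, recording and custody apart; the
systems rule keeps program development apart from production operations,
change approval and access administration.
"""

# Role -> set of business/system functions the role grants (hypothetical).
ROLE_FUNCTIONS = {
    "purchasing_manager": {"authorize_transaction"},
    "ap_clerk": {"record_transaction"},
    "treasury_clerk": {"custody_of_assets"},
    "developer": {"write_program_code"},
    "computer_operator": {"run_production_jobs"},
    "security_admin": {"manage_access_rights"},
    "change_manager": {"approve_change"},
}

# Function pairs that a single identity must never hold together (constructed policy).
CONFLICTS = frozenset({
    frozenset({"authorize_transaction", "record_transaction"}),
    frozenset({"authorize_transaction", "custody_of_assets"}),
    frozenset({"record_transaction", "custody_of_assets"}),
    frozenset({"write_program_code", "run_production_jobs"}),
    frozenset({"write_program_code", "approve_change"}),
    frozenset({"write_program_code", "manage_access_rights"}),
})


def functions_for(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by the given roles; unknown roles fail closed."""
    held = set()
    for role in roles:
        if role not in role_functions:
            raise KeyError(f"unknown role: {role}")
        held |= role_functions[role]
    return held


def conflicting_pairs(functions, conflicts=CONFLICTS):
    """Sorted list of conflicting function pairs fully contained in one identity's functions."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= functions)


def sod_violations(user_roles, role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Detective control: report every user whose combined roles breach a conflict rule."""
    findings = {}
    for user, roles in user_roles.items():
        hits = conflicting_pairs(functions_for(roles, role_functions), conflicts)
        if hits:
            findings[user] = hits
    return findings


def can_assign(user_roles, user, new_role, role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Preventive control: True only if granting new_role introduces no conflict."""
    proposed = list(user_roles.get(user, [])) + [new_role]
    return not conflicting_pairs(functions_for(proposed, role_functions), conflicts)


# Constructed user directory.
USER_ROLES = {
    "alice": ["purchasing_manager"],
    "bob": ["ap_clerk", "treasury_clerk"],        # records transactions and holds the assets
    "carol": ["developer", "computer_operator"],  # writes code and runs it in production
    "dave": ["security_admin"],
}

if __name__ == "__main__":
    for user, pairs in sod_violations(USER_ROLES).items():
        print(f"{user}: {pairs}")
    print("grant ap_clerk to alice?", can_assign(USER_ROLES, "alice", "ap_clerk"))
```

The check is deliberately role-based rather than user-based: conflicts are evaluated over the functions a person can actually exercise, so a new role that silently bundles two incompatible functions is caught at definition time. Note that a pairwise conflict check only covers a single identity; it does nothing against collusion between two people holding complementary duties, which is why the deck pairs segregation of duties with independent checks on performance.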
Monitoring (7-20)
▫Perform internal control evaluations (e.g., internal audit)
▫Implement effective supervision
▫Use responsibility accounting systems (e.g., budgets)
▫Monitor system activities
▫Track purchased software and mobile devices
▫Conduct periodic audits (e.g., external, internal, network security)
▫Employ a computer security officer
▫Engage forensic specialists
▫Install fraud detection software
▫Implement a fraud hotline
Key Terms (7-21)
Threat or event; exposure or impact; likelihood; internal controls; preventive controls; detective controls; corrective controls; general controls; application controls; belief system; boundary system; diagnostic control system; interactive control system; audit committee; Foreign Corrupt Practices Act (FCPA); Sarbanes-Oxley Act (SOX); Public Company Accounting Oversight Board (PCAOB); Control Objectives for Information and Related Technology (COBIT); Committee of Sponsoring Organizations (COSO); Internal Control-Integrated Framework (IC); Enterprise Risk Management Integrated Framework (ERM); internal environment
Key Terms (continued) (7-22)
Risk appetite; policy and procedures manual; background check; strategic objectives; operations objectives; reporting objectives; compliance objectives; event; inherent risk; residual risk; expected loss; control activities; authorization; digital signature; specific authorization; general authorization; segregation of accounting duties; collusion; segregation of systems duties; systems administrator; network manager; security management; change management; users; systems analysts; programmers; computer operators; information system library
Key Terms (continued) (7-23)
Data control group; steering committee; strategic master plan; project development plan; project milestones; data processing schedule; system performance measurements; throughput; utilization; response time; postimplementation review; systems integrator; analytical review; audit trail; computer security officer (CSO); chief compliance officer (CCO); forensic investigators; computer forensics specialists; neural networks; fraud hotline