Pertemuan 15 Business and Information Process Rules, Risks, and Controls Matakuliah: M0034 /Informasi dan Proses Bisnis Tahun: 2005 Versi: 01/05

Learning Outcomes Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu : Menjelaskan hubungan resiko, peluang dan pengendalian proses bisnis

Outline Materi Hubungan antara Resiko, Peluang, dan Pengendalian Sistem Pengendalian Internal Filosofi Pengendalian Internal dengan perspektif TI Proses Pengembangan Sistem Pengendalian Internal Jenis-jenis resiko pengolahan Informasi pada Proses Bisnis

By Hollander, Denna, Cherrington PowerPoint slides by: Bruce W. MacLean, Faculty of Management, Dalhousie University Accounting, Information Technology, and Business Solutions, 2nd Edition Irwin/McGraw-Hill  The McGraw-Hill Companies, Inc., 2000 CHAPTER 5 Business and Information Process Rules, Risks, and Controls

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Objectives ä Describe the relationship between risks, opportunities, and controls ä Explain each of the components of an internal control system ä Discuss weaknesses in the traditional control philosophy ä Outline a control philosophy applicable to an informational technology environment ä Describe types of business and information process risks

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill The Relationship between Risks, Opportunities, and Controls n Risks ä A risk is any exposure to the chance of injury or loss. n Opportunities and Objectives ä Opportunity and risk go hand in hand. You can't have an opportunity without some risk and with every risk there is some potential opportunity. n Controls ä A control is an activity we perform to minimize or eliminate a risk.

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Internal Control Systems n Internal controls encompass a set of rules, policies, and procedures an organization implements to provide reasonable assurance that: ä (a) its financial reports are reliable, ä (b) its operations are effective and efficient, and ä (c) its activities comply with applicable laws and regulations. n These represent the three main objectives of the internal control system. n The organization's board of directors, management, and other personnel are responsible for the internal control system.

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Entire Organization Data Processing environment Event Occurrence Information Processes Administrativ e Controls Accounting Controls Preventive, Detective, and Corrective Controls Input, Processing, and Output Controls Control Environment General Controls Application Controls Control Environment IT/Human Controls Business Event Controls Information Processing Controls Control Classification Schemes

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Disk or Tape Master Files “Non-Complex” Information Systems Batch Input Update Process Batch Output

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill “Complex” Information System Architectures

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Control Environment n Control environment sets the tone of the organization, which influences the control consciousness of its people. This foundation provides discipline and structure upon which all other components of internal control are built. n The control environment includes the following areas: ä Integrity and ethical behavior ä Commitment to competence ä Board of directors and audit committee participation ä Management philosophy and operating style ä Organization structure ä Assignment of authority and responsibility ä Human resource policies and practices

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Likelihood Of Loss Size of Potential Impact High Low Small Large Materiality Risk Materiality and Risk

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Risk Assessment n Risk assessment identifies and analyzes the relevant risks associated with the organization achieving its objectives. n Risk assessment forms the basis for determining what risks need to be controlled and the controls required to manage them.

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Control Activities n Control activities are the policies and procedures the organization uses to ensure that necessary actions are taken to minimize risks associated with achieving its objectives. Controls have various objectives and may be applied at various organizational and functional levels. n Control Usage - Prevent, Detect, and Correct ä Control activities may be classified by their use C whether they are used to prevent, detect, or recover from errors or irregularities. The purpose of each control is evident by its name. –Preventive controls focus on preventing an error or irregularity. –Detective controls focus on identifying when an error or irregularity has occurred. –Corrective controls focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Control Activities n Physical controls include security over the assets themselves, limiting access to the assets to only authorized people, and periodically reconciling the quantities on hand with the quantities recorded in the organization’s records. n Information processing controls are used to check accuracy, completeness, and authorization of transactions. ä General controls cover data center operations, systems software acquisition and maintenance, access security, and application systems development and maintenance. ä Application controls apply to the processing of a specific application, like running a computer program to prepare employee's payroll checks each month.

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Control Activities n Performance Reviews ä Performance reviews are any reviews of an entity’s performance. ä Some of the more common reviews: –compare actual data to budgeted data or prior period data, –operating data to financial data, and –data within and across various units, subdivisions, or functional areas of the organization.

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Information and Communication n The information system consists of the methods and records used to record, maintain, and report the events of an entity, as well as to maintain accountability for the related assets, liabilities, and equity. The quality of the system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports. n The information system should do each of the following to provide accurate and complete information in the accounting system and correctly report the results of operations: ä Identify and record all business events on a timely basis. ä Describe each event in sufficient detail. ä Measure the proper monetary value of each event. ä Determine the time period in which events occurred. ä Present properly the events and related disclosures in the financial statements.

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Information and Communication n The communication aspect of this component deals with providing an understanding of individual roles and responsibilities pertaining to internal controls. n People should understand how their activities relate to the work of others and how exceptions should be reported to higher levels of management. n Open communication channels help insure that exceptions are reported and acted upon. n Communication also includes the policy manuals, accounting manuals, and financial reporting manuals.

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Monitoring n Monitoring is the process of assessing the quality of internal control performance over time. n Monitoring involves assessing the design and operation of controls on a timely basis and taking corrective actions as needed. ä This process is accomplished by ongoing monitoring activities by management as they question reports that differ significantly from their knowledge of operations.

 The McGraw-Hill Companies, Inc., 2000 Irwin/McGraw-Hill Control Environment Sub-elements of Control Environment Accounting System Objectives That Must Be Satisfied Control Procedures Categories of Control Procedures Management philosophy and operating style Organizational structure Audit Committee Methods to communicate the assignment of authority and responsibility Management control methods Internal Audit function Personnel policies and procedures External Influences Validity Authorization Completeness Valuation Classification Timing Posting and summarization Adequate separation of duties Proper authorization of transactions and activities Adequate documents and records Physical control over assets and records Independent checks on performance Traditional Internal Control Environment

Berlanjut ke Pertemuan 16