Ch7 AIS

Exposure/impact
potential dollar loss should a particular threat become a reality
General Controls
controls designed to make sure an organization's information system and control environment is stable and well managed
Application controls
controls that prevent, detect and correct transaction errors and fraud in application programs
Belief system
system that describes how a company creates value
boundary system
helps employees act ethically by setting boundaries on employee behavior
diagnostic control system
measures, monitors and compares actual company progress to budgets and performance goals
Interactive control system
helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions
SOX
intended to prevent financial statement fraud, make reports more transparent, provide protection to investors, strengthen internal controls and punish executives
Foreign Corrupt Practices Act
passed to prevent companies from bribing foreign officials
Public Company Accounting Oversight Board
board created as part of SOX that regulates the auditing profession
COBIT
Control Objectives for Information and Related Technology
Cobit allows
management to benchmark security and control practices of IT environments
Users to be assured that adequate IT security and controls exist
auditors to substantiate their internal control opinions and to advise on IT security and control matters
COBIT 5 Key Principles
Meeting stakeholder needs
Covering the enterprise end to end
Applying a single integrated framework
Separating governance from management
Enabling a holistic approach
Management Processes of COBIT
APO - Align, Plan and Organize
BAI - Build, Acquire and Implement
DSS - Deliver, Service and Support
MEA - Monitor, Evaluate and Assess
In 1992 COSO issued
Internal Control - Integrated Framework, which is widely accepted as the authority on internal controls and is incorporated into policies, rules and regulations used to control business activities

To improve the risk management process, COSO developed a second control framework called
Enterprise Risk Management (ERM)
COSO The Internal Environment
or company culture, influences how organizations establish strategies and objectives, structure business activities, and identify, assess and respond to risk
Philosophy, operating style and risk appetite
risk appetite is the amount of risk a company is willing to take to achieve its goals
Commitment to integrity, ethical values and competence
organizations need a culture that stresses integrity and commitment to ethical values and competence
Internal control oversight by the board of directors
SOX requires public companies to have an audit committee
Responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors
Organizational structure
Company's org structure provides a framework for planning, executing, controlling and monitoring operations.
Methods of Assigning authority and responsibility
Policy and procedures manual
explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties
HR standards that attract, develop and retain competent individuals
one of the greatest control strengths: honest individuals
one of the greatest control weaknesses: dishonest employees

use background checks
compensate well
Train well
manage disgruntled employees well
When discharging employees, remove access to sensitive places
Employees should sign a confidentiality agreement
MAKE SURE TO REPORT OR PROSECUTE PERPETRATORS

COSO Objective Setting
Management determines what the company hopes to achieve
strategic objectives
high-level goals that are aligned with the company's mission, support it and create shareholder value; these are set first
operations objectives
deal with the effectiveness and efficiency of company operations and determine how to allocate resources; they reflect management preferences, judgements and style and are a key factor in corporate success
reporting objectives
help ensure the accuracy, completeness and reliability of company reports
compliance objectives
help the company comply with all applicable laws and regulations
COSO Event Identification
Event - incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impacts, or both.
COSO Risk Assessment and Risk Response
During the objective-setting process, management must specify its objectives clearly enough for risks to be identified and assessed
inherent risk
susceptibility of a set of accounts or transactions to significant control problems in the absence of internal controls
Residual risk
the risk that remains after management implements internal controls or some other response to risk; companies should assess inherent risk, develop a response, and then assess residual risk
Management can respond to risk in one of four ways
REDUCE the likelihood and impact of risk by implementing effective internal controls

ACCEPT the likelihood and impact of risk

SHARE risk or transfer it to someone else by buying insurance, outsourcing an activity or entering into a hedging transaction

AVOID risk by not engaging in the activity that produces the risk. May require the company to sell a division, exit a product line or not expand as anticipated

Expected Loss
mathematical product of the potential dollar loss that would occur should a threat become a reality and the risk, or probability, that the threat will occur

Expected loss = impact * likelihood

COSO Control Activities
policies, procedures and rules that provide reasonable assurance that control objectives are met and risk responses are carried out. It is management's responsibility to develop a secure and adequately controlled system
management must make sure that
controls are selected and developed to help reduce risks to an acceptable level
appropriate general controls are selected and developed over technology
control activities are implemented and followed as specified in company policies and procedures
proper authorization of transactions and activities
Authorization
establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initialing or entering an authorization code on a document or record
Digital signature
electronic signature that can't be forged
specific authorization
special approval an employee needs in order to be allowed to handle a transaction
general authorization
authorization given to employees to handle routine transactions without special approval
Segregation of duties
Segregation of accounting duties
Authorization - approving transactions

Recording - preparing source documents; entering data into computer systems; maintaining journals, etc.

Custody - handling cash, tools, inventory or fixed assets; receiving incoming customer checks; writing checks

All three must be separated

Collusion
cooperation between two or more people in an effort to thwart internal controls
Segregation of Systems Duties
for this we segregate the following
Systems administration - system administrators make sure all info system components operate smoothly and efficiently

Network management - ensures that devices are linked to the organization's internal and external networks

Security management - makes sure the systems are secure

Change management - process of making sure changes are made smoothly and efficiently and do not negatively affect system reliability, security, etc.

COSO Internal Control Model
Control Environment

Risk Assessment

Control activities

Info and communication

Monitoring