INTRODUCTION

Why AIS threats are increasing

Control risks have increased in the last few years because:
• There are computers and servers everywhere, and information is available to an unprecedented number of workers.
• Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
• Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.
Some vocabulary terms for this chapter:
• A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
• The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
• The likelihood is the probability that the threat will occur.
OVERVIEW OF CONTROL CONCEPTS

Internal controls perform three important functions:
• Preventive controls deter problems before they arise.
• Detective controls discover problems quickly when they do arise.
• Corrective controls remedy problems that have occurred by:
  – Identifying the cause;
  – Correcting the resulting errors; and
  – Modifying the system to prevent future problems of this sort.
Internal controls are often classified as:
• General controls
  – Those designed to make sure an organization’s control environment is stable and well managed.
  – They apply to all sizes and types of systems.
  – Examples: Security management controls.
• Application controls
  – Prevent, detect, and correct transaction errors and fraud.
  – Concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
An effective system of internal controls should exist in all organizations to:
• Help them achieve their missions and goals.
• Minimize surprises.
CONTROL FRAMEWORKS

A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
• The COBIT framework
• The COSO internal control framework
• COSO’s Enterprise Risk Management framework (ERM)

COSO’s internal control framework

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
• The American Accounting Association
• The AICPA
• The Institute of Internal Auditors
• The Institute of Management Accountants
• The Financial Executives Institute

In 1992, COSO issued the Internal Control Integrated Framework, which:
• Defines internal controls.
• Provides guidance for evaluating and enhancing internal control systems.
• Is widely accepted as the authority on internal controls.
• Is incorporated into policies, rules, and regulations used to control business activities.
COSO’s internal control model has five crucial components:
• Control environment
  – The core of any business is its people.
  – Their integrity, ethical values, and competence make up the foundation on which everything else rests.
• Control activities
  – Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.
• Risk assessment
  – The organization must be aware of and deal with the risks it faces.
  – It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
• Information and communication
  – Information and communications systems surround the control activities.
  – They enable the organization’s people to capture and exchange information needed to conduct, manage, and control its operations.
• Monitoring
  – The entire process must be monitored and modified as necessary.
RISK ASSESSMENT AND RISK RESPONSE

Companies should:
• Assess inherent risk
• Develop a response
• Then assess residual risk

The ERM model indicates four ways to respond to risk:
• Reduce it
  – The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.
• Accept it
  – Don’t act to prevent or mitigate it.
• Share it
  – Transfer some of it to others via activities such as insurance, outsourcing, or hedging.
• Avoid it
  – Don’t engage in the activity that produces it.
  – May require: sale of a division, exiting a product line, or canceling an expansion plan.
Accountants:
• Help management design effective controls to reduce inherent risk.
• Evaluate internal control systems to ensure they are operating effectively.
• Assess and reduce inherent risk using the risk assessment and response strategy.
Event identification

The first step in the risk assessment and response strategy is event identification, which we have already discussed.

Figure: risk assessment and response flowchart (shown again on each of the slides that follow)
1. Identify the events or threats that confront the company.
2. Estimate the likelihood or probability of each event occurring.
3. Estimate the impact of potential loss from each threat.
4. Identify a set of controls to guard against the threat.
5. Estimate the costs and benefits of instituting the controls.
6. Is it cost-beneficial to protect the system?
   – Yes: reduce risk by implementing the set of controls to guard against the threat.
   – No: avoid, share, or accept the risk.
Estimate likelihood and impact

Some events pose more risk because they are more probable than others. Some events pose more risk because their dollar impact would be more significant. Likelihood and impact must be considered together: if either increases, the materiality of the event and the need to protect against it rises.
Identify controls

Management must identify one or more controls that will protect the company from each event. In evaluating the benefits of each control procedure, consider effectiveness and timing.
All other factors equal, a preventive control is better than a detective one. However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover. Consequently, the three complement each other, and a good internal control system should have all three. Similarly, a company should use all four levers of control.
Estimate costs and benefits

It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events. Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.
The benefits of an internal control procedure must exceed its costs. Benefits can be hard to quantify, but include:
• Increased sales and productivity
• Reduced losses
• Better integration with customers and suppliers
• Increased customer loyalty
• Competitive advantages
• Lower insurance premiums
Costs are usually easier to measure than benefits. The primary cost is personnel, including:
• Time to perform control procedures
• Costs of hiring additional employees to effectively segregate duties
• Costs of programming controls into a system
Other costs of a poor control system include:
• Lost sales
• Lower productivity
• Drop in stock price if security problems arise
• Shareholder or regulator lawsuits
• Fines and penalties imposed by governmental agencies
The expected loss related to a risk is measured as:

Expected loss = impact x likelihood

The value of a control procedure is the difference between:
• Expected loss with the control procedure
• Expected loss without it
Determine cost-benefit effectiveness

After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the control?
In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation. If an event threatens an organization’s existence, it may be worthwhile to institute controls even if costs exceed expected benefits. The additional cost can be viewed as a catastrophic loss insurance premium.
Let’s go through an example. Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
• A catastrophic theft could result in losses of $800,000.
• Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
• Companies with motion detectors only have about a .5% probability of catastrophic theft.
• The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.

Should Hobby Hole install the motion detectors?
• Expected loss without control procedure = $800,000 x .12 = $96,000.
• Expected loss with control procedure = $800,000 x .005 = $4,000.
• Estimated value of control procedure = $96,000 - $4,000 = $92,000.
• Estimated cost of control procedure = $43,000 (given).
• Benefits exceed costs by $92,000 - $43,000 = $49,000.
• In this case, Hobby Hole should probably install the motion detectors.
Implement the control or avoid, share, or accept the risk

When controls are cost effective, they should be implemented so risk can be reduced.
Risks that are not reduced must be accepted, shared, or avoided. If the risk is within the company’s risk tolerance, they will typically accept the risk. A reduce or share response is used to bring residual risk into an acceptable risk tolerance range. An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
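As an added example (not from these slides or the textbook they are drawn from), the Python below puts the expected-loss formula, the Hobby Hole cost-benefit calculation, and the reduce / accept / share-or-avoid decision rule into one small program. The `Threat`, `Control` and `Evaluation` types, the `risk_tolerance` threshold (the largest expected loss management will accept for one threat) and the existential-threat override are modelling assumptions made here; the Hobby Hole figures are the ones given above.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Threat:
    """An event that could injure the organization (assumed structure)."""
    name: str
    impact: float              # potential dollar loss if the event occurs
    likelihood: float          # probability of occurrence over the planning period
    existential: bool = False  # True if the event threatens the organization's existence

    def expected_loss(self, likelihood: Optional[float] = None) -> float:
        # Expected loss = impact x likelihood (the slides' formula). A caller may pass
        # the residual likelihood that applies once a control is in place.
        p = self.likelihood if likelihood is None else likelihood
        return self.impact * p


@dataclass(frozen=True)
class Control:
    """A candidate control procedure (assumed structure)."""
    name: str
    cost: float                 # present value of implementing and operating it
    residual_likelihood: float  # probability of the event once the control is in place


@dataclass(frozen=True)
class Evaluation:
    control: str
    loss_without: float
    loss_with: float
    value: float          # loss_without - loss_with: the value of the control procedure
    net_benefit: float    # value - cost
    cost_beneficial: bool


def evaluate_control(threat: Threat, control: Control) -> Evaluation:
    """Flowchart steps 2-5 for one threat/control pair."""
    loss_without = threat.expected_loss()
    loss_with = threat.expected_loss(control.residual_likelihood)
    value = loss_without - loss_with
    net = value - control.cost
    return Evaluation(control.name, loss_without, loss_with, value, net, net > 0)


def choose_response(threat: Threat, controls: Sequence[Control],
                    risk_tolerance: float) -> Tuple[str, Optional[Evaluation]]:
    """Flowchart step 6: reduce when a control is cost-beneficial, otherwise
    accept, share or avoid. risk_tolerance is an assumption of this example."""
    evaluations = [evaluate_control(threat, c) for c in controls]
    # Prefer the cost-beneficial control with the largest net benefit.
    worthwhile = [e for e in evaluations if e.cost_beneficial]
    if worthwhile:
        return "reduce", max(worthwhile, key=lambda e: e.net_benefit)
    # An existential threat may justify a control whose cost exceeds its benefit;
    # the slides call the extra cost a catastrophic-loss insurance premium.
    if threat.existential and evaluations:
        return "reduce (insurance premium)", max(evaluations, key=lambda e: e.net_benefit)
    # Not reduced: accept if within tolerance, otherwise share or avoid.
    if threat.expected_loss() <= risk_tolerance:
        return "accept", None
    return "share or avoid", None


# Hobby Hole inputs from the slides: $800,000 loss, 12% likelihood, 0.5% with
# detectors, $43,000 present-value cost of the control.
HOBBY_HOLE_THEFT = Threat("catastrophic warehouse theft", impact=800_000, likelihood=0.12)
MOTION_DETECTORS = Control("motion detector system", cost=43_000, residual_likelihood=0.005)


if __name__ == "__main__":
    ev = evaluate_control(HOBBY_HOLE_THEFT, MOTION_DETECTORS)
    print(f"Expected loss without control: ${ev.loss_without:,.0f}")
    print(f"Expected loss with control:    ${ev.loss_with:,.0f}")
    print(f"Value of control:              ${ev.value:,.0f}")
    print(f"Net benefit (value - cost):    ${ev.net_benefit:,.0f}")
    decision, chosen = choose_response(HOBBY_HOLE_THEFT, [MOTION_DETECTORS], risk_tolerance=10_000)
    print(f"Response: {decision}" + (f" using {chosen.control}" if chosen else ""))
```

Running it reproduces the slide's figures ($96,000, $4,000, $92,000 and a $49,000 net benefit) and recommends the reduce response. Changing `residual_likelihood`, `cost` or `risk_tolerance` shows how the same threat slides into the accept or share-or-avoid branches, and setting `existential=True` shows the override the slides describe for events that threaten the organization's survival.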