Control and Accounting Information Systems
Chapter 7
Copyright © Pearson Education Limited 2015.
7-1
Learning Objectives
• Explain basic control concepts and why computer control and security are important.
• Compare and contrast the COBIT, COSO, and ERM control frameworks.
• Describe the major elements in the internal environment of a company.
• Describe the four types of control objectives that companies need to set.
• Describe the events that affect uncertainty and the techniques used to identify them.
• Explain how to assess and respond to risk using the Enterprise Risk Management model.
• Describe control activities commonly used in companies.
• Describe how to communicate information and monitor control processes in organizations.
Why Is Control Needed?
• Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.
• The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.
• The probability that the threat will happen is the likelihood associated with the threat.
A Primary Objective of an AIS
• Is to control the organization so that it can achieve its objectives
• Management expects accountants to:
▫ Take a proactive approach to eliminating system threats.
▫ Detect, correct, and recover from threats when they occur.
Internal Controls
• Processes implemented to provide assurance that the following objectives are achieved:
▫ Safeguard assets
▫ Maintain sufficient records
▫ Provide accurate and reliable information
▫ Prepare financial reports according to established criteria
▫ Promote and improve operational efficiency
▫ Encourage adherence with management policies
▫ Comply with laws and regulations
Functions of Internal Controls
• Preventive controls
▫ Deter problems from occurring
• Detective controls
▫ Discover problems that are not prevented
• Corrective controls
▫ Identify and correct problems, and recover from them
Two Categories of Internal Controls
• General controls
▫ Make sure an organization’s control environment is stable and well managed. Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls
• Application controls
▫ Prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, stored, transmitted to other systems, and reported
Control Frameworks
• COBIT
▫ Framework for IT control
• COSO
▫ Framework for enterprise internal controls (control-based approach)
• COSO-ERM
▫ Expands the COSO framework, taking a risk-based approach
COBIT Framework
• Current framework version is COBIT5
• The benefit of a standard framework for IT controls is that it allows:
▫ Management to benchmark their environment and compare it to other organizations
▫ Assurance that IT security and controls exist, because the framework is comprehensive
▫ Auditors to substantiate their internal control opinions
COBIT Framework (cont)
• Based on the following principles:
▫ Meeting stakeholder needs
▫ Covering the enterprise end-to-end
▫ Applying a single, integrated framework
▫ Enabling a holistic approach
▫ Separating governance from management
COBIT5 Separates Governance from Management
See page 219 for details
Components of COSO Frameworks
COSO
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COSO-ERM
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
Internal Environment
• Management’s philosophy, operating style, and risk appetite
• Commitment to integrity, ethical values, and competence
• Internal control oversight by the Board of Directors
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
Objective Setting
• Strategic objectives
▫ High-level goals
• Operations objectives
▫ Effectiveness and efficiency of operations
• Reporting objectives
▫ Improve decision making and monitor performance
• Compliance objectives
▫ Compliance with applicable laws and regulations
Event Identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization’s objectives
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
▫ Probability that the event will occur
• Impact
▫ Estimated potential loss if the event occurs
Types of risk:
• Inherent
▫ Risk that exists before plans are made to control it
• Residual
▫ Risk that remains after controls are put in place
Risk Response
• Reduce
▫ Implement effective internal control
• Accept
▫ Do nothing; accept the likelihood and impact of the risk
• Share
▫ Buy insurance, outsource, or hedge transactions
• Avoid
▫ Do not engage in the activity
Control Activities
• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance
Segregation of Duties
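A worked example, added here and not part of the slides, of checking segregation of duties mechanically against a list of role assignments: a person who holds two of the three accounting functions (authorization, recording, custody of assets), or an incompatible pair of the systems duties named in this chapter's key terms, is flagged for review. The role-to-function mapping, the systems conflict pairs, and the sample assignments are constructed assumptions for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Role -> control function. Constructed; a real mapping comes from the
# organisation's own authorisation matrix.
ROLE_FUNCTION = {
    "approve_purchase_orders": "authorization",
    "post_journal_entries": "recording",
    "maintain_ar_ledger": "recording",
    "handle_cash_receipts": "custody",
    "sign_checks": "custody",
}

# Systems-duty pairs one person should not hold (assumed rule set).
SYSTEMS_CONFLICTS = {
    frozenset({"programmer", "computer_operator"}),
    frozenset({"programmer", "change_management"}),
}

def accounting_conflicts(assignments):
    """Users holding two or more of authorization/recording/custody."""
    funcs = defaultdict(set)
    for user, role in assignments:
        if role in ROLE_FUNCTION:
            funcs[user].add(ROLE_FUNCTION[role])
    return {u: sorted(f) for u, f in funcs.items() if len(f) >= 2}

def systems_conflicts(assignments):
    """Users holding a pair of roles listed in SYSTEMS_CONFLICTS."""
    roles = defaultdict(set)
    for user, role in assignments:
        roles[user].add(role)
    out = {}
    for user, held in roles.items():
        pairs = sorted(tuple(sorted(p)) for p in combinations(held, 2)
                       if frozenset(p) in SYSTEMS_CONFLICTS)
        if pairs:
            out[user] = pairs
    return out

# Constructed sample of (user, role) assignments.
SAMPLE = [
    ("alice", "approve_purchase_orders"),
    ("alice", "post_journal_entries"),   # authorization + recording
    ("bob", "handle_cash_receipts"),
    ("bob", "maintain_ar_ledger"),       # custody + recording
    ("carol", "sign_checks"),            # custody only: no conflict
    ("dave", "programmer"),
    ("dave", "computer_operator"),       # can change and run production code
]
```

Running both checks over SAMPLE reports alice and bob as accounting conflicts and dave as a systems conflict; collusion between two people who each pass the check is not detected by this kind of static review.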
Monitoring
• Perform internal control evaluations (e.g., internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal, network security)
• Employ a computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement a fraud hotline
Key Terms
• Threat or event
• Exposure or impact
• Likelihood
• Internal controls
• Preventive controls
• Detective controls
• Corrective controls
• General controls
• Application controls
• Belief system
• Boundary system
• Diagnostic control system
• Interactive control system
• Audit committee
• Foreign Corrupt Practices Act (FCPA)
• Sarbanes-Oxley Act (SOX)
• Public Company Accounting Oversight Board (PCAOB)
• Control Objectives for Information and Related Technology (COBIT)
• Committee of Sponsoring Organizations (COSO)
• Internal Control-Integrated Framework (IC)
• Enterprise Risk Management-Integrated Framework (ERM)
• Internal environment
Key Terms (continued)
• Risk appetite
• Policy and procedures manual
• Background check
• Strategic objectives
• Operations objectives
• Reporting objectives
• Compliance objectives
• Event
• Inherent risk
• Residual risk
• Expected loss
• Control activities
• Authorization
• Digital signature
• Specific authorization
• General authorization
• Segregation of accounting duties
• Collusion
• Segregation of systems duties
• Systems administrator
• Network manager
• Security management
• Change management
• Users
• Systems analysts
• Programmers
• Computer operators
• Information system library
Key Terms (continued)
• Data control group
• Steering committee
• Strategic master plan
• Project development plan
• Project milestones
• Data processing schedule
• System performance measurements
▫ Throughput
▫ Utilization
▫ Response time
• Postimplementation review
• Systems integrator
• Analytical review
• Audit trail
• Computer security officer (CSO)
• Chief compliance officer (CCO)
• Forensic investigators
• Computer forensics specialists
• Neural networks
• Fraud hotline