Enterprise System and Risk Controls Chapter 14
Chapter Learning Objectives • Describe the relationship between enterprise risks, opportunities, and controls • Explain the levels at which enterprise risks occur • Use the REA pattern to identify sources of enterprise risk • Identify specific controls to prevent, detect, and recover from enterprise risks
The Relationship between Risks, Opportunities, and Controls • Risks • any exposure to the chance of injury or loss • Opportunities and Objectives • Controls • A control is an activity performed to minimize or eliminate a risk.
Internal Control Systems • Congress passed the Sarbanes-Oxley Act requiring publicly traded companies to issue reports on their internal control systems along with their annual financial reports • Management responsibility for internal controls • Reporting considerations • Auditors requirements • SAS No. 94 • COSO
Materiality and Risk (figure): likelihood of loss (low to high) plotted against size of potential impact (small to large); materiality of risk rises toward the high-likelihood, large-impact corner.
COSO Internal Control Integrated Framework • The Committee of Sponsoring Organizations (COSO) • COSO’s components: • Control environment • Risk assessment • Control Activities • Information and communication • Monitoring
Control Environment • Control environment sets the tone of the organization • The control environment includes: • Integrity and ethical behavior • Commitment to competence • Board of directors and audit committee participation • Management philosophy and operating style • Organization structure • Assignment of authority and responsibility • Human resource policies and practices
Risk Assessment • Risk assessment identifies and analyzes the relevant risks associated with the organization achieving its objectives.
Control Activities • Policies and procedures the organization uses to ensure that necessary actions are taken to minimize risks associated with achieving its objectives • Objectives • Preventive controls • Detective controls • Corrective controls • Error versus Irregularity
Information and Communication • The information system consists of the methods and records used to record, maintain, and report enterprise events. • The information system should • Identify and record all business events on a timely basis. • Describe each event in sufficient detail. • Measure the proper monetary value of each event. • Determine the time period in which events occurred. • Present properly the events and related disclosures in the financial statements.
Information and Communication • Provides an understanding of individual roles and responsibilities pertaining to internal controls. • Open communication channels • Includes the policy manuals, accounting manuals, and financial reporting manuals
Monitoring • Assessing the quality of internal control performance over time • Assessing the design and operation of controls on a timely basis and taking corrective actions as needed • Performance reviews provide means for monitoring
Risk Identification • Economy Risks • Industry Risks • Enterprise Risks • Business Process Risks • Information Process Risks
Controls for Economy/Industry Risks • Economy and industry risks can be very difficult to control • Diversify to multiple industries • Use hedges and derivatives • Be outwardly focused • Pay attention to industry and economy trends and market demands
Controls for Enterprise Risks • Respond quickly to drops in perceived brand quality or firm reputation • Purchase insurance • Use sound personnel practices • Set a strong “tone at the top” • Create contingency plans to minimize business interruptions
Controls for Business Process Risks • Resources • Resource Risks • Theft, Loss, Waste, or Damage • Obsolescence • Resource Risk Controls • Separation of Duties (preventive) • Physical counts and Reconciliations (primarily detective; may help prevent loss too) • Insurance (corrective) • Asset tracking devices (primarily detective; however, often help prevent loss too)
Controls for Business Process Risks • Instigation Event Risks • Failure to inform customers of product features • Mistakes in ads or promotions • Unnecessary/unwanted sales call presentations • Customer can’t find information needed • Inability to track results of marketing efforts • Unproductive salespeople • Failure to identify need for input resources in timely manner • Requisitioning unnecessary or wrong resources • Inability to find source for needed resources • Failure to approve valid requisitions • Requisitioning items for which budget is unavailable
Controls for Business Process Risks • Controls for Instigation Event Risks • Accurate querying of a complete information system with adequate data entry controls combined with the procedural controls provides effective means for controlling instigation event risks
Controls for Business Process Risks • Mutual Commitment Event Risks • Failure to accept desirable, valid sale orders • Acceptance of undesirable or invalid sale orders • Commitment with an unrealistic delivery date • Commitment to provide goods/services at unprofitable price • Failure to place desirable, valid purchase orders • Placement of undesirable or invalid purchase orders • Failure to provide adequate lead time to vendors • Failure to obtain lowest possible cost for highest possible quality • Controls • Procedural controls PLUS effective querying of a good information system with adequate data entry controls
Controls for Business Process Risks • Economic Decrement Event Risks • Failure to ship goods in response to valid sale order • Shipment of goods not ordered or not authorized • Shipment of goods to or by invalid agent • Poor packaging used in shipment • Shipment via a poor carrier or route • Lost sales due to untimely shipments • Failure to pay for goods received in a timely manner • Duplicating payment for same purchase • Failure to take advantage of early payment discounts • Controls for Economic Decrement Event Risks • Procedural controls PLUS effective querying of a good information system with adequate data entry controls
Controls for Business Process Risks • Economic Increment Event Risks • Failure to receive cash as result of sale • Accepting duplicate cash receipts for same sale • Failure to deposit cash into bank in timely manner • Depositing cash into wrong bank account • Failure to receive goods in response to purchase order • Receipt of goods not ordered • Receipt of wrong goods or incorrect quantity of goods • Damage of goods during receiving process • Controls for Economic Increment Event Risks • Procedural controls PLUS effective querying of a good information system with adequate data entry controls
Controls for Business Process Risks • Economic Decrement Reversal Event Risks • Failure to accept goods for legitimate sale return • Acceptance of goods for illegitimate sale return • Approval of sale return by unauthorized employee • Recording sale return that didn’t occur • Economic Decrement Reversal Event Risks • Failure to return unsatisfactory goods • Return of goods that enterprise needed • Approval of purchase return by unauthorized employee • Recording purchase return that didn’t occur • Controls • Procedural controls PLUS effective querying of a good information system with adequate data entry controls
Controls for Information Process Risks • System Resource Risks and Controls • Physical access controls • Logical access controls
Controls for Information Process Risks • Terminal identification codes • Prevent access by unauthorized terminals over communication lines • Encryption • Protects highly sensitive and confidential data • Process of encoding data entered into the system, storing or transmitting the data in coded form, and then decoding the data upon its use or arrival at its destination
Controls for Information Process Risks • System Failure Protection • Proper maintenance of equipment and facilities • Operate equipment in appropriate physical environment • Backup system components • Power source failures may also result in business interruptions and loss of data
Controls for Information Process Risks • System Failure Protection • Virus protection (anti-virus) software • Firewalls • Combinations of hardware and software used to shield a computer or network from unauthorized users or from file transfers of unauthorized types
Controls for Information Process Risks • Software Processing Controls • General software controls • System Development and Maintenance Procedures • Care in specifying requirements • Use of test data to verify accuracy of programs • Separation of duties between programmers, system analysts, data control group, and operations personnel • Network Operating System (NOS) controls • Application software controls
Controls for Information Process Risks • Application Controls • Data Input Controls • Event processing rules • should be built into systems to verify the prescribed rules are followed
Controls for Information Process Risks • Application Controls • Data Entry Verification • Closed Loop Verification • Key Verification (also called rekeying) • Input data is entered twice
Controls for Information Process Risks • Application Controls • Edit checks • Field Edit Checks control field level data • Check Digit • Completeness check • Default Value • Field or Mode check • Range (limit) check • Validity/ set check
Controls for Information Process Risks • Application Controls • Edit checks • Record Edit Checks control record level data • Master Reference check (file-based system) • Referential Integrity (database system) • Reasonableness check • Valid Sign check
Controls for Information Process Risks • Application Controls • Edit checks • Batch Edit Checks control batches of events • Sequence check • Transaction Type check • Batch Control totals • Hash Control total • Financial/Numeric total • Record Count Control total
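The field, record and batch edit checks listed on the three slides above, as an added example that is not from the textbook: each check runs over a constructed batch of sales events and reports its exceptions. The mod-10 check-digit scheme, field names, master customer file and credit limit are assumptions chosen for illustration.

```python
# Added example (not from the textbook): the chapter's field, record and batch edit checks
# applied to a constructed batch. Mod-10 check digit, field names and limits are assumptions.
MASTER_CUSTOMERS = {"10017", "10025"}   # constructed master reference file
VALID_TYPES = {"SALE", "RETURN"}        # allowed values for the validity (set) check
CREDIT_LIMIT = 5000.00                  # upper bound for the range (limit) check

def mod10_ok(number: str) -> bool:  # check digit (assumed mod-10 weighted-sum scheme)
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0            # a single mistyped digit makes this fail

def field_checks(rec: dict) -> list:  # field edit checks on one record
    errs = [f"missing {f}" for f in ("seq", "cust", "type", "amount") if rec.get(f) in (None, "")]
    if rec.get("cust") and not (rec["cust"].isdigit() and mod10_ok(rec["cust"])):   # check digit
        errs.append("check digit")
    if rec.get("type") not in VALID_TYPES:                                          # validity/set
        errs.append("invalid type")
    if not isinstance(rec.get("amount"), (int, float)) or abs(rec["amount"]) > CREDIT_LIMIT:
        errs.append("amount out of range")                                          # mode + range
    return errs

def record_checks(rec: dict) -> list:  # record edit checks: referential integrity, valid sign
    amt, kind = rec.get("amount", 0), rec.get("type")
    errs = [] if rec.get("cust") in MASTER_CUSTOMERS else ["no master record"]
    if (kind == "SALE" and amt < 0) or (kind == "RETURN" and amt > 0):
        errs.append("invalid sign")
    return errs

def batch_checks(batch: list, header: dict) -> list:  # batch edit checks against header totals
    seqs = [r.get("seq") for r in batch]
    hash_total = sum(int(r["cust"]) for r in batch if str(r.get("cust")).isdigit())
    failed = [
        (seqs != list(range(seqs[0], seqs[0] + len(seqs))), "sequence"),   # gaps or duplicates
        (len(batch) != header["record_count"], "record count"),
        (hash_total != header["hash_total"], "hash total"),                  # non-financial field
        (round(sum(r.get("amount", 0) for r in batch), 2) != header["financial_total"], "financial total"),
    ]
    return [msg for bad, msg in failed if bad]

# Constructed sample batch: record 4 has a mistyped customer number and exceeds the limit,
# and sequence number 3 is missing from the batch.
BATCH = [
    {"seq": 1, "cust": "10017", "type": "SALE", "amount": 1200.00},
    {"seq": 2, "cust": "10025", "type": "RETURN", "amount": -150.00},
    {"seq": 4, "cust": "10018", "type": "SALE", "amount": 7000.00},
]
HEADER = {"record_count": 3, "hash_total": 30060, "financial_total": 8050.00}
```

Note that the batch totals agree with the header even though record 4 is wrong: control totals catch lost or altered records between preparation and entry, while the field and record checks catch the bad content.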
Controls for Information Process Risks • Application Controls • File Controls • Devices or techniques to verify the correct file is updated and to prevent inadvertent destruction or inappropriate use of files • External file labels • Internal file labels • Lockout procedures • Read-only file designation • File protection rings
Controls for Information Process Risks • Application Controls • Data Loss and File Reconstruction Capability • Maintain backup or duplicate copies of current data files, programs, and documentation • File reconstruction • Batch process file reconstruction • Grandparent-parent-child approach • Real-time process file reconstruction
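The grandparent-parent-child approach to batch file reconstruction, as an added example that is not from the textbook: three master-file generations are retained together with the batch that produced each, and a destroyed current master is rebuilt by re-posting the retained batches to the oldest survivor. The master file layout and the posting rule are assumptions.

```python
# Added example (not from the textbook): grandparent-parent-child retention with
# batch file reconstruction. The master file layout and posting rule are assumptions.
from copy import deepcopy

def post_batch(master: dict, batch: list) -> dict:
    """Child master = parent master with each transaction's amount posted to its account."""
    child = deepcopy(master)
    for t in batch:
        child[t["cust"]] = round(child.get(t["cust"], 0.0) + t["amount"], 2)
    return child

class GenerationStore:
    """Retain the three newest master generations with the batch file that produced each."""
    def __init__(self, initial_master: dict):
        self.gens = [(deepcopy(initial_master), [])]   # (master file, batch file)

    def run_batch(self, batch: list) -> dict:
        child = post_batch(self.gens[-1][0], batch)
        self.gens = (self.gens + [(child, list(batch))])[-3:]   # keep grandparent, parent, child
        return child

    def reconstruct(self, lost: int) -> dict:
        """Rebuild the newest master after the `lost` most recent master files are
        destroyed, by re-posting the retained batch files to the oldest survivor."""
        if lost >= len(self.gens):
            raise RuntimeError("no surviving generation; recover from off-site backup")
        master = self.gens[-1 - lost][0]
        for _, batch in self.gens[len(self.gens) - lost:]:
            master = post_batch(master, batch)
        return master

# Constructed sample data: opening balances and two daily batches.
OPENING = {"10017": 0.0, "10025": 0.0}
DAY1 = [{"cust": "10017", "amount": 1200.0}, {"cust": "10025", "amount": -150.0}]
DAY2 = [{"cust": "10017", "amount": -300.0}]
```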
Batch processing and file reconstruction (figure: batch processing flow)
Real-time processing and file reconstruction (figure: real-time processing flow and real-time file reconstruction)
Summary • Controlling enterprise risk is crucial for long-term enterprise success. • Controls over the enterprise information system are as important as procedural controls over the enterprise activities • The REA ontology may be used as guidance for considering risk areas and developing controls for those risks • Preventive controls should always be the goal; where prevention is impossible or impractical, then detection and correction should be employed • Detection and correction should also be employed as secondary controls (as backup) even when preventive controls are in place