INTRODUCTION
Distributed computer networks make data available to many users, and these
networks are harder to control than centralized mainframe systems.
Wide area networks are giving customers and suppliers access to each
others' systems and data, making confidentiality a major concern.
Historically, many organizations have not adequately protected their data due to one or
more of the following reasons:
Companies have not realized that data is a strategic resource and that data security
must be a strategic requirement.
Productivity and cost pressures may motivate management to forego time-consuming control measures.
A threat is any potential adverse occurrence or unwanted event that could injure
the AIS or the organization.
The exposure or impact of the threat is the potential dollar loss that would occur if
the threat becomes a reality.
As accountants, we must:
Achieving adequate security and control over the information resources of an organization
should be a top management priority.
Example:
Although computer processing may reduce clerical errors, it may increase risks of
unauthorized access or modification of data files.
It is much easier to build controls into a system during the initial stage than to add them
after the fact.
Consequently, accountants and control experts should be members of the teams that
develop or modify information systems.
At the same time, the company needs control systems so they are not exposed to
excessive risks or behaviors that could harm their reputation for honesty and integrity.
Internal control is the process implemented by the board of directors, management, and
those under their direction to provide reasonable assurance that the following control
objectives are achieved:
This objective includes ensuring that company receipts and expenditures are
made in accordance with management's and directors' authorizations.
Internal control provides reasonable, rather than absolute, assurance, because complete
assurance is difficult or impossible to achieve and prohibitively expensive.
Preventive controls
Detective controls
Corrective controls
General controls
They apply to all sizes and types of systems, from large, complex
mainframe systems to client/server systems to desktop/laptop computer
systems.
Application controls
Minimize surprises.
In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the
profession, this act incorporated language from an AICPA pronouncement.
The primary purpose of the act was to prevent the bribery of foreign officials to obtain
business.
A significant effect was to require that corporations maintain good systems of internal
accounting control.
In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made
headlines.
The impact on financial markets was substantial, and Congress responded with
passage of the Sarbanes-Oxley Act of 2002 (aka, SOX).
Protect investors
SOX has had a material impact on the way boards of directors, management, and
accountants operate.
Sets and enforces auditing, quality control, ethics, independence, and other
standards relating to audit reports.
Auditor-management disagreements
Bookkeeping
Management functions
The committee hires, compensates, and oversees the auditors, and the
auditors report directly to the committee.
The financial statements and disclosures are fairly presented, were reviewed
by management, and are not misleading.
If management willfully and knowingly violates the certification, they can be:
Imprisoned up to 20 years
Fined up to $5 million
Management and directors cannot receive loans that would not be available
to people outside the company.
They must disclose on a rapid and current basis material changes to their
financial condition.
SOX also requires that the auditor attests to and reports on managements
internal control assessment.
Each audit report must describe the scope of the auditors internal control
tests.
Management must disclose any and all material internal control weaknesses.
Management cannot conclude that the company has effective internal control if
there are any material weaknesses.
Levers of control
A boundary system
Does not create rules and standard operating procedures that can stifle
creativity and initiative.
Data from this system are best interpreted and discussed in face-to-face meetings.
CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal
control systems. Three of the most important are:
Also known as the Control Objectives for Information and Related Technology
framework.
The framework addresses the issue of control from three vantage points or dimensions:
Business objectives
The criteria are divided into seven distinct yet overlapping categories that
map into COSO objectives:
Efficiency
Confidentiality
Integrity
Availability
Reliability
IT resources
Includes:
People
Application systems
Technology
Facilities
Data
IT processes
Monitoring
Provides users with greater assurance that security and IT controls provided by
internal and third parties are adequate.
The AICPA
Incorporated into policies, rules, and regulations used to control business activities.
Control environment
Control activities
Risk assessment
The organization must be aware of and deal with the risks it faces.
It must set objectives for its diverse activities and establish mechanisms to
identify, analyze, and manage the related risks.
Monitoring
Nine years after COSO issued the preceding framework, it began investigating how to
effectively identify, assess, and manage risk so organizations could improve the risk
management process.
Intent of ERM is to achieve all goals of the internal control framework and help the
organization:
Provide reasonable assurance that company objectives and goals are achieved and
problems and surprises are minimized.
Assess risks continuously and identify steps to take and resources to allocate to
overcome or mitigate risk.
Risk
Opportunity
The framework should help management manage uncertainty and its associated
risk to build and preserve value.
To maximize value, a company must balance its growth and return objectives and
risks with efficient and effective use of company resources.
Columns at the top represent the four types of objectives that management must meet
to achieve company goals.
Strategic objectives
Operations objectives
Strategic objectives are high-level goals that are aligned with and support the
company's mission.
Safeguarding assets
Reporting objectives
Compliance objectives
Compliance objectives help the company comply with applicable laws and
regulations.
Companies in the same industry often have similar concerns in this area.
ERM can provide reasonable assurance that reporting and compliance objectives will be
achieved because companies have control over them.
However, strategic and operations objectives are sometimes at the mercy of external
events that the company can't control.
Therefore, in these areas, the only reasonable assurance the ERM can provide is that
management and directors are informed on a timely basis of the progress the company is
making in achieving them.
Entire company
Division
Business unit
Subsidiary
The horizontal rows are eight related risk and control components, including:
Internal environment
Provides discipline and structure and is the foundation for all other
components.
Objective setting
Strategic objectives are set first as a foundation for the other three.
Event identification
Risk assessment
Identified risks are assessed to determine how to manage them and how they
affect the company's ability to achieve its objectives.
Qualitative and quantitative methods are used to assess risks individually and
by category in terms of:
Likelihood
Risk response
Management aligns identified risks with the company's tolerance for risk by
choosing to:
Avoid
Reduce
Share
Accept
Control activities
Information must be able to flow through all levels and functions in the
company as well as flowing to and from external parties.
Employees should understand their role and importance in ERM and how
these responsibilities relate to those of others.
Monitoring
Means that each of the eight risk and control elements are applied to the four objectives in
the entire company and/or one of its subunits.
The internal control framework has been widely adopted as the principal way to
evaluate internal controls as required by SOX. However, there are issues with it.
Incorporates rather than replaces COSOs internal control framework and contains
three additional elements:
Setting objectives.
Identifying positive and negative events that may affect the company's
ability to implement strategy and achieve objectives.
Controls are flexible and relevant because they are linked to current organizational
objectives.
ERM also recognizes more options than simply controlling risk, which include
accepting it, avoiding it, diversifying it, sharing it, or transferring it.
Over time, ERM will probably become the most widely adopted risk and control model.
Consequently, its eight components are the topic of the remainder of the chapter.
INTERNAL ENVIRONMENT
The most critical component of the ERM and the internal control framework.
A deficient internal control environment often results in risk management and control
breakdowns.
That philosophy affects everything the organization does, long- and short-term, and
affects their communications.
Companies also have a risk appetite, which is the amount of risk a company is
willing to accept to achieve its goals and objectives.
The more responsible management's philosophy and operating style, the more
likely employees will behave responsibly.
Management must back up words with actions; if they show little concern for
internal controls, then neither will employees.
Does management take undue business risks or assess potential risks and
rewards before acting?
An active and involved board of directors plays an important role in internal control.
They should:
Oversee management
At least a majority should be independent, outside directors not affiliated with the
company or any of its subsidiaries.
Auditors report all critical accounting policies and practices to the audit
committee.
Employees will watch the actions of the CEO, and the message of those
actions (good or bad) will tend to permeate the organization.
Companies can endorse integrity as a basic operating principle by actively teaching and
requiring it.
Management should:
Make it clear that honest reports are more important than favorable ones.
Excessive bonuses.
Management should not assume that employees would always act honestly.
The combination of these two will produce more consistent moral behavior.
Management should develop clearly stated policies that explicitly describe honest and
dishonest behaviors, often in the form of a written code of conduct.
In particular, such a code would cover issues that are uncertain or unclear.
Dishonesty often appears when situations are gray and employees rationalize the
most expedient action as opposed to making a right vs. wrong choice.
SOX only requires a code of ethics for senior financial management. However, the ACFE
suggests that companies create a code of conduct for all employees:
Helps the company if they need to take legal action against the employee.
Prosecution should be undertaken when possible, so that other employees are clear
about consequences.
Varies with each job but is a function of knowledge, experience, training, and skills.
The levers of control, particularly beliefs and boundary systems, can be used to create
the kind of commitment to integrity an organization wants.
Organizational structure
In today's business world, the hierarchical organizations with many layers of management
are giving way to flatter organizations with self-directed work teams.
These changes have a significant impact on the nature and type of controls needed.
Management:
Employee training
Written policies and procedures manuals (a good job reference and job training tool)
which covers:
Employees are both the company's greatest control strength and the greatest
control weakness.
Organizations can implement human resource policies and practices with respect to
hiring, training, compensating, evaluating, counseling, promoting, and discharging
employees that send messages about the level of competence and ethical behavior
required.
Hiring
Checking for criminal records, credit issues, and other publicly available data.
Note that you must have the employee's or candidate's written permission to
conduct a background check, but that permission does not need to have an
expiration date.
Background checks are important because recent studies show that about 50% of
resumes have been falsified or embellished.
Sometimes professional firms are hired to do the background checks because applicants
are becoming more aggressive in their deceptions.
Others actually hack (or hire someone to hack) into the systems of universities to
create or alter transcripts and other academic data.
No employee should be exempted from background checks. Anyone from the custodian to
the company president is capable of committing fraud, sabotage, etc.
Compensating
Poorly compensated employees are more likely to feel the resentment and financial
pressures that lead to fraud.
Training
Discharging
Policies on training
Their responsibilities.
Many believe employee training and education are the most important elements of
fraud prevention and security programs.
Fraud is less likely to occur when employees believe security is everyones business.
They believe fraud hurts everyone and that they therefore have a
responsibility to report it.
These cultures do not just happen. They must be created, taught, and practiced, and the
following training should be provided:
Fraud awareness
Ethical considerations
The company should promote ethical standards in its practice and its
literature.
The company should display notices of program and data ownership and
advise employees of the penalties of misuse.
Informal discussions
Formal meetings
Periodic memos
Written guidelines
Codes of ethics
Discharging
Disgruntled employees are more likely to commit a sabotage or fraud against the
company.
Disgruntled employees may be isolated and/or unhappy, but are much likelier fraud
candidates than satisfied employees.
The organization can try to reduce the employee's pressures through grievance
channels and counseling.
Disgruntled employees should not be allowed to continue in jobs where they could
harm the organization.
Some fraud schemes, such as lapping and kiting, cannot continue without the
constant attention of the perpetrator.
Mandatory vacations or rotation of duties can prevent these frauds or lead to early
detection.
These measures will only be effective if someone else is doing the job while the
usual employee is elsewhere.
Key employees should have fidelity bond insurance coverage to protect the
company against losses from fraudulent acts by those employees.
In addition to the preceding policies, the company should seek prosecution and
incarceration of hackers and fraud perpetrators
Most fraud cases and hacker attacks go unreported. They are not prosecuted for several
reasons.
Companies fear:
Copycat attacks
Law enforcement officials and courts are busy with violent crimes and may regard
teen hacking as childish pranks.
Law enforcement officials, lawyers, and judges often lack the computer skills
needed to investigate, prosecute, and evaluate computer crimes.
When cases are prosecuted and a conviction obtained, penalties are often very
light. Judges often regard the perpetrators as model citizens.
External influences
External influences that affect the control environment include requirements
imposed by:
FASB
PCAOB
SEC
Insurance commissions
OBJECTIVE SETTING
For example, you must set objectives before you can define events that affect your ability
to achieve objectives
Top management, with board approval, must articulate why the company exists and what
it hopes to achieve.
Uses the mission statement as a base from which to set corporate objectives.
The objectives:
Should be prioritized.
Objectives set at the corporate level are linked to and integrated with a cascading series
of sub-objectives in the various sub-units.
First, set strategic objectives, the high-level goals that support the company's
mission and create value for shareholders.
As a rule of thumb:
Operations objectives:
One may adopt technology; another waits until the bugs are worked out.
Are influenced by and must be relevant to the industry, economic conditions, and
competitive pressures.
EVENT IDENTIFICATION
Events are:
If so, when?
COSO identified many internal and external factors that could influence events and affect
a company's ability to implement strategy and achieve objectives.
External factors:
Economic factors
Mergers or acquisitions
Natural environment
Political factors
Social factors
Corporate citizenship
Privacy
Terrorism
Technological factors
Emerging technology
Internal factors:
Infrastructure
Complexity of systems
Personnel
Process
Technology
Security breaches
Lists can help management identify factors, evaluate their importance, and examine those
that can affect objectives.
Identifying events at the activity and entity levels allows companies to focus their risk
assessment on major business units or functions and align their risk tolerance and risk
appetite.
Companies usually use two or more of the following techniques together to identify
events:
Examine data on prior events to identify trends and causes that help identify
possible events.
Analyze processes
Analyze internal and external factors that affect inputs, processes, and
outputs to identify events that might help or hinder the process.
The fourth and fifth components of COSOs ERM model are risk assessment and risk
response.
Inherent risk
Residual risk
The risk that exists before management takes any steps to control the
likelihood or impact of a risk.
Companies should:
Develop a response
Reduce it
Accept it
The most effective way to reduce the likelihood and impact of risk is to
implement an effective system of internal controls.
Share it
Avoid it
May require:
Sale of a division
Accountants:
Assess and reduce inherent risk using the risk assessment and response strategy.
Event identification
The first step in risk assessment and response strategy is event identification, which
we have already discussed.
Some events pose more risk because they are more probable than others.
Some events pose more risk because their dollar impact would be more significant.
If either increases, the materiality of the event and the need to protect against it
rises.
Identify controls
Management must identify one or more controls that will protect the company from
each event.
However, if preventive controls fail, detective controls are needed to discover the
problem, and corrective controls are needed to recover.
Consequently, the three complement each other, and a good internal control
system should have all three.
Also, some controls negatively affect operational efficiency, and too many controls
can make it very inefficient.
Reduced losses
Competitive advantages
Lost sales
Lower productivity
After estimating benefits and costs, management determines if the control is cost
beneficial, i.e., is the cost of implementing a control procedure less than the change
in expected loss that would be attributable to the change?
In evaluating costs and benefits, management must consider factors other than those in
the expected benefit calculation.
Hobby Hole is trying to decide whether to install a motion detector system in its
warehouse to reduce the probability of a catastrophic theft.
Local crime statistics suggest that the probability of a catastrophic theft at Hobby
Hole is 12%.
Companies with motion detectors only have about a .5% probability of catastrophic
theft.
The present value of purchasing and installing a motion detector system and paying
future security costs is estimated to be about $43,000.
When controls are cost effective, they should be implemented so risk can be
reduced.
If the risk is within the company's risk tolerance, they will typically accept the risk.
A reduce or share response is used to bring residual risk into an acceptable risk
tolerance range.
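The likelihood-times-impact test described above, worked through in code. This is an added example and not part of the original notes: the Hobby Hole probabilities (12% without motion detectors, 0.5% with them) and the $43,000 present-value cost are taken from the notes, but the notes do not state the dollar loss of a catastrophic theft, so the loss figure below is an assumption, and the break-even function shows how much the decision hinges on it.

```python
"""Cost-benefit test for a control, in the expected-loss terms used above.

Added example, not part of the original notes.  The Hobby Hole figures
(12% theft probability without motion detectors, 0.5% with them, a
$43,000 present-value cost) are taken from the notes; the notes do not
give the dollar loss of a catastrophic theft, so LOSS_IF_THEFT is an
assumed figure and the break-even function shows how much the decision
depends on it.
"""


def expected_loss(likelihood, impact):
    """Exposure of one event: probability of occurrence times dollar impact."""
    return likelihood * impact


def rank_events(events):
    """Order (name, likelihood, impact) triples by expected loss, largest first.

    Raising either factor raises the expected loss, which is the notes'
    'materiality' of the event.
    """
    return sorted(events, key=lambda e: expected_loss(e[1], e[2]), reverse=True)


def control_benefit(p_without, p_with, impact):
    """Change in expected loss attributable to the control."""
    return expected_loss(p_without, impact) - expected_loss(p_with, impact)


def is_cost_effective(p_without, p_with, impact, control_cost):
    """The notes' test: is the control's cost less than the reduction in expected loss?"""
    return control_cost < control_benefit(p_without, p_with, impact)


def break_even_impact(p_without, p_with, control_cost):
    """Smallest loss-if-event at which the control just pays for itself."""
    reduction = p_without - p_with
    if reduction <= 0:
        raise ValueError("control does not reduce likelihood; no break-even")
    return control_cost / reduction


# Hobby Hole inputs from the notes; the loss figure is assumed for illustration.
P_THEFT_WITHOUT = 0.12
P_THEFT_WITH = 0.005
CONTROL_COST = 43_000.0
LOSS_IF_THEFT = 500_000.0  # assumption: not stated in the notes


def hobby_hole_decision(loss_if_theft=LOSS_IF_THEFT):
    """Return the numbers management would look at for the motion-detector decision."""
    return {
        "benefit": control_benefit(P_THEFT_WITHOUT, P_THEFT_WITH, loss_if_theft),
        "cost": CONTROL_COST,
        "cost_effective": is_cost_effective(
            P_THEFT_WITHOUT, P_THEFT_WITH, loss_if_theft, CONTROL_COST
        ),
        "break_even_loss": break_even_impact(P_THEFT_WITHOUT, P_THEFT_WITH, CONTROL_COST),
    }


if __name__ == "__main__":
    for key, value in hobby_hole_decision().items():
        print(f"{key}: {value}")
```

With the notes' probabilities the control lowers the likelihood by 0.115, so the detectors pay for themselves only if a catastrophic theft would cost more than roughly $374,000; below that figure the "accept" response is the cost-effective one.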
CONTROL ACTIVITIES
Control activities are policies, procedures, and rules that provide reasonable assurance
that managements control objectives are met and their risk responses are carried out.
Controls are much more effective when built in on the front end.
Management must also establish a set of procedures to ensure control compliance and
enforcement.
Usually, the purview of the information security officer and the operations staff.
More people are on vacation and fewer around to mind the store.
Segregation of duties
Management lacks the time and resources to supervise each employee activity and
decision.
Employees who process transactions should verify the presence of the appropriate
authorizations.
Auditors review transactions for proper authorization, as their absence indicates a possible
control problem.
General authorization
Special authorization
Management should have written policies for both types of authorization and for all types
of transactions.
Segregation of duties
Good internal control requires that no single employee be given too much
responsibility over business transactions or processes.
Duplicate billings
Therefore, anyone who has unrestricted access to the computer, its programs, and
live data could have the opportunity to perpetrate and conceal fraud.
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Use design provided by the systems analysts to write the computer programs
for the information system.
Computer operations
Ensure that data are input properly, correctly processed, and needed output
is produced.
Help users determine their information needs and design systems to meet
those needs.
Programming
Systems analysts
Users
Ensures that all aspects of the system are secure and protected from internal
and external threats.
Change management
Ensures that all applicable devices are linked to the organization's internal
and external networks and that the networks operate continuously and
properly.
Data control
Allowing a person to do two or more jobs exposes the company to the possibility of
fraud.
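A mechanical check for the segregation rule just stated, as an added example that is not part of the original notes. The nine IS functions are the ones listed above and the rule applied is the notes' own (one person holding two or more of them is a conflict); the users, groups and group nesting are constructed sample data that would in practice be exported from the directory or IAM system. Nesting is included because a conflict inherited through a parent group is the kind a manual review misses.

```python
"""Segregation-of-duties (SoD) check over a constructed role assignment.

Added example, not from the original notes.  The nine IS functions are the
ones listed above, and the rule applied is the notes' own: one person
holding two or more of them is a conflict.  Users, groups and group nesting
are constructed sample data; in practice the three dictionaries would be
filled from the directory (e.g. group membership exported from AD or an
IAM system).
"""
from collections import defaultdict
from itertools import combinations

IS_FUNCTIONS = {
    "systems_administration", "network_management", "security_management",
    "change_management", "users", "systems_analysis", "programming",
    "computer_operations", "data_control",
}

# Constructed: which group grants which IS function.
GROUP_FUNCTIONS = {
    "sysadmins": {"systems_administration"},
    "netops": {"network_management"},
    "secteam": {"security_management"},
    "cab": {"change_management"},
    "developers": {"programming"},
    "analysts": {"systems_analysis"},
    "operators": {"computer_operations"},
    "datactl": {"data_control"},
    "app_users": {"users"},  # transaction-entering users of the application
}

# Constructed: parent group -> groups nested inside it.  Every member of
# 'developers' is therefore also a member of 'sysadmins'.
GROUP_NESTING = {"sysadmins": {"developers"}}

# Constructed: direct group membership.
USER_GROUPS = {
    "alice": {"developers"},          # inherits sysadmins through nesting
    "bob": {"operators", "app_users"},
    "carol": {"analysts"},
    "dave": {"secteam", "cab"},
}


def effective_groups(user, user_groups=USER_GROUPS, nesting=GROUP_NESTING):
    """Direct groups plus every group reached by walking nesting upward."""
    parents = defaultdict(set)
    for parent, children in nesting.items():
        for child in children:
            parents[child].add(parent)
    seen, todo = set(), list(user_groups.get(user, ()))
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(parents[group])
    return seen


def effective_functions(user, user_groups=USER_GROUPS, nesting=GROUP_NESTING,
                        group_functions=GROUP_FUNCTIONS):
    """IS functions the user ends up holding through all effective groups."""
    held = set()
    for group in effective_groups(user, user_groups, nesting):
        held |= group_functions.get(group, set())
    return held & IS_FUNCTIONS


def sod_conflicts(user_groups=USER_GROUPS, nesting=GROUP_NESTING,
                  group_functions=GROUP_FUNCTIONS):
    """Map each user with two or more IS functions to the conflicting pairs."""
    report = {}
    for user in sorted(user_groups):
        held = effective_functions(user, user_groups, nesting, group_functions)
        if len(held) >= 2:
            report[user] = sorted(combinations(sorted(held), 2))
    return report


if __name__ == "__main__":
    for user, pairs in sod_conflicts().items():
        for first, second in pairs:
            print(f"SoD conflict: {user} holds {first} and {second}")
```

Running it flags alice (programming plus the inherited systems administration), bob (operations plus an application user role) and dave (security management plus change approval); carol, an analyst only, is clean.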
In addition to adequate segregation of duties, organizations should ensure that the people
who design, develop, implement, and operate the IS are qualified and well trained.
It's important to have a formal, appropriate, and proven methodology to govern the
development, acquisition, implementation, and maintenance of information systems
and related technologies.
User involvement
Analysis
Design
Testing
Implementation
Conversion
Examples abound of poorly managed projects that have wasted large sums of money
because certain basic principles of project management control were ignored.
Each year, the board and top management should prepare and approve the
plan and its supporting budget.
Project controls
Project costs
Each project should be assigned to a manager and team who are responsible
for its success or failure.
Steering committee
Post-implementation review
To simplify and improve systems development, some companies hire a systems integrator
a vendor who uses common standards and manages the development effort using their
own personnel and those of the client and other vendors.
Many companies rely on the integrator's assurance that the project will be
completed on time.
These third-party systems development projects are subject to the same cost
overruns and missed deadlines as systems developed internally.
When using systems integrators, companies should adhere to the same basic rules used
for project management of internal projects. In addition, they should:
Explicit deadlines
Should include department managers from all units that will use the
system.
Change management is the process of making sure that the changes do not
negatively affect:
Systems reliability
Security
Confidentiality
Integrity
Availability
Proper design and use of documents and records helps ensure accurate and
complete recording of all relevant transaction data.
Those used to transfer assets should have a space for the receiving party's
signature.
Correcting errors.
When people consider safeguarding assets, they most often think of cash and
physical assets, such as inventory and equipment.
According to the ACFE's 2004 National Fraud Survey, theft of information made up
only 17.3% of non-cash misappropriations; however, the median cost of an
information theft was $340,000. This cost was 126% higher than the next most
costly non-asset theft. (Equipment theft had a median cost of $150,000.)
Many people mistakenly believe that the greatest risks companies face are from outsiders.
However, employees pose a much greater risk when it comes to loss of data because:
Trying to fix hardware or software without appropriate expertise (i.e., when in doubt,
unplug it).
These actions can result in crashed networks, corrupt data, and hardware and software
malfunctions.
Companies also face significant risks from customers and vendors that have access to
company data.
Many steps can be taken to safeguard both information and physical assets from theft,
unauthorized use, and vandalism. Chapters 7 and 8 discuss computer-based controls. In
addition, it is important to:
Use cash registers, safes, lockboxes, and safe deposit boxes to limit
access to cash, securities, and paper assets.
Internal checks to ensure that transactions are processed accurately are an important
control element.
Top-level reviews
Prior-period performance
Analytical reviews
EXAMPLE: If credit sales increased significantly during the period and there
were no changes in credit policy, then bad debt expense should probably
have increased also.
EXAMPLES:
Bank reconciliations
Double-entry accounting
Independent review
The primary purpose of the AIS is to gather, record, process, store, summarize, and
communicate information about an organization.
Accountants must also understand the accounting records and procedures, supporting
documents, and specific financial statement accounts involved in processing and reporting
transactions.
The preceding items facilitate an audit trail which allows for transactions to be traced from
origin to financial statements and vice versa.
Though they differ with respect to the type of transactions processed, all accounting
subsystems follow the same sequence of procedures, referred to as accounting cycles.
MONITORING
Can measure ERM effectiveness through a formal evaluation or through a self-assessment process.
Involves:
Suggest improvements.
Cost parameters can be entered to balance acceptable levels of risk tolerance and cost-effectiveness.
Software is also available to monitor and combat viruses, spyware, spam, pop-up ads, and
to prevent browsers from being hijacked.
Also helps companies recover from frauds and malicious actions and restore systems to
pre-incident status.
System transactions and activities should be recorded in a log which indicates who
accessed what data, when, and from which terminal.
Logs should be reviewed frequently to monitor system activity and trace any problems to
their source.
Companies that monitor system activities need to ensure they do not violate employee
privacy rights.
Employers must therefore ensure that employees realize their business communications
are not private. One way to accomplish that objective is to have written policies that
employees agree to in writing which indicate:
Emails received on company computers are not private and can be read by
supervisory personnel.
Employees should not use technology in any way to contribute to a hostile work
environment.
The Business Software Alliance (BSA) aggressively tracks down and fines companies
who violate software license agreements.
To monitor risk and detect fraud and errors, the company should have periodic:
External audits
Internal audits
Auditors should test system controls and browse system usage files looking for
suspicious activities (discussed in Chapter 9).
Again, care should be exercised that employees' privacy rights are not violated.
Therefore, inform employees that auditors will conduct random surveillance, which:
Creates a perception of detection that can deter crime and reduce errors
Excess overtime
Under-used assets
Obsolete inventory
Production bottlenecks
The head should report to the audit committee of the board of directors rather than to the
controller or CFO.
Many companies also use outside computer consultants or in-house teams to test
and evaluate their security procedures and computer systems.
SOX
SAS-99
Most forensic accountants are CPAs and may have received special training with the FBI,
CIA, or other law enforcement agencies.
In particular demand are those with the necessary computer skills to ferret out and
combat fraudsters who use sophisticated technology to perpetrate their crimes.
Management may also need to call on computer forensic specialists for help.
Fraud
Sabotage
Retrieving information from emails and databases that users thought they had
erased
People who commit fraud tend to follow certain patterns and leave behind clues.
Some companies employ neural networks (programs that mimic the brain and
have learning capabilities), which are very accurate in identifying suspected fraud.
For example, if a husband and wife were each using the same credit card in two
different stores at the same time, a neural network would probably flag at least one
of the transactions immediately as suspicious.
These networks and other recent advances in fraud detection software are
significantly reducing the incidences of credit card fraud.
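A small log-review routine that applies the two ideas above: the activity log that records who accessed what data, when, and from which terminal, and the "same card used in two stores at the same time" pattern. This is an added example, not code from the original notes, and it uses plain rules rather than the neural networks the notes mention. The log lines, the authorization table, the business-hours window and the five-minute concurrency window are all constructed assumptions.

```python
"""Rule-based review of an access log, as an added example (not from the notes).

Three checks a reviewer would run over the who/what/when/terminal log the
notes describe:
  1. access to an object the user is not authorized for,
  2. access to sensitive data outside business hours,
  3. the same user active from two different terminals within a short
     window, the access-log analogue of one card used in two stores at once.
The log format, authorization table and thresholds are all constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the notes); one event per line.
SAMPLE_LOG = """\
2024-03-04T08:02:11 user=alice action=READ object=payroll terminal=T-12
2024-03-04T08:03:40 user=alice action=READ object=payroll terminal=T-31
2024-03-04T09:15:02 user=bob action=WRITE object=vendor_master terminal=T-07
2024-03-04T22:47:19 user=carol action=READ object=payroll terminal=T-07
2024-03-04T10:05:55 user=bob action=READ object=payroll terminal=T-07
2024-03-04T13:30:00 user=alice action=READ object=payroll terminal=T-12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) terminal=(?P<term>\S+)$"
)

# Constructed authorization table and thresholds (assumptions).
AUTHORIZED = {"alice": {"payroll"}, "bob": {"vendor_master"}, "carol": {"payroll"}}
SENSITIVE = {"payroll", "vendor_master"}
BUSINESS_HOURS = (7, 19)               # 07:00 inclusive to 19:00 exclusive
CONCURRENCY_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts'; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])  # logs are not always in order


def review_log(events, authorized=AUTHORIZED):
    """Return (kind, user, detail, timestamp) findings for the three checks."""
    findings = []
    last_seen = {}  # user -> (timestamp, terminal) of the previous event
    for event in events:
        user, ts, term, obj = event["user"], event["ts"], event["term"], event["obj"]
        if obj not in authorized.get(user, set()):
            findings.append(("unauthorized_object", user, obj, ts))
        if obj in SENSITIVE and not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", user, obj, ts))
        prev = last_seen.get(user)
        if prev and prev[1] != term and ts - prev[0] <= CONCURRENCY_WINDOW:
            findings.append(("concurrent_terminals", user, f"{prev[1]}/{term}", ts))
        last_seen[user] = (ts, term)
    return findings


def run_sample():
    """Review the constructed sample log."""
    return review_log(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, detail, ts in run_sample():
        print(f"{ts.isoformat()} {kind}: {user} {detail}")
```

On the sample it raises alice's two terminals 89 seconds apart, bob reading payroll he is not authorized for, and carol's 22:47 payroll read; the concurrency rule deliberately ignores repeated use of the same terminal, which is what makes it a "two stores at once" check rather than a frequency check.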
People who witness fraudulent behavior are often torn between conflicting feelings.
But they are uncomfortable in the whistleblower role and find it easier to
remain silent.
They are particularly reluctant to report if they know of others who have suffered
repercussions from doing so.
SOX mandates that companies set up mechanisms for employees to anonymously report
abuses such as fraud.
An effective way to comply with the law and resolve employee concerns is to
provide access to an anonymous hotline.
Phone lines
Web-based reporting
Anonymous emails
Snail mail
Outsourcing is available through a number of third parties and offers several benefits,
including:
24/7 availability.
Low cost.
The ACFE's 2004 Report to the Nation indicates that companies without fraud hotlines had
median fraud losses that were 140% higher than companies that had fraud hotlines.