CHAPTER 6
Romney/Steinbart
1 of 315
INTRODUCTION
Questions to be addressed in this chapter:
What are the basic internal control concepts, and why are computer control and security important?
What is the difference between the COBIT, COSO, and ERM control frameworks?
What are the major elements in the internal environment of a company?
What are the four types of control objectives that companies need to set?
What events affect uncertainty, and how can they be identified?
How is the Enterprise Risk Management model used to assess and respond to risk?
What control activities are commonly used in companies?
How do organizations communicate information and monitor control processes?
Why AIS threats are increasing
Control risks have increased in the last few years because:
There are computers and servers everywhere, and information is available to an unprecedented number of workers.
Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.
Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
Computer control problems are often underestimated and downplayed.
Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
Productivity and cost pressures may motivate management to forego time-consuming control measures.
Some vocabulary terms for this chapter:
A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
The likelihood is the probability that the threat will occur.
2008 Prentice Hall Business Publishing
Control and security are important
Companies are now recognizing the problems and taking positive steps to achieve better control, including:
Devoting full-time staff to security and control concerns.
Educating employees about control measures.
Establishing and enforcing formal information security policies.
Making controls a part of the applications development process.
Moving sensitive data to more secure environments.
To use IT in achieving control objectives, accountants must:
Understand how to protect systems from threats.
Have a good understanding of IT and its capabilities and risks.
Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
Computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files.
Segregation of duties must be achieved differently in an AIS.
Computers provide opportunities for enhancement of some internal controls.
One of the primary objectives of an AIS is to control a business organization.
Accountants must help by designing effective control systems and auditing or reviewing control systems already in place to ensure their effectiveness.
It is much easier to build controls into a system during the initial stage than to add them after the fact.
Consequently, accountants and control experts should be members of the teams that develop or modify information systems.
Levers of Control
A belief system
A boundary system
A diagnostic control system: provides concise feedback to enable management to adjust and fine-tune.
CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
The COBIT framework
The COSO internal control framework
COSO's Enterprise Risk Management framework (ERM)
COBIT framework
Also known as the Control Objectives for Information and Related Technology framework.
Developed by the Information Systems Audit and Control Foundation (ISACF).
A framework of generally applicable information systems security and control practices for IT control.
The COBIT framework allows:
Management to benchmark security and control practices of IT environments.
Users of IT services to be assured that adequate security and control exists.
Auditors to substantiate their opinions on internal control and advise on IT security and control matters.
The framework addresses the issue of control from three vantage points or dimensions:
Business objectives
IT resources, which include: people, application systems, technology, facilities, and data.
IT processes, broken into four domains.
COBIT consolidates standards from 36 different sources into a single framework.
It is having a big impact on the IS profession.
Helps managers to learn how to balance risk and control investment in an IS environment.
Provides users with greater assurance that security and IT controls provided by internal and third parties are adequate.
Guides auditors as they substantiate their opinions and provide advice to management on internal controls.
COSO's internal control framework
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
In 1992, COSO issued the Internal Control Integrated Framework:
Defines internal controls.
Provides guidance for evaluating and enhancing internal control systems.
Widely accepted as the authority on internal controls.
Incorporated into policies, rules, and regulations used to control business activities.
COSO's internal control model has five crucial components:
- Control environment
- Control activities
- Risk assessment
- Information and communication
- Monitoring
Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.
Result: Enterprise Risk Management Integrated Framework (ERM)
An enhanced corporate governance document.
Expands on elements of the preceding framework.
Provides a focus on the broader subject of enterprise risk management.
Intent of ERM is to achieve all goals of the internal control framework and help the organization:
Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.
Achieve its financial and performance targets.
Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.
Avoid adverse publicity and damage to the entity's reputation.
ERM defines risk management as:
A process effected by an entity's board of directors, management, and other personnel.
Applied in strategy setting and across the enterprise.
To identify potential events that may affect the entity.
And manage risk to be within its risk appetite.
In order to provide reasonable assurance of the achievement of entity objectives.
Basic principles behind ERM:
Companies are formed to create value for owners.
Management must decide how much uncertainty they will accept.
Uncertainty can result in:
Risk
Opportunity
The framework should help management manage uncertainty and its associated risk to build and preserve value.
To maximize value, a company must balance its growth and return objectives and risks with efficient and effective use of company resources.
COSO developed a model to illustrate the elements of ERM.
Columns at the top represent the four types of objectives that management must meet to achieve company goals:
Strategic objectives
Operations objectives
Reporting objectives
Compliance objectives
Compliance objectives help the company comply with applicable laws and regulations. External parties often set the compliance rules. Companies in the same industry often have similar concerns in this area.
Columns on the right represent the company's units:
Entire company
Division
Business unit
Subsidiary
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Event identification requires management to identify events that may affect the company's ability to implement its strategy and achieve its objectives.
Management must then determine whether these events represent:
Risks (negative-impact events requiring assessment and response); or
Opportunities (positive-impact events that influence strategy and objective-setting processes).
Risk assessment
Risk response
Control activities
Control activities: to implement management's risk responses, policies and procedures are established and implemented throughout the various levels and functions of the organization. This corresponds to the control activities element in the COSO internal control framework.
Information and communication
Monitoring
Monitoring: ERM processes must be monitored on an ongoing basis and modified as needed. This is accomplished with ongoing management activities and separate evaluations. Deficiencies are reported to management. This is the corresponding module in the COSO internal control framework.
The ERM model is three-dimensional.
This means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.
ERM framework vs. the internal control framework
The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX.
However, there are issues with it.
It has too narrow a focus.
Examining controls without first examining the purposes and risks of business processes provides little context for evaluating the results.
Makes it difficult to know:
Which control systems are most important.
Whether they adequately deal with risk.
Whether important control systems are missing.
May contribute to systems with many controls to protect against risks that are no longer important.
Focusing on controls first has an inherent bias toward past problems and concerns.
These issues led to COSO's development of the ERM framework.
Takes a risk-based, rather than controls-based, approach to the organization.
Oriented toward future and constant change.
Incorporates rather than replaces COSO's internal control framework and contains three additional elements:
Setting objectives.
Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.
Developing a response to assessed risk.
Controls are flexible and relevant because they are linked to current organizational objectives.
ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.
Over time, ERM will probably become the most widely adopted risk and control model.
Consequently, its eight components are the topic of the remainder of the chapter.
INTERNAL ENVIRONMENT
The most critical component of the ERM and the internal control framework.
Is the foundation on which the other seven components rest.
Influences how organizations:
Establish strategies and objectives
Structure business activities
Identify, assess, and respond to risk
Internal environment consists of the following:
Management's philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
Management's philosophy, operating style, and risk appetite
An organization's management has shared beliefs and attitudes about risk.
That philosophy affects everything the organization does, long- and short-term, and affects their communications.
Companies also have a risk appetite, which is the amount of risk a company is willing to accept to achieve its goals and objectives.
That appetite needs to be in alignment with company strategy.
The more responsible management's philosophy and operating style, the more likely employees will behave responsibly.
This philosophy must be clearly communicated to all employees; it is not enough to give lip service.
Management must back up words with actions; if they show little concern for internal controls, then neither will employees.
This component can be assessed by asking questions such as:
Does management take undue business risks or assess potential risks and rewards before acting?
Does management attempt to manipulate performance measures such as net income?
Does management pressure employees to achieve results regardless of methods, or do they demand ethical behavior?
The board of directors
An active and involved board of directors plays an important role in internal control. They should:
Oversee management
Scrutinize management's plans, performance, and activities
Approve company strategy
Review financial results
Annually review the company's security policy
Interact with internal and external auditors
Directors should possess management, technical, or other expertise, knowledge, or experience, as well as a willingness to advocate for shareholders.
At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.
Public companies must have an audit committee, composed entirely of independent, outside directors.
The audit committee oversees:
The company's internal control structure;
Its financial reporting process; and
Its compliance with laws, regulations, and standards.
Commitment to integrity, ethical values, and competence
Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence.
Ethical standards of behavior make for good business.
Tone at the top is everything.
Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.
Companies can endorse integrity as a basic operating principle by actively teaching and requiring it.
Management should:
Make it clear that honest reports are more important than favorable ones.
Not assume that employees would always act honestly.
Consistently reward and encourage honesty.
Give verbal labels to honest and dishonest acts.
The combination of these two will produce more consistent moral behavior.
Management should develop clearly stated policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct.
In particular, such a code would cover issues that are uncertain or unclear.
Dishonesty often appears when situations are gray and employees rationalize the most expedient action as opposed to making a right vs. wrong choice.
SOX only requires a code of ethics for senior financial management. However, the ACFE suggests that companies create a code of conduct for all employees:
Should be written at a fifth-grade level.
Should be reviewed annually with employees and signed.
This approach helps employees keep themselves out of trouble.
Helps the company if they need to take legal action against the employee.
Management should require employees to report dishonest, illegal, or unethical behavior and discipline employees who knowingly fail to report.
Reports of dishonest acts should be thoroughly investigated.
Those found guilty should be dismissed.
Prosecution should be undertaken when possible, so that other employees are clear about consequences.
The levers of control, particularly beliefs and boundary systems, can be used to create the kind of commitment to integrity an organization wants.
Requires more than lip service and signing forms.
Must be systems in which top management actively participates in order to:
Demonstrate the importance of the system.
Create buy-in and a team spirit.
Companies must make a commitment to competence.
Begins with having competent employees.
Varies with each job but is a function of knowledge, experience, training, and skills.
Organizational structure
A company's organizational structure defines its lines of authority, responsibility, and reporting.
Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.
Important aspects of organizational structure:
Statistically, fraud occurs more frequently in organizations with complex structures.
The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or
The structure may be intentionally complex to facilitate the fraud.
In today's business world, the hierarchical organizations with many layers of management are giving way to flatter organizations with self-directed work teams.
Team members are empowered to make decisions without multiple layers of approvals.
Emphasis is on continuous improvement rather than on regular evaluations.
These changes have a significant impact on the nature and type of controls needed.
Methods of assigning authority and responsibility
Management should make sure:
Employees understand the entity's objectives.
Authority and responsibility for business objectives is assigned to specific departments and individuals.
Authority and responsibility are assigned through:
Human resources standards
Employees are both the company's greatest control strength and the greatest control weakness.
Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.
Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization's vulnerability.
The following policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality insurance and fidelity bonds
Hiring
Should be based on educational background, relevant work experience, past achievements, honesty and integrity, and how well candidates meet written job requirements.
Employees should undergo a formal, in-depth employment interview.
Resumes, reference letters, and thorough background checks are critical.
Background checks can involve:
Verifying education and experience.
Talking with references.
Checking for criminal records, credit issues, and other publicly available data.
Note that you must have the employee's or candidate's written permission to conduct a background check, but that permission does not need to have an expiration date.
Background checks are important because recent studies show that about 50% of resumes have been falsified or embellished.
Sometimes professional firms are hired to do the background checks because applicants are becoming more aggressive in their deceptions.
Some get phony degrees from online diploma mills.
A Pennsylvania district attorney recently filed suit against a Texas university for issuing an MBA to the DA's 6-year-old black cat.
Compensating
Employees should be paid a fair and competitive wage.
Poorly compensated employees are more likely to feel the resentment and financial pressures that lead to fraud.
Appropriate incentives can motivate and reinforce outstanding performance.
Policies on training
Training programs should familiarize new employees with:
Their responsibilities.
Expected performance and behavior.
Company policies, procedures, history, culture, and operating style.
Many believe employee training and education are the most important elements of fraud prevention and security programs.
Fraud is less likely to occur when employees believe security is everyone's business.
An ideal corporate culture exists when:
Employees are proud of their company and protective of its assets.
They believe fraud hurts everyone and that they therefore have a responsibility to report it.
These cultures do not just happen. They must
be created, taught, and practiced, and the
following training should be provided:
Fraud awareness
Employees should be aware of fraud's prevalence and dangers, why people do it, and how to deter and detect it.
Ethical considerations
The company should promote ethical standards in its
practice and its literature.
Acceptable and unacceptable behavior should be defined
and labeled, leaving as little gray area as possible.
Punishment for fraud and unethical behavior.
Employees should know the consequences (e.g.,
reprimand, dismissal, prosecution) of bad behavior.
Should be disseminated as a consequence rather
than a threat.
EXAMPLE: Using a computer to steal or commit
fraud is a federal crime, and anyone doing so
faces immediate dismissal and/or prosecution.
The company should display notices of program
and data ownership and advise employees of the
penalties of misuse.
Training can take place through:
Informal discussions
Formal meetings
Periodic memos
Written guidelines
Codes of ethics
Circulating reports of unethical behavior and
its consequences
Promoting security and fraud training
programs
Evaluating and promoting
Do periodic performance appraisals to help
employees understand their strengths and
weaknesses.
Base promotions on performance and
qualifications.
Discharging
Fired employees are disgruntled employees.
Disgruntled employees are more likely to commit sabotage or fraud against the company.
Employees who are terminated (whether
voluntary or involuntary) should be removed
from sensitive jobs immediately and denied
access to information systems.
Managing disgruntled employees
Disgruntled employees may be isolated and/or
unhappy, but are much likelier fraud candidates than
satisfied employees.
The organization can try to reduce the employee's pressures through grievance channels and counseling.
Difficult to do because many employees feel that seeking
counseling will stigmatize them in their jobs.
Vacations and rotation of duties
Some fraud schemes, such as lapping and
kiting, cannot continue without the constant
attention of the perpetrator.
Mandatory vacations or rotation of duties can
prevent these frauds or lead to early
detection.
These measures will only be effective if
someone else is doing the job while the usual
employee is elsewhere.
Confidentiality agreements and fidelity
bond insurance
Employees, suppliers, and contractors should
be required to sign and abide by
nondisclosure or confidentiality agreements.
Key employees should have fidelity bond
insurance coverage to protect the company
against losses from fraudulent acts by those
employees.
In addition to the preceding policies, the company should seek prosecution and incarceration of hackers and fraud perpetrators.
Most fraud cases and hacker attacks go unreported, and they are not prosecuted for several reasons.
Companies fear:
Public relations nightmares
Copycat attacks
Law enforcement officials and courts are busy with
violent crimes and may regard teen hacking as
childish pranks.
Fraud is difficult, costly, and time-consuming to
investigate and prosecute.
Law enforcement officials, lawyers, and judges often
lack the computer skills needed to investigate,
prosecute, and evaluate computer crimes.
When cases are prosecuted and a conviction
obtained, penalties are often very light. Judges often
regard the perps as model citizens.
Internal environment consists of the following:
Management's philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and
competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
External influences
External influences that affect the control
environment include requirements imposed
by:
FASB
PCAOB
SEC
Insurance commissions
Regulatory agencies for banks, utilities, etc.
OBJECTIVE SETTING
Objective setting is the second ERM component.
It must precede many of the other six components.
For example, you must set objectives before you can define events that affect your ability to achieve objectives.
Top management, with board approval, must
articulate why the company exists and what it
hopes to achieve.
Often referred to as the corporate vision or mission.
Objectives set at the corporate level are
linked to and integrated with a cascading
series of sub-objectives in the various subunits.
For each set of objectives:
Critical success factors (what has to go right)
must be defined.
Performance measures should be established
to determine whether the objectives are met.
Objective-setting process proceeds as follows:
First, set strategic objectives, the high-level goals that support the company's mission and create value for shareholders.
To meet these objectives, identify alternative ways of
accomplishing them.
For each alternative, identify and assess risks and
implications.
Formulate a corporate strategy.
Then set operations, compliance, and reporting
objectives.
As a rule of thumb:
The mission and strategic objectives are
stable.
The strategy and other objectives are more
dynamic:
Must be adapted to changing conditions.
Must be realigned with strategic objectives.
Operations objectives:
Are a product of management preferences,
judgments, and style.
Vary significantly among entities:
One may adopt technology; another waits until the
bugs are worked out.
Compliance and reporting objectives:
Many are imposed by external entities, e.g.:
Reports to IRS or to EPA
Financial reports that comply with GAAP
EVENT IDENTIFICATION
Events are incidents or occurrences that emanate from internal or external sources and that affect implementation of strategy or achievement of objectives.
Impact can be positive, negative, or both.
Events can range from obvious to obscure.
Effects can range from inconsequential to highly significant.
By their nature, events represent
uncertainty:
Will they occur?
If so, when?
And what will the impact be?
Will they trigger another event?
Will they happen individually or concurrently?
Management must do its best to anticipate all possible events, positive or negative, that might affect the company:
Try to determine which are most and least likely.
Understand the interrelationships of events.
EVENT IDENTIFICATION
Some of these factors include:
External factors:
Economic factors:
Availability of capital; lower or higher costs of capital
Lower barriers to entry, resulting in new competition
Price movements up or down
Ability to issue credit and possibility of default
Concentration of competitors, customers, or vendors
Presence or absence of liquidity
Movements in the financial markets or currency fluctuations
Rising or lowering unemployment rates
Mergers or acquisitions
Potential regulatory, contractual, or criminal legal liability
Natural environment
Political factors (Election of government)
Social factors
Technological factors
Internal factors:
Infrastructure
Personnel
Process
Technology
EVENT IDENTIFICATION
Lists can help management identify factors,
evaluate their importance, and examine those
that can affect objectives.
Identifying events at the activity and entity levels
allows companies to focus their risk assessment
on major business units or functions and align
their risk tolerance and risk appetite.
Companies usually use two or more of the following techniques together to identify events:
Use comprehensive lists of potential events
Perform an internal analysis
Monitor leading events and trigger points: Appropriate transactions, activities, and events are monitored and compared to predefined criteria to determine when action is needed.
Conduct workshops and interviews: Employee knowledge and expertise is gathered in structured discussions or individual interviews.
Perform data mining and analysis: Examine data on prior events to identify trends and causes that help identify possible events.
Analyze processes: Analyze internal and external factors that affect inputs, processes, and outputs to identify events that might help or hinder the process.
RISK ASSESSMENT AND RISK RESPONSE
Risk responses: Reduce it, Accept it, Share it, Avoid it
(Figure: risk assessment and risk response flowchart, beginning with event identification; its decision whether it is cost-beneficial to protect the system branches to "Yes" or "No", and "No" leads to avoid, share, or accept the risk.)
Estimate likelihood and impact
Some events pose more risk because they are more probable than others.
Some events pose more risk because their dollar impact would be more significant.
Likelihood and impact must be considered together: if either increases, the materiality of the event and the need to protect against it rises.
Identify controls
Management must identify one or more controls that will protect the company from each event.
In evaluating benefits of each control procedure, consider effectiveness and timing.
All other factors equal, a preventive control is better than a detective one.
However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
Consequently, the three complement each other, and a good internal control system should have all three.
Similarly, a company should use all four levers of control.
Estimate costs and benefits
It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.
The benefits of an internal control procedure must exceed its costs.
Benefits can be hard to quantify, but include:
Increased sales and productivity
Reduced losses
Better integration with customers and suppliers
Increased customer loyalty
Competitive advantages
Lower insurance premiums
Costs are usually easier to measure than benefits.
Primary cost is personnel, including:
Time to perform control procedures
Costs of hiring additional employees to effectively segregate duties
Costs of programming controls into a system
Other costs of a poor control system include:
Lost sales
Lower productivity
Drop in stock price if security problems arise
Shareholder or regulator lawsuits
Fines and penalties imposed by governmental agencies
The value of a control procedure is the difference between:
Expected loss with control procedure
Expected loss without it
Determine cost-benefit effectiveness
After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the change?
In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation.
If an event threatens an organization's existence, it may be worthwhile to institute controls even if costs exceed expected benefits.
The additional cost can be viewed as a catastrophic loss insurance premium.
Implement the control or avoid, share, or accept the risk
When controls are cost effective, they should be implemented so risk can be reduced.
Risks that are not reduced must be accepted, shared, or avoided.
If the risk is within the company's risk tolerance, they will typically accept the risk.
A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
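As an added worked example (not from Romney/Steinbart), the Python below carries the estimate-likelihood-and-impact, estimate-costs-and-benefits and respond steps above through code: expected loss is likelihood times impact, a control's value is the reduction in expected loss, it is cost-beneficial when its cost is less than that reduction, and the response follows the accept, reduce-or-share, avoid rules, including the catastrophic-loss override. The events, risk tolerance and dollar figures are constructed.

```python
"""Cost-benefit screening of controls and ERM risk response (added example).

Expected loss = likelihood x impact. Value of a control = expected loss without
it minus expected loss with it. A control is cost-beneficial when its cost is
less than that reduction. All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class RiskEvent:
    name: str
    likelihood: float                   # estimated probability of occurring in a year
    impact: float                       # estimated dollar loss if it occurs
    threatens_existence: bool = False   # could end the organization if it occurs


@dataclass(frozen=True)
class RiskOption:
    name: str
    kind: str                    # "reduce" (a control) or "share" (e.g. insurance)
    annual_cost: float           # personnel time, programming, premiums ...
    residual_likelihood: float   # likelihood with the option in place
    residual_impact: float       # impact with the option in place


@dataclass(frozen=True)
class Response:
    action: str                  # accept | reduce | share | avoid
    option: Optional[str]
    residual_expected_loss: float
    net_benefit: float           # control value minus cost (0 for accept/avoid)


def expected_loss(likelihood: float, impact: float) -> float:
    return likelihood * impact


def residual_loss(option: RiskOption) -> float:
    return expected_loss(option.residual_likelihood, option.residual_impact)


def control_value(event: RiskEvent, option: RiskOption) -> float:
    """Reduction in expected loss attributable to the option."""
    return expected_loss(event.likelihood, event.impact) - residual_loss(option)


def is_cost_beneficial(event: RiskEvent, option: RiskOption) -> bool:
    return option.annual_cost < control_value(event, option)


def choose_response(event: RiskEvent, options: Sequence[RiskOption],
                    risk_tolerance: float) -> Response:
    """Apply the decision rules from the slides to one event."""
    inherent = expected_loss(event.likelihood, event.impact)
    if inherent <= risk_tolerance:              # within tolerance: accept as is
        return Response("accept", None, inherent, 0.0)
    # Reduce or share: must bring residual risk within tolerance AND be cost-beneficial.
    viable = [o for o in options
              if residual_loss(o) <= risk_tolerance and is_cost_beneficial(event, o)]
    if viable:
        best = max(viable, key=lambda o: control_value(event, o) - o.annual_cost)
        return Response(best.kind, best.name, residual_loss(best),
                        control_value(event, best) - best.annual_cost)
    if event.threatens_existence and options:
        # Catastrophic-loss "insurance premium": institute the option that cuts
        # residual risk the most even though its cost exceeds the expected benefit.
        best = min(options, key=residual_loss)
        return Response(best.kind, best.name, residual_loss(best),
                        control_value(event, best) - best.annual_cost)
    # No cost-effective way into tolerance: avoid the activity that creates the risk.
    return Response("avoid", None, 0.0, 0.0)


# Constructed scenario: an order-entry system, tolerance of $20,000 expected loss per year.
TOLERANCE = 20_000.0
RANSOMWARE = RiskEvent("ransomware on order-entry server", 0.25, 400_000.0)
PHISHING = RiskEvent("credential phishing, contained quickly", 0.5, 2_000.0)
FIRE = RiskEvent("data-centre fire", 0.125, 400_000.0, threatens_existence=True)
RANSOMWARE_OPTIONS = [
    RiskOption("offline backups with tested restores", "reduce", 30_000.0, 0.25, 40_000.0),
    RiskOption("cyber insurance with $80k deductible", "share", 25_000.0, 0.25, 80_000.0),
]
FIRE_OPTIONS = [RiskOption("hot disaster-recovery site", "reduce", 80_000.0, 0.125, 40_000.0)]

if __name__ == "__main__":
    for event, opts in ((RANSOMWARE, RANSOMWARE_OPTIONS), (PHISHING, []), (FIRE, FIRE_OPTIONS)):
        print(event.name, "->", choose_response(event, opts, TOLERANCE))
```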
CONTROL ACTIVITIES
The sixth component of COSO's ERM model.
Control activities are policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and their risk responses are carried out.
It is management's responsibility to develop a secure and adequately controlled system.
Controls are much more effective when built in on the
front end.
Consequently, systems analysts, designers, and end
users should be involved in designing adequate
computer-based control systems.
It is critical that controls be in place during
the year-end holiday season. A
disproportionate amount of computer
fraud and security break-ins occur during
this time because:
More people are on vacation and fewer
around to mind the store.
Students are not tied up with school.
Counterculture hackers may be lonely.
Generally, control procedures fall into one
of the following categories:
Proper authorization of transactions and
activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguard assets, records, and data
Independent checks on performance
Proper authorization of transactions
and activities
Management lacks the time and resources to
supervise each employee activity and
decision.
Consequently, they establish policies and
empower employees to perform activities
within policy.
This empowerment is called authorization and is an important part of an organization's control procedures.
Authorizations are often documented by signing, initialing, or entering an authorization code.
Computer systems can record digital
signatures as a means of signing a document.
Employees who process transactions should
verify the presence of the appropriate
authorizations.
Auditors review transactions for proper
authorization, as their absence indicates a
possible control problem.
Typically at least two levels of authorization:
General authorization
Management authorizes employees to handle routine
transactions without special approval.
Special authorization
For activities or transactions that are of significant
consequences, management review and approval is required.
Might apply to sales, capital expenditures, or
write-offs over a particular dollar limit.
Segregation of duties
Good internal control requires that no single
employee be given too much responsibility
over business transactions or processes.
An employee should not be in a position to
commit and conceal fraud or unintentional
errors.
Segregation of duties is discussed in two
sections:
Segregation of accounting duties
Segregation of duties within the systems function
Segregation of accounting duties
Effective segregation of accounting duties is achieved when the following functions are separated:
Authorization: Approving transactions and decisions.
Recording: Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
Custody: Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization's bank account.
CUSTODIAL FUNCTIONS: Handling cash; handling inventories, tools, or fixed assets; writing checks; receiving checks in mail.
RECORDING FUNCTIONS: Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; preparing performance reports.
AUTHORIZATION FUNCTIONS: Authorization of transactions.
EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft.
SOLUTION: The pink fence (segregation of custody and recording) prevents employees from falsifying records to conceal theft of assets entrusted to them.
EXAMPLE OF PROBLEM: A person who has custody of checks for transactions that he has authorized can authorize fictitious transactions and then steal the payments.
SOLUTION: The green fence (segregation of custody and authorization) prevents employees from authorizing fictitious or inaccurate transactions as a means of concealing a theft.
EXAMPLE OF PROBLEM: A person who can authorize a transaction and keep records related to the transactions can authorize and record fictitious payments that might, for example, be sent to the employee's home address or the address of a shell company he creates.
SOLUTION: The purple fence (segregation of
CONTROL ACTIVITIES
In a system that incorporates an effective
separation of duties, it should be difficult
for any single employee to commit
embezzlement successfully.
But when two or more people collude,
then segregation of duties becomes
impotent and controls are overridden.
Employees can collude with other employees or
with customers or vendors.
The most frequent forms of employee/vendor collusion include:
Billing at inflated prices
Performing substandard work and receiving full
payment
Payment for non-performance
Duplicate billings
Improperly funneling more work to or purchasing
more goods from a colluding company
The most frequent forms of employee/customer collusion include:
Unauthorized loans or insurance payments
Receipt of assets or services at unauthorized
discount prices
Forgiveness of amounts owed
Unauthorized extension of due dates
Segregation of duties within the
systems function
In a highly integrated information system,
procedures once performed by separate
individuals are combined.
Therefore, anyone who has unrestricted
access to the computer, its programs, and live
data could have the opportunity to perpetrate
and conceal fraud.
To combat this threat, organizations must
implement effective segregation of duties
within the IS function.
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Change management
Users: Record transactions, authorize data to be processed, and use system output.
Systems analysts: Help users determine their information needs and design systems to meet those needs.
Programming: Use design provided by the systems analysts to write the computer programs for the information system.
Computer operations
Information systems library: Maintains custody of corporate databases, files, and programs in a separate storage area.
Data control: Ensures that source data have been properly approved; monitors the flow of work through the computer; reconciles input and output; maintains a record of input errors to ensure their correction and resubmission; distributes system output.
CONTROL ACTIVITIES
It is important that different people perform the
preceding functions.
Allowing a person to do two or more jobs exposes the
company to the possibility of fraud.
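As an added example (not the textbook's own code), the Python below implements the two segregation-of-duties checks described above, the three accounting "fences" and the one-person-per-IS-function rule, together with the authorization verification from the earlier control-activities slides: presence of an authorization, special approval above a dollar limit, and the authorizer not also being the recorder or custodian. Employee names, role assignments and the dollar limits are constructed.

```python
"""Segregation-of-duties and authorization checks (added example).

Function names follow the slides; employees, assignments and limits are constructed.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# The three accounting "fences": no one person may hold both functions of a pair.
ACCOUNTING_CONFLICTS = {
    frozenset({"custody", "recording"}),        # steal cash, falsify records to conceal it
    frozenset({"custody", "authorization"}),    # authorize fictitious payments, take the checks
    frozenset({"authorization", "recording"}),  # authorize and record fictitious payments
}

# Within the IS function, each of these should be performed by a different person.
IS_FUNCTIONS = (
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysts", "programming",
    "computer operations", "information systems library", "data control",
)


def accounting_conflicts(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (employee, function_a, function_b) for every fence one person crosses."""
    findings = []
    for employee, functions in sorted(assignments.items()):
        for a, b in combinations(sorted(functions), 2):
            if frozenset({a, b}) in ACCOUNTING_CONFLICTS:
                findings.append((employee, a, b))
    return findings


def is_function_conflicts(assignments: Dict[str, Set[str]]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return employees holding two or more IS functions, with the functions held."""
    findings = []
    for employee, functions in sorted(assignments.items()):
        held = tuple(f for f in IS_FUNCTIONS if f in functions)
        if len(held) >= 2:
            findings.append((employee, held))
    return findings


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    kind: str                       # "sale", "capital_expenditure" or "write_off"
    amount: float
    authorized_by: Optional[str]    # None: no authorization on the document
    recorded_by: str
    custodian: str                  # who handles the cash, goods or checks
    special_approval_by: Optional[str] = None   # management sign-off, if any


# Special authorization is required above these limits (constructed values).
SPECIAL_AUTH_LIMITS = {"sale": 10_000.0, "capital_expenditure": 5_000.0, "write_off": 1_000.0}


def authorization_problems(txn: Transaction, managers: Set[str]) -> List[str]:
    """Checks a processing clerk should make before accepting a transaction."""
    problems = []
    if txn.authorized_by is None:
        problems.append("no authorization recorded")
    limit = SPECIAL_AUTH_LIMITS.get(txn.kind)
    if limit is not None and txn.amount > limit and txn.special_approval_by not in managers:
        problems.append(f"{txn.kind} of {txn.amount:,.2f} exceeds {limit:,.0f} limit: "
                        "management approval required")
    roles = {"authorization": txn.authorized_by, "recording": txn.recorded_by, "custody": txn.custodian}
    for a, b in combinations(sorted(roles), 2):
        if roles[a] is not None and roles[a] == roles[b]:
            problems.append(f"{roles[a]} performs both {a} and {b}")
    return problems


# Constructed sample data.
ASSIGNMENTS = {
    "alice": {"custody", "recording"},
    "bob": {"authorization"},
    "carol": {"recording"},
    "dave": {"programming", "computer operations"},
    "erin": {"security management"},
}
MANAGERS = {"frank"}
TRANSACTIONS = [
    Transaction("T1", "sale", 4_000.0, "bob", "carol", "alice"),
    Transaction("T2", "write_off", 2_500.0, "bob", "carol", "alice"),
    Transaction("T3", "capital_expenditure", 7_000.0, "bob", "bob", "alice", "frank"),
    Transaction("T4", "sale", 500.0, None, "carol", "alice"),
]

if __name__ == "__main__":
    print(accounting_conflicts(ASSIGNMENTS))
    print(is_function_conflicts(ASSIGNMENTS))
    for t in TRANSACTIONS:
        print(t.txn_id, authorization_problems(t, MANAGERS))
```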
Project development and acquisition controls
It's important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies.
Should contain appropriate controls for:
Management review and approval
User involvement
Analysis
Design
Testing
Implementation
Conversion
Should make it possible for management to trace information
inputs from source to disposition and vice versa (the audit
trail).
The following basic principles of control should be
applied to systems development in order to reduce the
potential for cost overruns and project failure and to
improve the efficiency and effectiveness of the IS:
Strategic master plan
Project controls
Data processing schedule: Data processing tasks should be organized according to a schedule to maximize the use of scarce computer resources.
To be evaluated properly, a system should be assessed
with measures such as:
Throughput (output per unit of time)
To simplify and improve systems development,
some companies hire a systems integrator, a
vendor who uses common standards and
manages the development effort using their own
personnel and those of the client and other
vendors.
Many companies rely on the integrator's assurance
that the project will be completed on time.
Unfortunately, the integrator is often wrong.
These third-party systems development projects are
subject to the same cost overruns and missed
deadlines as systems developed internally.
To manage these risks, companies that use an integrator should:
Develop clear specifications
Change management controls
Organizations constantly modify their information
systems to reflect new business practices and take
advantage of information technology advances.
Change management is the process of making sure
that the changes do not negatively affect:
Systems reliability
Security
Confidentiality
Integrity
Availability
Design and use of adequate documents and
records
Proper design and use of documents and records
helps ensure accurate and complete recording of all
relevant transaction data.
Form and content should be kept as simple as
possible to:
Promote efficient record keeping
Minimize recording errors
Facilitate review and verification
Documents should be sequentially prenumbered:
To reduce the likelihood that they will be used
fraudulently.
To help ensure that all valid transactions are
recorded.
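Prenumbering only pays off if someone actually accounts for the sequence: a gap may be an unrecorded transaction, a duplicate may be a reused form. The block below is an added example, not code from the slides, showing the completeness check over a constructed batch of invoice numbers; the treatment of voided forms (retained but not reported as missing) is an assumption of the example.

```python
# Added example (not from the Romney/Steinbart slides): a check that a
# batch of sequentially prenumbered documents is complete, with no gaps
# (possible unrecorded transactions) and no duplicates (possible reuse).


def check_document_sequence(numbers, voided=()):
    """Check prenumbered document numbers for gaps and duplicates.

    numbers: iterable of integer document numbers recorded in the batch.
    voided:  document numbers known to have been voided; a voided form is
             retained, not used, so it is not reported as missing.
    Returns a dict with sorted lists of 'missing' and 'duplicate' numbers
    over the range from the smallest to the largest number recorded.
    """
    counts = {}
    for n in numbers:
        counts[n] = counts.get(n, 0) + 1
    if not counts:
        return {"missing": [], "duplicate": []}
    lo, hi = min(counts), max(counts)
    voided = set(voided)
    missing = [n for n in range(lo, hi + 1)
               if n not in counts and n not in voided]
    duplicate = sorted(n for n, c in counts.items() if c > 1)
    return {"missing": missing, "duplicate": duplicate}


# Constructed sample batch: sales invoices 1001-1008 with one voided form.
SAMPLE_INVOICES = [1001, 1002, 1002, 1004, 1006, 1007, 1008]
SAMPLE_VOIDED = {1005}

if __name__ == "__main__":
    print(check_document_sequence(SAMPLE_INVOICES, SAMPLE_VOIDED))
```

The voided set is the important edge case: without it every legitimately spoiled form shows up as a gap, and reviewers learn to ignore the report.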
Safeguard assets, records, and data
When people consider safeguarding assets, they
most often think of cash and physical assets, such as
inventory and equipment.
Another company asset that needs to be protected is
information.
According to the ACFE's 2004 National Fraud Survey,
theft of information made up only 17.3% of non-cash
misappropriations; however, the median cost of an
information theft was $340,000. This cost was 126%
higher than the next most costly non-asset theft.
(Equipment theft had a median cost of $150,000.)
Many people mistakenly believe that the
greatest risks companies face are from
outsiders.
However, employees pose a much greater
risk when it comes to loss of data
because:
They know the system and its weaknesses
better.
They are better able to hide their illegal acts.
Insiders also create less-intentional threats to
systems, including:
Accidentally deleting company data.
Turning viruses loose.
Trying to fix hardware or software without appropriate
expertise (i.e., when in doubt, unplug it).
Many steps can be taken to safeguard
both information and physical assets from
theft, unauthorized use, and vandalism.
Chapters 7 and 8 discuss computer-based
controls. In addition, it is important to:
Maintain accurate records of all assets
Periodically reconcile recorded amounts to
physical counts.
Restrict access to assets:
Use restricted storage areas for inventories and equipment.
Use cash registers, safes, lockboxes, and safe deposit boxes.
Use fireproof storage areas, locked filing cabinets, and backups.
[Figure: ledger example, $1,000]
Internal checks to ensure that transactions
are processed accurately are an important
control element.
These checks should be performed by
someone independent of the party(ies)
responsible for the activities.
The following independent checks are
typically used:
Top-level reviews
Analytical reviews
Reconciliation of independently maintained sets of records
Comparison of actual quantities with recorded amounts: Periodically, count significant assets.
Double-entry accounting: Ensure that debits equal credits.
Independent review: After one person processes a transaction, another reviews their work.
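Two of the checks in that list, reconciliation of independently maintained records and the debits-equal-credits test, are mechanical enough to automate, which is what makes them useful as independent checks: the person running them need not be the person who made the entries. The block below is an added example, not code from the slides; the journal and ledger data are constructed, amounts are integer cents, and the record layouts are assumptions of the example.

```python
# Added example (not from the Romney/Steinbart slides): two of the
# independent checks listed above, implemented over constructed data.
# Amounts are integers in cents so that comparisons are exact.


def double_entry_check(journal):
    """Return the ids of journal entries whose debits do not equal credits.

    journal: dict mapping entry id -> list of (side, amount_cents) lines,
    where side is "debit" or "credit".
    """
    unbalanced = []
    for entry_id, lines in journal.items():
        debits = sum(amount for side, amount in lines if side == "debit")
        credits = sum(amount for side, amount in lines if side == "credit")
        if debits != credits:
            unbalanced.append(entry_id)
    return sorted(unbalanced)


def reconcile(records_a, records_b):
    """Compare two independently maintained sets of records keyed by
    document number (for instance a subsidiary ledger kept by one clerk
    against the control-account detail kept by another).

    Returns a dict with the document numbers found only in A, only in B,
    and those present in both but with different amounts.
    """
    only_in_a = sorted(set(records_a) - set(records_b))
    only_in_b = sorted(set(records_b) - set(records_a))
    mismatched = sorted(k for k in records_a
                        if k in records_b and records_a[k] != records_b[k])
    return {"only_in_a": only_in_a, "only_in_b": only_in_b,
            "mismatched": mismatched}


# Constructed sample data for the demonstration.
SAMPLE_JOURNAL = {
    "JE-1": [("debit", 100000), ("credit", 100000)],                 # balanced
    "JE-2": [("debit", 45000), ("debit", 5000), ("credit", 50000)],  # balanced
    "JE-3": [("debit", 120000), ("credit", 102000)],                 # transposition error
}
SUBSIDIARY_LEDGER = {"INV-101": 25000, "INV-102": 40000, "INV-103": 15000}
CONTROL_DETAIL = {"INV-101": 25000, "INV-102": 4000, "INV-104": 15000}

if __name__ == "__main__":
    print("Unbalanced entries:", double_entry_check(SAMPLE_JOURNAL))
    print("Reconciliation:", reconcile(SUBSIDIARY_LEDGER, CONTROL_DETAIL))
```

Each finding is a lead for a person to follow up, not a conclusion: an amount mismatch such as INV-102 may be a keying error in either set of records, and only the independent reviewer decides which.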
MONITORING
The eighth component of COSO's ERM model.
Monitoring can be accomplished with a series of ongoing events or by separate evaluations.
Key methods of monitoring performance include:
Perform ERM evaluation
Implement effective supervision
Use responsibility accounting
Monitor system activities
Track purchased software
Conduct periodic audits
Employ a computer security officer and computer consultants
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
Perform ERM evaluation
Can measure ERM effectiveness through a
formal evaluation or through a self-assessment process.
A special group can be assembled to conduct
the evaluation or it can be done by internal
auditing.
Implement effective supervision
Involves:
Use responsibility accounting
Includes use of:
Budgets, quotas, schedules, standard costs, and
quality standards;
Performance reports that compare actual with
planned performance and highlight variances; and
Procedures for investigating significant variances
and taking timely actions to correct adverse
conditions.
Monitor system activities
Risk analysis and management software
packages are available to:
Cost parameters can be entered to
balance acceptable levels of risk tolerance
and cost-effectiveness.
Software is also available to monitor and
combat viruses, spyware, spam, pop-up
ads, and to prevent browsers from being
hijacked.
Such software also helps companies recover from frauds
and malicious actions and restore systems
to pre-incident status.
System transactions and activities should be
recorded in a log which indicates who accessed
what data, when, and from which terminal.
Logs should be reviewed frequently to monitor
system activity and trace any problems to their
source.
Data collected can be used to:
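As an added example of the log review the slide describes (not code from the slides or the textbook), the block below parses a constructed access log recording who accessed what data, when, and from which terminal, flags entries that fall outside each user's authorized data and terminals or outside business hours, and traces every access to a given data item. The log line layout, the authorization table and the 08:00-18:00 business-hours window are all assumptions of the example.

```python
# Added example (not from the Romney/Steinbart slides): reviewing an
# access log of the form "who accessed what data, when, from which
# terminal". Log layout, authorizations and hours are assumed here.
from datetime import datetime

# Constructed sample log: timestamp user data action terminal
SAMPLE_LOG = """\
2008-03-14T09:12:05 alice payroll.db read TERM-07
2008-03-14T09:40:11 bob inventory.db update TERM-12
2008-03-14T23:05:42 alice payroll.db read TERM-07
2008-03-14T10:02:19 bob payroll.db read TERM-12
2008-03-14T11:15:00 carol ledger.db update TERM-03
2008-03-14T11:16:30 carol ledger.db update TERM-19
"""

# Assumed authorization table: which data and terminals each user may use.
AUTHORIZED = {
    "alice": {"data": {"payroll.db"}, "terminals": {"TERM-07"}},
    "bob": {"data": {"inventory.db"}, "terminals": {"TERM-12"}},
    "carol": {"data": {"ledger.db"}, "terminals": {"TERM-03"}},
}
BUSINESS_HOURS = (8, 18)  # assumed: 08:00 inclusive to 18:00 exclusive


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, data, action, terminal = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "data": data, "action": action, "terminal": terminal})
    return events


def review_log(events, authorized=AUTHORIZED, hours=BUSINESS_HOURS):
    """Return (line_number, reason) for every event that needs follow-up."""
    findings = []
    for lineno, e in enumerate(events, 1):
        profile = authorized.get(e["user"])
        if profile is None:
            findings.append((lineno, f"unknown user {e['user']}"))
            continue
        if e["data"] not in profile["data"]:
            findings.append((lineno, f"{e['user']} not authorized for {e['data']}"))
        if e["terminal"] not in profile["terminals"]:
            findings.append((lineno, f"{e['user']} used unapproved terminal {e['terminal']}"))
        if not hours[0] <= e["time"].hour < hours[1]:
            findings.append((lineno, "access outside business hours"))
    return findings


def trace(events, data_item):
    """Return (time, user, terminal) for every access to data_item, in
    chronological order, so a problem with that data can be traced."""
    hits = [(e["time"].isoformat(), e["user"], e["terminal"])
            for e in events if e["data"] == data_item]
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for lineno, reason in review_log(evts):
        print(f"line {lineno}: {reason}")
    print(trace(evts, "payroll.db"))
```

The authorization table is what turns a log into a control: without a statement of who is supposed to access what, a reviewer can only read the log, not check it.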
Companies that monitor system activities need to ensure
they do not violate employee privacy rights.
Employers cannot discreetly observe communications of
employees when those employees have a reasonable
expectation of privacy.
Employers must therefore ensure that employees realize
their business communications are not private. One
way to accomplish that objective is to have written
policies that employees agree to in writing which indicate:
The technology employees use on the job belongs to the
company.
Emails received on company computers are not private and can
be read by supervisory personnel.
Employees should not use technology in any way to contribute to
a hostile work environment.
Track purchased software
The Business Software Alliance (BSA) aggressively
tracks down and fines companies who violate
software license agreements.
To comply with copyrights, companies should
periodically conduct software audits to ensure that:
There are enough licenses for all users; and
The company is not paying for more licenses than needed.
Conduct periodic audits
To monitor risk and detect fraud and errors,
the company should have periodic:
External audits
Internal audits
Special network security audits
Again, care should be exercised that
employees' privacy rights are not violated.
Therefore, inform employees that auditors
will conduct random surveillance, which:
Avoids privacy violations
Creates a perception of detection that can
deter crime and reduce errors
Internal auditing involves:
Reviewing the reliability and integrity of
financial and operating information.
Providing an appraisal of internal control
effectiveness.
Assessing employee compliance with
management policies and procedures and
applicable laws and regulations.
Evaluating the efficiency and effectiveness of
management.
Internal audits can detect:
Excess overtime
Under-used assets
Obsolete inventory
Padded expense reimbursements
Excessively loose budgets and quotas
Poorly justified capital expenditures
Production bottlenecks
Internal auditing should be
organizationally independent of the
accounting and operating functions.
The head should report to the audit
committee of the board of directors rather
than to the controller or CFO.
Employ a computer security officer and
computer consultants
The computer security officer (CSO) is in
charge of AIS security
Should be independent of the IS function
Should report to the COO or CEO
Engage forensic specialists
Forensic accountants specialize in fraud
detection and investigation.
Now one of the fastest growing areas of
accounting due to:
SOX
SAS-99
Boards of Directors demanding that forensic accounting
be an ongoing part of the financial reporting and
corporate governance process.
Most forensic accountants are CPAs and may
have received special training with the FBI, CIA,
or other law enforcement agencies.
In particular demand are those with the necessary
computer skills to ferret out and combat fraudsters
who use sophisticated technology to perpetrate their
crimes.
The Association of Certified Fraud Examiners (ACFE)
has created a professional certification program for
fraud examiners.
Management may also need to call on
computer forensic specialists for help.
They assist in discovering, extracting,
safeguarding, and documenting computer
evidence so that its authenticity, accuracy,
and integrity will not succumb to legal
challenges.
Common incidents investigated by
computer forensic experts include:
Improper internet usage
Fraud
Sabotage
Loss, theft, or corruption of data
Retrieving information from emails and
databases that users thought they had erased
Determining who performed certain actions on
a computer
Install fraud detection software
People who commit fraud tend to follow certain patterns and
leave behind clues.
Software has been developed to seek out these fraud
symptoms.
Some companies employ neural networks (programs that
mimic the brain and have learning capabilities), which are very
accurate in identifying suspected fraud.
For example, if a husband and wife were each using the same
credit card in two different stores at the same time, a neural
network would probably flag at least one of the transactions
immediately as suspicious.
These networks and other recent advances in fraud detection
software are significantly reducing the incidences of credit card
fraud.
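The same-card-in-two-stores pattern the slide uses to explain neural-network fraud detection can also be caught by a plain deterministic rule, which is what the added example below does: it is not code from the slides and it is not a neural network, just a window-based check over constructed card transactions. The ten-minute window, the masked card numbers and the store names are assumptions of the example.

```python
# Added example (not from the Romney/Steinbart slides): a rule-based
# detector for the "same card, two stores, same time" symptom. A real
# system would add travel-time-between-stores and learned thresholds.
from datetime import datetime, timedelta

# Constructed sample transactions: (masked card, ISO time, store, amount in cents)
TRANSACTIONS = [
    ("4111****1111", "2008-03-14T12:00:00", "store-A", 4599),
    ("4111****1111", "2008-03-14T12:03:00", "store-B", 12000),  # 3 minutes later, different store
    ("4111****1111", "2008-03-14T15:00:00", "store-A", 2500),   # hours later, not suspicious
    ("5500****0004", "2008-03-14T12:00:00", "store-C", 999),
    ("5500****0004", "2008-03-14T12:01:00", "store-C", 1500),   # same store, not suspicious
]


def flag_concurrent_use(transactions, window=timedelta(minutes=10)):
    """Flag pairs of transactions on the same card at different stores
    within `window` of each other.

    Returns a list of (card, time_1, store_1, time_2, store_2) tuples in
    chronological order of the first transaction.
    """
    by_card = {}
    for card, ts, store, amount in transactions:
        by_card.setdefault(card, []).append((datetime.fromisoformat(ts), store, amount))

    flagged = []
    for card, txs in by_card.items():
        txs.sort()  # chronological, so the inner loop can stop early
        for i in range(len(txs)):
            t1, s1, _ = txs[i]
            for j in range(i + 1, len(txs)):
                t2, s2, _ = txs[j]
                if t2 - t1 > window:
                    break  # later transactions are even further away
                if s1 != s2:
                    flagged.append((card, t1.isoformat(), s1, t2.isoformat(), s2))
    return sorted(flagged, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for card, t1, s1, t2, s2 in flag_concurrent_use(TRANSACTIONS):
        print(f"{card}: {s1} at {t1} and {s2} at {t2}")
```

A flag is a reason to hold or verify a transaction, not proof of fraud; the husband-and-wife case in the slide is exactly the false positive such a rule produces, which is why the output feeds a review step rather than an automatic decline.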
Implement a fraud hotline
People who witness fraudulent behavior are
often torn between conflicting feelings.
They want to protect company assets and report
fraud perpetrators.
But they are uncomfortable in the whistleblower
role and find it easier to remain silent.
SOX mandates that companies set up
mechanisms for employees to anonymously
report abuses such as fraud.
An effective way to comply with the law and resolve
employee concerns is to provide access to an
anonymous hotline.
Anonymous reporting can be accomplished through:
Phone lines
Web-based reporting
Anonymous emails
Snail mail
Outsourcing is available through a number of third
parties and offers several benefits, including:
Increased confidence on the part of employee that his/her
report is truly anonymous.
24/7 availability.
Often have multilingual capabilities, an important plus for
multinational organizations.
The outsourcer may be able to do follow up with the
employee if additional information is needed after the initial
contact.
The employee can be advised of the outcome of his report.
Low cost.
A downside to anonymous reporting
mechanisms is that they will produce a
significant amount of petty or slanderous reports
that do not require investigation.
The ACFE's 2004 Report to the Nation indicates
that companies without fraud hotlines had
median fraud losses that were 140% higher than
companies that had fraud hotlines.
SUMMARY
In this chapter, you've learned about basic internal control
concepts and why computer control and security are so
important.
You've learned about the similarities and differences between
the COBIT, COSO, and ERM control frameworks.
You've learned about the major elements in the internal
control environment of a company and the four types of
control objectives that companies need to set.
You've also learned about events that affect uncertainty and
how these events can be identified.
You've explored how the Enterprise Risk Management model
is used to assess and respond to risk, as well as the control
activities that are commonly used in companies.
Finally, you've learned how organizations communicate
information and monitor control processes.