ais romney 2006 slides 06 control and ais part 1 091101082444 phpapp01
Post on 04-Jun-2018
8/13/2019 Ais Romney 2006 Slides 06 Control and Ais Part 1 091101082444 Phpapp01
1/73
2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 1 of 314
CHAPTER 6
Control and Accounting Information Systems

INTRODUCTION

Questions to be addressed in this chapter:
- What are the basic internal control concepts, and why are computer control and security important?
- What is the difference between the COBIT, COSO, and ERM control frameworks?
- What are the major elements in the internal environment of a company?
- What are the four types of control objectives that companies need to set?
- What events affect uncertainty, and how can they be identified?
- How is the Enterprise Risk Management model used to assess and respond to risk?
- What control activities are commonly used in companies?
- How do organizations communicate information and monitor control processes?

Why AIS Threats Are Increasing

Control risks have increased in the last few years because:
- There are computers and servers everywhere, and information is available to an unprecedented number of workers.
- Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
- Wide area networks are giving customers and suppliers access to each other's systems and data, making confidentiality a major concern.

Historically, many organizations have not adequately protected their data for one or more of the following reasons:
- Computer control problems are often underestimated and downplayed.
- The control implications of moving from centralized, host-based computer systems to networked or Internet-based systems are not always fully understood.
- Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
- Productivity and cost pressures may motivate management to forego time-consuming control measures.

Some vocabulary terms for this chapter:
- A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
- The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
- The likelihood is the probability that the threat will occur.

Control and Security Are Important

Companies are now recognizing the problems and taking positive steps to achieve better control, including:
- Devoting full-time staff to security and control concerns.
- Educating employees about control measures.
- Establishing and enforcing formal information security policies.
- Making controls a part of the applications development process.
- Moving sensitive data to more secure environments.

To use IT in achieving control objectives, accountants must:
- Understand how to protect systems from threats.
- Have a good understanding of IT and its capabilities and risks.

Achieving adequate security and control over the information resources of an organization should be a top management priority.

Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
- Computer processing may reduce clerical errors but increase the risk of unauthorized access to, or modification of, data files.
- Segregation of duties must be achieved differently in an AIS: where a manual system separates tasks by assigning them to different people, an AIS must enforce that separation through access rights within the system itself, since one user account with broad privileges can perform every step of a transaction.
- Computers provide opportunities to enhance some internal controls.

One of the primary objectives of an AIS is to control a business organization. Accountants must help by designing effective control systems and by auditing or reviewing control systems already in place to ensure their effectiveness.

Management expects accountants to be control consultants by:
- Taking a proactive approach to eliminating system threats; and
- Detecting, correcting, and recovering from threats when they do occur.

It is much easier to build controls into a system during the initial stage than to add them after the fact. Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

OVERVIEW OF CONTROL CONCEPTS

In today's dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
- Hire creative and innovative employees.
- Give these employees the power and flexibility to:
  - Satisfy changing customer demands;
  - Pursue new opportunities to add value to the organization; and
  - Implement process improvements.

At the same time, the company needs control systems so that it is not exposed to excessive risks or to behaviors that could harm its reputation for honesty and integrity.

Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
- Assets (including data) are safeguarded. This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
- Records are maintained in sufficient detail to accurately and fairly reflect company assets.
- Accurate and reliable information is provided.
- There is reasonable assurance that financial reports are prepared in accordance with GAAP.
- Operational efficiency is promoted and improved. This objective includes ensuring that company receipts and expenditures are made in accordance with management's and directors' authorizations.
- Adherence to prescribed managerial policies is encouraged.
- The organization complies with applicable laws and regulations.

Internal control is a process because:
- It permeates an organization's operating activities.
- It is an integral part of basic management activities.

Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

Internal control systems have inherent limitations, including:
- They are susceptible to errors and poor decisions.
- They can be overridden by management or by collusion of two or more employees.
- Internal control objectives are often at odds with each other. EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.

Internal controls perform three important functions:
- Preventive controls deter problems before they arise.
- Detective controls discover problems quickly when they do arise.
- Corrective controls remedy problems that have occurred by:
  - Identifying the cause;
  - Correcting the resulting errors; and
  - Modifying the system to prevent future problems of this sort.

Internal controls are often classified as:
- General controls: those designed to make sure an organization's control environment is stable and well managed. They apply to all sizes and types of systems. Example: security management controls.
- Application controls: those that prevent, detect, and correct transaction errors and fraud. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

An effective system of internal controls should exist in all organizations to:
- Help them achieve their missions and goals.
- Minimize surprises.

CONTROL FRAMEWORKS

A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
- The COBIT framework
- The COSO internal control framework
- COSO's Enterprise Risk Management framework (ERM)

COBIT Framework
- Also known as the Control Objectives for Information and Related Technology framework.
- Developed by the Information Systems Audit and Control Foundation (ISACF).
- A framework of generally applicable information systems security and control practices for IT control.

The COBIT framework allows:
- Management to benchmark the security and control practices of IT environments.
- Users of IT services to be assured that adequate security and control exist.
- Auditors to substantiate their opinions on internal control and to advise on IT security and control matters.

The framework addresses the issue of control from three vantage points or dimensions:
- Business objectives. To satisfy business objectives, information must conform to certain criteria referred to as business requirements for information. The criteria are divided into seven distinct yet overlapping categories that map onto the COSO objectives:
  - Effectiveness (relevant, pertinent, and timely)
  - Efficiency
  - Confidentiality
  - Integrity
  - Availability
  - Compliance with legal requirements
  - Reliability
- IT resources, which include:
  - People
  - Application systems
  - Technology
  - Facilities
  - Data
- IT processes, broken into four domains:
  - Planning and organization
  - Acquisition and implementation
  - Delivery and support
  - Monitoring

COBIT consolidates standards from 36 different sources into a single framework. It is having a big impact on the IS profession:
- It helps managers learn how to balance risk and control investment in an IS environment.
- It provides users with greater assurance that the security and IT controls provided by internal and third parties are adequate.
- It guides auditors as they substantiate their opinions and provide advice to management on internal controls.

COSO's Internal Control Framework

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
- The American Accounting Association
- The AICPA
- The Institute of Internal Auditors
- The Institute of Management Accountants
- The Financial Executives Institute

In 1992, COSO issued the Internal Control - Integrated Framework, which:
- Defines internal controls.
- Provides guidance for evaluating and enhancing internal control systems.
- Is widely accepted as the authority on internal controls.
- Has been incorporated into policies, rules, and regulations used to control business activities.

COSO's internal control model has five crucial components:
- Control environment. The core of any business is its people. Their integrity, ethical values, and competence make up the foundation on which everything else rests.
- Control activities. Policies and procedures must be established and executed to ensure that the actions identified by management as necessary to address risks are, in fact, carried out.
- Risk assessment.
- Information and communication. Information and communication systems surround the control activities. They enable the organization's people to capture and exchange the information needed to conduct, manage, and control its operations.
- Monitoring. The entire process must be monitored and modified as necessary.

Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so that organizations could improve the risk management process. The result was the Enterprise Risk Management - Integrated Framework (ERM), which is:
- An enhanced corporate governance document.
- An expansion of the elements of the preceding framework.
- Focused on the broader subject of enterprise risk management.

The intent of ERM is to achieve all the goals of the internal control framework and to help the organization:
- Provide reasonable assurance that company objectives and goals are achieved and that problems and surprises are minimized.
- Achieve its financial and performance targets.
- Assess risks continuously and identify the steps to take and the resources to allocate to overcome or mitigate risk.
- Avoid adverse publicity and damage to the entity's reputation.

ERM defines risk management as a process:
- Effected by an entity's board of directors, management, and other personnel;
- Applied in strategy setting and across the enterprise;
- To identify potential events that may affect the entity;
- And to manage risk to be within its risk appetite;
- In order to provide reasonable assurance of the achievement of entity objectives.

Basic principles behind ERM:
- Companies are formed to create value for their owners.
- Management must decide how much uncertainty it will accept.
- Uncertainty can result in:
  - Risk: the possibility that something will happen to adversely affect the ability to create value, or to erode existing value.
  - Opportunity: the possibility that something will happen to positively affect the ability to create or preserve value.

The framework should help management manage uncertainty and its associated risk to build and preserve value. To maximize value, a company must balance its growth and return objectives and risks with the efficient and effective use of company resources.

COSO developed a model to illustrate the elements of ERM. The model has three dimensions, described in turn below: the columns at the top (the four types of objectives), the columns on the right (the company's units), and the horizontal rows (the risk and control components).

The columns at the top of the model represent the four types of objectives that management must meet to achieve company goals:
- Strategic objectives are high-level goals that are aligned with and support the company's mission.
- Operations objectives deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets.
- Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and a non-financial nature. They improve decision-making and let management monitor company activities and performance more efficiently.
- Compliance objectives help the company comply with applicable laws and regulations. External parties often set the compliance rules, and companies in the same industry often have similar concerns in this area.

ERM can provide reasonable assurance that reporting and compliance objectives will be achieved, because companies have control over them. However, strategic and operations objectives are sometimes at the mercy of external events that the company cannot control. Therefore, in these areas, the only reasonable assurance ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.

The columns on the right of the model represent the company's units:
- Entire company
- Division
- Business unit
- Subsidiary
-
8/13/2019 Ais Romney 2006 Slides 06 Control and Ais Part 1 091101082444 Phpapp01
60/73
2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 60 of 314
CONTROL FRAMEWORKS
The horizontal rows are
eight related risk and
control components,
including:
Internal environment
The tone or culture of the
company.
Provides discipline and
structure and is the foundationfor all other components.
Essentially the same as contro l
env i ronmentin the COSO
internal control framework.
-
8/13/2019 Ais Romney 2006 Slides 06 Control and Ais Part 1 091101082444 Phpapp01
61/73
2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 61 of 314
CONTROL FRAMEWORKS
The horizontal rows are
eight related risk and
control components,
including:
Internal environment Objective setting
Ensures that management implements a process to formulate
strategic, operations, reporting, and compliance objectives thatsupport the companys mission and are consistent with the companys
tolerance for risk.
Strategic objectives are set first as a foundation for the other three.
The objectives provide guidance to companies as they identify risk-
creating events and assess and respond to those risks.
-
8/13/2019 Ais Romney 2006 Slides 06 Control and Ais Part 1 091101082444 Phpapp01
62/73
2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 62 of 314
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Requires management to identify events that may affect the company's ability to implement its strategy and achieve its objectives.
Management must then determine whether these events represent:
Risks (negative-impact events requiring assessment and response); or
Opportunities (positive-impact events that influence strategy and objective-setting processes).
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Risk assessment
Identified risks are assessed to determine how to manage them and how they affect the company's ability to achieve its objectives.
Qualitative and quantitative methods are used to assess risks individually and by category in terms of:
Likelihood
Positive and negative impact
Effect on other organizational units
Risks are analyzed on an inherent and a residual basis.
Corresponds to the risk assessment element in COSO's internal control framework.
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Management aligns identified risks with the company's tolerance for risk by choosing to:
Avoid
Reduce
Share
Accept
Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and the costs and benefits of alternate responses.
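The risk assessment and risk response rows above describe scoring each identified risk by likelihood and impact on an inherent and a residual basis, and then aligning it with the company's risk tolerance through one of the four responses. The Python below is an added example, not code from the slides or the Romney/Steinbart textbook: a small risk register that scores inherent and residual exposure, lists the risks still above tolerance, and gives the entity-wide (portfolio) view by organizational unit. The 1-5 scales, the multiplicative control-effectiveness model, the tolerance threshold of 6 and the four sample events are constructed assumptions for illustration.

```python
"""Added example, not from the Romney/Steinbart slides: a small ERM-style risk
register.  Each identified event is scored on an inherent basis (before any
response) and a residual basis (after the chosen response and its controls),
and the result is compared with a stated risk tolerance.  The 1-5 scales, the
control-effectiveness figures and the sample events are all constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed qualitative scales mapped to numbers (assumption: a 5 x 5 matrix).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The four risk responses named in the ERM framework.
RESPONSES = ("avoid", "reduce", "share", "accept")


@dataclass
class Risk:
    name: str
    unit: str              # organizational unit: one column of the ERM cube
    objective: str         # strategic / operations / reporting / compliance
    likelihood: str
    impact: str
    response: str = "accept"
    # (description, fraction of the remaining exposure the control removes); constructed
    controls: List[Tuple[str, float]] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Exposure with no response in place: likelihood x impact, 1..25."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        """Exposure left after the response.

        'avoid' means the activity is not undertaken, so nothing remains.
        'reduce' and 'share' rely on the listed controls (an insurance policy
        or an outsourcing contract is modelled as a control that removes part
        of the exposure).  'accept' leaves the inherent exposure unchanged."""
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response {self.response!r}")
        if self.response == "avoid":
            return 0.0
        score = float(self.inherent_score())
        if self.response in ("reduce", "share"):
            for _desc, effectiveness in self.controls:
                if not 0.0 <= effectiveness <= 1.0:
                    raise ValueError("control effectiveness must be within 0..1")
                score *= 1.0 - effectiveness
        return round(score, 2)


def exceeds_tolerance(risks: List[Risk], tolerance: float) -> List[str]:
    """Names of risks whose residual exposure is still above the tolerance."""
    return [r.name for r in risks if r.residual_score() > tolerance]


def portfolio_view(risks: List[Risk]) -> Dict[str, float]:
    """Entity-wide view: the highest residual score carried by each unit."""
    view: Dict[str, float] = {}
    for r in risks:
        view[r.unit] = max(view.get(r.unit, 0.0), r.residual_score())
    return view


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("Unauthorized change to payroll master file", "Division A", "reporting",
         "likely", "major", "reduce",
         [("Segregation of duties on master-file updates", 0.5),
          ("Independent review of the change report", 0.5)]),
    Risk("Loss of the only data centre", "Entire company", "operations",
         "possible", "severe", "share",
         [("Business-interruption insurance", 0.6)]),
    Risk("Entering an unfamiliar overseas market", "Business unit B", "strategic",
         "likely", "severe", "avoid"),
    Risk("Vendor invoice keyed twice", "Division A", "operations",
         "almost certain", "minor", "accept"),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:48} inherent={r.inherent_score():2}  residual={r.residual_score():5}")
    print("above tolerance 6:", exceeds_tolerance(SAMPLE_RISKS, 6))
    print("portfolio view:", portfolio_view(SAMPLE_RISKS))
```

Running the register shows the point the slides make about residual versus inherent risk: the payroll risk starts at 16 but two layered controls bring it to 4, the data-centre risk is partly shared through insurance and lands exactly at the tolerance, the avoided market entry carries no exposure at all, and the accepted duplicate-invoice risk is the only item left above tolerance, so it is the one management would need to revisit.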
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
To implement management's risk responses, control policies and procedures are established and implemented throughout the various levels and functions of the organization.
Corresponds to the control activities element in the COSO internal control framework.
CONTROL FRAMEWORKS
The horizontal rows are eight related risk and control components, including:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
ERM processes must be monitored on an ongoing basis and modified as needed.
Accomplished with ongoing management activities and separate evaluations.
Deficiencies are reported to management.
Has a corresponding module in the COSO internal control framework.
CONTROL FRAMEWORKS
The ERM model is three-dimensional.
This means that each of the eight risk and control elements is applied to the four objectives in the entire company and/or one of its subunits.
CONTROL FRAMEWORKS
ERM Framework Vs. the Internal Control Framework
The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX.
However, there are issues with it.
Its focus is too narrow.
Examining controls without first examining the purposes and risks of business processes provides little context for evaluating the results.
This makes it difficult to know:
Which control systems are most important.
Whether they adequately deal with risk.
Whether important control systems are missing.
Focusing on controls first has an inherent bias toward past problems and concerns.
This may contribute to systems with many controls that protect against risks that are no longer important.
CONTROL FRAMEWORKS
These issues led to COSO's development of the ERM framework.
It takes a risk-based, rather than controls-based, approach to the organization.
It is oriented toward the future and constant change.
It incorporates rather than replaces COSO's internal control framework and contains three additional elements:
Setting objectives.
Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.
Developing a response to assessed risk.
CONTROL FRAMEWORKS
Controls are flexible and relevant because they are linked to current organizational objectives.
ERM also recognizes more options than simply controlling risk, which include accepting it, avoiding it, diversifying it, sharing it, or transferring it.
CONTROL FRAMEWORKS
Over time, ERM will probably become the most widely adopted risk and control model.
Consequently, its eight components are the topic of the remainder of the chapter.