INTRODUCTION Why AIS threats are increasing Control risks have increased in the last few years...


Page 1: INTRODUCTION
Why AIS threats are increasing

Control risks have increased in the last few years because:
• There are computers and servers everywhere, and information is available to an unprecedented number of workers.
• Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
• Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.

Page 2: INTRODUCTION
Some vocabulary terms for this chapter:
• A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
• The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
• The likelihood is the probability that the threat will occur.

Pages 3-5: OVERVIEW OF CONTROL CONCEPTS
Internal controls perform three important functions:

Preventive controls
• Deter problems before they arise.

Detective controls
• Discover problems quickly when they do arise.

Corrective controls
• Remedy problems that have occurred by:
  – Identifying the cause;
  – Correcting the resulting errors; and
  – Modifying the system to prevent future problems of this sort.

Pages 6-7: OVERVIEW OF CONTROL CONCEPTS
Internal controls are often classified as:

General controls
• Those designed to make sure an organization’s control environment is stable and well managed.
• They apply to all sizes and types of systems.
• Examples: Security management controls.

Application controls
• Prevent, detect, and correct transaction errors and fraud.
• Concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.

Page 8: OVERVIEW OF CONTROL CONCEPTS
An effective system of internal controls should exist in all organizations to:
• Help them achieve their missions and goals.
• Minimize surprises.

Page 9: CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
• The COBIT framework
• The COSO internal control framework
• COSO’s Enterprise Risk Management framework (ERM)

Page 10: CONTROL FRAMEWORKS
COSO’s internal control framework

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
• The American Accounting Association
• The AICPA
• The Institute of Internal Auditors
• The Institute of Management Accountants
• The Financial Executives Institute

Page 11: CONTROL FRAMEWORKS
In 1992, COSO issued the Internal Control Integrated Framework:
• Defines internal controls.
• Provides guidance for evaluating and enhancing internal control systems.
• Widely accepted as the authority on internal controls.
• Incorporated into policies, rules, and regulations used to control business activities.

Pages 12-16: CONTROL FRAMEWORKS
COSO’s internal control model has five crucial components:

- Control environment
  • The core of any business is its people.
  • Their integrity, ethical values, and competence make up the foundation on which everything else rests.

- Control activities
  • Policies and procedures must be established and executed to ensure that actions identified by management as necessary to address risks are, in fact, carried out.

- Risk assessment
  • The organization must be aware of and deal with the risks it faces.
  • It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.

- Information and communication
  • Information and communications systems surround the control activities.
  • They enable the organization’s people to capture and exchange information needed to conduct, manage, and control its operations.

- Monitoring
  • The entire process must be monitored and modified as necessary.

Pages 17-20: RISK ASSESSMENT AND RISK RESPONSE
Companies should:
• Assess inherent risk
• Develop a response
• Then assess residual risk

The ERM model indicates four ways to respond to risk:

Reduce it
• The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.

Accept it
• Don’t act to prevent or mitigate it.

Share it
• Transfer some of it to others via activities such as insurance, outsourcing, or hedging.

Avoid it
• Don’t engage in the activity that produces it.
• May require:
  – Sale of a division
  – Exiting a product line
  – Canceling an expansion plan

Page 21: RISK ASSESSMENT AND RISK RESPONSE
Accountants:
• Help management design effective controls to reduce inherent risk.
• Evaluate internal control systems to ensure they are operating effectively.
• Assess and reduce inherent risk using the risk assessment and response strategy.

Page 22: RISK ASSESSMENT AND RISK RESPONSE
Event identification

The first step in the risk assessment and response strategy is event identification, which we have already discussed.

Flowchart (shown on this and each of the following slides):
1. Identify the events or threats that confront the company
2. Estimate the likelihood or probability of each event occurring
3. Estimate the impact of potential loss from each threat
4. Identify set of controls to guard against threat
5. Estimate costs and benefits from instituting controls
6. Is it cost-beneficial to protect system?
   Yes: Reduce risk by implementing set of controls to guard against threat
   No: Avoid, share, or accept risk

Page 23: RISK ASSESSMENT AND RISK RESPONSE
Estimate likelihood and impact
• Some events pose more risk because they are more probable than others.
• Some events pose more risk because their dollar impact would be more significant.
• Likelihood and impact must be considered together: if either increases, the materiality of the event and the need to protect against it rises.


Page 24: RISK ASSESSMENT AND RISK RESPONSE
Identify controls
• Management must identify one or more controls that will protect the company from each event.
• In evaluating benefits of each control procedure, consider effectiveness and timing.


Page 25: RISK ASSESSMENT AND RISK RESPONSE
All other factors equal:
• A preventive control is better than a detective one.
• However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
• Consequently, the three complement each other, and a good internal control system should have all three.
• Similarly, a company should use all four levers of control.


Page 26: RISK ASSESSMENT AND RISK RESPONSE
Estimate costs and benefits
• It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
• Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.


Page 27: RISK ASSESSMENT AND RISK RESPONSE
The benefits of an internal control procedure must exceed its costs.

Benefits can be hard to quantify, but include:
• Increased sales and productivity
• Reduced losses
• Better integration with customers and suppliers
• Increased customer loyalty
• Competitive advantages
• Lower insurance premiums


Page 28: RISK ASSESSMENT AND RISK RESPONSE
Costs are usually easier to measure than benefits.

Primary cost is personnel, including:
• Time to perform control procedures
• Costs of hiring additional employees to effectively segregate duties
• Costs of programming controls into a system


Page 29: RISK ASSESSMENT AND RISK RESPONSE
Other costs of a poor control system include:
• Lost sales
• Lower productivity
• Drop in stock price if security problems arise
• Shareholder or regulator lawsuits
• Fines and penalties imposed by governmental agencies


Page 30: RISK ASSESSMENT AND RISK RESPONSE
The expected loss related to a risk is measured as:

Expected loss = impact x likelihood

The value of a control procedure is the difference between:
• Expected loss without the control procedure
• Expected loss with the control procedure


Page 31: RISK ASSESSMENT AND RISK RESPONSE
Determine cost-benefit effectiveness

After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the reduction in expected loss attributable to that control?


Page 32: RISK ASSESSMENT AND RISK RESPONSE
In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation. If an event threatens an organization’s existence, it may be worthwhile to institute controls even if costs exceed expected benefits. The additional cost can be viewed as a catastrophic loss insurance premium.


Page 33: RISK ASSESSMENT AND RISK RESPONSE
Let’s go through an example:

Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
• A catastrophic theft could result in losses of $800,000.
• Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
• Companies with motion detectors only have about a .5% probability of catastrophic theft.
• The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.

Should Hobby Hole install the motion detectors?
• Expected loss without control procedure = $800,000 x .12 = $96,000.
• Expected loss with control procedure = $800,000 x .005 = $4,000.
• Estimated value of control procedure = $96,000 - $4,000 = $92,000.
• Estimated cost of control procedure = $43,000 (given).
• Benefits exceed costs by $92,000 - $43,000 = $49,000.
• In this case, Hobby Hole should probably install the motion detectors.
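As an added example that is not part of the slides, the Python below carries the Hobby Hole calculation through the flowchart's decision node in general form: expected loss = impact x likelihood, the value of a control as the change in expected loss, and the implement-or-avoid/share/accept decision, including the catastrophic-loss caveat for events that threaten the organization's existence. The Threat class, the existential flag and the second, low-value threat are constructed for illustration; only the Hobby Hole figures come from the slides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One row of the risk assessment (hypothetical structure, not from the slides)."""
    name: str
    impact: float              # dollar loss if the event occurs
    likelihood: float          # probability of the event without the control
    likelihood_with: float     # probability of the event with the control in place
    control_cost: float        # present value of implementing and running the control
    existential: bool = False  # hypothetical flag: would the event threaten the company's existence?


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood, as defined on the slides."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood must be a probability in [0, 1], got {likelihood}")
    if impact < 0:
        raise ValueError("impact is a dollar loss and cannot be negative")
    return impact * likelihood


def control_value(t: Threat) -> float:
    """Value of a control procedure: expected loss without it minus expected loss with it."""
    without_control = expected_loss(t.impact, t.likelihood)
    with_control = expected_loss(t.impact, t.likelihood_with)
    return without_control - with_control


def net_benefit(t: Threat) -> float:
    """Benefits minus costs; positive means the control is cost-beneficial."""
    return control_value(t) - t.control_cost


def recommend(t: Threat) -> str:
    """Decision node of the flowchart.

    Cost-beneficial -> reduce the risk by implementing the control.
    Not cost-beneficial -> avoid, share, or accept the risk, unless the event
    threatens the organization's existence, in which case the extra cost is
    treated as a catastrophic loss insurance premium and the control is still
    recommended.
    """
    if net_benefit(t) > 0:
        return "reduce: implement control"
    if t.existential:
        return "reduce: implement control (catastrophic loss insurance premium)"
    return "avoid, share, or accept"


# Hobby Hole figures are taken from the slides; the second threat is a
# constructed case in which the control does not pay for itself.
HOBBY_HOLE = Threat("catastrophic warehouse theft", 800_000, 0.12, 0.005, 43_000)
SHRINKAGE = Threat("minor inventory shrinkage", 20_000, 0.10, 0.02, 5_000)


if __name__ == "__main__":
    for t in (HOBBY_HOLE, SHRINKAGE):
        print(f"{t.name}: control value ${control_value(t):,.0f}, "
              f"net benefit ${net_benefit(t):,.0f} -> {recommend(t)}")
```

Running it reproduces the slide's $92,000 control value and $49,000 net benefit for Hobby Hole, while the constructed shrinkage case lands on the "No" branch of the flowchart.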

Page 34: RISK ASSESSMENT AND RISK RESPONSE
Implement the control or avoid, share, or accept the risk

When controls are cost effective, they should be implemented so risk can be reduced.


Page 35: RISK ASSESSMENT AND RISK RESPONSE
Risks that are not reduced must be accepted, shared, or avoided.
• If the risk is within the company’s risk tolerance, they will typically accept the risk.
• A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
• An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
