Chapter 7 - Controlling Information Systems: Introduction to Enterprise Risk Management and Internal Control Accounting Information Systems 8e Ulric J. Gelinas and Richard Dull © 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use


Chapter 7 - Controlling Information Systems:

Introduction to Enterprise Risk Management and Internal Control

Accounting Information Systems 8e

Ulric J. Gelinas and Richard Dull



Learning Objectives

• Summarize the eight elements of COSO’s Enterprise Risk Management—Integrated Framework.

• Understand that management employs internal control systems as part of organizational and IT governance initiatives.

• Describe how internal control systems help organizations achieve objectives and respond to risks.

• Describe fraud, computer fraud, and computer abuse.

• Enumerate control goals for operations and information processes.

• Describe the major categories of control plans.


Why are Controls Needed?

1. To provide reasonable assurance that the goals of each business process are being achieved.

2. To mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts).

3. To provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.


Components of Enterprise Risk Management (ERM)

• Internal Environment – Encompasses the tone of an organization.

– Sets the basis for how risk is viewed and addressed by an entity’s people.

– Includes risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

• Objective Setting

– Objectives must exist before management can identify potential events affecting their achievement.

– ERM ensures management has a process in place to set objectives and that the objectives support and align with the entity’s mission and are consistent with its risk appetite.

Objective Setting


Components of ERM (Cont’d.)

• Event Identification

– Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.

– Opportunities are channeled back to management’s strategy or objective-setting processes.

• Risk Assessment

– Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.

– Risks are assessed on an inherent and a residual basis.

• Risk Response

– Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.


Risk Assessment and Residual Risk

1. Estimate the annual dollar loss should a costly event, e.g., a destructive fire, take place. Assume an estimated loss of $1,000,000.

2. Estimate the annual probability that the event will occur (i.e., the likelihood). Assume the estimate is 5 percent.

3. Multiply item 1 by item 2 to get an initial expected gross risk (loss) of $50,000 ($1,000,000 × 0.05). This is the maximum amount or upper limit that should be paid for controls and the related risk reduction offered by such controls, in a given year.

4. If the company pays $1,000 annually (cost of control) for a $20,000 fire insurance policy (reduced risk exposure due to the control), the expected gross risk (loss) remains at $50,000. The company’s residual expected risk exposure is now $31,000 [$50,000 - ($20,000 – $1,000)]: the expected loss is reduced by the policy’s coverage, net of the premium paid for it.


Risk Assessment and Residual Risk (Cont.)

5. Assume the company installs a sprinkler system with a 5-year annualized cost (net present value) of $10,000 each year to install and maintain (cost of control). The sprinkler system lowered the likelihood of a damaging fire from 5 to 2 percent so the insurance company agreed to increase its coverage to $30,000 while holding the annual premium constant at $1,000.

6. The residual expected risk exposure is $1,000, calculated as follows: expected gross risk ($20,000, or $1,000,000 × 0.02) less the insurance coverage ($30,000) gives a net gain of $10,000; subtracting the insurance premium ($1,000) and the sprinkler system cost ($10,000) leaves a residual expected risk of $1,000.
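The six steps above as a small calculator. This is an added example, not code from the textbook: the `Control` record, `expected_gross_loss`, `residual_risk`, `within_budget` and `probability_weighted` are names chosen here, and the dollar figures are the slides’ own. `residual_risk` follows the slides’ convention exactly (coverage subtracted in full from the expected loss, control costs added back). `probability_weighted` goes beyond the slides: it shows the conventional expected-value treatment, in which an insurer only pays when the fire actually happens.

```python
"""Residual-risk arithmetic for the fire example (steps 1-6).

Added example; not code from the textbook. residual_risk() encodes the
slides' convention: expected gross loss = loss x annual probability, with
insurance coverage subtracted in full and each control's annual cost added.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Control:
    """A control: what it costs per year and what it buys (field names are assumptions)."""
    name: str
    annual_cost: float                       # premium, or annualized install/maintain cost
    coverage: float = 0.0                    # dollars the insurer pays if the event occurs
    new_probability: Optional[float] = None  # likelihood after the control, if it lowers it


def expected_gross_loss(loss: float, probability: float) -> float:
    """Step 3: loss x likelihood; the ceiling on what is worth paying for controls in a year."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return round(loss * probability, 2)


def _likelihood_after(probability: float, controls: List[Control]) -> float:
    """Likelihood-reducing controls (the sprinklers) are applied before anything else."""
    p = probability
    for c in controls:
        if c.new_probability is not None:
            p = min(p, c.new_probability)
    return p


def residual_risk(loss: float, probability: float, controls: List[Control]) -> float:
    """Steps 4 and 6, slide convention: gross expected loss, less coverage, plus control costs."""
    exposure = expected_gross_loss(loss, _likelihood_after(probability, controls))
    for c in controls:
        exposure += c.annual_cost - c.coverage
    return round(exposure, 2)


def within_budget(loss: float, probability: float, controls: List[Control]) -> bool:
    """Step 3's rule: total annual control spend must not exceed the expected gross loss."""
    return sum(c.annual_cost for c in controls) <= expected_gross_loss(loss, probability)


def probability_weighted(loss: float, probability: float, controls: List[Control]) -> float:
    """NOT on the slides: coverage only pays out when the event happens, so it is weighted
    by the (reduced) likelihood instead of being subtracted in full."""
    p = _likelihood_after(probability, controls)
    covered = min(loss, sum(c.coverage for c in controls))
    return round(p * (loss - covered) + sum(c.annual_cost for c in controls), 2)


# The slides' scenario.
LOSS, P_FIRE = 1_000_000.0, 0.05
POLICY_20K = Control("fire insurance", annual_cost=1_000.0, coverage=20_000.0)
SPRINKLERS = Control("sprinkler system", annual_cost=10_000.0, new_probability=0.02)
POLICY_30K = Control("fire insurance", annual_cost=1_000.0, coverage=30_000.0)


def slide_walkthrough() -> dict:
    """Reproduces the four dollar figures the slides arrive at."""
    return {
        "step3_gross": expected_gross_loss(LOSS, P_FIRE),                         # 50,000
        "step4_residual": residual_risk(LOSS, P_FIRE, [POLICY_20K]),              # 31,000
        "step6_gross": expected_gross_loss(LOSS, SPRINKLERS.new_probability),     # 20,000
        "step6_residual": residual_risk(LOSS, P_FIRE, [SPRINKLERS, POLICY_30K]),  # 1,000
    }


if __name__ == "__main__":
    for step, dollars in slide_walkthrough().items():
        print(f"{step}: ${dollars:,.2f}")
    print("probability-weighted, step 4:", probability_weighted(LOSS, P_FIRE, [POLICY_20K]))
    print("probability-weighted, step 6:", probability_weighted(LOSS, P_FIRE, [SPRINKLERS, POLICY_30K]))
```

The practitioner’s caveat is in the last two lines of output: weighted by the probability of a fire, the $20,000 policy in step 4 saves exactly its own premium (residual stays at $50,000), and step 6 comes out at $30,400 rather than $1,000. The slides’ arithmetic is a teaching simplification; when you quantify a real control, weight any conditional payout by the likelihood of the event it pays for.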

Components of ERM (Cont’d.)

• Control Activities

– Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

• Information and Communication

– Relevant information is identified, captured, and communicated to enable people to carry out their responsibilities.

– Effective communication also occurs in a broader sense, flowing down, across and up the entity.

• Monitoring

– Enterprise risk management is monitored and modifications are made as necessary.

– Monitoring is accomplished through ongoing management activities, separate evaluations, or both.


Objectives, Risks, and Responses


Internal Control Legislation

• Sarbanes-Oxley Act (SOX) of 2002

– Created the Public Company Accounting Oversight Board (PCAOB).

– Increased accountability for company officers and the board of directors.

– Increased white-collar crime penalties.

– Prohibits audit firms from providing design and implementation of financial information systems for their audit clients.


Sarbanes-Oxley Act of 2002 (SOX)

• Section 302—CEOs and CFOs must certify quarterly and annual financial statements.

• Section 404—Mandates the annual report filed with the SEC include an internal control report.

Sarbanes-Oxley Act of 2002 (SOX) (see Exhibit 7.4 for details)

• Title I—Public Company Accounting Oversight Board: Establishes the PCAOB and assigns oversight and enforcement authority over the board to the SEC.

• Title II—Auditor Independence: Prohibits a CPA firm that audits a public company from engaging in certain nonaudit services with the same client, requires audit partner rotation, and states that a company’s CEO, CFO, controller, or chief accountant cannot have been employed by the company’s audit firm and participated in an audit of that company during the prior one-year period.


Sarbanes-Oxley Act of 2002(cont’d, see Exhibit 7.4 for details)

• Title III—Corporate Responsibility: Requires a company’s CEO and CFO to certify quarterly and annual reports. They are certifying that they reviewed the reports; that the reports are not materially untruthful or misleading; that the financial statements fairly reflect in all material respects the financial position of the company; and that they are responsible for establishing, maintaining, and reporting on the effectiveness of internal controls, including significant deficiencies, frauds, or changes in internal controls.


Sarbanes-Oxley Act of 2002(cont’d, see Exhibit 7.4 for details)

• Title IV—Enhanced Financial Disclosures: Requires each annual report filed with the SEC to include an internal control report. The report shall state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report must also contain management’s assessment, as of the end of the company’s fiscal year, of the effectiveness of the internal control structure and procedures of the company for financial reporting. Requires that companies disclose whether or not they have adopted a code of ethics for senior financial officers. Requires that companies disclose whether or not their audit committee contains at least one member who is a financial expert. Section 409 requires that companies disclose information on material changes in their financial condition or operations on a rapid and current basis.


Sarbanes-Oxley Act of 2002(cont’d, see Exhibit 7.4 for details)

• Title V—Analysts Conflicts of Interests: Requires financial analysts to properly disclose in research reports any conflicts of interest they might hold with the companies they recommend.

• Title VI—Commission Resources and Authority: Authorizes the SEC to censure or deny any person the privilege of appearing or practicing before the SEC if that person is deemed to be unqualified, have acted in an unethical manner, or have aided and abetted in the violation of federal securities laws.

• Title VII—Studies and Reports: Authorizes the General Accounting Office (GAO) to study the consolidation of public accounting firms since 1989 and offer solutions to any recognized problems.


Sarbanes-Oxley Act of 2002(cont’d, see Exhibit 7.4 for details)

• Title VIII—Corporate and Criminal Fraud Accountability: Makes it a felony to knowingly destroy, alter, or create records or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal investigation. Offers legal protection to whistleblowers who provide evidence of fraud. Provides criminal penalties for those who knowingly execute, or attempt to execute, securities fraud.

• Title IX—White-Collar Crime Penalty Enhancements: Requires that CEOs and CFOs certify that information contained in periodic reports fairly presents, in all material respects, the financial condition and results of the company’s operations. Sets criminal penalties applicable to CEOs and CFOs if they knowingly or willfully falsely so certify.


Sarbanes-Oxley Act of 2002(cont’d, see Exhibit 7.4 for details)

• Title X—Corporate Tax Returns: Conveys a “sense of the Senate” that the corporate federal income tax returns are signed by the CEO.

• Title XI—Corporate Fraud and Accountability: Provides for fines and imprisonment of up to 20 years to individuals who corruptly alter, destroy, mutilate, or conceal documents with the intent to impair the document’s integrity or availability for use in an official proceeding, or to otherwise obstruct, influence, or impede any official proceeding. Authorizes the SEC to prohibit anyone from serving as an officer or director if the person has committed securities fraud.


Definition of Internal Control

• From SAS 78 (1995), which adopted the COSO definition:

– Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness & efficiency of operations

• Reliability of financial reporting

• Compliance with applicable laws & regulations

COSO Influence on Defining Internal Control


Five Interrelated Components of Internal Control

1. Control environment: tone at the top.

2. Risk assessment: identification and analysis of risks.

3. Control activities: policies and procedures.

4. Information and communication: processing of information in a form and time frame that enables people to do their jobs.

5. Monitoring: a process that assesses the quality of internal control over time.

Internal Control (as defined in Gelinas & Dull)

Internal control is a process—effected by an entity’s board of directors, management and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

– efficiency and effectiveness of operations

– reliability of reporting*

– compliance with applicable laws and regulations

*All reporting, not just financial

Matrix for Evaluating Internal Controls


Fraud and its Relationship to Control

• Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.

– Management charged with responsibility to prevent and/or disclose fraud.

– Control systems enable management to do this job.

– Management is responsible for an internal control system per the Foreign Corrupt Practices Act of 1977.

– Section 1102 of the Sarbanes-Oxley Act specifically addresses corporate fraud.

– Instances of fraud undermine management’s ability to convince various authorities that it is upholding its stewardship responsibility.


SAS 99

• The accounting profession has been proactive in dealing with corporate fraud, launching an anti-fraud program.

• One of the manifestations of this initiative is Statement on Auditing Standards (SAS) Number 99, entitled Consideration of Fraud in a Financial Statement Audit.

– SAS 99 has the same title as its predecessor, SAS 82, but the new standard is much more encompassing than the old.

– SAS 99 emphasizes brainstorming fraud risks, increasing professional skepticism, using unpredictable audit test patterns, and detecting management override of internal controls.


PwC Economic Crime Survey

• 43% of companies reported frauds in the past two years, a 6% increase over the 2005 survey.

• Larger companies reported a greater number of frauds.

• Collateral damage—described as damage or significant damage to their business—was reported by 80% of those who had suffered fraud.

• Average losses from frauds increased to $3.2 million from the $1.7 million reported in 2005.

• The largest share of frauds (41%) were detected by chance.

• Other detection sources included whistle-blower hotlines (8%) and tip-offs (from internal sources 21%, and external sources 14%).

• There was a strong correlation between fraud risk management activities and higher chances of detecting frauds.

Malicious Software (malware)

• Salami slicing: a fraud technique rather than a malware class in the strict sense; many small amounts, each too small to be noticed, are skimmed from transactions, often by program code that rounds or truncates in the perpetrator’s favor.

• Back door: an undocumented way into a system that bypasses normal authentication and access controls.

• Trojan horse: a program that appears useful or legitimate but carries hidden, unauthorized functionality.

• Logic bomb: code that lies dormant until a trigger condition (a date, a transaction, a missing employee record) fires it.

• Worm: self-replicating malware that spreads across a network on its own, without a host program or user action.

• Zombie: a compromised computer controlled remotely by an attacker, typically as one member of a botnet.


Ethics and Controls

• COSO report stresses ethics as part of control environment (tone at the top).

• AICPA has built ethics issues into CPA exam.

• The Institute of Management Accountants has a code of ethics which is also tested on both the CMA and CFM exams.

• Internal Auditing has ethics articles.

• Many corporations have developed Codes of Conduct.

Why a Control Framework?

• Uniform, consistent approach

• Complete analysis

• Directed at objectives, rather than list of expected controls

• Can determine costs and benefits

• Results in recommendations for improvements

Lenox Company Systems Flowchart


Control Goals for the Lenox Cash Receipts Business Process


Business Process Control Goals

Control goals: ends to be obtained.

• Control goals of the operations processes

– Ensure effectiveness of operations

– Ensure efficient employment of resources

– Ensure security of resources

• Control goals of the information processes

– For business event inputs, ensure input validity, input completeness, and input accuracy

– For master data, ensure update completeness and update accuracy


Control Goals of Operations Processes

• Ensure effectiveness of operations

– A measure of success in meeting one or more operations process goals, which reflect the criteria used to judge the effectiveness of various business processes.

• Ex. Deposit cash receipts on the day received.

• Ensure efficient employment of resources

– A measure of the productivity of the resources applied to achieve a set of goals.

• Ex. What is the cost of people, computers, and other resources needed to deposit cash on the day received?

• Ensure security of resources

– Protecting an organization’s resources from loss, destruction, disclosure, copying, sale, or other misuse.

• Ex. Are cash and information resources available when required?


Control Goals of Information Processes

• Input validity

– Input data are approved and represent actual economic events and objects.

• Ex. Is every cash receipt input into the process supported by a customer payment?

• Input completeness

– Requires that all valid events or objects be captured and entered into the system.

• Ex. Are all valid customer payments captured on a customer remittance advice (RA) and entered into the process?

• Input accuracy

– Requires that events be correctly captured and entered into the system.

• Ex. Are the correct payment amount and customer number keyed into the system?


Control Goals of Information Processes (Cont’d.)

• Update completeness

– Requires that all events entered into the computer are reflected in their respective master data.

• Ex. Are all input cash receipts recorded in the AR master data?

• Update accuracy

– Requires that data entered into a computer are reflected correctly in their respective master data.

• Ex. Are all input cash receipts correctly recorded in the AR master data?


A Control Hierarchy


Control Plans

• The Control Environment

– Appears at the top of the hierarchy.

– Consists of a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.

• Pervasive Control Plans

– Relate to a multitude of goals and processes.

– Provide a climate or set of surrounding conditions in which the various business processes operate.

– Broad in scope and apply equally to all business processes; hence they pervade all systems.

• Business Process Control Plans

– Reflect information processing policies and procedures that assist in accomplishing control goals.

– Relate to controls particular to a specific process or subsystem (e.g., billing) or to a particular technology used to process the data.

Lenox Control Matrix


Other Classifications of Control Plans

• Preventive Controls

– Issue is prevented from occurring.

• Ex. Cash receipts are immediately deposited to avoid loss.

• Detective Controls

– Issue is discovered after it has occurred.

• Ex. Unauthorized disbursement is discovered during reconciliation.

• Corrective Controls

– Issue is corrected once it has been detected.

• Ex. Erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data.
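The information-process control goals (input validity, input completeness, input accuracy, update completeness, update accuracy) and the preventive/detective/corrective classification above, turned into one runnable set of checks over a cash-receipts batch. This is an added example, not code from the textbook or from the Lenox case: the customer numbers, remittance advices, check numbers and AR balances are constructed sample data, and every function and field name (`validate_ra`, `post_batch`, `reconcile`, `rekey`, `run`) is an assumption made here.

```python
"""Cash-receipts control goals as executable checks.

Added example; not code from the textbook or the Lenox case. Customer
numbers, remittance-advice (RA) records, check numbers and AR balances are
constructed sample data; the function and field names are assumptions.
"""
from copy import deepcopy
from decimal import Decimal

# Constructed AR master data: customer number -> open receivable balance.
AR_MASTER = {"C100": Decimal("500.00"), "C200": Decimal("1200.00"), "C300": Decimal("200.00")}

# Constructed batch of keyed remittance advices; "check" is the supporting customer payment.
RA_BATCH = [
    {"ra": "RA-1", "customer": "C100", "amount": Decimal("500.00"), "check": "CHK-881"},
    {"ra": "RA-2", "customer": "C200", "amount": Decimal("700.00"), "check": "CHK-882"},
    {"ra": "RA-3", "customer": "C999", "amount": Decimal("40.00"),  "check": "CHK-883"},  # unknown customer
    {"ra": "RA-4", "customer": "C300", "amount": Decimal("-75.50"), "check": "CHK-884"},  # mis-keyed amount
    {"ra": "RA-5", "customer": "C300", "amount": Decimal("75.50"),  "check": ""},         # no supporting payment
]


def validate_ra(ra: dict, ar_master: dict) -> list:
    """Input validity (preventive): reject an RA before it can touch master data."""
    errors = []
    if ra["customer"] not in ar_master:
        errors.append("unknown customer number")
    if ra["amount"] <= 0:
        errors.append("amount must be positive")
    if not ra["check"]:
        errors.append("no supporting customer payment")
    return errors


def post_batch(batch: list, ar_master: dict) -> tuple:
    """Post valid RAs to a copy of the AR master. Returns (new master, postings, error report)."""
    ar = deepcopy(ar_master)
    posted, error_report = [], []
    for ra in batch:
        errs = validate_ra(ra, ar)
        if errs:                                   # goes on the error-and-summary report, never dropped
            error_report.append({"ra": ra["ra"], "errors": errs})
            continue
        ar[ra["customer"]] -= ra["amount"]
        posted.append({"ra": ra["ra"], "customer": ra["customer"], "amount": ra["amount"]})
    return ar, posted, error_report


def reconcile(batch: list, posted: list, error_report: list, ar_before: dict, ar_after: dict) -> list:
    """Detective: input completeness, update completeness and update accuracy in one pass."""
    findings = []
    accounted = {p["ra"] for p in posted} | {e["ra"] for e in error_report}
    for ra in batch:                               # input completeness: every RA posted or reported
        if ra["ra"] not in accounted:
            findings.append(f"{ra['ra']}: neither posted nor on the error report")
    expected = {c: Decimal("0") for c in ar_before}
    for p in posted:                               # update completeness/accuracy: AR moved by exactly the postings
        expected[p["customer"]] += p["amount"]
    for c in ar_before:
        actual = ar_before[c] - ar_after[c]
        if actual != expected[c]:
            findings.append(f"{c}: AR balance fell by {actual} but postings total {expected[c]}")
    return findings


def rekey(batch: list, error_report: list, fixes: dict) -> list:
    """Corrective: the clerk re-enters only the RAs on the error report, with the fixed fields."""
    rejected = {e["ra"] for e in error_report}
    return [{**ra, **fixes.get(ra["ra"], {})} for ra in batch if ra["ra"] in rejected]


def run() -> dict:
    """Validate, post, reconcile, correct, re-post, then detect an out-of-band AR change."""
    ar1, posted1, errors1 = post_batch(RA_BATCH, AR_MASTER)
    findings1 = reconcile(RA_BATCH, posted1, errors1, AR_MASTER, ar1)
    fixes = {"RA-3": {"customer": "C300"}, "RA-4": {"amount": Decimal("75.50")}, "RA-5": {"check": "CHK-885"}}
    rekeyed = rekey(RA_BATCH, errors1, fixes)
    ar2, posted2, errors2 = post_batch(rekeyed, ar1)
    findings2 = reconcile(rekeyed, posted2, errors2, ar1, ar2)
    tampered = deepcopy(ar2)                       # a balance changed outside the posting run
    tampered["C200"] -= Decimal("100.00")
    findings3 = reconcile(rekeyed, posted2, errors2, ar1, tampered)
    return {"posted_first": len(posted1), "rejected_first": len(errors1), "findings_first": findings1,
            "ar_after_correction": ar2, "findings_after_correction": findings2,
            "findings_tampered": findings3}


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```

Three design points carry over to real systems: the validity edits run before any write (preventive), rejected items are never silently discarded but land on a report that drives re-entry (corrective), and the reconciliation compares the movement in master data against the postings that should explain it, so a balance altered by any other path shows up as a finding (detective). Amounts use `Decimal`, since binary floating point would eventually make a correct posting fail an exact-equality reconciliation.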