Any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization.
The potential dollar loss should a particular threat become a reality.
The probability that the threat will happen.
The process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved.
-Perform 3 important functions: Preventive, Detective, and corrective controls
-Process that provides reasonable, rather than absolute assurance.
-Susceptible to Errors, Mgmt Override, and Poor Decisions
Objectives of Internal Controls
1. Safeguard assets, including preventing/detecting unauthorized use of assets
2. maintaining records in sufficient detail to accurately and fairly reflect the co's assets
3. provide accurate and reliable information,
4. provide assurance financial reporting is done with GAAP,
5. promoting and improving operational efficiency,
6. encouraging adherence to managerial policies,
7. complying with applicable laws and regulations.
***some IC Obj may be at odds with one another
Deter problems before they arise.
-Ex. Hiring qualified personnel, segregation of duties, controlling physical access
-spend most resources on this control
Discover problems as soon as they arise, since not all problems can be prevented
-Ex. Duplicate checking of calculations and bank reconciliations
-use only when something bad has happened or in attempt to see if something bad has happened.
Remedy control problems that have been discovered.
-Apply to all sizes of systems
-Having backup copies of trans and master files, resubmitting info
Designed to make sure an organization's control environment is stable and well managed.
-IS mgmt controls, security mgmt controls
Foreign Corrupt Practices Act
The primary purpose was to prevent the bribery of foreign officials in order to obtain business. (1997)
-A significant effect was to require corporations to maintain good systems of internal accounting control.
-Mandates record keeping of high cost assets
Sarbanes Oxley Act
Applies to publicly traded companies, and their auditors and was intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls, and punish executives who perpetrate fraud.
Important Aspects of SOX
Created Public Company Accounting Oversight Board (PCAOB),
-new rules for auditors, new rules for audit committees, new rules for management, new internal control requirements.
Committee of Sponsoring Organizations (COSO)
group of key bus execs who model internal controls of firms.
-Create appropriate controls for firms.
-Established the Integrated Framework, defining IC and provides guidance for evaluating/enhancing IC systems
Why increase in security problems? (3)
1. Increase in # of IS and IS users
2. Networks are all over world - harder to control
3. Wide area network giving customers and suppliers access to each other's systems and data.
Why Ctrl and Security are Important?
-An acct must be able to understand how to protect IS from threats.
-Having security and ctrl over IS should be top mgmt priority
Inherent and Residual Risk
Inherent - Risk that exists before mgmt takes any steps to control likelihood/impact of risk.
-Residual - risk that remains after mgmt implements IC
4 Ways to Respond to Risk
1. Reduce: Most effective way to reduce likelihood and impact of risk is to implement an effective system of IC
2. Accept the impact/likelihood of risk by not acting to prevent/mitigate it
3. Share some of the risk with someone else (insurance)
4. Avoid the risk completely
Policies, procedures, and rules that provide reasonable assurance that mgmt's control obj are met and risk responses are carried out.
Control Procedures (7)
1. Proper authorization of trans and activities
2. Segregation of duties
3. Project development and acquisition control
4. Change mgmt controls
5. Design and use of docs and records
6. Safeguarding assets, records, and data
7. Independent checks on performance
Segregation of Duties
Most important IC function
-Ensures no single employee is given too much responsibility over bus transactions/ processes
-Achieved when the functions are separated:
1. Authorization - approving trans/ decisions
2. Recording data
3. Custody of assets
-if an employee performs 2 or 3 of these functions, problems can arise
When 2 or more employees get together to commit fraud.
-Harder to detect/prevent
Independent Checks on Performance
Checks on IC should be performed independently, by someone other than the person who is responsible for the original operation.
-Ex. Top-level reviews, analytical reviews, reconciliation of two maintained sets of records, comparison of actual and recorded amts., double-entry acct, indie review
Political - (laws/regs and foreign threats)
Natural - weather, things that occur naturally
Unintentional Acts (most common) - software errors, equip malfunctions, errors and omissions
Intentional acts - crimes, sabotage
*External = Political and Natural
**Internal = Unintentional and intentional acts
amt of risk a co is willing to accept in order to achieve its goals and obj
-must be aligned with company's strategy
-Risk Seeking - aggressive risk takers
-Risk Neutral - accept risks as normal. Don't go looking for risks
-Risk Averse: avoid all risks
Hiring qualified indivs (background checks)
Training - fraud and ethical awareness training and known and enforced punishment for fraud and unethical behavior
Evaluating/Promoting should be fair
Discharging with security
Managing disgruntled employees
Vacations and rotation of duties to decrease possibility of fraud.
Confidentiality agreements and fidelity bond assurance on key employees in case of losses from fraud by employees
Mgmt at all levels should monitor co results and periodically compare actual co performance to planned performance and prior period performance and performance of competitors
More Threats (4)
1. Strategic - doing the right thing, but something goes wrong
2. Operational - doing right thing in wrong way
3. Fin - lost, wasted or stolen A's and inappropriate Ls
4. Info - privacy protection, correctness and completion
Obj of an AIS (5)
1. ID and record valid trans
2. Properly classify trans
3. Record trans at proper values
4. Record trans in proper period
5. Prepare/present appropriate fin. statements showing impact of trans, along with note disclosure
Proper authorization of trans and activities
-Specific Authorization: specific criteria that need mgmt approval
-General Authorization: authorize employees to handle routine trans without special approval
-Establish policies for employees to follow and then empower them to perform them, or authorize them