CHAPTER 6 Control and Accounting Information Systems
© 2006 Prentice Hall Business Publishing
Accounting Information Systems, 10/e
Romney/Steinbart
INTRODUCTION
• Questions to be addressed in this chapter:
– What are the basic internal control concepts, and why are computer control and security important?
– What is the difference between the COBIT, COSO, and ERM control frameworks?
– What are the major elements in the internal environment of a company?
– What are the four types of control objectives that companies need to set?
– What events affect uncertainty, and how can they be identified?
– How is the Enterprise Risk Management model used to assess and respond to risk?
– What control activities are commonly used in companies?
– How do organizations communicate information and monitor control processes?
• Why AIS Threats Are Increasing
– Control risks have increased in the last few years because:
• There are computers and servers everywhere, and information is available to an unprecedented number of workers.
• Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
• Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.
• Historically, many organizations have not adequately protected their data for one or more of the following reasons:
– Computer control problems are often underestimated and downplayed.
– The control implications of moving from centralized, host-based computer systems to networked or Internet-based systems are not always fully understood.
– Companies have not realized that data is a strategic resource and that data security must therefore be a strategic requirement.
– Productivity and cost pressures may motivate management to forgo time-consuming control measures.
• Some vocabulary terms for this chapter:
– A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
– The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
– The likelihood is the probability that the threat will occur.
• Control and Security Are Important
– Companies are now recognizing the problems and taking positive steps to achieve better control, including:
• Devoting full-time staff to security and control concerns.
• Educating employees about control measures.
• Establishing and enforcing formal information security policies.
• Making controls a part of the applications development process.
• Moving sensitive data to more secure environments.
• To use IT in achieving control objectives, accountants must:
– Understand how to protect systems from threats.
– Have a good understanding of IT and its capabilities and risks.
• Achieving adequate security and control over the information resources of an organization should be a top management priority.
• Control objectives are the same regardless of the data processing method, but a computer-based AIS requires different internal control policies and procedures because:
– Computer processing may reduce clerical errors but increase the risk of unauthorized access to, or modification of, data files.
– Segregation of duties must be achieved differently in an AIS.
– Computers provide opportunities to enhance some internal controls.
• One of the primary objectives of an AIS is to control a business organization.
– Accountants must help by designing effective control systems and by auditing or reviewing control systems already in place to ensure their effectiveness.
• Management expects accountants to be control consultants by:
– Taking a proactive approach to eliminating system threats; and
– Detecting, correcting, and recovering from threats when they do occur.
• It is much easier to build controls into a system during the initial stage than to add them after the fact.
• Consequently, accountants and control experts should be members of the teams that develop or modify information systems.
OVERVIEW OF CONTROL CONCEPTS
• In today’s dynamic business environment, companies must react quickly to changing conditions and markets, including steps to:
– Hire creative and innovative employees.
– Give these employees the power and flexibility to:
• Satisfy changing customer demands;
• Pursue new opportunities to add value to the organization; and
• Implement process improvements.
• At the same time, the company needs control systems so that it is not exposed to excessive risks or to behaviors that could harm its reputation for honesty and integrity.
• Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
– Assets (including data) are safeguarded.
• This objective includes prevention or timely detection of unauthorized acquisition, use, or disposal of material company assets.
– Records are maintained in sufficient detail to accurately and fairly reflect company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are prepared in accordance with GAAP.
– Operational efficiency is promoted and improved.
• This objective includes ensuring that company receipts and expenditures are made in accordance with management and directors’ authorizations.
– Adherence to prescribed managerial policies is encouraged.
– The organization complies with applicable laws and regulations.
• Internal control is a process because:
– It permeates an organization’s operating activities.
– It is an integral part of basic management activities.
• Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.
• Internal control systems have inherent limitations, including:
– They are susceptible to errors and poor decisions.
– They can be overridden by management or by collusion of two or more employees.
• Internal control objectives are often at odds with each other.
– EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.
• Internal controls perform three important functions:
– Preventive controls
• Deter problems before they arise.
– Detective controls
• Discover problems quickly when they do arise.
– Corrective controls
• Remedy problems that have occurred by:
– Identifying the cause;
– Correcting the resulting errors; and
– Modifying the system to prevent future problems of this sort.
• Internal controls are often classified as:
– General controls
• Designed to make sure an organization’s control environment is stable and well managed.
• Apply to all sizes and types of systems.
• Example: security management controls.
– Application controls
• Prevent, detect, and correct transaction errors and fraud.
• Concerned with the accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
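The following is an added example (not code from the textbook) of what preventive, detective, and corrective application controls look like when written down for a batch of sales transactions. Each record is checked for completeness (required fields), accuracy (numeric, positive, two-decimal amount), validity (customer exists in the master file), and authorization (clerk approval limit), which are preventive controls; the record count, financial total, and hash total recomputed over the accepted records are compared with totals prepared before data entry, which is a detective control; rejected records go to an error log for follow-up and correction. The customer master, the clerk limits, the transaction batch, and the expected control totals are all constructed for this example.

```python
"""Application controls over a batch of sales transactions (added example).

All data below (customer master, clerk approval limits, transaction batch and
the control totals prepared by the user department) is constructed for the
example and is not taken from the textbook.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed master data (hypothetical).
CUSTOMER_MASTER = {"C1001": "Acme Ltd", "C1002": "Baker Co", "C1003": "Cole Inc"}
# Per-clerk approval limit: a preventive authorization control (hypothetical).
CLERK_LIMITS = {"clerk_a": Decimal("5000.00"), "clerk_b": Decimal("500.00")}
REQUIRED = ("txn_id", "customer_id", "amount", "entered_by")


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # corrective: error log for follow-up
    record_count: int = 0                            # detective: control totals
    financial_total: Decimal = Decimal("0")
    hash_total: int = 0                              # sum of customer numbers, meaningful only for comparison
    totals_match: bool = False


def validate(txn: dict) -> list:
    """Preventive input controls: completeness, accuracy, validity, authorization.

    Returns a list of error messages; an empty list means the record is accepted.
    """
    errors = []
    for name in REQUIRED:                                  # completeness check
        if not txn.get(name):
            errors.append(f"missing {name}")
    if errors:
        return errors
    try:                                                   # accuracy: format, sign and precision
        amount = Decimal(str(txn["amount"]))
    except InvalidOperation:
        return ["amount is not numeric"]
    if amount <= 0 or amount.as_tuple().exponent < -2:
        errors.append("amount must be positive with at most 2 decimals")
    if txn["customer_id"] not in CUSTOMER_MASTER:          # validity: lookup against master file
        errors.append("unknown customer_id")
    limit = CLERK_LIMITS.get(txn["entered_by"])            # authorization: clerk approval limit
    if limit is None:
        errors.append("unknown user")
    elif amount > limit and not txn.get("approved_by"):
        errors.append(f"amount exceeds limit {limit}; supervisor approval required")
    return errors


def process_batch(batch: list, expected: dict) -> BatchResult:
    """Apply the preventive controls per record, then the detective batch totals."""
    result = BatchResult()
    for txn in batch:
        errs = validate(txn)
        if errs:
            result.rejected.append({"txn": txn, "errors": errs})
            continue
        result.accepted.append(txn)
        result.record_count += 1
        result.financial_total += Decimal(str(txn["amount"]))
        result.hash_total += int(txn["customer_id"][1:])
    # Detective control: the totals recomputed from the posted records must agree with
    # the totals the user department prepared from the source documents.
    result.totals_match = (
        result.record_count == expected["record_count"]
        and result.financial_total == Decimal(expected["financial_total"])
        and result.hash_total == expected["hash_total"]
    )
    return result


# Constructed batch: one clean record, one approved over-limit record, four defective ones.
SAMPLE_BATCH = [
    {"txn_id": "T1", "customer_id": "C1001", "amount": "1200.50", "entered_by": "clerk_a"},
    {"txn_id": "T2", "customer_id": "C9999", "amount": "80.00", "entered_by": "clerk_b"},
    {"txn_id": "T3", "customer_id": "C1002", "amount": "750.00", "entered_by": "clerk_b"},
    {"txn_id": "T4", "customer_id": "C1003", "amount": "750.00", "entered_by": "clerk_b",
     "approved_by": "supervisor"},
    {"txn_id": "T5", "customer_id": "C1002", "amount": "-5", "entered_by": "clerk_a"},
    {"txn_id": "T6", "customer_id": "", "amount": "10.00", "entered_by": "clerk_a"},
]
# Control totals prepared from the source documents for the records expected to post (T1, T4).
EXPECTED_TOTALS = {"record_count": 2, "financial_total": "1950.50", "hash_total": 2004}

if __name__ == "__main__":
    outcome = process_batch(SAMPLE_BATCH, EXPECTED_TOTALS)
    print("accepted:", [t["txn_id"] for t in outcome.accepted])
    for item in outcome.rejected:
        print("rejected", item["txn"]["txn_id"], item["errors"])
    print("batch totals agree:", outcome.totals_match)
```

Note that the totals comparison is deliberately separate from the per-record validation: a record that passes every field check can still be dropped, duplicated, or altered between data entry and posting, and only the independent batch totals detect that.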
• An effective system of internal controls should exist in all organizations to:
– Help them achieve their missions and goals.
– Minimize surprises.
CONTROL FRAMEWORKS
• A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
– The COBIT framework
– The COSO internal control framework
– COSO’s Enterprise Risk Management framework (ERM)
• COBIT Framework
– Also known as the Control Objectives for Information and Related Technology framework.
– Developed by the Information Systems Audit and Control Foundation (ISACF).
– A framework of generally applicable information systems security and control practices for IT control.
• The COBIT framework allows:
– Management to benchmark the security and control practices of IT environments.
– Users of IT services to be assured that adequate security and control exist.
– Auditors to substantiate their opinions on internal control and to advise on IT security and control matters.
• To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.”
• The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
– Effectiveness (relevant, pertinent, and timely)
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance with legal requirements
– Reliability
• The framework addresses the issue of control from three vantage points or dimensions:
– Business objectives
– IT resources, which include:
• People
• Application systems
• Technology
• Facilities
• Data
– IT processes, broken into four domains:
• Planning and organization
• Acquisition and implementation
• Delivery and support
• Monitoring
• COBIT consolidates standards from 36 different sources into a single framework.
• It is having a big impact on the IS profession:
– Helps managers learn how to balance risk and control investment in an IS environment.
– Provides users with greater assurance that the security and IT controls provided by internal and third parties are adequate.
– Guides auditors as they substantiate their opinions and provide advice to management on internal controls.
• COSO’s Internal Control Framework
– The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
• The American Accounting Association
• The AICPA
• The Institute of Internal Auditors
• The Institute of Management Accountants
• The Financial Executives Institute
• In 1992, COSO issued the Internal Control – Integrated Framework, which:
– Defines internal controls.
– Provides guidance for evaluating and enhancing internal control systems.
– Is widely accepted as the authority on internal controls.
– Has been incorporated into policies, rules, and regulations used to control business activities.
• COSO’s internal control model has five crucial components:
– Control environment
• The core of any business is its people. Their integrity, ethical values, and competence make up the foundation on which everything else rests.
– Control activities
• Policies and procedures must be established and executed to ensure that the actions identified by management as necessary to address risks are, in fact, carried out.
– Risk assessment
• The organization must be aware of and deal with the risks it faces. It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
– Information and communication
• Information and communication systems surround the control activities. They enable the organization’s people to capture and exchange the information needed to conduct, manage, and control its operations.
– Monitoring
• The entire process must be monitored and modified as necessary.
• Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so that organizations could improve the risk management process.
• Result: Enterprise Risk Management – Integrated Framework (ERM)
– An enhanced corporate governance document.
– Expands on elements of the preceding framework.
– Provides a focus on the broader subject of enterprise risk management.
• The intent of ERM is to achieve all the goals of the internal control framework and to help the organization:
– Provide reasonable assurance that company objectives and goals are achieved and that problems and surprises are minimized.
– Achieve its financial and performance targets.
– Assess risks continuously and identify the steps to take and the resources to allocate to overcome or mitigate risk.
– Avoid adverse publicity and damage to the entity’s reputation.
• ERM defines risk management as:
– A process effected by an entity’s board of directors, management, and other personnel;
– Applied in strategy setting and across the enterprise;
– To identify potential events that may affect the entity;
– And manage risk to be within its risk appetite;
– In order to provide reasonable assurance of the achievement of entity objectives.
• Basic principles behind ERM:
– Companies are formed to create value for their owners.
– Management must decide how much uncertainty it will accept.
– Uncertainty can result in:
• Risk: the possibility that something will happen to adversely affect the ability to create value, or to erode existing value.
• Opportunity: the possibility that something will happen to positively affect the ability to create or preserve value.
– The framework should help management manage uncertainty and its associated risk in order to build and preserve value.
– To maximize value, a company must balance its growth and return objectives and risks with the efficient and effective use of company resources.
• COSO developed a model (a three-dimensional cube) to illustrate the elements of ERM.
• The columns at the top represent the four types of objectives that management must meet to achieve company goals:
– Strategic objectives
• High-level goals that are aligned with and support the company’s mission.
– Operations objectives
• Deal with the effectiveness and efficiency of company operations, such as:
– Performance and profitability goals
– Safeguarding assets
– Reporting objectives
• Help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and a non-financial nature.
• Improve decision-making and allow company activities and performance to be monitored more efficiently.
– Compliance objectives
• Help the company comply with applicable laws and regulations.
• External parties often set the compliance rules.
• Companies in the same industry often have similar concerns in this area.
• ERM can provide reasonable assurance that reporting and compliance objectives will be achieved, because companies have control over them. However, strategic and operations objectives are sometimes at the mercy of external events that the company cannot control. In these areas, therefore, the only reasonable assurance ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.
• The columns on the right represent the company’s units:
– Entire company
– Division
– Business unit
– Subsidiary
• The horizontal rows are eight related risk and control components:
– Internal environment
• The tone or culture of the company.
• Provides discipline and structure and is the foundation for all other components.
• Essentially the same as the control environment in the COSO internal control framework.
– Objective setting
• Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company’s mission and are consistent with the company’s tolerance for risk.
• Strategic objectives are set first, as the foundation for the other three.
• The objectives guide the company as it identifies risk-creating events and assesses and responds to those risks.
– Event identification
• Requires management to identify events that may affect the company’s ability to implement its strategy and achieve its objectives.
• Management must then determine whether these events represent:
– Risks (negative-impact events requiring assessment and response); or
– Opportunities (positive-impact events that influence the strategy and objective-setting processes).
– Risk assessment
• Identified risks are assessed to determine how to manage them and how they affect the company’s ability to achieve its objectives.
• Qualitative and quantitative methods are used to assess risks individually and by category in terms of:
– Likelihood
– Positive and negative impact
– Effect on other organizational units
• Risks are analyzed on both an inherent and a residual basis.
• Corresponds to the risk assessment element in COSO’s internal control framework.
– Risk response
• Management aligns identified risks with the company’s tolerance for risk by choosing to:
– Avoid
– Reduce
– Share
– Accept
• Management takes an entity-wide or portfolio view of risks in assessing the likelihood of the risks, their potential impact, and the costs and benefits of alternative responses.
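The following added example (not from the textbook) shows the quantitative side of the risk assessment and risk response components using the chapter’s own vocabulary: each risk has a likelihood and an impact (exposure), the inherent expected loss is likelihood times impact, each candidate response (reduce, share, or avoid) changes the likelihood and/or the impact at an annual cost, and the residual expected loss is what remains afterwards. A response is chosen by net benefit (risk reduction minus cost); if no response pays for itself the risk is accepted, and the residual losses are then summed for the portfolio view against an entity-level risk appetite. The risks, probabilities, dollar amounts, control costs, tolerance, and appetite are all hypothetical figures constructed for the example.

```python
"""Quantitative risk assessment and risk-response selection (added example).

Every figure below (risks, likelihoods, impacts, candidate responses, costs,
tolerance and appetite) is constructed for the example, not taken from the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    kind: str                   # "accept", "reduce", "share" or "avoid"
    name: str
    annual_cost: float          # control cost, insurance premium, or value forgone by avoiding
    likelihood_factor: float = 1.0   # multiplies the inherent likelihood
    impact_factor: float = 1.0       # multiplies the inherent impact


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float           # probability the event occurs within a year
    impact: float               # exposure: dollar loss if the event occurs
    responses: tuple            # candidate responses other than plain acceptance


def expected_loss(likelihood: float, impact: float) -> float:
    return likelihood * impact


def residual(risk: Risk, resp: Response) -> tuple:
    """Residual likelihood and impact once the response is in place."""
    return risk.likelihood * resp.likelihood_factor, risk.impact * resp.impact_factor


def evaluate(risk: Risk, tolerance: float) -> dict:
    """Choose the response with the best net benefit; accept the risk if none pays for itself.

    net benefit = (inherent expected loss - residual expected loss) - annual cost of the response
    """
    inherent = expected_loss(risk.likelihood, risk.impact)
    best, best_net = Response("accept", "accept as is", 0.0), 0.0
    for resp in risk.responses:
        lik, imp = residual(risk, resp)
        net = (inherent - expected_loss(lik, imp)) - resp.annual_cost
        if net > best_net:
            best, best_net = resp, net
    lik, imp = residual(risk, best)
    res = expected_loss(lik, imp)
    return {"risk": risk.name, "inherent": inherent, "kind": best.kind, "response": best.name,
            "residual": res, "net_benefit": best_net, "within_tolerance": res <= tolerance}


def portfolio(risks: tuple, appetite: float, tolerance: float) -> dict:
    """Entity-wide view: total residual expected loss compared with the risk appetite."""
    rows = [evaluate(r, tolerance) for r in risks]
    total = sum(row["residual"] for row in rows)
    return {"rows": rows, "total_residual": total, "within_appetite": total <= appetite}


# Constructed risk register (hypothetical figures).
RISKS = (
    Risk("Ransomware on the ERP server", 0.10, 2_000_000.0, (
        Response("reduce", "offline backups with tested restores", 40_000.0, impact_factor=0.15),
        Response("share", "cyber insurance", 60_000.0, impact_factor=0.5),
    )),
    Risk("Fraudulent vendor payment", 0.30, 150_000.0, (
        Response("reduce", "dual approval plus vendor-master change review", 12_000.0,
                 likelihood_factor=0.2),
    )),
    Risk("Customer data exposed via legacy FTP site", 0.20, 500_000.0, (
        Response("avoid", "decommission the FTP site", 5_000.0, likelihood_factor=0.0),
        Response("reduce", "move to SFTP with MFA", 25_000.0, likelihood_factor=0.25),
    )),
    Risk("Minor data-entry errors", 0.90, 2_000.0, (
        Response("reduce", "extra review step", 15_000.0, likelihood_factor=0.5),
    )),
)

if __name__ == "__main__":
    view = portfolio(RISKS, appetite=50_000.0, tolerance=50_000.0)
    for row in view["rows"]:
        print(f"{row['risk']}: inherent {row['inherent']:,.0f} -> {row['kind']} "
              f"({row['response']}), residual {row['residual']:,.0f}")
    print(f"total residual {view['total_residual']:,.0f}; within appetite: {view['within_appetite']}")
```

With these figures the backups win over insurance for the ransomware risk because they remove more expected loss per dollar, the FTP site is avoided outright because eliminating the activity costs less than securing it, and the data-entry risk is accepted because the review step costs far more than the loss it would prevent. Note that a net-benefit rule alone can still leave a residual loss above the tolerance; that is why the per-risk and portfolio flags are reported separately.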
– Control activities
• To implement management’s risk responses, policies and procedures are established and implemented throughout the various levels and functions of the organization.
• Corresponds to the control activities element in the COSO internal control framework.
– Information and communication
• Information about the company and the ERM components must be identified, captured, and communicated so that employees can fulfill their responsibilities.
• Information must be able to flow through all levels and functions of the company, as well as to and from external parties.
• Employees should understand their role and importance in ERM and how their responsibilities relate to those of others.
• Has a corresponding element in the COSO internal control framework.
– Monitoring
• ERM processes must be monitored on an ongoing basis and modified as needed.
• Accomplished through ongoing management activities and separate evaluations.
• Deficiencies are reported to management.
• Has a corresponding component in the COSO internal control framework.
• The ERM model is three-dimensional.
• This means that each of the eight risk and control components is applied to each of the four objectives, for the entire company and/or for one of its subunits.
• ERM Framework vs. the Internal Control Framework
– The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
• It has too narrow a focus.
– Examining controls without first examining the purposes and risks of business processes provides little context for evaluating the results.
– This makes it difficult to know:
• Which control systems are most important.
• Whether they adequately deal with risk.
• Whether important control systems are missing.
• Focusing on controls first has an inherent bias toward past problems and concerns.
– It may contribute to systems with many controls that protect against risks that are no longer important.
• These issues led to COSO’s development of the ERM framework, which:
– Takes a risk-based, rather than controls-based, approach to the organization.
– Is oriented toward the future and constant change.
– Incorporates, rather than replaces, COSO’s internal control framework and contains three additional elements:
• Setting objectives.
• Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives.
• Developing a response to assessed risk.
– Controls are flexible and relevant because they are linked to current organizational objectives.
– ERM also recognizes more options than simply controlling risk: accepting it, avoiding it, diversifying it, sharing it, or transferring it.
• Over time, ERM will probably become the most widely adopted risk and control model.
• Consequently, its eight components are the topic of the remainder of the chapter.