Introduction
Why Accounting Information Systems Threats Are Increasing
More than 60 percent of organizations have recently experienced a
major control failure for some of the following reasons:
1. Increase in number of information systems means that
information is available to an increasing number of workers.
2. Distributed (decentralized) computer networks are harder to
control than centralized mainframe systems.
3. Wide area networks are giving customers and suppliers access
to each other's systems and data, making confidentiality a
major concern.
Some of the reasons why organizations do not adequately protect
their data are:
1. Computer control problems have been underestimated and
downplayed.
2. The control implications of moving from centralized, host-based
computer systems to a networked or Internet-based
system have not been fully understood.
Page 1 of 25
http://news.bbc.co.uk/1/hi/business/1752954.stm
Play the Enron Blame Game
http://slate.msn.com/?id=2061470
Andersen Conviction Overturned
http://money.cnn.com/2005/05/31/news/midcaps/scandal_andersen_scotus/index.htm?cnn=yes
SEC vs. WorldCom
http://www.sec.gov/spotlight/worldcom.htm
WorldCom Special Coverage
http://news.findlaw.com/legalnews/lit/worldcom/
WorldCom's Financial Bomb
http://money.cnn.com/2002/06/25/news/worldcom/index.htm
5. New internal control requirements
Requires publicly held companies to issue a report
accompanying the financial statements that states
management is responsible for establishing and
maintaining an adequate internal control structure and
appropriate control procedures.
For more detailed information on The Sarbanes-Oxley Act,
click on the following Website:
http://www.sec.gov/about/laws/soa2002.pdf
After the Sarbanes-Oxley Act was passed, the Securities and Exchange
Commission mandated that management must:
1. Base its evaluation on a recognized control framework.
The most likely frameworks are formulated by The
Committee of Sponsoring Organizations (COSO).
2. Disclose any and all material internal control
weaknesses.
3. Conclude that a company does not have effective
internal controls over financial reporting if there
are any material weaknesses.
Levers of Control
Many people feel there is a basic conflict between creativity and
controls. In other words, you can't have both.
Control Frameworks
COBIT Framework
The Information Systems Audit and Control Foundation (ISACF)
developed the Control Objectives for Information and related
Technology (COBIT) framework. COBIT is a framework of generally
applicable information systems security and controls practices of
Information Technology control.
The framework allows
Efficiency
Confidentiality
Integrity
Availability
Reliability
[Refer to PowerPoint slide #8-4 from Chapter 8]
3. Risk assessment
4. Information and communication
5. Monitoring
7. Information
company and
identified,
can fulfill
Organizational structure
Important aspects of organizational structure include:
1. Centralization or decentralization of authority
2. Assignment of responsibility for specific tasks
3. Whether there is a direct reporting relationship
(i.e., functional organizational structure or
divisional organizational structure) or more of a
matrix structure. A matrix organizational structure is
a design that utilizes functional and divisional
Fraud awareness
Ethical considerations
External influences
Financial Accounting Standards Board (FASB)
Public Company Accounting Oversight Board (PCAOB)
Securities and Exchange Commission (SEC)
Objective Setting
Objective setting is the second ERM component because it must
precede the other six components.
Top management, with board approval, needs to articulate why the
company exists and what it hopes to achieve.
This is often referred to as the corporate vision or mission.
The company uses its mission statement as a base from which it
sets and prioritizes corporate objectives.
Strategic objectives, which are high-level goals that support the
company's mission and are intended to create shareholder value,
must be set first.
Operations objectives, which are a product of management
preferences, judgments, and style, may vary significantly.
Operations objectives deal with the effectiveness and efficiency of
company operations, such as performance and profitability goals
and safeguarding assets.
Compliance objectives help the company comply with all applicable
laws and regulations.
Reporting objectives help ensure the accuracy, completeness, and
reliability of internal and external company reports, of both a
financial and nonfinancial nature. They also improve decision
making and monitor company activities and performance more
efficiently.
Event Identification
COSO defines an event as an incident or occurrence emanating from
internal or external sources that affects implementation of
strategy or achievement of objectives.
A few of the events, or threats, that the company will face are:
1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmission
4. Loss of data integrity
5. Incomplete transactions
6. System failures
7. Incompatible systems
Some of the more common techniques companies use to identify
events follow. One, two, or more of these techniques are used
together.
Identify Controls
Management must identify one or more controls that will
protect the company from each event.
Control Activities
The sixth component of COSO's ERM model is control activities,
which are policies, procedures, and rules that provide reasonable
assurance that management's control objectives are met and the
risk responses are carried out.
Generally, control procedures fall into one of the following
categories:
1. Proper authorization of transactions and activities
Management establishes policies for employees to follow
and then empowers employees to perform accordingly. This
empowerment, called authorization, is an important part of
an organization's control procedures.
Authorizations are often documented by signing,
initialing, or entering an authorization code on a
transaction document or record. Computer systems are now
capable of recording a digital signature, a means of
signing a document with a piece of data that cannot be
forged.
Employees who process transactions should verify the
presence of the appropriate authorization(s).
Certain activities or transactions may be of such
consequence that management grants specific authorization
for them to occur.
For example,
required for
expenditures
write-off in
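An added example, not from the text or from COSO, showing how a system can enforce the general versus specific authorization distinction above and let the processing step verify that the required authorizations are present and unforged. Assumptions: HMAC tags over a canonical encoding of the transaction stand in for the digital signatures the text mentions (a keyed MAC, not a public-key signature), and the approver names, keys, roles and the 10,000 threshold are constructed.

```python
import hmac
import hashlib
import json

# Constructed sample data: in a real system each approver's key would be
# issued and stored by the system, never embedded in code.
APPROVER_KEYS = {"clerk.jones": b"constructed-key-1", "mgr.smith": b"constructed-key-2"}
APPROVER_ROLES = {"clerk.jones": "clerk", "mgr.smith": "manager"}
# Assumed policy: amounts above this need specific authorization by a manager.
SPECIFIC_AUTH_THRESHOLD = 10_000


def canonical(txn):
    """Deterministic byte encoding so the tag covers every field of the record."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def authorize(txn, approver):
    """Record an authorization: a keyed tag over the transaction by one approver."""
    tag = hmac.new(APPROVER_KEYS[approver], canonical(txn), hashlib.sha256).hexdigest()
    return {"by": approver, "tag": tag}


def verify_authorization(txn, auth):
    """True only if the tag was produced by a known approver over this exact record."""
    key = APPROVER_KEYS.get(auth.get("by"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, auth.get("tag", ""))


def check_authorizations(txn, auths):
    """What the processing employee's step does: confirm general authorization
    is present, and specific (manager) authorization when the amount requires it.
    Returns (ok, reason)."""
    valid_by = [a["by"] for a in auths if verify_authorization(txn, a)]
    if not valid_by:
        return False, "no valid authorization"
    if txn["amount"] > SPECIFIC_AUTH_THRESHOLD and not any(
        APPROVER_ROLES[name] == "manager" for name in valid_by
    ):
        return False, "specific authorization by a manager required"
    return True, "authorized"
```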
Monitoring
Perform ERM Evaluations.
Implement Effective Supervision.
Use Responsibility Accounting.
Monitor System Activities.
There are software packages available to review computer and
network security measures, detect illegal entry into
systems, test for weaknesses and vulnerabilities, report
weaknesses found, and suggest improvements.
Software is also available to monitor and combat viruses,
spyware, spam, pop-up ads, and to prevent browsers from
being hijacked.
All system transactions and activities should be recorded in
a log that indicates who accessed what data, when, and from
which online device.
The Privacy Foundation estimated that one-third of all
American workers with access to computers are monitored, and
that number is expected to increase.
CNN News (March 19, 2001) estimated that seventy-five
percent of all companies in the United States currently
monitor their employees' computers. And now it has spread to
the home.
In monitoring employees' computers at work or at home,
companies must be careful to ensure that they don't violate
the employees' privacy.
One way to help is to have written policies, which employees
agree to in writing, that indicate: