Internal Control
Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm's objectives will be achieved. These controls encompass all the measures and practices that are used to counteract exposures to risks. The control framework is called the Internal Control Structure.
Control Environment
Risk Assessment
Control Activities
Monitoring
General Controls
Application Controls
Figure 7-1
Control Environment
The Control Environment establishes the tone of a company, influencing the control consciousness of its employees. It is comprised of seven components:
Management philosophy and operating style
Integrity and ethical values
Commitment to competence
The Board of Directors and the Audit Committee
Organizational structure
Assignment of authority and responsibility
Human resources policies and practices
External influences
Highlights of CE Components - I
Management Philosophy and Operating Style
Does management emphasize short-term profits and operating goals over long-term goals?
Is management dominated by one or a few individuals?
What type of business risks does management take, and how are these risks managed?
Is management conservative or aggressive toward selecting from available alternative accounting principles?
Figure 7-2
Highlights of CE Components - II
Organization Structure
Is an up-to-date organization chart prepared, showing the names of key personnel?
Is the information systems function separated from incompatible functions?
How is the accounting department organized?
Is the internal audit function separate and distinct from accounting?
Do subordinate managers report to more than one supervisor?
Figure 7-2 Continued
Highlights of CE Components - IV
Human Resource Policies and Practices
Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and the Corporate Code of Conduct?
Is the company in compliance with the ADA? The EEOA?
Are Grievance Procedures to manage conflict in force?
Does the company maintain a sound Employee Relations program?
Do employees work in a safe, healthy environment?
Are Counseling Programs available to employees?
Are proper Separation Programs in force for employees who leave the firm?
Are critical employees Bonded?
Risk Assessment
Top management must be directly involved in Business Risk Assessment. This involves the Identification and Analysis of Relevant Risks that may prevent the attainment of Company-wide Objectives and Objectives of Organizational Units and the formation of a plan to determine how to manage the risks.
Control Activities - I
Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:
Preventive Controls block adverse events, such as errors or losses, from occurring.
Detective Controls discover the occurrence of adverse events, such as operational inefficiency.
Corrective Controls are designed to remedy problems discovered through detective controls.
Security Measures are intended to provide adequate safeguards over access to and use of assets and data records.
Control Activities - II
Control Activities relating to Information Processing may also be classified according to where they will be applied within the system.
General Controls are those controls that pertain to all activities involving a firm's AIS and assets.
Application Controls relate to specific accounting tasks or transactions.
The overall trend seems to be going from specific application controls to more global general controls.
Risk
Business firms face risks that reduce the chances of achieving their control objectives. Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers. Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.
Types of Risks
Unintentional Errors
Deliberate Errors (Fraud)
Unintentional Losses of Assets
Thefts of Assets
Breaches of Security
Acts of Violence and Natural Disasters
Computer Crime
Computer crime (computer abuse) is the use of a computer to deceive for personal gain. Due to the proliferation of networks and personal computers, computer crime is expected to significantly increase both in frequency and amount of loss. It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.
Feasibility of Controls
Audit Considerations
Cost-Benefit Considerations
1. Determine the Specific Computer Resources Subject to Control.
2. Determine all Potential Threats to the company's Computer System.
3. Assess the Relevant Risks to which the firm is exposed.
4. Measure the Extent of each Relevant Risk Exposure in dollar terms.
5. Multiply the Estimated Effect of each Relevant Risk Exposure by the Estimated Frequency of Occurrence over a Reasonable Period, such as a year.
6. Compute the Cost of Installing and Maintaining a Control that is to Counter each Relevant Risk Exposure.
7. Compare the Benefits against the Costs of Each Control.
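The cost-benefit steps above, carried through in code as an added example (not from the textbook): each exposure is measured in dollars and multiplied by its estimated annual frequency, each control's installation cost is amortized and added to its maintenance cost, and a control is kept only when the expected loss it avoids exceeds what it costs. All dollar figures, frequencies and control names below are constructed for illustration.

```python
"""Cost-benefit screening of controls, following the seven-step slide:
measure each exposure in dollars, multiply by estimated annual frequency,
cost out the control, then compare benefit against cost.
Added example; all figures are constructed, not from the textbook."""
from dataclasses import dataclass


@dataclass
class Exposure:
    resource: str            # computer resource subject to control (step 1)
    threat: str              # potential threat to that resource (step 2)
    loss_per_event: float    # estimated dollar effect of one occurrence (step 4)
    events_per_year: float   # estimated frequency over one year (step 5)


@dataclass
class Control:
    name: str
    install_cost: float      # one-time cost, spread over amortization_years
    annual_maintenance: float
    reduction: float         # fraction of the annual exposure the control removes
    amortization_years: int = 5


def annual_exposure(e: Exposure) -> float:
    """Step 5: estimated effect of one event times its estimated annual frequency."""
    return e.loss_per_event * e.events_per_year


def annual_control_cost(c: Control) -> float:
    """Step 6: amortized installation cost plus yearly maintenance."""
    return c.install_cost / c.amortization_years + c.annual_maintenance


def net_benefit(e: Exposure, c: Control) -> float:
    """Step 7: expected annual loss avoided minus the control's annual cost."""
    return annual_exposure(e) * c.reduction - annual_control_cost(c)


def justified_controls(pairs):
    """Keep only (control name, net benefit) where the benefit exceeds the cost."""
    return [(c.name, round(net_benefit(e, c), 2)) for e, c in pairs if net_benefit(e, c) > 0]


# Constructed sample: exposures of the kind listed in Figure 7-6, one candidate control each.
FILE_THEFT = Exposure("customer master file", "unauthorized access or theft", 50_000.0, 0.2)
POWER_LOSS = Exposure("transaction processing", "sudden power loss", 2_000.0, 6.0)
ACCESS_CONTROL = Control("security measures at points of access", 40_000.0, 3_000.0, 0.75)
UPS = Control("backup power supply", 9_000.0, 500.0, 0.5)
SAMPLE = [(FILE_THEFT, ACCESS_CONTROL), (POWER_LOSS, UPS)]

if __name__ == "__main__":
    for name, benefit in justified_controls(SAMPLE):
        print(f"{name}: net annual benefit ${benefit:,.2f}")
```

With these constructed figures the access control costs more per year than the loss it is expected to avoid and is rejected, while the backup power supply is justified.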
Legislation
The Foreign Corrupt Practices Act of 1977
Of the Federal Legislation governing the use of computers, the Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important.
This act makes it a federal crime to intentionally access a computer for such purposes as:
(1) obtaining top-secret military information, or personal, financial or credit information
(2) committing a fraud
(3) altering or destroying federal information
Figure 7-6

| Manual system characteristics | Computer-based system characteristics | Risk exposures | Compensating controls |
|---|---|---|---|
| Data reviewed for errors by clerks | Data often not subject to review by clerks | Errors, accidental or deliberate, may be entered for processing | Edit checks performed by computer system |
| | Processing steps performed by CPU blindly in accordance with program instructions | | Outputs reviewed by users of computer system; carefully developed computer processing programs |
| Processing steps performed among various clerks in separate departments | Processing steps concentrated within computer CPU | Unauthorized manipulation of data and theft of assets can occur on larger scale | Restricted access to computer facilities; clear procedure for authorizing changes to programs |
| Processing requires use of journals and ledgers | Processing does not require use of journals | Audit trail may be partially lost | Printed journals and other analyses |
| Data stored in file drawers throughout the various departments | Data compressed on magnetic media (e.g., tapes, disks) | Data may be accessed by unauthorized persons or stolen | Security measures at points of access and over data library |
| Data stored on hard copies in human-readable form | Data stored in invisible, erasable, computer-readable form | Data are temporarily unusable by humans, and might possibly be lost | Data files printed periodically; backup of files; protection against sudden power losses |
| | Stored data often readily accessible from various locations via terminals | Data may be accessed by unauthorized persons | Security measures at points of access |
| Outputs generated laboriously and usually in small volumes | Outputs generated quickly and neatly, often in large volumes | Inaccuracies may be buried in impressive-looking outputs that users accept on faith | Reviews by users of outputs, including the checking of amounts |
| Outputs usually in hard-copy form | Outputs provided in various forms, including soft-copy displays and voice responses | Information stored on magnetic media is subject to modification (only hard copy provides permanent record) | Backup of files; periodic printing of stored files onto hard-copy records |
| | | Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed; operations may be delayed through inefficiencies | Backup of data and power supply and equipment; preventive maintenance of equipment; restrictions on access to computer facilities; documentation of equipment usage and processing procedures |
Copyright 2000 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.