Code of Ethics
Ethical behavior prompted by a code of ethics can be considered a form of INTERNAL CONTROL
Sarbanes-Oxley (SOX)
- Requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting (ICFR)
- Established the PCAOB (Public Company Accounting Oversight Board) to provide independent oversight of public accounting firms
PCAOB Auditing Standard No. 5 (AS 5)
Encourages auditors to use a risk-based, top-down approach to identify key controls
Corporate Governance
A set of processes and policies for managing an organization with sound ethics and with internal and external control mechanisms that safeguard the interests of its stakeholders
Control Concepts
Processes implemented to provide assurance that the following objectives are achieved:
Safeguard assets
Maintain sufficient records
Provide accurate and reliable information
Prepare financial reports according to established criteria
Promote and improve operational efficiency
Encourage adherence with management policies
Comply with laws and regulations
Preventive controls
deter problems from occurring (Authorization)
Detective controls
discover problems that are not prevented (Bank reconciliations and monthly trial balances)
Corrective controls
correct and recover from the problems that have been identified (Backup files to recover corrupted data)
General controls
pertain to enterprise-wide issues (controls over accessing the network, developing and maintaining applications, etc.)
Application controls
specific to a subsystem or an application to ensure the validity, completeness and accuracy of the transactions
COSO Internal Control Framework
- Widely accepted authority on internal control
- Provides baseline for evaluating, reporting, and improving internal control
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- AAA (American Accounting Association)
- AICPA (American Institute of Certified Public Accountants)
- FEI (Financial Executives International)
- IIA (Institute of Internal Auditors)
- IMA (Institute of Management Accountants)
COSO Cube

Objectives of COSO
Operations (effectiveness and efficiency of a firm’s operations)
Reporting (reliability of reporting)
Compliance (adherence to applicable laws and regulations)
Components of COSO
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring Activities
Control Environment
Management’s philosophy, operating style
Commitment to integrity, ethical values, and competence
Internal control oversight by Board of Directors
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
Risk Assessment
Identifying and analyzing a firm’s risks from external and internal environments.
Allows a firm to understand the extent to which potential events might affect corporate objectives.
Risk is assessed from two perspectives:
Likelihood
- Probability that the event will occur
Impact
- Estimate of the potential loss if the event occurs
Control Activities
A firm must establish control policies, procedures, and practices that ensure the firm’s objectives are achieved and risk mitigation strategies are carried out.
Occur throughout a firm at all levels and in all functions.
Information and Communication
Supports all other control components by communicating effectively to ensure information flows within the firm
Down
Across
Up
To interact with external parties and inform them about related policy positions
customers
suppliers
regulators
shareholders
Monitoring Activities
The design and effectiveness of internal controls should be monitored by management on an ongoing basis.
Findings should be evaluated, and deficiencies must be communicated in a timely manner.
Necessary modifications should be made to improve the business process and the internal control system
Control Environment Principles (COSO 2013)
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment Principles (COSO 2013)
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities Principles (COSO 2013)
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information and Communication Principles (COSO 2013)
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities Principles (COSO 2013)
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Enterprise Risk Management
Identifies potential events that may affect the firm
Manages risk to be within the firm’s risk appetite.
Provides reasonable assurance regarding the achievement of the firm’s objectives.
Expands the COSO Internal Control framework to provide a broader view on risk management to maximize firm value
COSO Enterprise Risk Management Cube

COSO Enterprise Risk Management Objectives
Strategic — high-level goals, aligned with and supporting the firm’s mission and vision
Operations — effectiveness and efficiency of operations
Reporting — reliability of internal and external reporting
Compliance — compliance with applicable laws and regulations
ERM components that add to or expand on the COSO Internal Control framework
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Objective Setting
strategic level, establishing a basis for operations, reporting and compliance
Event Identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives; must distinguish between risks and opportunities
Risk Assessment
First step in developing an audit plan to meet the mandate of SOX Section 404
Inherent risk
exists already before plans are made to address it
Control risk
the threat that errors or irregularities in the underlying transactions will not be prevented, detected and corrected by the internal control system
Residual risk
the product of inherent risk and control risk (the risk that is left over after controls have been applied)
Risk Response
(1) Reduce risks: implement effective internal control
(2) Share risks: buy insurance, outsource, or hedge
(3) Avoid risks: do not engage in the activity
(4) Accept risks: Do nothing, accept likelihood and impact of risk

Cost and benefit analysis
Expected benefit of an internal control
= Impact * Decreased Likelihood
= estimated impact of a risk times the decrease in its likelihood if the control is implemented (compare this benefit with the cost of the control)
Physical Control
mainly manual but could involve the physical use of computing technology
+ proper authorization of transactions and activities
+ segregation of duties
+ project development and acquisition controls
IT Controls
Provide assurance for information and help to mitigate risks associated with the use of technology
IT general controls (ITGC)
Enterprise-level controls over IT
+ IT control environment
+ Access controls
+ Change management controls
IT application input controls
field checks, size checks, range checks, validity checks
IT application processing controls
pre-numbered documents, sequence checks, batch totals
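The input and processing controls listed above, applied to a constructed batch of sales transactions, as an added example in Python. This is not material from the original flashcard set; the Transaction fields, the VALID_ACCOUNTS master list, the sample batch and the control-slip totals are all assumptions made for the illustration.

```python
"""Application controls over a batch of sales transactions.

Added illustration, not from the original flashcard set. The Transaction
fields, VALID_ACCOUNTS master list, SAMPLE_BATCH and SAMPLE_CONTROL_TOTALS
are constructed assumptions for the example.
"""
from dataclasses import dataclass

# Assumed customer-account master file used by the validity check.
VALID_ACCOUNTS = {"1001", "1002", "2005"}


@dataclass
class Transaction:
    doc_no: int      # pre-numbered source document number
    account: str     # customer account, expected to be 4 digits
    amount: float    # invoice amount
    quantity: int    # units sold


def input_checks(t: Transaction) -> list:
    """Input controls for one record; an empty list means the record passes."""
    errors = []
    if not t.account.isdigit():                 # field check: numeric data only
        errors.append("field check: account is not numeric")
    if len(t.account) != 4:                     # size check: fixed field length
        errors.append("size check: account is not 4 characters")
    if not 1 <= t.quantity <= 1000:             # range check: plausible quantity
        errors.append("range check: quantity outside 1..1000")
    if t.amount <= 0:                           # range check: positive amount
        errors.append("range check: amount is not positive")
    if t.account not in VALID_ACCOUNTS:         # validity check: master file lookup
        errors.append("validity check: account not on master file")
    return errors


def sequence_check(batch: list) -> dict:
    """Processing control over pre-numbered documents: flag gaps and duplicates."""
    nums = sorted(t.doc_no for t in batch)
    present = set(nums)
    duplicates = sorted({n for n in nums if nums.count(n) > 1})
    missing = [n for n in range(nums[0], nums[-1] + 1) if n not in present]
    return {"duplicates": duplicates, "missing": missing}


def batch_totals(batch: list) -> dict:
    """Record count, financial total and a hash total (a sum of document numbers
    that has no business meaning but detects dropped or substituted records)."""
    return {
        "record_count": len(batch),
        "amount_total": sum(t.amount for t in batch),
        "hash_total": sum(t.doc_no for t in batch),
    }


def reconcile_totals(batch: list, control_totals: dict) -> dict:
    """Compare computed totals with the control totals submitted with the batch.
    Returns {name: (computed, expected)} for every total that disagrees."""
    computed = batch_totals(batch)
    return {k: (computed[k], v) for k, v in control_totals.items() if computed[k] != v}


def run_controls(batch: list, control_totals: dict) -> dict:
    """Apply input and processing controls and report what each one caught."""
    results = [(t, input_checks(t)) for t in batch]
    return {
        "accepted": [t for t, errs in results if not errs],
        "rejected": [(t.doc_no, errs) for t, errs in results if errs],
        "sequence": sequence_check(batch),
        "total_mismatches": reconcile_totals(batch, control_totals),
    }


# Constructed batch as keyed by data entry: doc 104 was never keyed, doc 105
# was keyed twice, and the amount on doc 102 was keyed as 400.00 instead of 40.00.
SAMPLE_BATCH = [
    Transaction(101, "1001", 250.0, 10),
    Transaction(102, "10A2", 400.0, 5),
    Transaction(103, "1002", 0.0, 3),
    Transaction(105, "2005", 75.5, 2),
    Transaction(105, "9999", 12.0, 1),
]

# Constructed control slip prepared from the source documents 101..105 before
# data entry. The record count still agrees (5 keyed, 5 on the slip), so only
# the hash total and amount total reveal the substitution and keying errors.
SAMPLE_CONTROL_TOTALS = {"record_count": 5, "amount_total": 377.5, "hash_total": 515}

if __name__ == "__main__":
    report = run_controls(SAMPLE_BATCH, SAMPLE_CONTROL_TOTALS)
    for doc_no, errs in report["rejected"]:
        print(f"doc {doc_no} rejected: {'; '.join(errs)}")
    print("sequence check:", report["sequence"])
    print("batch total mismatches:", report["total_mismatches"])
```

Note which control catches which error: the record count alone passes because a duplicate replaced a missing document, so it is the hash total and the sequence check that expose the substitution, while the amount total exposes the keying error that no per-field check could see.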
COSO ERM 2017
defined ERM as “the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.”

COBIT (Control Objectives for Information and related Technology)
a generally accepted framework for IT governance and management
COBIT Framework
Provides a business focus to align business and IT objectives
Defines the scope and ownership of IT process and control
Is consistent with accepted IT good practices and standards
Provides a common language with a set of terms and definitions that are generally understandable by all stakeholders
Meets regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and auditors.
Key Criteria for the COBIT Framework
Effectiveness – relevant and timely
Efficiency – produced economically
Confidentiality – protection of sensitive information
Integrity – valid, accurate and complete
Availability – available when needed
Compliance – complying with the laws and regulations
Reliability – reliable for daily decision making
ITIL (Information Technology Infrastructure Library)
ITIL’s value proposition centers on providing IT services with an understanding of the business objectives and priorities, and of the role that IT services play in achieving those objectives.
It is a de facto standard in Europe for the best practices in IT infrastructure management and service delivery.
ITIL adopts a lifecycle approach to IT services and organizes IT service management into five high-level categories.
ITIL 5 high-level categories
•Service Strategy (SS)
•the strategic planning of IT service management capabilities and the alignment of IT service and business strategies
•Service Design (SD)
•the design and development of IT services and service management processes
•Service Transition (ST)
•realizing the requirements of strategy and design, and maintaining capabilities for the ongoing delivery of a service
•Service Operation (SO)
•the effective and efficient delivery and support of services, with a benchmarked approach for event, incident, request fulfillment, problem, and access management.
•Continual Service Improvement (CSI)
•ongoing improvement of the service and the measurement of process performance required for the service.
ISO (International Organization for Standardization) 27000 Series
Addresses information security issues.
Has become the most recognized and generally accepted set of information security frameworks and guidelines.
The main objective is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS) using a “process approach”
Steps to the ISO 27000 Series
