Chapter 3 - Risk Management and Internal Controls - Student
School: University of Alabama
Course: 389
Subject: Information Systems
Date: Apr 3, 2024
Uploaded by MasterSnailMaster1057
Ch 3 – Risk Management and Internal Controls

LO 1 Distinguish among the three functions of internal controls.

1. How do internal controls mitigate risk?
   a. Internal control is a process that specifically mitigates risks to the company's financial information.
   b. An adequate process creates assurance that
      i. accounting information is reliable, complete, and valid;
      ii. operations are effective and efficient; and
      iii. the business is complying with laws and regulations.
   c. Proper controls can:
      i. Create quality information
      ii. Lessen the risk of financial statement misstatements and identify financial issues
      iii. Prevent fraud and safeguard assets from theft and waste
      iv. Increase operating efficiency and measure business objectives and goals
      v. Ensure compliance with applicable laws and regulations
      vi. Provide investors with reassurance
   d. Different functions of internal controls
      i. Controls, or control activities, are the mechanisms, like rules, policies, and procedures, that make up the process.
      ii. They provide reasonable assurance, which means not absolute mitigation but enough mitigation to give the company confidence that its risk is at an acceptable level.
      iii. The function of a control is to do one of the following:
         1. Prevent problems from happening.
            a. Segregation of duties (also called separation of duties) lessens the risk of error and fraud by ensuring that different employees are responsible for the separate parts of a business activity.
         2. Detect: alert management to an issue, such as fraud, a quality-control failure, or a legal compliance breach, once it has occurred.
         3. Correct: change undesirable outcomes; corrective controls act after the potential outcome of a risk has become a reality.

   Exercise: classify each control as preventive (P), detective (D), or corrective (C).
      Firewall blocking access to an organization's computer network – Preventive
      Filing a police report – Corrective
      Physical inventory counts – Detective
      Policy and procedure documentation – Preventive (the most common type)
      Insurance – Corrective
      Reconciliations – Detective
2. Control weaknesses
   a. Management override of controls occurs when internal control activities do not work because management is not following policy or procedures (the Achilles' heel of fraud prevention).
   b. Collusion: two or more people working together to override the controls.
      i. What if a control requires one employee to input invoices into the accounts payable system and a different employee to approve payment for the invoices?
      ii. If these two employees work together, they can commit fraud by inputting a fictitious invoice and authorizing the payment to go to a bank account they control.
3. Time-based model of controls
   a. Specific to technology attacks: it compares the time an attack needs to bypass the preventive controls with the company's detective and corrective control reaction times.
   b. Residual risk for a technology attack is measured by comparing the three control functions: the security measures are adequate only if the time needed to break through the preventive controls exceeds the time needed to detect the attack plus the time needed to respond to it. Otherwise, the security measures are inadequate to protect the company's systems from intruders.

LO 2 Characterize a control by its location and implementation method.

1. How are controls classified?
   a. By where the control exists in a business process.
      i. If the control is NOT in a computer environment, it is physical, such as a lock.
      ii. If the control is in a computer environment, it is characterized as either:
         1. an IT general control (ITGC), or
         2. an IT application control.
2. General controls: IT general controls (ITGCs) apply to the entire operation of the full system and its environment.
   a. All corporate applications, like email, web browsers, time-keeping software, benefits management systems, and more, are subject to ITGCs. Three common/broad examples of ITGCs are:
   b. System security: controls embedded in the company's system that specifically target the risk of external, unauthorized users performing malicious activities against company data or systems.
   c. Data backups: all servers are backed up to a secondary set of equipment, stored at a different location, that can be brought online in the event of a disaster.
   d. Duplicate environments: system changes are not released to the production software before being reviewed and approved. Instead, changes are developed and tested in a duplicate environment, a copy of the software.
3. Application controls: in accounting, an application is software that captures and records accounting business events. Essentially, an AIS is an application.
   a. An application control applies only to a specific application. An accounting application for sales would have application controls that cover the sales accounts, AR, customer information, returns, etc.

   Exercise: match each application data-entry control with its description.
      Field check – Characters in a field are of the proper type (certain fields might accept only numbers, numbers and letters, no special characters, etc.)
      Sign check – Data in a field has the appropriate sign (positive/negative)
      Limit check – Tests a numerical amount against a single fixed value
      Range check – Tests a numerical amount against lower and upper limits
      Redundant check – Requires the inclusion of two identifiers in each input record (for example, entering a password twice)
      Size check – Input data fits into the field
      Completeness check – Verifies that all required data is entered
      Validity check – Compares data from the transaction file to the master file to verify existence
      Reasonableness test – Tests the correctness of the logical relationship between two data items

4. Implementing controls: there are two methods of implementing a control.
   a. Manual: requires human judgment or physical interaction.
      i. Note the difference between the terms "manual controls" and "physical controls":
         1. Manual controls are executed by people or through physical interaction.
         2. Physical controls mitigate risks related to people and their actions.
   b. Automated: uses technology to implement control activities.
      i. Automated controls are often more reliable and consistent than manual controls because they are not susceptible to human error, judgment, or override in day-to-day processing (a user with enough privilege to change the system's configuration or data can still bypass them, which is why the ITGCs over access and change management matter).
      ii. A control must be fully automated to be classified as automated. An example is a systems-level separation of duties.
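The following is an added example, not code from the course notes: it implements the nine data-entry application controls from the matching exercise above and the systems-level segregation of duties named as an automated control, applied to an accounts-payable invoice like the one in the collusion scenario. The field names, limits, user names and the vendor master file are assumptions constructed for the example.

```python
"""Added example (not from the course notes): data-entry application
controls and a systems-level segregation-of-duties check for an
accounts-payable invoice. Field names, limits, user names and the
vendor master file below are constructed assumptions."""

# Constructed vendor master file: vendor id -> (registered name, bank account).
VENDOR_MASTER = {
    "V1001": ("Acme Supplies Ltd", "ACCT-0001"),
    "V1002": ("Birch Logistics", "ACCT-0002"),
}
REQUIRED_FIELDS = ("vendor_id", "vendor_name", "invoice_no", "quantity",
                   "unit_price", "amount", "entered_by")
INVOICE_NO_MAX_LEN = 12             # assumed width of the invoice_no field
UNIT_PRICE_RANGE = (0.01, 5_000.0)  # assumed lower and upper bounds
SINGLE_APPROVAL_LIMIT = 10_000.0    # assumed fixed limit for one approver


def validate_invoice(inv: dict) -> list:
    """Run the data-entry controls; return the violations found (an empty
    list means the record passes and may be written to the AP file)."""
    # Completeness check: every required field must be entered.
    missing = [f for f in REQUIRED_FIELDS if inv.get(f) in (None, "")]
    if missing:
        return ["completeness: missing " + ", ".join(missing)]
    errors = []
    # Field check: invoice number must contain only letters and digits.
    if not str(inv["invoice_no"]).isalnum():
        errors.append("field: invoice_no must be alphanumeric")
    # Size check: the value must fit the field.
    if len(str(inv["invoice_no"])) > INVOICE_NO_MAX_LEN:
        errors.append("size: invoice_no longer than %d" % INVOICE_NO_MAX_LEN)
    # Sign check: quantity and unit price must be positive.
    if inv["quantity"] <= 0 or inv["unit_price"] <= 0:
        errors.append("sign: quantity and unit_price must be positive")
    # Range check: unit price must lie between lower and upper limits.
    low, high = UNIT_PRICE_RANGE
    if not low <= inv["unit_price"] <= high:
        errors.append("range: unit_price outside %s-%s" % (low, high))
    # Limit check: amount tested against a single fixed value.
    if inv["amount"] > SINGLE_APPROVAL_LIMIT:
        errors.append("limit: amount exceeds single-approver limit")
    # Validity check: the vendor must exist in the master file.
    master = VENDOR_MASTER.get(inv["vendor_id"])
    if master is None:
        errors.append("validity: vendor_id not found in vendor master")
    # Redundant check: a second identifier (the name) must agree with the id.
    elif master[0] != inv["vendor_name"]:
        errors.append("redundant: vendor_name does not match vendor_id")
    # Reasonableness test: amount must equal quantity x unit price.
    if abs(inv["amount"] - inv["quantity"] * inv["unit_price"]) > 0.005:
        errors.append("reasonableness: amount != quantity * unit_price")
    return errors


def approve_payment(inv: dict, approver: str) -> dict:
    """Systems-level segregation of duties: the user who entered the invoice
    cannot approve it, and payment is released only to the account on record."""
    errors = validate_invoice(inv)
    if errors:
        raise ValueError("invoice rejected: " + "; ".join(errors))
    if approver == inv["entered_by"]:
        raise PermissionError("segregation of duties: enterer cannot approve")
    # Pay the master-file account, never one typed on the invoice, so a
    # fictitious invoice cannot redirect funds without a vendor-master change;
    # review of those changes is the separate detective control that is
    # needed against the two-person collusion the notes describe.
    return {"invoice_no": inv["invoice_no"], "approved_by": approver,
            "pay_to": VENDOR_MASTER[inv["vendor_id"]][1], "amount": inv["amount"]}


# Constructed sample records.
GOOD_INVOICE = {"vendor_id": "V1001", "vendor_name": "Acme Supplies Ltd",
                "invoice_no": "INV2024001", "quantity": 4, "unit_price": 250.0,
                "amount": 1000.0, "entered_by": "alice"}
BAD_INVOICE = dict(GOOD_INVOICE, invoice_no="INV-7", quantity=-2, amount=6.0)

if __name__ == "__main__":
    print(validate_invoice(GOOD_INVOICE))   # []
    print(validate_invoice(BAD_INVOICE))    # field, sign and reasonableness errors
    print(approve_payment(GOOD_INVOICE, "bob"))
    try:
        approve_payment(GOOD_INVOICE, "alice")
    except PermissionError as e:
        print(e)
```

The preventive checks run on every record before it reaches the transaction file, so they are automated in the sense used above; the collusion case in the notes is only partly addressed here, because two colluding users could still alter the vendor master, which is why a review of master-file changes (a detective control) sits alongside the automated one.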
   Exercise: identify whether each control is manual or automated.
      Physical inventory counts – Manual
      Employee performing a bank reconciliation – Manual
      Calculations embedded in spreadsheets – Automated
      Supervisor review and sign-off – Manual
      System user role privileges and limitations – Automated
      Continuous monitoring and data analytics – Automated

5. Continuous monitoring: internal auditors, acting as data analysts, use continuous monitoring technology to create detective controls that use rules-based programming to monitor a business's data for red flags or risks.
   a. These rules are programmed to keep tabs on key performance indicators (KPIs), like gross profit margin, or to look for red flags, like fraud risk indicators.

LO 3 Explain the three lines of defense to ensure the effectiveness of internal controls.

1. How do we assess internal controls?
   a. Continuously assess controls to determine whether they function properly and address risk appropriately. Assessments can be performed by management, internal auditors, or external auditors.
   b. The three lines of defense are defined by their involvement in combating risk to protect the company.
      i. First line of defense: business operations
         1. Management is responsible for enforcing mitigating measures to prevent identified risks from occurring.
         2. This is where financial accountants, tax accountants, systems analysts, and other accounting professionals who are not auditors or compliance officers work.
      ii. Second line of defense: risk management and compliance
         1. In many companies, ERM and compliance operations are combined, while in others they are separate departments.
         2. Accountants specializing in compliance (designing and monitoring internal controls, performing risk assessments and responses, or assisting the legal team) work here.
      iii. Third line of defense: internal audit
         1. An independent function of the company (independent in its reporting line, though still part of the company) with a unique reporting relationship in the organization.
         2. Removed from the business process, with no stake in or influence over the outcome of the business processes it audits.
         3. Reports directly to executive management and the board of directors.
         4. Provides assurance, insight, and objectivity to the company.

LO 4 Describe the importance of frameworks in an internal control environment.

1. Why are internal control frameworks important?
   a. A framework is a set of specifications and criteria that define a strategy to achieve certain objectives.
   b. Many types are not exclusive to the accounting industry.
   c. A framework provides a set of instructions for businesses to follow.
   d. Frameworks are often referred to as roadmaps.
   e. They are not prescriptive.
2. Sarbanes-Oxley Act of 2002 (SOX)
   a. Aims to protect investors from fraud and other risks by improving the reliability and accuracy of financial statements.
   b. Primarily focuses on the internal control structures of a company. SOX compliance is required for:
      i. Publicly traded companies in the US and their subsidiaries
      ii. Foreign companies that are publicly traded and do business in the US
      iii. Private companies planning their IPOs
      iv. Accounting firms that perform audits of SOX-regulated companies
   c. SOX has many requirements, but the most significant are:
      i. CEOs and CFOs are personally responsible for the accuracy of the financial statements
      ii. Management is responsible for implementing and maintaining an adequate system of internal control
      iii. External auditors audit the internal controls as well as the financial statements
3. COSO Internal Control – Integrated Framework: to comply with SOX, most publicly traded companies turn to the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
   a. A control-based approach to risk management that is widely accepted as the authoritative guidance on internal controls and SOX compliance.
   b. The three control objectives (operations, reporting, and compliance) and five control components (control environment, risk assessment, control activities, information and communication, and monitoring activities) are mapped out visually in the COSO cube; the figure is not reproduced in these notes.
4. COSO ERM Framework: COSO also publishes an enterprise risk management framework that adds risk management concepts to the primary control concepts.