
Chapter 7: Controlling Information Systems: Introduction to Enterprise Risk Management and Internal Control



  1. Chapter 7: Controlling Information Systems: Introduction to Enterprise Risk Management and Internal Control
  Accounting Information Systems, 9e, Gelinas ► Dull ► Wheeler
  © 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

  2. Learning Objectives
  • Summarize the eight elements of COSO’s Enterprise Risk Management—Integrated Framework.
  • Understand that management employs internal control systems as part of organizational and IT governance initiatives.
  • Describe how internal control systems help organizations achieve objectives and respond to risks.

  3. Learning Objectives (cont’d)
  • Describe fraud, computer fraud, and computer abuse.
  • Enumerate control goals for operations and information processes.
  • Describe the major categories of control plans.

  4. Suggested Exercise Questions
  • P 7-1 on page 250
  • P 7-3 on page 251
  • P 7-4 on page 253

  5. Why are Controls Needed?
  • To provide reasonable assurance that the goals of each business process are being achieved.
  • To mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts).
  • To provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.

  6. A Control Hierarchy
  Besides the internal control topics covered by the textbook, we will also study control topics related to IS analysis, design, and maintenance.

  7. Governance
  • Organizational governance
    • Highest level of control mechanism
    • The process by which organizations select objectives, establish processes to achieve objectives, and monitor performance.
  • Enterprise Risk Management (ERM): a framework that has proven to be an effective process for organizational governance

  8. Governance example

  9. Risk Management
  • Enterprise Risk Management (ERM): a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

  10. Eight Components of Enterprise Risk Management (ERM) (page 221)
  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring
  • Another reason ERM is necessary is the Sarbanes-Oxley Act of 2002 (SOX).

  11. Sarbanes-Oxley Act (SOX) of 2002
  • Created due to failures of governance (e.g., Enron)
  • Details are covered in financial accounting and auditing courses
  • Created the Public Company Accounting Oversight Board (PCAOB).
  • Strengthened auditor independence rules.
  • Increased accountability of company officers and directors.
  • Mandated that upper management take responsibility for the company’s internal control structure.
  • Enhanced the quality of financial reporting.
  • Increased white-collar crime penalties.

  12. Key Elements of SOX (AIS perspective)
  • Section 201—prohibits audit firms from providing a wide array of nonaudit services to audit clients
    • In particular, the act prohibits consulting engagements involving the design and implementation of financial information systems.
  • Section 302—CEOs and CFOs must certify quarterly and annual financial statements.
  • Section 404—mandates that the annual report filed with the SEC include an internal control report.

  13. Outline of SOX (AIS perspective)
  • Outline on page 226
  • Title III—Corporate Responsibility: the company’s CEO and CFO must certify quarterly and annual reports stating that:
    • They are responsible for establishing, maintaining, and reporting on the effectiveness of internal controls, including significant deficiencies, frauds, or changes in internal controls.

  14. Outline of SOX (AIS perspective)
  • Title IV—
    • Section 409 requires that companies disclose information on material changes in their financial condition or operations on a rapid and current basis.

  15. Outline of SOX (AIS perspective)
  • Title VIII—Corporate and Criminal Fraud Accountability:
    • Makes it a felony to knowingly destroy, alter, or create records or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal investigation (example on the next slide).
    • Offers legal protection to whistleblowers who provide evidence of fraud.
    • Provides criminal penalties for those who knowingly execute, or attempt to execute, securities fraud.

  16. Recovered E-Mail between Enron and Andersen Consulting

  17. Outline of SOX (AIS perspective)
  • Title IX—White-Collar Crime Penalty Enhancements:
    • Requires that CEOs and CFOs certify that information contained in periodic reports fairly presents, in all material respects, the financial condition and results of the company’s operations.
    • Sets criminal penalties applicable to CEOs and CFOs if they knowingly or willfully falsely so certify.

  18. Your Computer Usage Pattern
  • Your property?
    • Computer files, email sent through your personal email system
  • Talking about your boss or peers by email
  • Web shopping during lunch break
  • Visiting adult websites
  • All files are deleted…are you safe now?
  • When leaving the company?
  • Access to your computer

  19. Definition of Internal Control
  • Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
    • Effectiveness and efficiency of operations
    • Reliability of financial reporting
    • Compliance with applicable laws and regulations

  20. COSO Influence on Defining Internal Control (most current COSO framework on the class website)

  21. Matrix for Evaluating Internal Controls

  22. Fraud and its Relationship to Control
  • Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.
  • Management is charged with the responsibility to prevent and/or disclose fraud. Instances of fraud undermine management’s ability to convince various authorities that it is upholding its stewardship responsibility.
  • Control systems enable management to do this job.
  • Management is responsible for an internal control system per the Foreign Corrupt Practices Act of 1977.
  • Section 1102 of the Sarbanes-Oxley Act specifically addresses corporate fraud.

  23. Consideration of Fraud in a Financial Statement Audit (SAS 99)
  • The accounting profession has been proactive in dealing with corporate fraud, launching an anti-fraud program.
  • One manifestation of this initiative is Statement on Auditing Standards (SAS) No. 99.
  • SAS 99 emphasizes brainstorming fraud risks, increasing professional skepticism, using unpredictable audit test patterns, and detecting management override of internal controls.

  24. 2010 ACFE Report to the Nation on Occupational Fraud and Abuse
  • Median loss from frauds was $160,000.
  • One quarter of losses were at least $1 million.
  • Projected global losses would be $2.9 trillion.
  • Typical fraud was underway for 18 months.
  • Frauds were more likely to be detected by tips.
  • Over 80 percent of the frauds were committed by individuals within the organization.
  • Small businesses are disproportionately victimized by fraud (31 percent of cases).

  25. PwC Economic Crime Survey
  • 30% of companies reported frauds in the previous 12 months and 43% reported an increase from the previous year.
  • Larger companies reported a greater number of frauds.
  • Collateral damage—described as damage or significant damage to their business—was reported in 100% of frauds.

  26. PwC Economic Crime Survey (cont’d)
  • Frauds were detected by internal audit (17%), internal tip-offs (16%), and fraud risk management (14%).
  • There was a strong correlation between fraud risk management activities and higher chances of detecting frauds.

  27. Computer Fraud and Abuse
  • Digital forensics
  • Computer crime
  • Malware
  • Computer virus

  28. DIGITAL FORENSICS
  • Digital forensics – the collection, authentication, preservation, and examination of electronic information for presentation in court
  • Two phases
    • Collecting, authenticating, and preserving electronic evidence
    • Analyzing the findings

  29. Phase 1: Collection – Places to look for Electronic Evidence

  30. Phase 1: Preservation
  • If possible, the hard disk is removed without turning the computer on
  • A special forensics computer is used to ensure that nothing is written to the drive
  • Forensic image copy – an exact copy or snapshot of all stored information

  31. Phase 1: Authentication
  • The authentication process is necessary to ensure that no evidence was planted or destroyed
  • MD5 hash value
    • It is like a fingerprint of the file.
    • There is a very small possibility of getting two identical hashes (fingerprints) for two different files.
    • This feature is useful both for comparing files and for integrity control.
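Added example (not from the textbook or this slide deck) tying slides 30 and 31 together: a forensic image is acquired byte-for-byte from a source, the hash is recorded at acquisition time, and the image is later re-hashed to prove it was not altered. The "drive" here is a constructed byte string written to a temporary file, standing in for a real device, and the open-mode of the source is the only write protection (a real acquisition uses a hardware write blocker). MD5 is computed because the slide names it, but because MD5 collisions can be manufactured deliberately, the example records a SHA-256 digest alongside it, which is what current practice does.

```python
import hashlib
import io
import os
import tempfile

# Constructed stand-in for a seized drive (not real evidence): a fake boot
# sector followed by a document fragment and unused zeroed space.
SAMPLE_DRIVE = b"MBR\x00" * 64 + b"ledger_2011.xlsx: 4711,9999999\n" + b"\x00" * 256

CHUNK = 1 << 16  # 64 KiB reads, so an image larger than RAM can still be hashed


def hash_stream(fobj, algorithms=("md5", "sha256")):
    """Hash an open binary stream in one pass; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def acquire_image(source_path, image_path):
    """Bit-for-bit copy of the source into an image file.

    The digests are computed from the bytes as they are read from the source;
    that is the value a chain-of-custody form records as the acquisition hash.
    The source is opened read-only; on a real drive a hardware write blocker
    enforces this, the toy relies on the open mode alone.
    """
    hashers = {name: hashlib.new(name) for name in ("md5", "sha256")}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_path, expected):
    """Re-hash the image and compare each digest with the recorded one."""
    with open(image_path, "rb") as f:
        actual = hash_stream(f, tuple(expected))
    return {name: actual[name] == expected[name] for name in expected}


def demo():
    """Acquire, verify, then flip one byte of the image and verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence.bin")  # stands in for a raw device
        image = os.path.join(workdir, "evidence.dd")
        with open(source, "wb") as f:
            f.write(SAMPLE_DRIVE)
        recorded = acquire_image(source, image)
        intact = verify_image(image, recorded)
        with open(image, "r+b") as f:  # simulate a single-byte alteration
            f.seek(10)
            f.write(b"X")
        altered = verify_image(image, recorded)
        return recorded, intact, altered


if __name__ == "__main__":
    recorded, intact, altered = demo()
    print("acquisition hashes:", recorded)
    print("image intact:", intact)
    print("after one-byte change:", altered)
```

Both digests are computed in the same pass over the data, so adding SHA-256 costs no extra disk reads; a single changed byte anywhere in the image flips both results to False.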

  32. Forensic Hardware and Software Tools
  • Forensics computers usually have a lot of RAM and very fast processors
  • EnCase – software that finds all information on disks
  • Quick View Plus and Conversions Plus – read files in many formats
  • Mailbag Assistant – reads most e-mail

  33. Forensics Hardware and Software Tools
  • Gargoyle – software that identifies encrypted files and may decrypt them
  • IrfanView – reads image files
  • Ingenium – semantic analysis software that searches for meaning rather than an exact match

  34. Cell Phones
  • In 2004 there were 200 countries with more than 1.5 billion users of GSM cell phones (Cingular and most of Europe)
  • GSM: Global System for Mobile Communications
  • Cell phones can be used for
    • Illegal drug deals
    • Storing stolen data
    • Fraudulently securing goods and services
    • Setting off explosives

  35. Cell Phones and Other Handheld Devices: Files Can Be Recovered from…

  36. Phase 2: Analysis
  • Interpretation of information uncovered
  • Recovered information must be put into context
  • Digital forensic software pinpoints the file’s location on the disk, its creator, the date it was created, and many other features of the file

  37. Where Data is Hiding

  38. History of Disk Activity

  39. Live Analysis
  • Examination of a system while it is still running
  • Disadvantage – not possible to get an MD5 hash value
  • Advantages include the ability to retrieve information from RAM
  • Helix – program to collect information during live analysis

  40. RECOVERY AND INTERPRETATION
  • Snippets of e-mail, when put into context, often tell an interesting story

  41. E-Mail between engineers about the Spaceship Columbia

  42. E-Mail between Enron and Andersen Consulting

  43. E-Mail from Arresting Officer in the Rodney King Beating

  44. Internal E-Mail from Bill Gates to Microsoft Employee

  45. Places to Look for Useful Information
  • Deleted files and slack space
    • Slack space – the space between the end of the file and the end of the cluster
  • System and registry files
    • Control virtual memory on the hard disk
    • Have records of installs and uninstalls
    • Have the MAC address (the unique address of the computer on the network)

  46. Places to Look for Useful Information
  • Unallocated space – a set of clusters that has been marked as available to store information but has not yet received any
  • Unused disk space
  • Erased information that has not been overwritten
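Added example (not from the textbook or the slide deck) illustrating slides 45 and 46 together: a toy volume with a constructed 16-byte cluster size shows why file slack and unallocated clusters still hold data from an earlier, deleted file. `ToyVolume`, its directory layout, and the file contents are all assumptions made for this illustration; real file systems use clusters of 4 KiB or more and keep the directory in on-disk structures, but the arithmetic for slack and free clusters is the same. The example goes slightly beyond the slides by also carving a known pattern out of the unallocated region, which is how an examiner turns "erased information that has not been overwritten" into evidence.

```python
CLUSTER = 16  # bytes per cluster; deliberately tiny (constructed) so slack is visible


class ToyVolume:
    """A minimal cluster-based volume: a byte array plus a directory.

    Deleting a file only returns its clusters to the free list; the bytes
    on "disk" are left untouched, exactly as most file systems behave.
    """

    def __init__(self, n_clusters=8):
        self.data = bytearray(CLUSTER * n_clusters)
        self.free = list(range(n_clusters))
        self.entries = {}  # name -> {"clusters": [...], "size": int}

    def write_file(self, name, content):
        needed = -(-len(content) // CLUSTER)  # ceiling division
        clusters, self.free = self.free[:needed], self.free[needed:]
        for i, c in enumerate(clusters):
            piece = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the file's own bytes are written; the tail of the last
            # cluster keeps whatever was there before (this is file slack).
            self.data[c * CLUSTER:c * CLUSTER + len(piece)] = piece
        self.entries[name] = {"clusters": clusters, "size": len(content)}

    def delete_file(self, name):
        entry = self.entries.pop(name)
        self.free = sorted(self.free + entry["clusters"])  # data is NOT wiped


def file_slack(vol, name):
    """Bytes between the end of the file and the end of its last cluster."""
    entry = vol.entries[name]
    last = entry["clusters"][-1]
    used_in_last = entry["size"] - CLUSTER * (len(entry["clusters"]) - 1)
    return bytes(vol.data[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])


def unallocated_bytes(vol):
    """Concatenated contents of every cluster the directory marks as free."""
    return b"".join(bytes(vol.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in vol.free)


def carve(blob, pattern):
    """Offsets at which a byte pattern occurs in a region (simple carving)."""
    hits, pos = [], blob.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(pattern, pos + 1)
    return hits


def build_demo_volume():
    """Constructed scenario: write a ledger, delete it, then reuse one cluster."""
    vol = ToyVolume()
    vol.write_file("notes.txt", b"Meeting at noon")                 # 15 bytes, 1 byte of slack
    vol.write_file("ledger.csv", b"ACCT,AMOUNT\n4711,9999999\n")    # 25 bytes, 2 clusters
    vol.delete_file("ledger.csv")                                    # clusters freed, bytes remain
    vol.write_file("memo.txt", b"ok")                                # reuses the ledger's first cluster
    return vol


if __name__ == "__main__":
    vol = build_demo_volume()
    print("slack of memo.txt:", file_slack(vol, "memo.txt"))
    region = unallocated_bytes(vol)
    print("unallocated region starts with:", region[:16])
    print("pattern 9999999 found at offsets:", carve(region, b"9999999"))
```

The 2-byte memo overwrites only the first two bytes of the cluster it was given, so the remaining 14 bytes of the deleted ledger's header survive as that file's slack; the ledger's second cluster is unallocated and still carries the amount, which the carve step locates.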

  47. Anti-Forensics
  • New branch of digital forensics
  • Set of tools and activities that make it hard or impossible to track user activity
  • Three categories
    • Configuration settings
    • Third-party tools
    • Forensic-defeating software

  48. Configuration Settings Examples:
  • Delete files, bypassing the Recycle Bin
  • Rename the file with a different extension
  • Clear out virtual memory
  • Use Defrag to rearrange data on the hard disk and overwrite deleted files
  • Use Disk Cleanup to delete ActiveX controls and Java applets

  49. Configuration Settings Examples:
  • Delete temporary Internet files
  • Hide information by making it invisible with the Hidden feature in Word or Excel
  • Redact – black out portions of a document
  • Protect your files with passwords

  50. Configuration Settings Examples:
  • Make the information invisible
  • Use Windows to hide files
  • Protect the file with a password
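Added example (not from the textbook or the slide deck) for the "rename the file with a different extension" item on slide 48, written from the examiner's side: forensic tools classify a file by its leading bytes (its magic number), not by its name, so a renamed file is reported as a mismatch. The signature table covers a handful of well-known formats, the file-name/header pairs in `SAMPLE_FILES` are constructed for the illustration, and `scan_directory` is a hypothetical helper for running the same check over a mounted image.

```python
import os

# Leading bytes of common formats (magic numbers) and the type they identify.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),  # also the container for docx/xlsx/pptx/jar
    (b"%PDF-", "pdf"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy doc/xls/ppt/msg
]

# Extensions that legitimately carry each detected type.
EXT_FAMILY = {
    "png": {"png"},
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "pdf": {"pdf"},
    "gif": {"gif"},
    "ole": {"doc", "xls", "ppt", "msg"},
}


def sniff(header):
    """Return the detected type for a file header, or None if unrecognised."""
    for signature, kind in MAGIC:
        if header.startswith(signature):
            return kind
    return None


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extension_mismatches(files):
    """files: iterable of (name, header bytes). Returns (name, ext, detected)
    for every file whose content type does not fit its extension."""
    findings = []
    for name, header in files:
        kind = sniff(header)
        if kind is not None and extension_of(name) not in EXT_FAMILY[kind]:
            findings.append((name, extension_of(name), kind))
    return findings


def scan_directory(root, header_len=16):
    """Hypothetical helper: apply the check to every file under a directory."""
    pairs = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                pairs.append((path, f.read(header_len)))
    return extension_mismatches(pairs)


# Constructed sample: two renamed files, one genuine text file, one genuine JPEG.
SAMPLE_FILES = [
    ("quarterly.txt", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("vacation.jpg", b"PK\x03\x04\x14\x00\x06\x00"),
    ("readme.txt", b"plain text, nothing unusual here"),
    ("photo.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]


if __name__ == "__main__":
    for name, ext, kind in extension_mismatches(SAMPLE_FILES):
        print(f"{name}: extension .{ext} but content looks like {kind}")
```

A plain text file has no magic number, so it is never flagged; only files whose content is positively identified as something their name does not claim are reported, which keeps false positives low on a large image.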
