Enterprise System and Risk Controls PowerPoint PPT Presentation

Title: Enterprise System and Risk Controls


1
Enterprise System and Risk Controls
  • Chapter 14

2
Chapter Learning Objectives
  1. Describe the relationship between enterprise
    risks, opportunities, and controls
  2. Explain the levels at which enterprise risks
    occur
  3. Use the REA pattern to identify sources of
    enterprise risk
  4. Identify specific controls to prevent, detect,
    and recover from enterprise risks

3
The Relationship between Risks, Opportunities, and Controls
  • Risks
  • any exposure to the chance of injury or loss
  • Opportunities and Objectives
  • Controls
  • A control is an activity performed to minimize or
    eliminate a risk.

4
Internal Control Systems
  • Congress passed the Sarbanes-Oxley Act requiring
    publicly traded companies to issue reports on
    their internal control systems along with their
    annual financial reports
  • Management responsibility for internal controls
  • Reporting considerations
  • Auditors' requirements
  • SAS No. 94
  • COSO

5
Materiality and Risk
6
COSO Internal Control Integrated Framework
  • The Committee of Sponsoring Organizations (COSO)
  • COSO's components
  • Control environment
  • Risk assessment
  • Control Activities
  • Information and communication
  • Monitoring

7
Control Environment
  • Control environment sets the tone of the
    organization
  • The control environment includes
  • Integrity and ethical behavior
  • Commitment to competence
  • Board of directors and audit committee
    participation
  • Management philosophy and operating style
  • Organization structure
  • Assignment of authority and responsibility
  • Human resource policies and practices

8
Risk Assessment
  • Risk assessment identifies and analyzes the
    relevant risks associated with the organization
    achieving its objectives.

9
Control Activities
  • Policies and procedures the organization uses to
    ensure that necessary actions are taken to
    minimize risks associated with achieving its
    objectives
  • Objectives
  • Preventive controls
  • Detective controls
  • Corrective controls
  • Error versus Irregularity

10
Information and Communication
  • The information system consists of the methods
    and records used to record, maintain, and report
    enterprise events.
  • The information system should
  • Identify and record all business events on a
    timely basis.
  • Describe each event in sufficient detail.
  • Measure the proper monetary value of each event.
  • Determine the time period in which events
    occurred.
  • Present properly the events and related
    disclosures in the financial statements.

11
Information and Communication
  • Provides an understanding of individual roles and
    responsibilities pertaining to internal controls.
  • Open communication channels
  • Includes the policy manuals, accounting manuals,
    and financial reporting manuals

12
Monitoring
  • Assessing the quality of internal control
    performance over time
  • Assessing the design and operation of controls on
    a timely basis and taking corrective actions as
    needed
  • Performance reviews provide means for monitoring

13
Risk Identification
  • Economy Risks
  • Industry Risks
  • Enterprise Risks
  • Business Process Risks
  • Information Process Risks

14
Controls for Economy/Industry Risks
  • Economy and industry risks can be very difficult
    to control
  • Diversify to multiple industries
  • Use hedges and derivatives
  • Be outwardly focused
  • Pay attention to industry and economy trends and
    market demands

15
Controls for Enterprise Risks
  • Respond quickly to drops in perceived brand
    quality or firm reputation
  • Purchase insurance
  • Use sound personnel practices
  • Set a strong tone at the top
  • Create contingency plans to minimize business
    interruptions

16
Controls for Business Process Risks
  • Resources
  • Resource Risks
  • Theft, Loss, Waste, or Damage
  • Obsolescence
  • Resource Risk Controls
  • Separation of Duties (preventive)
  • Physical counts and Reconciliations (primarily
    detective; may help prevent loss too)
  • Insurance (corrective)
  • Asset tracking devices (primarily detective;
    however, they often help prevent loss too)

17
Controls for Business Process Risks
  • Instigation Event Risks
  • Failure to inform customers of product features
  • Mistakes in ads or promotions
  • Unnecessary/unwanted sales call presentations
  • Customer can't find information needed
  • Inability to track results of marketing efforts
  • Unproductive salespeople
  • Failure to identify need for input resources in
    timely manner
  • Requisitioning unnecessary or wrong resources
  • Inability to find source for needed resources
  • Failure to approve valid requisitions
  • Requisitioning items for which budget is
    unavailable

18
Controls for Business Process Risks
  • Controls for Instigation Event Risks
  • Accurate querying of a complete information
    system with adequate data entry controls combined
    with the procedural controls provides effective
    means for controlling instigation event risks

19
Controls for Business Process Risks
  • Mutual Commitment Event Risks
  • Failure to accept desirable, valid sale orders
  • Acceptance of undesirable or invalid sale orders
  • Commitment with an unrealistic delivery date
  • Commitment to provide goods/services at
    unprofitable price
  • Failure to place desirable, valid purchase orders
  • Placement of undesirable or invalid purchase
    orders
  • Failure to provide adequate lead time to vendors
  • Failure to obtain lowest possible cost for
    highest possible quality
  • Controls
  • Procedural controls PLUS effective querying of a
    good information system with adequate data entry
    controls

20
Controls for Business Process Risks
  • Economic Decrement Event Risks
  • Failure to ship goods in response to valid sale
    order
  • Shipment of goods not ordered or not authorized
  • Shipment of goods to or by invalid agent
  • Poor packaging used in shipment
  • Shipment via a poor carrier or route
  • Lost sales due to untimely shipments
  • Failure to pay for goods received in a timely
    manner
  • Duplicating payment for same purchase
  • Failure to take advantage of early payment
    discounts
  • Controls for Economic Decrement Event Risks
  • Procedural controls PLUS effective querying of a
    good information system with adequate data entry
    controls

21
Controls for Business Process Risks
  • Economic Increment Event Risks
  • Failure to receive cash as result of sale
  • Accepting duplicate cash receipts for same sale
  • Failure to deposit cash into bank in timely
    manner
  • Depositing cash into wrong bank account
  • Failure to receive goods in response to purchase
    order
  • Receipt of goods not ordered
  • Receipt of wrong goods or incorrect quantity of
    goods
  • Damage of goods during receiving process
  • Controls for Economic Increment Event Risks
  • Procedural controls PLUS effective querying of a
    good information system with adequate data entry
    controls

22
Controls for Business Process Risks
  • Economic Decrement Reversal Event Risks
  • Failure to accept goods for legitimate sale
    return
  • Acceptance of goods for illegitimate sale return
  • Approval of sale return by unauthorized employee
  • Recording sale return that didn't occur
  • Economic Decrement Reversal Event Risks
  • Failure to return unsatisfactory goods
  • Return of goods that enterprise needed
  • Approval of purchase return by unauthorized
    employee
  • Recording purchase return that didn't occur
  • Controls
  • Procedural controls PLUS effective querying of a
    good information system with adequate data entry
    controls

23
Controls for Information Process Risks
  • System Resource Risks and Controls
  • Physical access controls
  • Logical access controls

24
Controls for Information Process Risks
  • Terminal identification codes
  • Prevent access by unauthorized terminals over
    communication lines
  • Encryption
  • Protects highly sensitive and confidential data
  • Process of encoding data entered into the system,
    storing or transmitting the data in coded form,
    and then decoding the data upon its use or
    arrival at its destination

25
Controls for Information Process Risks
  • System Failure Protection
  • Proper maintenance of equipment and facilities
  • Operate equipment in appropriate physical
    environment
  • Backup system components
  • Power source failures may also result in business
    interruptions and loss of data

26
Controls for Information Process Risks
  • System Failure Protection
  • Virus protection (anti-virus) software
  • Firewalls
  • Combinations of hardware and software used to
    shield a computer or network from unauthorized
    users or from file transfers of unauthorized types

27
Controls for Information Process Risks
  • Software Processing Controls
  • General software controls
  • System Development and Maintenance Procedures
  • Care in specifying requirements
  • Use of test data to verify accuracy of programs
  • Separation of duties between programmers, system
    analysts, data control group, and operations
    personnel
  • Network Operating System (NOS) controls
  • Application software controls

28
Controls for Information Process Risks
  • Application Controls
  • Data Input Controls
  • Event processing rules
  • should be built into systems to verify the
    prescribed rules are followed

29
Controls for Information Process Risks
  • Application Controls
  • Data Entry Verification
  • Closed Loop Verification
  • Key Verification (also called rekeying)
  • Input data is entered twice

30
Controls for Information Process Risks
  • Application Controls
  • Edit checks
  • Field Edit Checks control field-level data
  • Check Digit
  • Completeness check
  • Default Value
  • Field or Mode check
  • Range (limit) check
  • Validity/ set check

31
Controls for Information Process Risks
  • Application Controls
  • Edit checks
  • Record Edit Checks control record-level data
  • Master Reference check (file-based system)
  • Referential Integrity (database system)
  • Reasonableness check
  • Valid Sign check

32
Controls for Information Process Risks
  • Application Controls
  • Edit checks
  • Batch Edit Checks control batches of events
  • Sequence check
  • Transaction Type check
  • Batch Control totals
  • Hash Control total
  • Financial/Numeric total
  • Record Count Control total
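Slides 30 to 32 name the field, record and batch edit checks without showing how they work together. The following added example (not from the textbook) runs all three levels over a constructed batch of sales events; the allowed types, customer master file, amount limit, the mod-10 (Luhn) check-digit scheme and the sample records are all assumptions made for the illustration.

```python
# Added example, not from the textbook: field, record and batch edit checks over a constructed batch.
VALID_TYPES = {"SALE", "RETURN"}      # validity/set check: allowed transaction types
CUSTOMER_MASTER = {1001, 1002, 1003}  # master reference check: customers on the master file
AMOUNT_LIMIT = 10_000.00              # range (limit) check: assumed per-event ceiling

def luhn_ok(number: str) -> bool:
    """Check digit test; the slides name only 'check digit', so mod-10 (Luhn) is assumed."""
    if not number.isdigit():
        return False
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in map(int, number[-2::-2])]  # every 2nd digit from right
    return (sum(map(int, number[-1::-2])) + sum(doubled)) % 10 == 0

def field_and_record_checks(rec: dict) -> list[str]:
    """Edit checks for one event record; an empty list means the record passed."""
    required = ("seq", "type", "customer", "account", "amount")
    errors = [f"missing {f}" for f in required if rec.get(f) in (None, "")]  # completeness check
    if errors:
        return errors
    if rec["type"] not in VALID_TYPES:                 # validity/set check
        errors.append("type not in allowed set")
    if not isinstance(rec["amount"], (int, float)):     # field/mode check
        errors.append("amount is not numeric")
    elif rec["amount"] <= 0:                            # valid sign check
        errors.append("amount must be positive")
    elif rec["amount"] > AMOUNT_LIMIT:                  # range (limit) check
        errors.append("amount exceeds limit")
    if not luhn_ok(str(rec["account"])):                # check digit
        errors.append("account check digit invalid")
    if rec["customer"] not in CUSTOMER_MASTER:          # master reference check
        errors.append("customer not on master file")
    return errors

def batch_checks(batch: list[dict], header: dict) -> list[str]:
    """Recompute the batch control totals and compare them with the totals on the batch header."""
    errors = []
    seqs = [r["seq"] for r in batch]
    if batch and seqs != list(range(seqs[0], seqs[0] + len(seqs))):  # sequence check: no gaps or duplicates
        errors.append("sequence gap or duplicate")
    computed = {"record_count": len(batch),                                   # record count total
                "financial_total": round(sum(r["amount"] for r in batch), 2), # financial total
                "hash_total": sum(r["customer"] for r in batch)}              # hash total, no business meaning
    for name, expected in header.items():
        if computed[name] != expected:
            errors.append(f"{name}: header {expected}, computed {computed[name]}")
    return errors

# Constructed sample: record 3 is over the limit with a bad check digit and an unknown customer; the
# header hash total was keyed as if that customer were 1003, so the batch-level check catches it too.
SAMPLE_BATCH = [{"seq": 1, "type": "SALE", "customer": 1001, "account": "79927398713", "amount": 250.00},
                {"seq": 2, "type": "RETURN", "customer": 1002, "account": "79927398713", "amount": 40.50},
                {"seq": 3, "type": "SALE", "customer": 9999, "account": "79927398710", "amount": 12000.00}]
SAMPLE_HEADER = {"record_count": 3, "financial_total": 12290.50, "hash_total": 3003}
```

The record-level checks find the bad record on their own, while the hash total on the header independently detects that a customer number was altered somewhere between data entry and processing.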

33
Controls for Information Process Risks
  • Application Controls
  • File Controls
  • Devices or techniques to verify the correct file
    is updated and to prevent inadvertent destruction
    or inappropriate use of files
  • External file labels
  • Internal file labels
  • Lockout procedures
  • Read-only file designation
  • File protection rings

34
Controls for Information Process Risks
  • Application Controls
  • Data Loss and File Reconstruction Capability
  • Maintain backup or duplicate copies of current
    data files, programs, and documentation
  • File reconstruction
  • Batch process file reconstruction
  • Grandparent-parent-child approach
  • Real-time process file reconstruction

35
Batch processing and file reconstruction
Batch Processing
36
Real-time processing and file reconstruction
Real-time Processing
Real-time File Reconstruction
37
Summary
  • Controlling enterprise risk is crucial for
    long-term enterprise success.
  • Controls over the enterprise information system
    are as important as procedural controls over the
    enterprise activities
  • The REA ontology may be used as guidance for
    considering risk areas and developing controls
    for those risks
  • Preventive controls should always be the goal;
    where prevention is impossible or impractical,
    detection and correction should be employed
  • Detection and correction should also be employed
    as secondary controls (as backup) even when
    preventive controls are in place

38
Chapter 14
  • End of Chapter