Bài giảng Enterprise information systems - Chapter 14: Enterprise System Risks and Controls

Chapter 14Enterprise System Risks and ControlsChapter Learning ObjectivesDescribe the relationship between enterprise risks, opportunities, and controlsExplain the levels at which enterprise risks occurUse the REA pattern to identify sources of enterprise riskIdentify specific controls to prevent, detect, and recover from enterprise risks2The Relationship between Risks, Opportunities, and ControlsRisksA risk is any exposure to the chance of injury or loss (also known as a threat).Opportunities and ObjectivesOpportunity and risk go hand in hand. You can't have an opportunity without some risk and with every risk there is some potential opportunity.ControlsA control is an activity performed to minimize or eliminate a risk. 3Internal Control SystemsCongress passed the Sarbanes-Oxley Act requiring publicly traded companies to issue reports on their internal control systems along with their annual financial reportsManagement is responsible for establishing and maintaining adequate internal controls for financial reportingReports must include assessments of the effectiveness of the internal controls and the financial reporting proceduresSarbanes-Oxley also requires auditors to attest to and report on management’s assessmentsAICPA’s Statement on Auditing Standards No. 94 established standards for auditing internal controlsCOSO Reports stress the importance of examining control at many levels of detail4LikelihoodOf LossSize of Potential ImpactHighLowSmallLargeMateriality ofRisk Materiality and Risk5COSO Internal Control Integrated FrameworkThe Committee of Sponsoring Organizations (COSO) is a private sector group consisting of the AAA, AICPA, IIA, IMA, and FEI. COSO’s internal control integrated framework is considered the authority on internal controls.COSO’s internal control model has five components:Control environmentRisk assessmentControl ActivitiesInformation and communicationMonitoring6Control EnvironmentControl environment sets the tone of the organization, which influences the control consciousness of its people. This foundation provides discipline and structure upon which all other components of internal control are built. The control environment includes the following areas:Integrity and ethical behaviorCommitment to competenceBoard of directors and audit committee participationManagement philosophy and operating styleOrganization structureAssignment of authority and responsibilityHuman resource policies and practices7Risk AssessmentRisk assessment identifies and analyzes the relevant risks associated with the organization achieving its objectives.Risk assessment forms the basis for determining what risks need to be controlled and the controls required to manage them.8Control activities are the policies and procedures the organization uses to ensure that necessary actions are taken to minimize risks associated with achieving its objectives. Controls have various objectives and may be applied at various organizational and functional levels.Control Activities9Control ActivitiesObjectives - Prevent, Detect, and CorrectPreventive controls focus on preventing an error or irregularity.Detective controls focus on identifying when an error or irregularity has occurred.Corrective controls focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.All else being equal, it is best to prevent errors and irregularitiesError versus IrregularityError is unintended mistakeIrregularity is an intentional effort to cause loss to an enterprise10Information and CommunicationThe information system consists of the methods and records used to record, maintain, and report enterprise events. The quality of the system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports.The information system should do each of the following to provide accurate and complete information in the accounting system and correctly report the results of operations:Identify and record all business events on a timely basis.Describe each event in sufficient detail.Measure the proper monetary value of each event.Determine the time period in which events occurred.Present properly the events and related disclosures in the financial statements.11The communication aspect of this component deals with providing an understanding of individual roles and responsibilities pertaining to internal controls.People should understand how their activities relate to the work of others and how exceptions should be reported to higher levels of management.Open communication channels help insure that exceptions are reported and acted upon.Communication also includes the policy manuals, accounting manuals, and financial reporting manuals. Information and Communication12MonitoringMonitoring is the process of assessing the quality of internal control performance over timeMonitoring involves assessing the design and operation of controls on a timely basis and taking corrective actions as neededThis process is accomplished by ongoing monitoring activities by management as they question reports that differ significantly from their knowledge of operationsPerformance reviews provide meansfor monitoringCompare this year to last yearCompare actual to budgetCompare related items to each other13Risk IdentificationEconomy RisksAffect an entire economyExamples include global economic downturn, war, epidemic, terrorism, environmental disastersIndustry RisksAffect an entire industryExamples include industry wide cost increases or demand decreases, or an economy risk that has an especially strong effect on a specific industry14Risk IdentificationEnterprise RisksInternal Lack of ethics, low employee morale, employee incompetenceExternal Increased competition, reduced brand quality perceptions, crises involving business partners (value system relationships), catastrophe that interrupts operations, merger or acquisition Business Process RisksRisks associated with business process objectsR’s, E’s, A’s, and R-E, E-E, E-A, R-A relationshipsInformation Process RisksRisks associated with recording, maintaining, and reporting information about business processes15Questions to identify enterprise riskDoes the enterprise hire competent people who possess the knowledge and skills needed to perform their assigned jobs?Does management have a conservative or reasonable approach in accepting business risks and in reporting financial results? Is there a board of directors with outside representatives?If the entity undergoes an annual audit of its financial statements, does an audit committee oversee the audit? Is the enterprise organizational structure well-defined with appropriate division of duties and responsibilities and identified reporting relationships so that important activities are planned, executed, controlled, and monitored on a timely basis? Has management developed a culture that emphasizes integrity and ethical behavior?Does the enterprise have a whistleblower policy that encourages employees to inform management or the board of directors of fraudulent activities observed in the firm’s operations?16Controls for Economy/Industry RisksEconomy and industry risks can be very difficult to controlDiversify to multiple industriesUse hedges and derivativesBe outwardly focusedPay attention to industry and economy trends and market demands Gather and monitor information to enhance ability to predict trends and product replacements17Controls for Enterprise RisksRespond quickly to drops in perceived brand quality or firm reputationPurchase insuranceUse sound personnel practices Set a strong “tone at the top”Create contingency plans to minimize business interruptions18Controls for Business Process RisksResourcesResource RisksTheft, Loss, Waste, or DamageObsolescenceResource Risk ControlsSeparation of Duties (preventive)Physical counts and Reconciliations (primarily detective; may help prevent loss too)Insurance (corrective)Asset tracking devices (primarily detective; however, often help prevent loss too)19Controls for Business Process RisksInstigation Event RisksFailure to inform customers of product featuresMistakes in ads or promotionsUnnecessary/unwanted sales call presentationsCustomer can’t find information neededInability to track results of marketing effortsUnproductive salespeopleFailure to identify need for input resources in timely mannerRequisitioning unnecessary or wrong resourcesInability to find source for needed resourcesFailure to approve valid requisitionsRequisitioning items for which budget is unavailable20Controls for Business Process RisksControls for Instigation Event RisksA myriad of procedural controls may be used to specifically address the risks on the previous slideAccurate querying of a complete information system with adequate data entry controls combined with the procedural controls provides effective means for controlling instigation event risks21Controls for Business Process RisksMutual Commitment Event RisksFailure to accept desirable, valid sale ordersAcceptance of undesirable or invalid sale ordersCommitment with an unrealistic delivery dateCommitment to provide goods/services at unprofitable priceFailure to place desirable, valid purchase ordersPlacement of undesirable or invalid purchase ordersFailure to provide adequate lead time to vendorsFailure to obtain lowest possible cost for highest possible qualityControlsProcedural controls PLUS effective querying of a good information system with adequate data entry controls22Controls for Business Process RisksEconomic Decrement Event RisksFailure to ship goods in response to valid sale orderShipment of goods not ordered or not authorized Shipment of goods to or by invalid agentPoor packaging used in shipmentShipment via a poor carrier or routeLost sales due to untimely shipmentsFailure to pay for goods received in a timely mannerDuplicating payment for same purchaseFailure to take advantage of early payment discounts Controls for Economic Decrement Event RisksProcedural controls PLUS effective querying of a good information system with adequate data entry controls23Controls for Business Process RisksEconomic Increment Event RisksFailure to receive cash as result of sale Accepting duplicate cash receipts for same saleFailure to deposit cash into bank in timely mannerDepositing cash into wrong bank accountFailure to receive goods in response to purchase orderReceipt of goods not orderedReceipt of wrong goods or incorrect quantity of goodsDamage of goods during receiving processControls for Economic Increment Event RisksProcedural controls PLUS effective querying of a good information system with adequate data entry controls24Controls for Business Process RisksEconomic Decrement Reversal Event RisksFailure to accept goods for legitimate sale return Acceptance of goods for illegitimate sale returnApproval of sale return by unauthorized employeeRecording sale return that didn’t occurEconomic Decrement Reversal Event RisksFailure to return unsatisfactory goodsReturn of goods that enterprise neededApproval of purchase return by unauthorized employeeRecording purchase return that didn’t occurControlsProcedural controls PLUS effective querying of a good information system with adequate data entry controls25Controls for Information Process RisksSystem Resource Risks and ControlsPhysical access controlsAre adequate controls in place to prevent unauthorized physical access to the computer equipment? What if it is on a network so that the intruder does not need to be physically present?Logical access controlsAre adequate controls in place to prevent unauthorized logical access to the programs and data in the system?Access control matrix identifies functions each user is allowed to perform and what data and programs the user can access after gaining access to the systemPassword is a unique identifier only the authorized user should know and which the user must enter to gain access to the system26Controls for Information Process RisksSystem Resource Risks and ControlsLogical access controls, continuedRequire user to authenticate themselves by providingSomething they knowE.g. a user id and passwordSomething they possessE.g. a smart card or tokenSomething they areE.g. biometric measurements by devices that read fingerprints, retinal scans, voice recognition, or digital signature recognition27Case In Point: PasswordsSurveys show that most passwords are “no-brainers” for hackers trying to break into a system.The most common password is the users own name or the name of a child. The second most common password is “secret.”Other common passwords in order of usage are:Stress related words such as “deadline” or “work”Sports teams or sports terms like “bulls” or “golfer”“Payday”“Bonkers”The current season (e.g. “winter” or “spring”)The users ethnic groupRepeated characters (e.g. “bbbbb” or “AAAAA”)Obscenities or sexual terms28Cases In Point: Tokens and Biometrics Token systemAuthenticates a user through a hardware device combined with a log-in passwordSmart cards incorporate randomly generated one-time-only password codes and are synchronized with host system random code generatorActive badge technologyAutomatically authenticates users who come within a designated range of the receivers via weak radio signalsBiometric authenticationCompares fingerprints, palm prints, retina eye patterns, signatures, voices, keyboard-typing patterns, or facial patterns29Terminal identification codesPrevent access by unauthorized terminals over communication linesHost computer can require a terminal to electronically transmit its identification code that proves it is an authorized terminal and defines the type of transactions the terminal user can performEncryption Protects highly sensitive and confidential dataIs a process of encoding data entered into the system, storing or transmitting the data in coded form, and then decoding the data upon its use or arrival at its destination.Controls for Information Process Risks30Controls for Information Process RisksSystem Failure ProtectionHardware failures may result in business interruptions and loss of dataProper maintenance of equipment and facilitiesOperate equipment in appropriate physical environmentBackup system components (e.g. extra disk storage, printers, or communication channels)Similar to backup engines on a planePower source failures may also result in business interruptions and loss of dataUninterruptible power supplies (UPS) provide battery support and sound an alarm when power is interruptedAllow time to top computer processes, back up data and instructions, and shut down properlySurge protectors provide protection against power surges or spikes31Controls for Information Process RisksSystem Failure ProtectionVirus protection (anti-virus) softwareViruses are malicious software programs that attach themselves to other applications without the user’s knowledge Worms are more invasive, self-replicating types of virusesWhen infected file is executed, virus or worm also executes and may cause damage such as deleting files, destroying hard disks, or even crashing entire systemsAnti-virus software is designed to search for and destroy known viruses and wormsDon’t protect against unknown viruses and wormsFirewallsCombinations of hardware and software used to shield a computer or network from unauthorized users or from file transfers of unauthorized types32Software Processing ControlsGeneral software controlsSystem Development and Maintenance ProceduresCare in specifying requirementsUse of test data to verify accuracy of programsSeparation of duties between programmers, system analysts, data control group, and operations personnelNetwork Operating System (NOS) controlsDoes the NOS have adequate controls to prevent unauthorized logical access?Applications may often be accessed through holes in the NOS layerApplication software controlsDoes the application software contain adequate controls to prevent unauthorized access and data entry? Controls for Information Process Risks33Application ControlsData Input ControlsEvent processing rules should be built into systems to verify the prescribed rules are followed Example Rule: A customer may exist in our database before participating in a related sale event, but it is not permissible to record a sale event without identifying the related customerRelationship: ParticipationConnected Entities: (0, ) Customer  (1, ) SaleSet field property to require data entry in the Customer ID that is posted into the Sale table as a foreign keyControls for Information Process Risks34Application ControlsData Entry VerificationClosed Loop VerificationUses one input data item to locate the record to be updatedDisplays other data from record so data entry person can verify it is the desired record to updateE.g. user enters customer id; application displays user name and addressKey Verification (also called rekeying)Input data is entered twice (often by two different people) Differences are highlighted and response is required to verify correct entryControls for Information Process Risks35Controls for Information Process RisksApplication ControlsEdit checksField Edit Checks control field level data Check Digit – apply formula to account number to calculate check digit and append it to account number Completeness check – verifies all critical field data are enteredDefault Value – sets field contents to prescribed valuesField or Mode check – verifies entered data type is appropriateRange (limit) check – compares entered data to predetermined upper and/or lower limitValidity/ set check – compares entered data to prespecified data stored within system36Controls for Information Process RisksApplication ControlsEdit checksRecord Edit Checks control record level dataMaster Reference check (file-based system) – verifies an event record has a corresponding master record to be updatedReferential Integrity (database system) – ensures every posted foreign key attribute represents an actual primary key value is basically a master reference check in a databaseReasonableness check – verifies whether amount of event record appears reasonable when compared to other elements associated with each item being processedValid Sign check – highlights illogical balances in a master file record (e.g. negative quantity-on-hand)37Application ControlsEdit checksBatch Edit Checks control batches of eventsSequence check – verifies records in batch are sorted in proper sequence and highlights missing itemsTransaction Type check – verifies all transactions in batch are of same categoryBatch Control totals – verify all transactions within a batch are present and have been processedHash Control total – sum of attribute for which sum has no real meaning Financial/Numeric total – sum of financial attributeRecord Count Control total – total of the number of records in a batchControls for Information Process Risks38Batch Control TotalsHow are they generated and verified?Typically batch control totals are generated manually as batches are created; this happens before data from documents are entered into a computerized process. For example:Clerk separates day’s remittance advices into batches, each containing approximately 100 documents. Clerk creates a “batch header” for each batch; the batch header will include an identifying code (i.e., a “batch number”) and a date. Clerk uses a 10-key adding machine to create a batch total of the remittance advice amounts that can then be compared to the computer-generated batch total.39Batch Control Totals How are they generated and verified?Example Flowchart40Controls for Information Process RisksApplication ControlsFile ControlsDevices or techniques to verify the correct file is updated and to prevent inadvertent destruction or inappropriate use of filesExternal file labels – identify a storage medium’s contents on the outs