© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 1 of 314
INTRODUCTION
• Questions to be addressed in this chapter:
– What are the basic internal control concepts, and why are computer control and security important?
– What is the difference between the COBIT, COSO, and ERM control frameworks?
– What are the major elements in the internal environment of a company?
– What are the four types of control objectives that companies need to set?
– What events affect uncertainty, and how can they be identified?
– How is the Enterprise Risk Management model used to assess and respond to risk?
– What control activities are commonly used in companies?
– How do organizations communicate information and monitor control processes?
• Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
– Computer control problems are often underestimated and downplayed.
– Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
– Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
– Productivity and cost pressures may motivate management to forego time-consuming control measures.
OVERVIEW OF CONTROL CONCEPTS
CONTROL FRAMEWORKS
• COBIT Framework
– Also known as the Control Objectives for Information and Related Technology framework.
– Developed by the Information Systems Audit and Control Foundation (ISACF).
– A framework of generally applicable information systems security and control practices for IT control.
• The framework addresses the issue of control from three vantage points or dimensions:
– Business objectives
• To satisfy business objectives, information must conform to certain criteria referred to as “business requirements for information.”
• The criteria are divided into seven distinct yet overlapping categories that map into COSO objectives:
– Effectiveness (relevant, pertinent, and timely)
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance with legal requirements
– Reliability
• Intent of ERM is to achieve all goals of the internal control framework and help the organization:
– Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.
– Achieve its financial and performance targets.
– Assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk.
– Avoid adverse publicity and damage to the entity’s reputation.
• COSO developed a model to illustrate the elements of ERM.
• Columns at the top represent the four types of objectives that management must meet to achieve company goals:
– Strategic objectives
• Strategic objectives are high-level goals that are aligned with and support the company’s mission.
– Operations objectives
• Operations objectives deal with effectiveness and efficiency of company operations, such as:
– Performance and profitability goals
– Safeguarding assets
– Reporting objectives
• Reporting objectives help ensure the accuracy, completeness, and reliability of internal and external company reports of both a financial and non-financial nature.
• Improve decision-making and monitor company activities and performance more efficiently.
– Compliance objectives
• Compliance objectives help the company comply with applicable laws and regulations.
– External parties often set the compliance rules.
– Companies in the same industry often have similar concerns in this area.
• ERM can provide reasonable assurance that reporting and compliance objectives will be achieved because companies have control over them.
• However, strategic and operations objectives are sometimes at the mercy of external events that the company can’t control.
• Therefore, in these areas, the only reasonable assurance the ERM can provide is that management and directors are informed on a timely basis of the progress the company is making in achieving them.
• Columns on the right represent the company’s units:
– Entire company
– Division
– Business unit
– Subsidiary
CONTROL FRAMEWORKS
• The horizontal rows are
eight related risk and
control components,
including:
– Internal environment
• The tone or culture of the
company.
• Provides discipline and
structure and is the foundation
for all other components.
• Essentially the same as control
environment in the COSO
internal control framework.
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 60 of 314
CONTROL FRAMEWORKS
• The horizontal rows are
eight related risk and
control components,
including:
– Internal environment
– Objective setting
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 63 of 314
• Management aligns identified risks
with the company’s tolerance for
CONTROL FRAMEWORKS risk by choosing to:
– Avoid
– Reduce
• The horizontal rows are
– Share
eight related risk and
– Accept
control components,
• Management
including: takes an entity-wide
or portfolio view of risks in
– Internalthe
assessing environment
likelihood of the
– Objective
risks, setting impact, and
their potential
costs-benefits of alternate
– Event identification
responses.
– Risk assessment
– Risk response
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 64 of 314
CONTROL FRAMEWORKS
• •TheTohorizontal
implement rows are
management’s
riskrelated
eight responses,
risk control
and policies
and procedures are established
control components,
and implemented throughout
including:
the various levels and
– Internal environment
functions of the organization.
•– Objective setting
Corresponds to the control
– activities element in the COSO
Event identification
– internal control framework.
Risk assessment
– Risk response
– Control activities
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 65 of 314
• Information about the company
and ERM components must be
CONTROL FRAMEWORKS identified, captured, and
communicated so employees
can fulfill their responsibilities.
• •The Information
horizontalmustrowsbeareable to
flowrelated
eight through all and
risk levels and
functions in the company as
control components,
well as flowing to and from
including:
external parties.
• – Employees
Internal environment
should understand
– their
Objective
role setting
and importance in
– ERM
Eventand how these
identification
– responsibilities
Risk assessmentrelate to those
of others.
– Risk response
• Has a corresponding element
– Control activities
in the COSO internal control
– Information and
framework.
communication
© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 66 of 314
CONTROL FRAMEWORKS
• The horizontal rows are
eight related risk and
•control components,
ERM processes must be
monitored on an ongoing basis
including:
and modified as needed.
– Internal environment
• Accomplished with ongoing
– Objective setting
management activities and
– Event identification
separate evaluations.
•– Risk assessment
Deficiencies are reported to
– management.
Risk response
•– Corresponding
Control activitiesmodule in
– COSO internal
Information andcontrol
framework.
communication
– Monitoring
• ERM Framework Vs. the Internal Control Framework
– The internal control framework has been widely adopted as the principal way to evaluate internal controls as required by SOX. However, there are issues with it.
• It has too narrow a focus.
• Examining controls without first examining purposes and risks of business processes provides little context for evaluating the results.
• Makes it difficult to know:
– Which control systems are most important.
– Whether they adequately deal with risk.
– Whether important control systems are missing.
• These issues led to COSO’s development of the ERM framework.
– Takes a risk-based, rather than controls-based, approach to the organization.
– Oriented toward future and constant change.
– Incorporates rather than replaces COSO’s internal control framework and contains three additional elements:
• Setting objectives.
• Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives.
• Developing a response to assessed risk.