
Post on 29-Dec-2015


Internal Control

Wilkinson

Internal Control

Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm’s objectives will be achieved

These controls encompass all the measures and practices that are used to counteract exposures to risks

The control framework is called the Internal Control Structure

Objectives of the Internal Control Structure

• Promoting effectiveness and efficiency of operations

• Reliability of financial reporting

• Safeguarding assets

• Checking the accuracy and reliability of accounting data

• Compliance with applicable laws and regulations

• Encouraging adherence to prescribed managerial policies

Components and Major Considerations of the IC Structure

Internal Control Structure:

• Control Environment

• Risk Assessment

• Control Activities

• Information & Communication

• Monitoring

Control Activities are considered in two groups:

• Activities related to Financial Reporting

• Activities related to Information Processing, which comprise General Controls and Application Controls

Control Environment

The Control Environment establishes the tone of a company, influencing the control consciousness of its employees.

It is comprised of seven components:

• Management philosophy and operating style

• Integrity and ethical values

• Commitment to competence

• The Board of Directors and the Audit Committee

• Organizational structure

• Assignment of authority and responsibility

• Human resources policies and practices

• External influences

Highlights of CE Components - I

Management Philosophy and Operating Style

• Does management emphasize short-term profits and operating goals over long-term goals?

• Is management dominated by one or a few individuals?

• What type of business risks does management take and how are these risks managed?

• Is management conservative or aggressive toward selecting from available alternative accounting principles?

Highlights of CE Components - II

Organization Structure

• Is an up-to-date organization chart prepared, showing the names of key personnel?

• Is the information systems function separated from incompatible functions?

• How is the accounting department organized?

• Is the internal audit function separate and distinct from accounting?

• Do subordinate managers report to more than one supervisor?

Highlights of CE Components - III

Assignment of Authority and Responsibility

• Does the company prepare written employee job descriptions defining specific duties and reporting relationships?

• Is written approval required for changes made to information systems?

• Does the company clearly delineate to employees and managers the boundaries of authority-responsibility relationships?

• Does the company properly delegate authority to employees and departments?

Highlights of CE Components - IV

Human Resource Policies and Practices

• Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and Corporate Code of Conduct?

• Is the company in compliance with the ADA? The EEOA?

• Are Grievance Procedures to manage conflict in force?

• Does the company maintain a sound Employee Relations program?

• Do employees work in a safe, healthy environment?

• Are Counseling Programs available to employees?

• Are proper Separation Programs in force for employees who leave the firm?

• Are critical employees Bonded?

Key Functions Performed by Audit Committees

• Establish an Internal Audit Department

• Review the scope and status of audits

• Review audit findings with the Board and ensure that management has taken the proper action recommended in the Audit Report and Letter of Reportable Conditions

• Maintain a direct line of communication among the Board, management, external and internal auditors, and periodically arrange meetings among the parties

• Review the audited financial statements with the internal auditors and the Board of Directors

• Require periodic quality reviews of the operations of the Internal Audit Department to identify areas needing improvement

• Supervise special investigations, such as fraud investigations

• Assess the performance of financial management

• Require the review of compliance with laws and regulations and with corporate codes of conduct

Risk Assessment

Top management must be directly involved in Business Risk Assessment.

This involves the Identification and Analysis of Relevant Risks that may prevent the attainment of Company-wide Objectives and Objectives of Organizational Units and the formation of a plan to determine how to manage the risks.

Control Activities - I

Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:

• Preventive Controls block adverse events, such as errors or losses, from occurring

• Detective Controls discover the occurrence of adverse events such as operational inefficiency

• Corrective Controls are designed to remedy problems discovered through detective controls

• Security Measures are intended to provide adequate safeguards over access to and use of assets and data records

Control Activities - II

Control Activities relating to Information Processing may also be classified according to where they will be applied within the system:

• General controls are those controls that pertain to all activities involving a firm’s AIS and assets

• Application controls relate to specific accounting tasks or transactions

The overall trend seems to be going from specific application controls to more global general controls.

Control Activities - III

Performance Reviews

• Comparing Budgets to Actual Values

• Relating Different Sets of Data-Operating or Financial-to one another, together with Analyses of the relationships and Investigative and Corrective Actions

• Reviewing Functional Performance such as a bank’s consumer loan manager’s review of reports by branch, region, and loan type for loan approvals and collections

Information & Communication

All Transactions entered for processing are Valid and Authorized

All valid transactions are captured and entered for processing on a Timely Basis and in Sufficient Detail to permit the proper Classification of Transactions

The input data of all entered transactions are Accurate and Complete, with the transactions being expressed in proper Monetary terms

All entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data sets

All required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable Information

All transactions are recorded in the proper Accounting Period

Risk

Business firms face risks that reduce the chances of achieving their control objectives.

Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers.

Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.

Some Typical Sources of Risk - I

Clerical and Operational Employees, who process transactional data and have access to Assets

Computer Programmers, who have knowledge relating to the Instructions by which transactions are processed

Managers and Accountants, who have access to Records and Financial Reports and often have Authority to Approve Transactions

Some Typical Sources of Risk - II

Former Employees, who may still understand the Control Structure and may harbor grudges against the firm

Customers and Suppliers, who generate many of the transactions processed by the firm

Competitors, who may desire to acquire confidential information of the firm

Outside Persons, such as Computer Hackers and Criminals, who have various reasons to access the firm’s data or its assets or to commit destructive acts

Acts of Nature or Accidents, such as floods, fires, and equipment breakdowns

Types of Risks

• Unintentional errors

• Deliberate errors (fraud)

• Unintentional losses of assets

• Thefts of assets

• Breaches of security

• Acts of violence and natural disasters

Factors that Increase Risk Exposure

Frequency - the more frequent the occurrence of a transaction, the greater the exposure to risk

Vulnerability - liquid and/or portable assets contribute to risk exposure

Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure

Problem Conditions Affecting Risk Exposures

Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures

Lack of Enforcement: management may not prosecute wrongdoers because of the potential embarrassment

Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect

Computer Crime

Computer crime (computer abuse) is the use of a computer to deceive for personal gain.

Due to the proliferation of networks and personal computers, computer crime is expected to significantly increase both in frequency and amount of loss.

It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.

Examples of Computer Crime

• Theft of computer hardware and software

• Unauthorized use of computer facilities for personal use

• Fraudulent modification or use of data or programs

Reasons Why Computers Cause Control Problems

• Processing is concentrated

• Audit trails may be undermined

• Human judgment is bypassed

• Data are stored in device-oriented rather than human-oriented forms:

  • invisible data

  • stored data are erasable

  • data are stored in a compressed form

  • stored data are relatively accessible

• Computer equipment is powerful but complex and vulnerable

Feasibility of Controls: Audit Considerations and Cost-Benefit Considerations

• Determine the specific computer resources subject to control

• Determine all potential threats to the company’s computer system

• Assess the relevant risks to which the firm is exposed

• Measure the extent of each relevant risk exposure in dollar terms

• Multiply the estimated effect of each relevant risk exposure by the estimated frequency of occurrence over a reasonable period, such as a year

• Compute the cost of installing and maintaining a control that is to counter each relevant risk exposure

• Compare the benefits against the costs of each control
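The cost-benefit steps above are easier to see carried through on numbers. The following is an added example, not material from the Wilkinson slides: it computes an annual loss expectancy for each relevant risk (dollar effect times yearly frequency) and compares the benefit a candidate control would deliver against the control's cost. All risk names, dollar figures, frequencies and the `loss_reduction` fraction (how much of the expected loss a control is assumed to remove) are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskExposure:
    """One relevant risk to a specific computer resource (constructed sample data below)."""
    name: str
    resource: str
    single_loss_dollars: float    # extent of the exposure, in dollar terms
    occurrences_per_year: float   # estimated frequency over a one-year period


@dataclass(frozen=True)
class Control:
    """A candidate control and the exposure it is meant to counter."""
    name: str
    counters: str                 # name of the RiskExposure it addresses
    annual_cost_dollars: float    # cost of installing and maintaining the control
    loss_reduction: float         # assumed fraction of the expected loss it removes (0..1)


def annual_loss_expectancy(risk: RiskExposure) -> float:
    """Estimated effect of one occurrence multiplied by the estimated yearly frequency."""
    return risk.single_loss_dollars * risk.occurrences_per_year


def evaluate_controls(risks, controls):
    """Compare the benefit of each control (expected loss avoided) against its cost."""
    risk_by_name = {r.name: r for r in risks}
    decisions = []
    for control in controls:
        risk = risk_by_name[control.counters]
        ale = annual_loss_expectancy(risk)
        benefit = ale * control.loss_reduction
        decisions.append({
            "control": control.name,
            "resource": risk.resource,
            "ale": ale,
            "benefit": benefit,
            "cost": control.annual_cost_dollars,
            "justified": benefit > control.annual_cost_dollars,
        })
    return decisions


# Constructed sample exposures and candidate controls (illustrative figures only).
RISKS = [
    RiskExposure("unauthorized program change", "payroll application", 50_000.0, 0.2),
    RiskExposure("power loss corrupts master files", "file server", 20_000.0, 2.0),
    RiskExposure("theft of a workstation", "branch office PCs", 3_000.0, 0.5),
]
CONTROLS = [
    Control("written approval for program changes", "unauthorized program change", 4_000.0, 0.75),
    Control("UPS plus nightly backups", "power loss corrupts master files", 6_000.0, 0.5),
    Control("round-the-clock guard", "theft of a workstation", 30_000.0, 1.0),
]


def justified_controls(risks=RISKS, controls=CONTROLS):
    """Names of the controls whose estimated benefit exceeds their cost."""
    return [d["control"] for d in evaluate_controls(risks, controls) if d["justified"]]


if __name__ == "__main__":
    for d in evaluate_controls(RISKS, CONTROLS):
        verdict = "install" if d["justified"] else "do not install"
        print(f'{d["control"]:<40} ALE ${d["ale"]:>9,.0f}  benefit ${d["benefit"]:>9,.0f}  '
              f'cost ${d["cost"]:>9,.0f}  -> {verdict}')
```

The third control is the point of the exercise: a guard removes the whole exposure, yet at these figures its cost is twenty times the expected annual loss, so the comparison in the last step rejects it. Frequency and loss size are exactly the two factors the "Factors that Increase Risk Exposure" slide names, and the product is what the benefit side of the comparison rests on.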

Legislation

• The Foreign Corrupt Practices Act of 1977

• Of the federal legislation governing the use of computers, the Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important. This act makes it a federal crime to intentionally access a computer for such purposes as:

  (1) obtaining top-secret military information, or personal, financial or credit information

  (2) committing a fraud

  (3) altering or destroying federal information

Methods for Thwarting Computer Abuse

Enlist top-management support so that awareness of computer abuse will filter down through management ranks.

Implement and enforce control procedures.

Increase employee awareness of the seriousness of computer abuse, the costs it incurs, and the disruption it creates.

Establish a code of conduct.

Be aware of the common characteristics of most computer abusers.

Methods for Thwarting Computer Abuse

Recognize the symptoms of computer abuse such as:

• behavioral or lifestyle changes in an employee

• accounting irregularities such as forged, altered or destroyed input documents or suspicious accounting adjustments

• absent or ignored control procedures

• the presence of many odd or unusual anomalies that go unchallenged

Encourage ethical behavior

Control Problems Caused by Computerization: Data Collection

Manual system: Data recorded in paper source documents
Computer-based system: Data sometimes captured without use of source documents
Risk exposure: Audit trail may be partially lost
Compensating control: Printed copies of source documents prepared by computer systems

Manual system: Data reviewed for errors by clerks
Computer-based system: Data often not subject to review by clerks
Risk exposure: Errors, accidental or deliberate, may be entered for processing
Compensating control: Edit checks performed by computer system

Control Problems Caused by Computerization: Data Processing

Manual system: Processing steps performed by clerks who possess judgment
Computer-based system: Processing steps performed by CPU “blindly” in accordance with program instructions
Risk exposure: Errors may cause incorrect results of processing
Compensating control: Outputs reviewed by users of computer system; carefully developed computer processing programs

Manual system: Processing steps spread among various clerks in separate departments
Computer-based system: Processing steps concentrated within computer CPU
Risk exposure: Unauthorized manipulation of data and theft of assets can occur on a larger scale
Compensating control: Restricted access to computer facilities; clear procedure for authorizing changes to programs

Manual system: Processing requires use of journals and ledgers
Computer-based system: Processing does not require use of journals
Risk exposure: Audit trail may be partially lost
Compensating control: Printed journals and other analyses

Manual system: Processing performed relatively slowly
Computer-based system: Processing performed very rapidly
Risk exposure: Effects of errors may spread rapidly through files
Compensating control: Editing of all data during input and processing steps

Control Problems Caused by Computerization: Data Storage & Retrieval

Manual system: Data stored in file drawers throughout the various departments
Computer-based system: Data compressed on magnetic media (e.g., tapes, disks)
Risk exposure: Data may be accessed by unauthorized persons or stolen
Compensating control: Security measures at points of access and over data library

Manual system: Data stored on hard copies in human-readable form
Computer-based system: Data stored in invisible, erasable, computer-readable form
Risk exposure: Data are temporarily unusable by humans, and might possibly be lost
Compensating control: Data files printed periodically; backup of files; protection against sudden power losses

Manual system: Stored data accessible on a piecemeal basis at various locations
Computer-based system: Stored data often readily accessible from various locations via terminals
Risk exposure: Data may be accessed by unauthorized persons
Compensating control: Security measures at points of access

Control Problems Caused by Computerization: Information Generation

Manual system: Outputs generated laboriously and usually in small volumes
Computer-based system: Outputs generated quickly and neatly, often in large volumes
Risk exposure: Inaccuracies may be buried in impressive-looking outputs that users accept on faith
Compensating control: Reviews by users of outputs, including the checking of amounts

Manual system: Outputs usually in hard-copy form
Computer-based system: Outputs provided in various forms, including soft-copy displays and voice responses
Risk exposure: Information stored on magnetic media is subject to modification (only hard copy provides a permanent record)
Compensating control: Backup of files; periodic printing of stored files onto hard-copy records

Control Problems Caused by Computerization: Equipment

Manual system: Relatively simple, inexpensive, and mobile
Computer-based system: Relatively complex, expensive, and in fixed locations
Risk exposure: Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed; operations may be delayed through inefficiencies
Compensating control: Backup of data, power supply and equipment; preventive maintenance of equipment; restrictions on access to computer facilities; documentation of equipment usage and processing procedures

Jones & Rama

Internal Control and Accountants’ Roles

Accountants as Managers –

Sarbanes-Oxley Act of 2002 and Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) requires:

• Management to prepare a statement describing and assessing the company’s internal control system

• Annual reports of public companies to include:

(1) a statement that management is responsible for internal controls over financial reporting,

(2) a statement identifying the framework used by management to evaluate internal controls,

(3) an assessment of internal controls and disclosure of any material weaknesses, and

(4) a statement that a public accounting firm has issued an attestation report on management’s assessment of internal control.

Internal Control and Accountants’ Roles

Accountants as Users –

Must understand a company’s internal controls to apply them correctly.

Internal Control and Accountants’ Roles

Accountants as Designers of internal control procedures –

Must understand a company’s internal controls in working to achieve compliance with regulations and company objectives and to minimize risks.

Internal Control and Accountants’ Roles

Accountants as Evaluators – must understand internal control systems to:

• Help develop management’s report that assesses internal controls (as internal auditors)

• Prepare an attestation to management’s statement about internal control (as external auditors)

• Conduct the audit of a company’s financial statements (as external auditors)

Framework for Studying Internal Control

• Components of internal control (the COSO Report)

• Internal control objectives

• Risk assessment

Framework for Studying Internal Control

The COSO Report: 5 interrelated components of internal control:

• Control environment

• Risk assessment

• Control activities

• Information and communication

• Monitoring

Internal Control Components and Objectives

Internal control: Execution objectives –

2 execution objectives for the revenue cycle:

• Ensure proper delivery of goods and services

• Ensure proper collection and handling of cash

2 execution objectives for the acquisition cycle:

• Ensure proper receiving of goods and services

• Ensure proper payment and handling of cash

Internal Control Components and Objectives

Internal control: Information system objectives -

• Focus on recording, updating, and reporting accounting information

• Important for ensuring effective execution of transactions

Internal Control Components and Objectives

Internal control: Asset protection objectives -

• Focus on safeguarding assets to minimize risk of theft or loss of assets

Internal Control Components and Objectives

Internal control: Performance objectives –

• Focus on achieving favorable performance of an organization, person, department, product, or service

• Established to ensure effective operations

Assessment of Execution Risks: Revenue Cycle

Generic execution risks for each of the two revenue cycle transactions:

1. Delivering goods/services:

• Unauthorized sale/service permitted

• Authorized sale/service did not occur, occurred late, or was duplicated unintentionally

• Wrong type of product/service

• Wrong quantity/quality

• Wrong customer/address

2. Collecting cash:

• Cash not collected or collected late

• Wrong amount of cash collected

Assessment of Execution Risks: Acquisition Cycle

Generic execution risks for each of the two acquisition cycle transactions:

1. Receiving goods/services:

• Unauthorized goods/services received

• Expected receipt of goods/services did not occur, occurred late, or was duplicated unintentionally

• Wrong type of product or service received

• Wrong quantity/quality

• Wrong supplier

2. Making payment:

• Unauthorized payment

• Cash not paid, paid late, or duplicate payment

• Wrong amount paid

• Wrong supplier paid

Assessment of Execution Risks: Revenue & Acquisition Cycles

Understanding and assessing execution risks – 5 steps:

Step 1. Achieve understanding of the processes

Step 2. Identify the at-risk goods/services provided and cash received

Step 3. Restate generic risks to describe the execution risk more precisely for the process under study - exclude irrelevant/immaterial risks

Step 4. Assess the significance of remaining risks

Step 5. Identify factors that contribute to each significant risk – use events in the process to systematically identify factors

What control activities could be implemented to mitigate the risks?

Assessment of Information Systems Risks

2 categories of information systems risks:

• Recording risks

• Updating risks

Assessment of Information Systems Risks

The process of recording and updating information is both a risk and a control:

• Risk - information will be recorded incorrectly, perhaps resulting in transaction errors and incorrect financial statements

• Control – when information is correct, because recorded information is used to control transactions

Assessment of Information Systems Risks

Recording risks: risks that event information is not captured accurately in an organization’s information system

Errors in recording can cause substantial losses

Recording events late can cause opportunity losses

In the acquisition cycle, recording errors can result in overpaying bills or loss of credit from failure to pay

Assessment of Information Systems Risks

Recording risks: revenue/acquisition cycles - generic recording risks

• Event recorded never occurred

• Event not recorded, recorded late, or duplication of recording

• Wrong product/service recorded

• Wrong quantity/price recorded

• Wrong external/internal agent recorded

• Wrong recording of other data

Assessment of Information Systems Risks

Recording risks: identifying recording risks – 3 steps

Step 1. Achieve an understanding of the process under study - identify the events

Step 2. Review events - identify where data are recorded in a source document or a transaction file

Step 3. For each event where data are recorded in a source document or transaction record:

• Consider the preceding generic recording risks

• Restate each generic risk to describe the risk more precisely for the particular event under consideration

• Exclude any risks that are irrelevant or immaterial

Assessment of Information Systems Risks

Updating risks: risks that summary fields in master records are not properly updated

Update failures can be costly

Errors in updates can reduce the effectiveness of controls over the general ledger balances for assets and liabilities

Assessment of Information Systems Risks

Updating risks: generic risks

• Update of master record omitted or unintended duplication of update

• Update of master record occurred at the wrong time

• If updates are scheduled, users need to know, and the schedule needs to be followed

• Summary field updated by wrong amount

• Wrong master record updated

Assessment of Information Systems Risks

Identifying updating risks: 3 steps

Step 1. Identify recording risks

Step 2. Identify the events that include update activity and the summary fields in updated master files

Step 3. For each event in the updated master file:

• Consider the preceding generic update risks

• Restate each generic risk to describe the update risk more precisely for the particular event under consideration

• Exclude any update risks that are irrelevant or immaterial

Recording and Updating in the General Ledger System

The General_Ledger File stores reference and summary data about the general ledger accounts.

The process of updating a general ledger account is sometimes referred to as “posting.”

Recording and Updating in the General Ledger System

Risks in recording and updating information in a general ledger system:

• Wrong general ledger account recorded

• Wrong amounts debited/credited

• General ledger master record not updated at all, updated late, or updated twice

• Wrong general ledger master record updated

Important to internal control:

• Policy for updating general ledger accounts should be well understood.

• Often, general ledger balances are updated after a batch of transactions, not with each transaction.

• Employees need to know that, under the batch process, general ledger account balances are temporarily out of date, and when updates are made.

Recording and Updating in the General Ledger System

Controlling risks:

• Identify significant risks of losses or errors

• Consider ways to control the risks

• Accountants, external auditors, or internal auditors evaluate existing controls and suggest additional controls where warranted
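The general ledger recording and updating risks listed above (wrong account, wrong amounts debited or credited, master record not updated or updated twice, balances temporarily out of date under batch posting) can be shown in a small posting routine. This is an added example and not code from the Jones & Rama slides; the ledger class, the account numbers and the batch contents are constructed for illustration. Recording-stage controls reject entries that name an account absent from the chart of accounts or that do not balance; the updating stage posts each batch id at most once and can report which balances are stale while batches are still pending.

```python
class PostingError(Exception):
    """Raised when an entry fails a recording-stage control."""


class GeneralLedger:
    """Constructed general-ledger file: reference data (account names) plus summary balances.
    Balances are kept debit-positive, so a credit-balance account (e.g. Sales) shows negative."""

    def __init__(self, chart_of_accounts):
        self.accounts = dict(chart_of_accounts)          # account number -> account name
        self.balances = {acct: 0 for acct in self.accounts}
        self.posted_batches = set()                      # batch ids already applied
        self.pending = []                                # recorded, awaiting posting

    def record(self, batch_id, entries):
        """Recording step. entries: list of (account, debit, credit) tuples."""
        for account, debit, credit in entries:
            if account not in self.accounts:             # wrong general ledger account
                raise PostingError(f"wrong general ledger account: {account}")
            if debit < 0 or credit < 0 or (debit and credit):
                raise PostingError(f"entry for {account} must be a single positive debit or credit")
        if sum(d for _, d, _ in entries) != sum(c for _, _, c in entries):   # wrong amounts
            raise PostingError(f"batch {batch_id} does not balance")
        self.pending.append((batch_id, list(entries)))

    def post(self):
        """Updating step: apply each pending batch exactly once (never twice, never skipped)."""
        applied, skipped = [], []
        for batch_id, entries in self.pending:
            if batch_id in self.posted_batches:          # duplicate update attempt
                skipped.append(batch_id)
                continue
            for account, debit, credit in entries:
                self.balances[account] += debit - credit
            self.posted_batches.add(batch_id)
            applied.append(batch_id)
        self.pending = []
        return applied, skipped

    def stale_accounts(self):
        """Accounts whose balance is out of date because a pending batch touches them."""
        return sorted({acct for _, entries in self.pending for acct, _, _ in entries})


def rejection_reason(ledger, batch_id, entries):
    """Return the control message that rejects a batch, or None if it is accepted."""
    try:
        ledger.record(batch_id, entries)
    except PostingError as err:
        return str(err)
    return None


def run_demo():
    """Constructed batches: a credit sale, a cash receipt, and the sale submitted a second time."""
    ledger = GeneralLedger({"1000": "Cash", "1200": "Accounts Receivable", "4000": "Sales"})
    ledger.record("B1", [("1200", 500, 0), ("4000", 0, 500)])   # credit sale
    ledger.record("B2", [("1000", 300, 0), ("1200", 0, 300)])   # cash received on account
    ledger.record("B1", [("1200", 500, 0), ("4000", 0, 500)])   # same batch id submitted again
    stale_before_posting = ledger.stale_accounts()
    applied, skipped = ledger.post()
    return ledger, stale_before_posting, applied, skipped


if __name__ == "__main__":
    ledger, stale, applied, skipped = run_demo()
    print("stale before posting:", stale)
    print("applied:", applied, "skipped as duplicate:", skipped)
    print("balances:", ledger.balances)
```

Between `record` and `post` the sales and receivable balances are out of date, which is exactly what employees working with batch-updated ledgers need to know; `stale_accounts` makes that visible rather than leaving it to be remembered.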

Control Activities

The policies and procedures to address risks to achievement of the organization’s objectives

Manual or automated; may be implemented at various levels of the organization.

4 types of controls:

• Workflow controls

• Input controls

• General controls

• Performance reviews

Control Activities

Workflow controls: used to control a process as it moves from one event to the next. They exploit linkages between events and focus on:

• Responsibilities for events

• Sequence of events

• Flow of information between events in a business process

Control Activities

Workflow controls:

• Segregation of duties

• Use of information from prior events to control activities

• Required sequence of events

• Follow-up on events

• Sequence of prenumbered documents

• Recording of internal agent(s) accountable for an event in a process

• Limitation of access to assets and information

• Reconciliation of records with physical evidence of assets

Control Activities

1. Segregation of duties: Organizations make an effort to segregate:

• Authorization of events

• Execution of events

• Recording of event data

• Custody of resources associated with the event

The overview activity diagram is best suited to understanding and documenting segregation of duties

Control Activities

2. Use of information about prior events: information about prior events can come from documents or computer records. 2 examples of information from computer files:

• Checking summary data in master files to authorize events

• Transaction records may help control events - similar to using documents before approving an invoice

Control Activities

3. Required sequence of events: often, organizations

• Have policies requiring a process to follow a particular sequence

• Require a sequence of events without having prior recorded information to rely on

Control Activities

4. Follow-up on events: organizations

• Need an automated or manual way to review transactions not yet concluded

• Should have “open” item or aging reports to identify events needing follow-up

• Can design/use routine reports to flag unfinished business

• Can query a database for status reports

Control Activities

5. Prenumbered documents:

• Provide an opportunity to control events

• Prenumbered documents created during one event are accounted for in a later event

• Checking the sequence of prenumbered documents helps ensure that all events are executed and recorded appropriately

Control Activities

6. Recording of internal agent(s) accountable for an event in a process. Important:

• Clear job descriptions and specific instructions from supervisors

• Recording the employee ID number at the time of the event

• Safeguarding of assets through the use of serial numbers, recordkeeping, and identification of the custodian of the assets

Control Activities

7. Limitation of access to assets and information. Safeguards:

• Access to assets only for employees needing them for assigned duties

• Physical assets stored in secure locations

• Employee badges for access

• Alarms

• Password required for access to data

Control Activities

8. Reconciliation of records with physical evidence of assets:

Ensures that recorded event and master file data correspond to actual assets.

Differs from the use of documents to control events – reconciliation:

• Is broader

• Usually involves data about multiple events

• Occurs after the events have been executed and recorded
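Three of the workflow controls above (segregation of duties, checking the sequence of prenumbered documents, and follow-up on open items) are detective checks that can be run over recorded event data. The code below is an added example, not part of the Jones & Rama slides: it flags events in which one internal agent performed more than one of the four duties that should be segregated, accounts for a run of prenumbered shipping documents by reporting gaps and duplicates, and produces an aging report of orders with no matching shipment. The event log, document numbers, orders and shipments are all constructed sample data, and the 14-day follow-up threshold is an assumption.

```python
from collections import defaultdict
from datetime import date

DUTIES = ("authorize", "execute", "record", "custody")


def segregation_violations(event_log):
    """Flag events in which one internal agent performed more than one of the
    four duties that should be segregated."""
    duties_by_event_agent = defaultdict(set)
    for entry in event_log:
        if entry["duty"] not in DUTIES:
            raise ValueError(f"unknown duty: {entry['duty']!r}")
        duties_by_event_agent[(entry["event"], entry["agent"])].add(entry["duty"])
    return sorted(
        (event, agent, tuple(sorted(duties)))
        for (event, agent), duties in duties_by_event_agent.items()
        if len(duties) > 1
    )


def sequence_exceptions(document_numbers):
    """Account for prenumbered documents: report gaps and duplicates in the sequence."""
    seen, duplicates = set(), set()
    for number in document_numbers:
        if number in seen:
            duplicates.add(number)
        seen.add(number)
    missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen] if seen else []
    return {"missing": missing, "duplicates": sorted(duplicates)}


def overdue_open_items(orders, shipments, as_of, max_age_days):
    """Follow-up report: orders with no matching shipment that are older than max_age_days."""
    shipped_orders = {s["order"] for s in shipments}
    report = []
    for order in orders:
        age = (as_of - order["date"]).days
        if order["order"] not in shipped_orders and age > max_age_days:
            report.append((order["order"], age))
    return report


# Constructed sample data.
EVENT_LOG = [
    {"event": "S-101", "agent": "ana",  "duty": "authorize"},
    {"event": "S-101", "agent": "ben",  "duty": "execute"},
    {"event": "S-101", "agent": "cara", "duty": "record"},
    {"event": "S-101", "agent": "dave", "duty": "custody"},
    {"event": "S-102", "agent": "dan",  "duty": "authorize"},
    {"event": "S-102", "agent": "ben",  "duty": "execute"},
    {"event": "S-102", "agent": "dan",  "duty": "record"},   # same agent authorizes and records
]
SHIPPING_DOC_NUMBERS = [1001, 1002, 1004, 1004, 1005]        # 1003 unaccounted for, 1004 used twice
ORDERS = [
    {"order": "O-1", "date": date(2024, 1, 3)},
    {"order": "O-2", "date": date(2024, 1, 5)},
    {"order": "O-3", "date": date(2024, 1, 20)},
]
SHIPMENTS = [{"order": "O-1", "date": date(2024, 1, 4)}]

if __name__ == "__main__":
    print(segregation_violations(EVENT_LOG))
    print(sequence_exceptions(SHIPPING_DOC_NUMBERS))
    print(overdue_open_items(ORDERS, SHIPMENTS, date(2024, 1, 25), max_age_days=14))
```

These checks only work if the agent performing each duty is recorded at the time of the event (workflow control 6 above); without that recording there is nothing for the segregation check to examine.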

Control Activities

Input controls: used to control input of data into computer systems

• Drop-down or look-up menus

• Record-checking of data entered

• Confirmation of data entered

• Referential integrity controls

• Format checks to limit data

• Validation rules to limit the data

• Defaults from data entered in prior sessions

• Restriction against leaving a field blank

• Field established as a primary key

• Computer-generated values entered in records

• Batch control totals taken before data entry compared to printouts after data entry

• Review for errors before posting

• Exception reports
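Most of the input controls in the list above can be demonstrated in one record-entry routine. The following is an added example, not code from the slides: it applies blank-field restrictions, format checks, a primary-key uniqueness check, referential integrity against constructed customer and item master files, a validation rule on quantity, a computer-generated amount (derived from the master-file price rather than keyed), an exception report for rejected records, and a comparison of batch control totals taken before entry with the totals computed after entry. The master files, the invoice-number format, the 1..1000 quantity rule and the sample batch are all constructed for illustration.

```python
import re

# Constructed master files (the referential-integrity targets).
CUSTOMER_MASTER = {"C001": "Acme Ltd", "C002": "Globex Corp"}
ITEM_MASTER = {"P100": 25.0, "P200": 40.0}          # item id -> unit price

REQUIRED_FIELDS = ("invoice_no", "customer_id", "item_id", "quantity")
FORMAT_CHECKS = {
    "invoice_no": re.compile(r"^INV-\d{6}$"),
    "customer_id": re.compile(r"^C\d{3}$"),
    "item_id": re.compile(r"^P\d{3}$"),
}
MAX_QUANTITY = 1000                                   # validation rule limiting the data


def validate_record(rec, seen_invoice_nos):
    """Return the list of input-control failures for one keyed record (empty if it passes)."""
    errors = []
    for field in REQUIRED_FIELDS:                      # restriction against blank fields
        if rec.get(field) in (None, ""):
            errors.append(f"{field}: may not be blank")
    for field, pattern in FORMAT_CHECKS.items():      # format checks
        value = rec.get(field)
        if value and not pattern.match(str(value)):
            errors.append(f"{field}: bad format")
    invoice_no = rec.get("invoice_no")
    if invoice_no and invoice_no in seen_invoice_nos:  # field established as primary key
        errors.append("invoice_no: duplicate primary key")
    if rec.get("customer_id") and rec["customer_id"] not in CUSTOMER_MASTER:   # referential integrity
        errors.append("customer_id: no matching master record")
    if rec.get("item_id") and rec["item_id"] not in ITEM_MASTER:
        errors.append("item_id: no matching master record")
    quantity = rec.get("quantity")
    if quantity not in (None, ""):
        if not isinstance(quantity, int):
            errors.append("quantity: not an integer")
        elif not 1 <= quantity <= MAX_QUANTITY:        # validation rule
            errors.append(f"quantity: outside 1..{MAX_QUANTITY}")
    return errors


def process_batch(records, control_slip):
    """Key a batch: validate each record, let the system compute the amount, and
    compare batch control totals taken before entry with totals after entry."""
    accepted, exception_report, seen = [], [], set()
    for position, rec in enumerate(records, start=1):
        errors = validate_record(rec, seen)
        if errors:
            exception_report.append((position, rec.get("invoice_no"), errors))
            continue
        seen.add(rec["invoice_no"])
        # Computer-generated value: the amount is derived from master-file prices, not keyed.
        accepted.append({**rec, "amount": rec["quantity"] * ITEM_MASTER[rec["item_id"]]})
    totals_after_entry = {
        "record_count": len(records),
        "quantity_hash_total": sum(r["quantity"] for r in records if isinstance(r.get("quantity"), int)),
    }
    return {
        "accepted": accepted,
        "exception_report": exception_report,
        "totals_after_entry": totals_after_entry,
        "totals_match": totals_after_entry == control_slip,
    }


# Constructed batch of keyed sales invoices and the clerk's control slip prepared before entry.
SAMPLE_BATCH = [
    {"invoice_no": "INV-000101", "customer_id": "C001", "item_id": "P100", "quantity": 10},
    {"invoice_no": "INV-000102", "customer_id": "",     "item_id": "P200", "quantity": 5},
    {"invoice_no": "INV-000103", "customer_id": "C002", "item_id": "P999", "quantity": 20},
    {"invoice_no": "INV-000101", "customer_id": "C002", "item_id": "P200", "quantity": 5},
]
CONTROL_SLIP = {"record_count": 4, "quantity_hash_total": 40}

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, CONTROL_SLIP)
    print("accepted:", result["accepted"])
    print("exception report:", result["exception_report"])
    print("totals match control slip:", result["totals_match"])
```

The control totals are compared over every record keyed, rejected ones included, because their purpose is to show that the keyed batch is the same batch the clerk counted, not to validate individual records; the exception report carries the per-record failures for review before posting.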

Control Activities

General controls: broader controls that apply to multiple processes and help workflow and input controls be effective. Organized into four categories:

• Information systems (IS) planning

• Organizing the information technology (IT) function

• Identifying and developing IS solutions

• Implementing and operating accounting systems

Control Activities

Performance reviews:

• Measure performance by comparing actual data with budgets, forecasts, or prior-period data

• Include analyzing data, identifying problems, and taking corrective action

• Ensure events support broader long-term goals

• Typically involve comparing actual results to plans, standards, and prior performance

• Often result in taking corrective action

• Require an information system (the AIS in particular) that records and stores information about standards and actual outcomes

• Require reports that allow for meaningful analysis of actual results

Performance reviews and master records are related in two ways:

• Planned standards and budget figures (reference data) are typically recorded during file maintenance activities in master records

• Summary data stored in master records are often used to implement corrective action

• Summary fields in master records can also help in reviewing performance

Haryono, MCom, Ak.

DEFINITION

Risk is “the chances of negative outcome” or “potential of loss”

Types of Risk

Business Risk

• The potential for an organization to fail to achieve its business objectives because of internal or external factors

Audit Risk

• A public accounting firm (KAP) makes an error when giving its opinion on the financial statements, or an IT auditor fails to uncover a material error or fraud

Security Risk

• Risk related to the accuracy of, and access to, databases; a growing trend in e-Commerce

Continuity Risk

• Risk related to the availability, backup and recovery of information systems

Why is e-Commerce so risky?

• Control techniques are not so apparent

• Tight integration with business partners requires high levels of mutual trust

• A replacement for ‘face to face’ business methods must be used

• We need more trust in technology!

• Business models, technologies and the legal environment are very immature

• Similar to the ‘gold rush’ of the 1880s: high risks matched by high returns

E-Commerce Risks

• Strategic Risk
• Economic Risk
• Security Risk
• Integrity Risk
• Fraud Risk
• Reliability Risk
• Disruption Risk
• Image Risk
• Legal Risk
• Privacy Risk
• Efficiency Risk
• Terrorism Risk
• Technology Risk
• Moral Risk

Strategic Risk

Risk
• A competitor can use the internet to gain a competitive advantage

Example
• Amazon vs. Barnes & Noble

Relevant Controls
• Consider eCom as a key business strategy
• Develop an eCom strategy immediately if in the business of information or services

Economic Risk

Risk
• Is there an acceptable ROI from eCom?

Relevant Controls
• Begin with small steps: pilot projects
• Take a long-term view of ROI
• Analyze cost/benefit thoroughly
• Exercise strong project management

Security Risk

Risk
• Intruders can use the Internet to access internal systems

Example
• Hackers publishing customers’ credit card numbers

Relevant Controls
• Ensure the network architecture is geared for security
• Use encryption and authentication technologies
• Use intrusion detection systems such as RealSecure

Integrity Risk

Risk
• The internet can be used to access and modify your sensitive business data

Example
• Hackers changed the names of the parties in an election

Relevant Controls
• Ensure data access controls are tightened
• Implement a highly secured logging mechanism on data repositories

Fraud Risk

Risk
• Fraudsters love the anonymity of the internet

Example
• Credit card fraud

Relevant Controls
• Authenticate users with digital certificates and a public key infrastructure (extranet vs. internet)
• Implement independent trust services such as WebTrust

Reliability Risk

Risk
• eCom systems are less reliable and more prone to problems than traditional systems

Relevant Controls
• Automate business rules and associated controls into the eCom system
• Use intelligent filtering technologies to enable manual intervention for unusual transactions
• Test new eCom systems comprehensively

Disruption Risk

Risk
• Disruptions to eCom systems could disable a company

Relevant Controls
• Use dedicated intrusion detection systems such as RealSecure
• Implement proper business continuity management across the eCom system
• Build redundancy into the eCom network

Image Risk

Risk
• Hackers can vandalize web sites and embarrass an organization

Example
• Replacement of an image on an official website with another image

Relevant Controls
• Ensure Web servers are highly secured, tested and locked down
• Ensure the Web hosting service offers proof of security competency
• Implement intrusion detection systems such as RealSecure

Legal Risk

Risk
• An eCom application may break local or foreign laws

Example
• Internet gambling in Indonesia?

Relevant Controls
• Get legal advice during system design
• Authenticate users and apply appropriate legal rules to different locations
• Do not assume the internet is not policed

Privacy Risk

Risk
• Individuals and governments are wary about people’s privacy

Example
• The European Union has made global privacy compliance mandatory

Relevant Controls
• Comply with relevant government or industry privacy legislation or codes of conduct
• Include privacy controls amongst other controls
• Provide reassurance through certification schemes

Efficiency Risk

Risk
• The internet may be used to add to, rather than replace, existing processes

Relevant Controls
• Consider eCom as a re-engineering project
• Use the internet to eliminate manual intervention and increase process automation and efficiency
• Ensure a return on investment is possible

Terrorism Risk

Risk
• A country’s or a business’s infrastructure can be attacked

Relevant Controls
• Leave sensitive systems disconnected from the internet if possible
• Comprehensively test the security of vulnerable systems
• Counsel staff acting inappropriately

Technology Risk

Risk
• The chosen eCom system may soon become obsolete

Example
• Companies with heavy EDI investment are now moving to eCom

Relevant Controls
• Plan strategically rather than technologically
• Use technologies which conform to internet standards
• Use more than one technology supplier
• Plan ongoing investment

Moral Risk

Risk
• Staff may use internet systems inappropriately

Example
• Staff dismissed and charged with sexual harassment

Relevant Controls
• Develop an ‘appropriate usage’ policy for the internet
• Notify all staff that internet use will be monitored
• Log accesses to inappropriate sites
• Counsel staff acting inappropriately

The Risk Management Process

1. Identify IT Risks
2. Assess IT Risks
3. Identify IT Controls
4. Document IT Controls
5. Monitor IT Risks and Controls

IT Risk Assessment Process

1. Identify Threats/Exposures
E.g. data confidentiality, availability, integrity, timeliness, accuracy and IT infrastructure

2. Assess Vulnerabilities to Threats/Exposures
E.g. remote access by unauthorized users

3. Determine Acceptable Risk Levels or Assess the Probability of Vulnerabilities
E.g. the chance of remote access by unauthorized users is 0.05 percent
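The three assessment steps above can be carried through as a small risk register. This is an added example written for this page, not material from the slides: each exposure from step 1 carries an assumed loss value, each vulnerability from step 2 carries the probability assessed in step 3, and the expected loss (probability times impact) is compared with an acceptable risk level expressed as an annual expected loss. The exposures, the loss values, the probabilities (other than the 0.05 percent figure quoted in the slide) and the acceptable level are all constructed; the function and class names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    """Step 1: a threat/exposure such as data confidentiality or availability."""
    name: str
    loss_if_realised: float   # assumed impact in currency units (constructed)


@dataclass
class Vulnerability:
    """Step 2: a way the exposure can be realised; step 3 assigns its probability."""
    exposure: str
    description: str
    probability: float        # annual probability in [0, 1]


@dataclass
class RiskItem:
    exposure: str
    vulnerability: str
    probability: float
    expected_loss: float
    acceptable: bool          # True when expected loss is within the acceptable level


def pct(value: float) -> float:
    """Convert a percentage as written on the slide ("0.05 percent") to a probability."""
    return value / 100.0


def assess(exposures, vulnerabilities, acceptable_loss: float):
    """Expected loss = probability x impact, compared with the acceptable risk level.

    Raises on a vulnerability that names an unknown exposure or carries an
    impossible probability, so a typo in the register cannot silently produce
    a zero or inflated expected loss.
    """
    impact = {e.name: e.loss_if_realised for e in exposures}
    items = []
    for v in vulnerabilities:
        if v.exposure not in impact:
            raise KeyError(f"vulnerability refers to unknown exposure {v.exposure!r}")
        if not 0.0 <= v.probability <= 1.0:
            raise ValueError(f"probability out of range for {v.description!r}")
        expected = v.probability * impact[v.exposure]
        items.append(RiskItem(v.exposure, v.description, v.probability,
                              expected, expected <= acceptable_loss))
    # Highest expected loss first: the order in which controls should be identified
    return sorted(items, key=lambda item: item.expected_loss, reverse=True)


def needs_controls(items):
    """Vulnerabilities whose expected loss exceeds the acceptable risk level."""
    return [item.vulnerability for item in items if not item.acceptable]


def sample_exposures():
    # Constructed loss values, not figures from the slides
    return [Exposure("Data confidentiality", 2_000_000.0),
            Exposure("Availability", 500_000.0),
            Exposure("Integrity", 1_000_000.0)]


def sample_vulnerabilities():
    # The 0.05 percent figure is the slide's example; the other two are constructed
    return [Vulnerability("Data confidentiality", "Remote access by unauthorized users", pct(0.05)),
            Vulnerability("Availability", "Unpatched web server outage", 0.10),
            Vulnerability("Integrity", "Batch job modifies records without approval", 0.02)]


if __name__ == "__main__":
    register = assess(sample_exposures(), sample_vulnerabilities(), acceptable_loss=10_000.0)
    for item in register:
        status = "accept" if item.acceptable else "CONTROL REQUIRED"
        print(f"{item.expected_loss:>10,.0f}  {item.vulnerability:<45} {status}")
```

Note how the slide's 0.05 percent probability, applied to a high-value exposure, still lands below the assumed acceptable level, while a modest probability on a lower-value exposure does not; the ranking, not the raw probability, decides which vulnerabilities move on to the "identify IT controls" step.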

Internal Control Environment Model

Internal Control-Integrated Framework
• Published by COSO (Committee of Sponsoring Organizations of the Treadway Commission) in 1992
• A joint effort of five organizations: AICPA, AAA, IIA, Financial Executives Institute and IMA

COSO defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives (effectiveness and efficiency of operations; reliability of financial reporting; compliance with laws & regulations).

COBIT (Control Objectives for Information and Related Technology)

COBIT was published by ISACA in 1996 and revised in 1998 & 2000

COBIT is a comprehensive internal control framework specifically pertaining to Internal Control issues associated with IT

COBIT defines control as “the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.”

SAC (Systems Auditability and Control)

SAC was published by the IIA in 1977. It was the first internal control framework pertaining to IT (revised in 1991 and then in 1994).

The SAC report is intended to provide “sound guidance on control and audit of IS and Technology. The report focuses on the business perspective of IT and the risks associated with planning, implementing, and using automation”

SAC emphasizes management’s responsibility to identify, understand, and assess the risks associated with the integration of technology in an organization, and to oversee and control the organization’s use of technology.

eSAC

In 2001 the IIA published a more contemporary IC model called Electronic Systems Assurance and Control (eSAC)
• Electronic: reflects the increased use of IT and e-Business
• Auditability is replaced by Assurance

eSAC MODEL

SASs 55/78/94 (Statements on Auditing Standards)

SAS 55 was published by the AICPA for external auditors on the consideration of internal control in a financial statement audit

SAS 78 uses COSO’s IC definition and model

SAS 94 added significant new sections regarding the effect of IT on internal control

Comparison of Control Concepts

Frameworks compared: COBIT, SAC, COSO, SASs 55/78

Primary Audience
• COBIT: Management, users, information system auditors
• SAC: Internal auditors
• COSO: Management
• SASs 55/78: External auditors

IC viewed as a
• COBIT: Set of processes including policies, procedures, practices, and organizational structures
• SAC: Set of processes, subsystems, and people
• COSO: Process
• SASs 55/78: Process

IC Objectives (organizational)
• COBIT: Effective & efficient operations; confidentiality, integrity and availability of information; reliable financial reporting; compliance with laws & regs
• SAC: Effective & efficient operations; reliable financial reporting; compliance with laws & regs
• COSO: Effective & efficient operations; reliable financial reporting; compliance with laws & regs
• SASs 55/78: Reliable financial reporting; effective & efficient operations; compliance with laws & regs

Components or Domains
• COBIT domains: Planning and organization; acquisition and implementation; delivery and support; monitoring
• SAC components: Control environment; manual & automated systems; control procedures
• COSO components: Control environment; risk management; control activities; information & communication; monitoring
• SASs 55/78 components: Control environment; risk assessment; control activities; information & communication; monitoring

Focus
• COBIT: Information technology
• SAC: Information technology
• COSO: Overall entity
• SASs 55/78: Financial statement

IC Effectiveness Evaluated
• COBIT: For a period of time
• SAC: For a period of time
• COSO: At a point in time
• SASs 55/78: For a period of time

Responsibility for IC System
• COBIT: Management
• SAC: Management
• COSO: Management
• SASs 55/78: Management

Size
• COBIT: 187 pages in four documents
• SAC: 1193 pages in 12 modules
• COSO: 353 pages in four volumes
• SASs 55/78: 63 pages in two documents
