Internal Control
Wilkinson
Internal Control
Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm’s objectives will be achieved
These controls encompass all the measures and practices that are used to counteract exposures to risks
The control framework is called the Internal Control Structure
Objectives of the Internal Control Structure
• Promoting effectiveness and efficiency of operations
• Reliability of financial reporting
• Safeguarding assets
• Checking the accuracy and reliability of accounting data
• Compliance with applicable laws and regulations
• Encouraging adherence to prescribed managerial policies
Components and Major Considerations of the IC Structure
[Diagram] The Internal Control Structure is made up of five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring. Control Activities split into activities related to financial reporting and activities related to information processing; the latter divide into general controls and application controls.
Control Environment
The Control Environment establishes the tone of a company, influencing the control consciousness of its employees.
It is made up of the following components:
• Management philosophy and operating style
• Integrity and ethical values
• Commitment to competence
• The Board of Directors and the Audit Committee
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices
• External influences
Highlights of CE Components - I
Management Philosophy and Operating Style
• Does management emphasize short-term profits and operating goals over long-term goals?
• Is management dominated by one or a few individuals?
• What type of business risks does management take and how are these risks managed?
• Is management conservative or aggressive toward selecting from available alternative accounting principles?
Highlights of CE Components - II
Organization Structure
• Is an up-to-date organization chart prepared, showing the names of key personnel?
• Is the information systems function separated from incompatible functions?
• How is the accounting department organized?
• Is the internal audit function separate and distinct from accounting?
• Do subordinate managers report to more than one supervisor?
Highlights of CE Components - III
Assignment of Authority and Responsibility
• Does the company prepare written employee job descriptions defining specific duties and reporting relationships?
• Is written approval required for changes made to information systems?
• Does the company clearly delineate to employees and managers the boundaries of authority-responsibility relationships?
• Does the company properly delegate authority to employees and departments?
Highlights of CE Components - IV
Human Resource Policies and Practices
• Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and Corporate Code of Conduct?
• Is the company in compliance with the ADA? The EEOA?
• Are Grievance Procedures to manage conflict in force?
• Does the company maintain a sound Employee Relations program?
• Do employees work in a safe, healthy environment?
• Are Counseling Programs available to employees?
• Are proper Separation Programs in force for employees who leave the firm?
• Are critical employees Bonded?
Key Functions Performed by Audit Committees
• Establish an Internal Audit Department
• Review the scope and status of audits
• Review audit findings with the Board and ensure that management has taken the proper action recommended in the Audit Report and Letter of Reportable Conditions
• Maintain a direct line of communication among the Board, management, external and internal auditors, and periodically arrange meetings among the parties
• Review the audited financial statements with the internal auditors and the Board of Directors
• Require periodic quality reviews of the operations of the Internal Audit Department to identify areas needing improvement
• Supervise special investigations, such as fraud investigations
• Assess the performance of financial management
• Require the review of compliance with laws and regulations and with corporate codes of conduct
Risk Assessment
Top management must be directly involved in Business Risk Assessment.
This involves the Identification and Analysis of Relevant Risks that may prevent the attainment of Company-wide Objectives and Objectives of Organizational Units and the formation of a plan to determine how to manage the risks.
Control Activities - I
Control Activities related to Financial Reporting may be classified according to their intended uses in a system:
• Preventive controls block adverse events, such as errors or losses, from occurring
• Detective controls discover the occurrence of adverse events such as operational inefficiency
• Corrective controls are designed to remedy problems discovered through detective controls
• Security measures are intended to provide adequate safeguards over access to and use of assets and data records
Control Activities - II
Control Activities relating to Information Processing may also be classified according to where they will be applied within the system:
• General controls are those controls that pertain to all activities involving a firm's AIS and assets
• Application controls relate to specific accounting tasks or transactions
The overall trend seems to be going from specific application controls to more global general controls
Control Activities - III
Performance Reviews
• Comparing budgets to actual values
• Relating different sets of data, operating or financial, to one another, together with analyses of the relationships and investigative and corrective actions
• Reviewing functional performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections
Information & Communication
All Transactions entered for processing are Valid and Authorized
All valid transactions are captured and entered for processing on a Timely Basis and in Sufficient Detail to permit the proper Classification of Transactions
The input data of all entered transactions are Accurate and Complete, with the transactions being expressed in proper Monetary terms
All entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data sets
All required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable Information
All transactions are recorded in the proper Accounting Period
Risk
Business firms face risks that reduce the chances of achieving their control objectives.
Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers.
Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.
Some Typical Sources of Risk - I
Clerical and Operational Employees, who process transactional data and have access to Assets
Computer Programmers, who have knowledge relating to the Instructions by which transactions are processed
Managers and Accountants, who have access to Records and Financial Reports and often have Authority to Approve Transactions
Some Typical Sources of Risk - II
Former Employees, who may still understand the Control Structure and may harbor grudges against the firm
Customers and Suppliers, who generate many of the transactions processed by the firm
Competitors, who may desire to acquire confidential information of the firm
Outside Persons, such as Computer Hackers and Criminals, who have various reasons to access the firm’s data or its assets or to commit destructive acts
Acts of Nature or Accidents, such as floods, fires, and equipment breakdowns
Types of Risks
• Unintentional errors
• Deliberate errors (fraud)
• Unintentional losses of assets
• Thefts of assets
• Breaches of security
• Acts of violence and natural disasters
Factors that Increase Risk Exposure
Frequency - the more frequent the occurrence of a transaction, the greater the exposure to risk
Vulnerability - liquid and/or portable assets contribute to risk exposure
Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure
Problem Conditions Affecting Risk Exposures
Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures
Lack of Enforcement - management may not prosecute wrongdoers because of the potential embarrassment
Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect
Computer Crime
Computer crime (computer abuse) is the use of a computer to deceive for personal gain.
Due to the proliferation of networks and personal computers, computer crime is expected to increase significantly in both frequency and amount of loss.
It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.
Examples of Computer Crime
• Theft of computer hardware and software
• Unauthorized use of computer facilities for personal use
• Fraudulent modification or use of data or programs
Reasons Why Computers Cause Control Problems
• Processing is concentrated
• Audit trails may be undermined
• Human judgment is bypassed
• Data are stored in device-oriented rather than human-oriented forms:
  • Invisible data
  • Stored data are erasable
  • Data are stored in a compressed form
  • Stored data are relatively accessible
• Computer equipment is powerful but complex and vulnerable
Feasibility of Controls
Audit Considerations
Cost-Benefit Considerations
• Determine the specific computer resources subject to control
• Determine all potential threats to the company's computer system
• Assess the relevant risks to which the firm is exposed
• Measure the extent of each relevant risk exposure in dollar terms
• Multiply the estimated effect of each relevant risk exposure by the estimated frequency of occurrence over a reasonable period, such as a year
• Compute the cost of installing and maintaining a control that is to counter each relevant risk exposure
• Compare the benefits against the costs of each control
Legislation
The Foreign Corrupt Practices Act of 1977
Of the federal legislation governing the use of computers, the Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important.
• This act makes it a federal crime to intentionally access a computer for such purposes as: (1) obtaining top-secret military information, or personal, financial or credit information
• (2) committing a fraud
• (3) altering or destroying federal information
Methods for Thwarting Computer Abuse
• Enlist top-management support so that awareness of computer abuse will filter down through management ranks.
• Implement and enforce control procedures.
• Increase employee awareness of the seriousness of computer abuse, the costs it imposes, and the disruption it creates.
• Establish a code of conduct.
• Be aware of the common characteristics of most computer abusers.
• Recognize the symptoms of computer abuse, such as:
  • behavioral or lifestyle changes in an employee
  • accounting irregularities such as forged, altered or destroyed input documents or suspicious accounting adjustments
  • absent or ignored control procedures
  • the presence of many odd or unusual anomalies that go unchallenged
• Encourage ethical behavior
Control Problems Caused by Computerization: Data Collection
(Columns: Manual System characteristics | Computer-based System characteristics | Risk Exposures | Compensating Controls)
Row 1
  Manual system: Data recorded in paper source documents
  Computer-based system: Data sometimes captured without use of source documents
  Risk exposure: Audit trail may be partially lost
  Compensating control: Printed copies of source documents prepared by computer systems
Row 2
  Manual system: Data reviewed for errors by clerks
  Computer-based system: Data often not subject to review by clerks
  Risk exposure: Errors, accidental or deliberate, may be entered for processing
  Compensating control: Edit checks performed by computer system
Control Problems Caused by Computerization: Data Processing
(Columns: Manual System characteristics | Computer-based System characteristics | Risk Exposures | Compensating Controls)
Row 1
  Manual system: Processing steps performed by clerks who possess judgment
  Computer-based system: Processing steps performed by CPU "blindly" in accordance with program instructions
  Risk exposure: Errors may cause incorrect results of processing
  Compensating control: Outputs reviewed by users of computer system; carefully developed computer processing programs
Row 2
  Manual system: Processing steps among various clerks in separate departments
  Computer-based system: Processing steps concentrated within computer CPU
  Risk exposure: Unauthorized manipulation of data and theft of assets can occur on a larger scale
  Compensating control: Restricted access to computer facilities; clear procedure for authorizing changes to programs
Row 3
  Manual system: Processing requires use of journals and ledgers
  Computer-based system: Processing does not require use of journals
  Risk exposure: Audit trail may be partially lost
  Compensating control: Printed journals and other analyses
Row 4
  Manual system: Processing performed relatively slowly
  Computer-based system: Processing performed very rapidly
  Risk exposure: Effects of errors may spread rapidly through files
  Compensating control: Editing of all data during input and processing steps
Control Problems Caused by Computerization: Data Storage & Retrieval
(Columns: Manual System characteristics | Computer-based System characteristics | Risk Exposures | Compensating Controls)
Row 1
  Manual system: Data stored in file drawers throughout the various departments
  Computer-based system: Data compressed on magnetic media (e.g., tapes, disks)
  Risk exposure: Data may be accessed by unauthorized persons or stolen
  Compensating control: Security measures at points of access and over data library
Row 2
  Manual system: Data stored on hard copies in human-readable form
  Computer-based system: Data stored in invisible, erasable, computer-readable form
  Risk exposure: Data are temporarily unusable by humans, and might possibly be lost
  Compensating control: Data files printed periodically; backup of files; protection against sudden power losses
Row 3
  Manual system: Stored data accessible on a piece-meal basis at various locations
  Computer-based system: Stored data often readily accessible from various locations via terminals
  Risk exposure: Data may be accessed by unauthorized persons
  Compensating control: Security measures at points of access
Control Problems Caused by Computerization: Information Generation
(Columns: Manual System characteristics | Computer-based System characteristics | Risk Exposures | Compensating Controls)
Row 1
  Manual system: Outputs generated laboriously and usually in small volumes
  Computer-based system: Outputs generated quickly and neatly, often in large volumes
  Risk exposure: Inaccuracies may be buried in impressive-looking outputs that users accept on faith
  Compensating control: Reviews by users of outputs, including the checking of amounts
Row 2
  Manual system: Outputs usually in hard-copy form
  Computer-based system: Outputs provided in various forms, including soft-copy displays and voice responses
  Risk exposure: Information stored on magnetic media is subject to modification (only hard copy provides a permanent record)
  Compensating control: Backup of files; periodic printing of stored files onto hard-copy records
Control Problems Caused by Computerization: Equipment
(Columns: Manual System characteristics | Computer-based System characteristics | Risk Exposures | Compensating Controls)
Row 1
  Manual system: Relatively simple, inexpensive, and mobile
  Computer-based system: Relatively complex, expensive, and in fixed locations
  Risk exposure: Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed; operations may be delayed through inefficiencies
  Compensating control: Backup of data, power supply and equipment; preventive maintenance of equipment; restrictions on access to computer facilities; documentation of equipment usage and processing procedures
Jones & Rama
Internal Control and Accountants' Roles
Accountants as Managers -
The Sarbanes-Oxley Act of 2002 and Auditing Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) require:
• Management to prepare a statement describing and assessing the company's internal control system
• Annual reports of public companies to include:
  (1) a statement that management is responsible for internal controls over financial reporting,
  (2) a statement identifying the framework used by management to evaluate internal controls,
  (3) an assessment of internal controls and disclosure of any material weaknesses, and
  (4) a statement that a public accounting firm has issued an attestation report on management's assessment of internal control.
(PCAOB Auditing Standard No. 2 was superseded by Auditing Standard No. 5 in 2007, which dropped the separate auditor opinion on management's assessment; the auditor now opines directly on the effectiveness of internal control over financial reporting.)
Accountants as Users -
Must understand a company's internal controls to apply them correctly.
Accountants as Designers of internal control procedures -
Must understand a company's internal controls in working to achieve compliance with regulations and company objectives and to minimize risks.
Accountants as Evaluators -
Must understand internal control systems to:
• Help develop management's report that assesses internal controls (as internal auditors)
• Prepare an attestation to management's statement about internal control (as external auditors)
• Conduct the audit of a company's financial statements (as external auditors)
Framework for Studying Internal Control
• Components of internal control (the COSO Report)
• Internal control objectives
• Risk assessment
Framework for Studying Internal Control
The COSO Report: 5 interrelated components of internal control:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
Internal Control Components and Objectives
Internal control: Execution objectives -
2 execution objectives for the revenue cycle:
• Ensure proper delivery of goods and services
• Ensure proper collection and handling of cash
2 execution objectives for the acquisition cycle:
• Ensure proper receiving of goods and services
• Ensure proper payment and handling of cash
Internal Control Components and Objectives
Internal control: Information system objectives -
• Focus on recording, updating, and reporting accounting information
• Important for ensuring effective execution of transactions
Internal Control Components and Objectives
Internal control: Asset protection objectives -
• Focus on safeguarding assets to minimize risk of theft or loss of assets
Internal Control Components and Objectives
Internal control: Performance objectives –
• Focus on achieving favorable performance of an organization, person, department, product, or service
• Established to ensure effective operations
Assessment of Execution Risks: Revenue Cycle
Generic execution risks for each of the two revenue cycle transactions:
1. Delivering goods/services:
• Unauthorized sale/service permitted
• Authorized sale/service did not occur, occurred late, or was duplicated unintentionally
• Wrong type of product/service
• Wrong quantity/quality
• Wrong customer/address
2. Collecting cash:
• Cash not collected or collected late
• Wrong amount of cash collected
Assessment of Execution Risks: Acquisition Cycle
Generic execution risks for each of the two acquisition cycle transactions:
1. Receiving goods/services:
• Unauthorized goods/services received
• Expected receipt of goods/services did not occur, occurred late, or was duplicated unintentionally
• Wrong type of product or service received
• Wrong quantity/quality
• Wrong supplier
2. Making payment:
• Unauthorized payment
• Cash not paid, paid late, or duplicate payment
• Wrong amount paid
• Wrong supplier paid
Assessment of Execution Risks: Revenue & Acquisition Cycles
Understanding and assessing execution risks - 5 steps:
Step 1. Achieve an understanding of the processes
Step 2. Identify the at-risk goods/services provided and cash received
Step 3. Restate the generic risks to describe the execution risk more precisely for the process under study - exclude irrelevant/immaterial risks
Step 4. Assess the significance of the remaining risks
Step 5. Identify factors that contribute to each significant risk - use events in the process to systematically identify factors
What control activities could be implemented to mitigate the risks?
Assessment of Information Systems Risks
2 categories of information systems risks:
• Recording risks
• Updating risks
The process of recording and updating information is both a risk and a control:
• Risk - information may be recorded incorrectly, perhaps resulting in transaction errors and incorrect financial statements
• Control - when the recorded information is correct, it is used to control transactions
Assessment of Information Systems Risks
Recording risks: risks that event information is not captured accurately in an organization's information system
• Errors in recording can cause substantial losses
• Recording events late can cause opportunity losses
• In the acquisition cycle, recording errors can result in overpaying bills or loss of credit from failure to pay
Assessment of Information Systems Risks
Recording risks: revenue/acquisition cycles - generic recording risks
• Event recorded never occurred
• Event not recorded, recorded late, or duplication of recording
• Wrong product/service recorded
• Wrong quantity/price recorded
• Wrong external/internal agent recorded
• Wrong recording of other data
Identifying recording risks - 3 steps:
Step 1. Achieve an understanding of the process under study - identify the events
Step 2. Review events - identify where data are recorded in a source document or a transaction file
Step 3. For each event where data are recorded in a source document or transaction record:
• Consider the preceding generic recording risks
• Restate each generic risk to describe the risk more precisely for the particular event under consideration
• Exclude any risks that are irrelevant or immaterial
Assessment of Information Systems Risks
Updating risks: risks that summary fields in master records are not properly updated
• Update failures can be costly
• Errors in updates can reduce the effectiveness of controls over the general ledger balances for assets and liabilities
Updating risks: generic risks
• Update of master record omitted or unintended duplication of update
• Update of master record occurred at the wrong time (if updates are scheduled, users need to know, and the schedule needs to be followed)
• Summary field updated by wrong amount
• Wrong master record updated
Identifying updating risks - 3 steps:
Step 1. Identify recording risks
Step 2. Identify the events that include update activity and the summary fields in updated master files
Step 3. For each event in the updated master file:
• Consider the preceding generic update risks
• Restate each generic risk to describe the update risk more precisely for the particular event under consideration
• Exclude any update risks that are irrelevant or immaterial
Recording and Updating in the General Ledger System
The General_Ledger File stores reference and summary data about the general ledger accounts.
The process of updating a general ledger account is sometimes referred to as "posting."
Risks in recording and updating information in a general ledger system:
• Wrong general ledger account recorded
• Wrong amounts debited/credited
• General ledger master record not updated at all, updated late, or updated twice
• Wrong general ledger master record updated
Important to internal control:
• The policy for updating general ledger accounts should be well understood.
• Often, general ledger balances are updated after a batch of transactions, not with each transaction.
• Employees need to know that under the batch process general ledger account balances are temporarily out of date, and when updates are made.
Controlling risks:
• Identify significant risks of losses or errors
• Consider ways to control the risks
• Accountants, external auditors, or internal auditors evaluate existing controls and suggest additional controls where warranted
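The following is an added example, not code from the Jones & Rama slides, showing a batch posting routine for a small General_Ledger master that guards against the update risks listed above (wrong account, unbalanced amounts, and a master record updated twice). It assumes a journal layout of (transaction id, list of (account, debit, credit) lines), a debit-positive balance convention under which a balanced ledger sums to zero, and an in-memory set of posted transaction ids standing in for the posted-transaction log; all accounts and entries are constructed.

```python
"""Batch posting to a General_Ledger master with update controls.

Added example, not code from the slides. Assumptions: a journal
transaction is (transaction id, list of (account, debit, credit) lines);
balances are kept debit-positive, so credit-balance accounts such as
Sales are negative and a balanced ledger sums to zero; and a set of
already-posted transaction ids stands in for the posted-transaction
log. All accounts and entries are constructed.
"""
import copy
from decimal import Decimal

GENERAL_LEDGER = {   # account -> reference data + summary balance (constructed)
    "1000": {"name": "Cash", "balance": Decimal("5000.00")},
    "1200": {"name": "Accounts Receivable", "balance": Decimal("3000.00")},
    "4000": {"name": "Sales", "balance": Decimal("-8000.00")},
}

SAMPLE_JOURNAL = [
    ("J-1", [("1000", "500.00", "0"), ("1200", "0", "500.00")]),   # cash receipt
    ("J-2", [("1200", "700.00", "0"), ("4000", "0", "700.00")]),   # credit sale
    ("J-3", [("1000", "100.00", "0"), ("4000", "0", "90.00")]),    # debits != credits
    ("J-4", [("9999", "50.00", "0"), ("1000", "0", "50.00")]),     # no such account
]


def fresh_ledger():
    """A private copy of the sample master, so posting can be re-run."""
    return copy.deepcopy(GENERAL_LEDGER)


def trial_balance(ledger):
    """Sum of all balances; zero when debits equal credits overall."""
    return sum((acct["balance"] for acct in ledger.values()), Decimal("0"))


def validate_transaction(txn_id, lines, ledger, posted_ids):
    """Checks run before any master record is touched. Returns error strings."""
    errors = []
    if txn_id in posted_ids:                       # guards against duplicate updates
        errors.append("already posted")
    debits = sum((Decimal(d) for _, d, _ in lines), Decimal("0"))
    credits = sum((Decimal(c) for _, _, c in lines), Decimal("0"))
    if debits != credits:                          # wrong amounts debited/credited
        errors.append(f"unbalanced: debits {debits} credits {credits}")
    for acct, _, _ in lines:
        if acct not in ledger:                     # wrong / nonexistent master record
            errors.append(f"account {acct} not in General_Ledger")
    return errors


def apply_transaction(lines, ledger):
    """Post one validated transaction to the summary balances."""
    for acct, debit, credit in lines:
        ledger[acct]["balance"] += Decimal(debit) - Decimal(credit)


def post_batch(journal, ledger, posted_ids):
    """Post a batch. Each transaction is validated in full before it updates
    anything; failures are held in an exception list rather than half-posted.
    Returns (posted ids, {rejected id: errors})."""
    accepted, rejected = [], {}
    for txn_id, lines in journal:
        errors = validate_transaction(txn_id, lines, ledger, posted_ids)
        if errors:
            rejected[txn_id] = errors
            continue
        apply_transaction(lines, ledger)
        posted_ids.add(txn_id)       # recorded immediately, so a repeat is refused
        accepted.append(txn_id)
    return accepted, rejected


if __name__ == "__main__":
    ledger, posted = fresh_ledger(), set()
    print(post_batch(SAMPLE_JOURNAL, ledger, posted))
    print(post_batch(SAMPLE_JOURNAL, ledger, posted))   # second run posts nothing
    print("trial balance:", trial_balance(ledger))
```

Running the same batch twice is the interesting case: the second run rejects every transaction as already posted and leaves the balances unchanged, which is the property a batch job needs if it is restarted after a crash part-way through.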
Control Activities
The policies and procedures to address risks to achievement of the organization's objectives
• Manual or automated
• May be implemented at various levels of the organization
4 types of controls:
• Workflow controls
• Input controls
• General controls
• Performance reviews
Control Activities
Workflow controls: used to control a process as it moves from one event to the next
• Exploit linkages between events
• Focus on responsibilities for events, the sequence of events, and the flow of information between events in a business process
Workflow controls:
1. Segregation of duties
2. Use of information from prior events to control activities
3. Required sequence of events
4. Follow-up on events
5. Sequence of prenumbered documents
6. Recording of internal agent(s) accountable for an event in a process
7. Limitation of access to assets and information
8. Reconciliation of records with physical evidence of assets
Control Activities
1. Segregation of duties: organizations make an effort to segregate:
• Authorization of events
• Execution of events
• Recording of event data
• Custody of resources associated with the event
The overview activity diagram is best suited to understanding and documenting segregation of duties
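The following is an added example, not from the slides, showing how segregation of the four functions above can be checked both preventively (over the entitlements granted in a system) and detectively (over an event log of who actually did what on each transaction). The log schema, the agent names, the entitlement table and the policy that no agent may perform two of the four functions for one transaction are all assumptions made for the illustration.

```python
"""Segregation-of-duties checks over entitlements and an event log.

Added example, not code from the slides. Assumptions: a policy that no
single agent may perform more than one of the four functions
(authorize, execute, record, custody) for one transaction; a system
entitlement table mapping agents to the functions they are allowed to
perform; and an event log with one row per (transaction id, function,
agent). All agents, entitlements and events are constructed.
"""
from collections import defaultdict
from itertools import combinations

FUNCTIONS = ("authorize", "execute", "record", "custody")

# Preventive view: what each agent is entitled to do (constructed).
SAMPLE_ENTITLEMENTS = {
    "alice": {"authorize"},
    "bob": {"authorize", "execute"},            # toxic combination
    "carol": {"record"},
    "dave": {"custody"},
    "erin": {"execute", "record", "custody"},   # three incompatible rights
}

# Detective view: what actually happened, per transaction (constructed).
SAMPLE_EVENTS = [
    ("PO-1001", "authorize", "alice"),
    ("PO-1001", "execute", "bob"),
    ("PO-1001", "record", "carol"),
    ("PO-1001", "custody", "dave"),
    ("PO-1002", "authorize", "bob"),
    ("PO-1002", "execute", "bob"),      # bob approved his own purchase
    ("PO-1002", "record", "carol"),
    ("PO-1003", "execute", "erin"),
    ("PO-1003", "record", "erin"),      # erin executed, recorded and
    ("PO-1003", "custody", "erin"),     # took custody of the goods
]


def _ordered(funcs):
    """Sort a set of function names in the order of FUNCTIONS."""
    return tuple(sorted(funcs, key=FUNCTIONS.index))


def find_toxic_entitlements(entitlements, incompatible=None):
    """Preventive check: agents holding two incompatible rights at once.
    By default every pair of FUNCTIONS is incompatible. Returns
    {agent: [pairs]} for agents with at least one toxic pair."""
    if incompatible is None:
        incompatible = {frozenset(p) for p in combinations(FUNCTIONS, 2)}
    toxic = {}
    for agent, funcs in entitlements.items():
        pairs = sorted(_ordered(p) for p in combinations(funcs, 2)
                       if frozenset(p) in incompatible)
        if pairs:
            toxic[agent] = pairs
    return toxic


def find_sod_violations(events):
    """Detective check: for each transaction, agents who performed two or
    more of FUNCTIONS. Returns {txn_id: [(agent, functions)]}."""
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn_id, function, agent in events:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} in {txn_id}")
        by_txn[txn_id][agent].add(function)
    violations = {}
    for txn_id, agents in by_txn.items():
        hits = sorted((agent, _ordered(funcs))
                      for agent, funcs in agents.items() if len(funcs) >= 2)
        if hits:
            violations[txn_id] = hits
    return violations


if __name__ == "__main__":
    print("toxic entitlements:", find_toxic_entitlements(SAMPLE_ENTITLEMENTS))
    print("violations in log:", find_sod_violations(SAMPLE_EVENTS))
```

The two checks answer different questions: the entitlement check finds accounts that could violate the policy (useful during access reviews, before anything happens), while the event-log check finds transactions where a violation actually occurred, which is what an auditor would sample. Passing a narrower `incompatible` set lets a smaller organization that cannot staff four separate roles declare only the pairs it treats as toxic.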
Control Activities
2. Use of information about prior events: information about prior events can come from documents or computer records. 2 examples of information from computer files:
• Checking summary data in master files to authorize events
• Transaction records may help control events - similar to using documents before approving an invoice
Control Activities
3. Required sequence of events: often, organizations
• Have policies requiring a process to follow a particular sequence
• Require a sequence of events without having prior recorded information to rely on
Control Activities
4. Follow-up on events: organizations
• Need an automated or manual way to review transactions not yet concluded
• Should have "open" item or aging reports to identify events needing follow-up
• Can design/use routine reports to flag unfinished business
• Can query a database for status reports
Control Activities
5. Prenumbered documents:
• Provide an opportunity to control events
• Prenumbered documents created during one event are accounted for in a later event
• Checking the sequence of prenumbered documents helps ensure that all events are executed and recorded appropriately
Control Activities
6. Recording of internal agent(s) accountable for an event in a process:
• Clear job descriptions and specific instructions from supervisors are important
• Recording the employee ID number at the time of the event
• Safeguarding of assets through the use of serial numbers, recordkeeping, and identification of the custodian of the assets
Control Activities
7. Limitation of access to assets and information - safeguards:
• Access to assets only for employees needing them for assigned duties
• Physical assets stored in secure locations
• Employee badges for access
• Alarms
• Password required for access to data
Control Activities
8. Reconciliation of records with physical evidence of assets:
• Ensures that recorded event and master file data correspond to actual assets
• Differs from the use of documents to control events - reconciliation:
  • Is broader
  • Usually involves data about multiple events
  • Occurs after the events have been executed and recorded
Control Activities
Input controls: used to control input of data into computer systems
• Drop-down or look-up menus
• Record-checking of data entered
• Confirmation of data entered
• Referential integrity controls
• Format checks to limit data
• Validation rules to limit the data
• Defaults from data entered in prior sessions
• Restriction against leaving a field blank
• Field established as a primary key
• Computer-generated values entered in records
• Batch control totals taken before data entry compared to printouts after data entry
• Review for errors before posting
• Exception reports
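The following is an added example, not code from the slides, that implements several of the input controls above (blank-field restriction, format checks, referential integrity against a master file, batch control totals, review before posting and an exception report) together with the prenumbered-document sequence check from workflow control 5. It assumes a fixed record layout of invoice_no, date, customer_id and amount; a batch header the clerk prepares from the paper documents before keying, carrying the record count, the financial total of amounts, a hash total of the numeric part of the customer ids, and the expected range of invoice numbers; and a small customer master file. All records and totals are constructed, with deliberate keying defects so every control fires at least once.

```python
"""Input controls over a keyed batch of sales invoices.

Added example, not code from the slides. Assumptions: a fixed record
layout (invoice_no, date, customer_id, amount); a batch header the clerk
prepares from the paper documents before keying (record count, financial
total of amounts, hash total of the numeric part of customer ids, and
the range of prenumbered invoice numbers); and a small customer master
file. All records and totals are constructed for the example.
"""
from datetime import date
from decimal import Decimal, InvalidOperation

CUSTOMER_MASTER = {"C100": "Acme", "C101": "Bravo", "C102": "Cobalt"}
FIELDS = ("invoice_no", "date", "customer_id", "amount")

# Header taken from five paper invoices numbered 2001..2005 (constructed).
BATCH_HEADER = {"record_count": 5, "financial_total": Decimal("1250.00"),
                "hash_total": 504, "first_invoice": 2001, "last_invoice": 2005}

# The same five documents as keyed, with deliberate keying defects.
KEYED_RECORDS = [
    {"invoice_no": "2001", "date": "2024-03-01", "customer_id": "C100", "amount": "400.00"},
    {"invoice_no": "2002", "date": "2024-03-01", "customer_id": "C101", "amount": "250.00"},
    {"invoice_no": "2002", "date": "2024-03-02", "customer_id": "C101", "amount": "250.00"},  # 2003 keyed as 2002
    {"invoice_no": "2004", "date": "2024-02-30", "customer_id": "C999", "amount": "200.00"},  # bad date, unknown customer
    {"invoice_no": "2005", "date": "2024-03-03", "customer_id": "C101", "amount": ""},        # amount left blank
]


def edit_check(rec):
    """Field-level edit checks on one record: blank fields, format, range and
    referential integrity against the customer master. Returns error strings."""
    errors = [f"{f}: blank" for f in FIELDS if not rec.get(f, "").strip()]
    if rec.get("invoice_no", "").strip() and not rec["invoice_no"].isdigit():
        errors.append("invoice_no: not numeric")
    try:
        date.fromisoformat(rec.get("date", ""))          # rejects 2024-02-30
    except ValueError:
        errors.append(f"date: invalid {rec.get('date')!r}")
    if rec.get("customer_id") not in CUSTOMER_MASTER:    # referential integrity
        errors.append(f"customer_id: {rec.get('customer_id')!r} not in master file")
    try:
        amount = Decimal(rec.get("amount", ""))
        if amount <= 0 or amount.as_tuple().exponent < -2:   # positive, at most 2 decimals
            errors.append(f"amount: out of range or precision {rec['amount']!r}")
    except InvalidOperation:
        errors.append(f"amount: not a decimal {rec.get('amount')!r}")
    return errors


def _amount(rec):
    try:
        return Decimal(rec.get("amount", ""))
    except InvalidOperation:
        return Decimal("0")


def _customer_number(rec):
    digits = "".join(ch for ch in rec.get("customer_id", "") if ch.isdigit())
    return int(digits) if digits else 0


def check_batch_totals(records, header):
    """Recompute the control totals from the keyed data and compare with the
    header. Returns {total_name: (expected, actual)} for each disagreement."""
    actual = {
        "record_count": len(records),
        "financial_total": sum((_amount(r) for r in records), Decimal("0")),
        "hash_total": sum(_customer_number(r) for r in records),
    }
    return {k: (header[k], v) for k, v in actual.items() if header[k] != v}


def check_sequence(invoice_nos, first, last):
    """Prenumbered-document control: every number in [first, last] must be
    present exactly once. Returns the gaps, repeats and strays."""
    counts = {}
    for n in invoice_nos:
        counts[n] = counts.get(n, 0) + 1
    return {
        "missing": [n for n in range(first, last + 1) if n not in counts],
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if not first <= n <= last),
    }


def process_batch(records, header):
    """Run all input controls over a batch. The batch is released for posting
    only when no record fails an edit check, the document sequence is complete
    and the control totals agree; otherwise it is held and reported."""
    record_errors = {}
    for idx, rec in enumerate(records):
        errs = edit_check(rec)
        if errs:
            record_errors[f"{idx}:{rec.get('invoice_no', '')}"] = errs
    nums = [int(r["invoice_no"]) for r in records if r.get("invoice_no", "").isdigit()]
    report = {
        "record_errors": record_errors,
        "sequence": check_sequence(nums, header["first_invoice"], header["last_invoice"]),
        "totals": check_batch_totals(records, header),
    }
    report["released"] = (not record_errors and not report["totals"]
                          and not any(report["sequence"].values()))
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(process_batch(KEYED_RECORDS, BATCH_HEADER))
```

Note which defect each control catches: the record keyed as 2002 twice passes every field-level edit check and is only exposed by the sequence check (missing 2003, duplicate 2002) and by the hash total, which is why a batch is balanced against header totals rather than relying on per-field validation alone. The batch is held as a whole until the exceptions are corrected, matching the "review for errors before posting" control.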
Control Activities
General controls: broader controls that apply to multiple processes and help workflow and input controls be effective. Organized into four categories:
• Information systems (IS) planning
• Organizing the information technology (IT) function
• Identifying and developing IS solutions
• Implementing and operating accounting systems
Control Activities
Performance reviews:
• Measure performance by comparing actual data with budgets, forecasts, or prior-period data
• Include analyzing data, identifying problems, and taking corrective action
• Ensure events support broader long-term goals
• Typically involve comparing actual results to plans, standards, and prior performance
• Often result in taking corrective action
• Require an information system (the AIS in particular) that records and stores information about standards and actual outcomes
• Require reports that allow for meaningful analysis of actual results
Performance reviews and master records are related in two ways:
• Planned standards and budget figures (reference data) are typically recorded during file maintenance activities in master records
• Summary data stored in master records are often used to implement corrective action; summary fields in master records can also help in reviewing performance
Haryono, MCom, Ak.
DEFINITION
Risk is "the chance of a negative outcome" or "potential of loss"
Types of Risk
Business Risk
• The potential failure of an organization to achieve its business objectives because of internal or external factors
Audit Risk
• A public accounting firm (KAP) errs when giving its opinion on the financial statements, or an IT auditor fails to uncover a material error or fraud
Security Risk
• Risk relating to the accuracy of, and access to, databases; a growing concern in e-commerce
Continuity Risk
• Risk relating to the availability, backup and recovery of information systems
Why is e-Commerce so risky?
• Control techniques are not so apparent
• Tight integration with business partners requires high levels of mutual trust
• A replacement for 'face to face' business methods must be used
• We need more trust in technology!
• Business models, technologies and the legal environment are very immature
• Similar to the 'gold rush' of the 1880s: high risks matched by high returns
E-Commerce Risks
Strategic Risk, Economic Risk, Security Risk, Integrity Risk, Fraud Risk, Reliability Risk, Disruption Risk, Image Risk, Legal Risk, Privacy Risk, Efficiency Risk, Terrorism Risk, Technology Risk, Moral Risk
Strategic Risk
Risk
• A competitor can use the internet to gain a competitive advantage
Example
• Amazon vs. Barnes & Noble
Relevant Controls
• Consider eCom as a key business strategy
• Develop an eCom strategy immediately if in the business of information or services
Economic Risk
Risk
• Is there an acceptable ROI from eCom?
Relevant Controls
• Begin with small steps - pilot projects
• Take a long-term view of ROI
• Analyze cost/benefit thoroughly
• Exercise strong project management
Security Risk
Risk
• Intruders can use the Internet to access internal systems
Example
• Hackers publishing customers’ credit card numbers
Relevant Controls
• Ensure network architecture is geared for security
• Use encryption and authentication technologies
• Use intrusion detection systems such as RealSecure
Integrity Risk
Risk
• The internet can be used to access and modify your sensitive business data
Example
• Hackers altering the names of political parties in an election
Relevant Controls
• Ensure data access controls are tightened
• Implement a highly secure logging mechanism on data repositories
Fraud Risk
Risk
• Fraudsters love the anonymity of the internet
Example
• Credit card fraud
Relevant Controls
• Authenticate users with digital certificates and a public key infrastructure (extranet vs. internet)
• Implement independent trust services such as WebTrust
Reliability Risk
Risk
• eCom systems are less reliable and more prone to problems than traditional systems
Relevant Controls
• Automate business rules and associated controls into the eCom system
• Use intelligent filtering technologies to enable manual intervention for unusual transactions
• Test new eCom systems comprehensively
Disruption Risk
Risk
• Disruptions to eCom systems could disable a company
Relevant Controls
• Use dedicated intrusion detection systems such as RealSecure
• Implement proper business continuity management across the eCom system
• Build redundancy into the eCom network
Image Risk
Risk
• Hackers can vandalize web sites and embarrass an organization
Example
• Replacement of images on an official website with other images
Relevant Controls
• Ensure Web servers are highly secured, tested and locked down
• Ensure the Web hosting service offers proof of security competency
• Implement intrusion detection systems such as RealSecure
Legal Risk
Risk
• An eCom application may break local or foreign laws
Example
• Internet gambling in Indonesia?
Relevant Controls
• Get legal advice during system design
• Authenticate users and apply appropriate legal rules to different locations
• Do not assume the internet is not policed
Privacy Risk
Risk
• Individuals and governments are concerned about people’s privacy
Example
• The European Union has made global privacy compliance mandatory
Relevant Controls
• Comply with relevant government or industry privacy legislation or codes of conduct
• Include privacy controls amongst other controls
• Provide reassurance through certification schemes
Efficiency Risk
Risk
• The internet may be used to add to, rather than replace, existing processes
Relevant Controls
• Consider eCom as a re-engineering project
• Use the internet to eliminate manual intervention and increase process automation and efficiency
• Ensure a return on investment is possible
Terrorism Risk
Risk
• A country or business infrastructure can be attacked
Relevant Controls
• Leave sensitive systems disconnected from the internet if possible
• Comprehensively test security of vulnerable systems
• Counsel staff acting inappropriately
Technology Risk
Risk
• The chosen eCom system may soon become obsolete
Example
• Companies with heavy EDI investment now moving to eCom
Relevant Controls
• Plan strategically rather than technologically
• Use technologies which conform to internet standards
• Use more than one technology supplier
• Plan ongoing investment
Moral Risk
Risk
• Staff may use internet systems inappropriately
Example
• Staff dismissed and charged with sexual harassment
Relevant Controls
• Develop an ‘appropriate usage’ policy for the internet
• Notify all staff that internet use will be monitored
• Log accesses to inappropriate sites
• Counsel staff acting inappropriately
The Risk Management Process
Identify IT Risks
Assess IT Risks
Identify IT Controls
Document IT Controls
Monitor IT Risks and Controls
IT Risk Assessment Process
1. Identify Threats/Exposures
Eg. Data confidentiality, availability, integrity, timeliness, accuracy and IT infrastructure
2. Assess Vulnerabilities to Threats/Exposures
Eg. Remote access by unauthorized users
3. Determine Acceptable Risk Levels or Assess the Probability of Vulnerabilities
Eg. Chance of remote access by unauthorized users is 0.05 percent
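As an added example (not part of the lecture slides), the following Python risk register carries the three assessment steps above into the "identify controls" and "document controls" steps of the Risk Management Process: each exposure is paired with its vulnerability and per-year probability, the expected annual loss is computed, and risks above an acceptable level are flagged. Only the "remote access by unauthorized users" vulnerability and its 0.05 percent figure come from the slide; the impact amounts, the other two risks and the acceptable-loss threshold are assumed values.

```python
from dataclasses import dataclass, field


@dataclass
class ItRisk:
    """One row of an IT risk register, following the three assessment steps."""
    exposure: str            # step 1: threat/exposure, e.g. data confidentiality
    vulnerability: str       # step 2: how the exposure could be realised
    probability_pct: float   # step 3: likelihood per year, in percent (0.05 == 0.05 %)
    impact: float            # assumed loss per occurrence, in currency units
    controls: list = field(default_factory=list)  # identified controls, documented here

    def expected_loss(self) -> float:
        # Annualised expected loss = probability x impact per occurrence
        return self.probability_pct / 100.0 * self.impact


def assess(risks, acceptable_annual_loss):
    """Rank risks by expected loss and flag those above the acceptable risk level.

    Returns (vulnerability, expected_loss, exceeds_acceptable_level) tuples,
    highest expected loss first.
    """
    ranked = sorted(risks, key=lambda r: r.expected_loss(), reverse=True)
    return [(r.vulnerability, round(r.expected_loss(), 2),
             r.expected_loss() > acceptable_annual_loss) for r in ranked]


# Constructed sample register: the first vulnerability and its 0.05 % probability
# are the slide's own example; all other figures are assumed for illustration.
SAMPLE_RISKS = [
    ItRisk("Data confidentiality", "Remote access by unauthorized users",
           0.05, 2_000_000, ["Strong authentication", "Intrusion detection"]),
    ItRisk("Data integrity", "Unauthorised change to master records",
           2.0, 30_000, ["Tightened data access controls", "Secure logging"]),
    ItRisk("Availability", "Web server outage during peak hours",
           5.0, 10_000, ["Redundant network", "Business continuity plan"]),
]
ACCEPTABLE_ANNUAL_LOSS = 800.0  # assumed acceptable risk level (step 3)

if __name__ == "__main__":
    for vulnerability, loss, exceeds in assess(SAMPLE_RISKS, ACCEPTABLE_ANNUAL_LOSS):
        status = "TREAT" if exceeds else "accept"
        print(f"{status:6} {loss:10.2f}  {vulnerability}")
```

The low-probability, high-impact confidentiality risk ranks first despite its 0.05 percent likelihood, which is why the assessment must weigh probability and impact together rather than probability alone.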
Internal Control Environment Model
Internal Control-Integrated Framework
It was published by COSO (Committee of Sponsoring Organizations of the Treadway Commission) in 1992
• Joint effort of 5 organizations: AICPA, AAA, IIA, Financial Executives Institute and IMA
COSO defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives (effectiveness and efficiency of operations; reliability of financial reporting; compliance with laws & regulations).
COBIT (Control Objectives for Information and Related Technology)
COBIT was published by ISACA in 1996 and revised in 1998 & 2000
COBIT is a comprehensive internal control framework specifically pertaining to Internal Control issues associated with IT
COBIT defines control as “the policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.”
SAC (Systems Auditability and Control)
SAC was published by the IIA in 1977. It was the first internal control framework pertaining to IT (revised in 1991 and then in 1994)
The SAC report is intended to provide “sound guidance on control and audit of IS and Technology. The report focuses on the business perspective of IT and the risks associated with planning, implementing, and using automation”
SAC emphasizes management’s responsibility to identify, understand, and assess the risks associated with the integration of technology in an organization and to oversee and control the organization’s use of technology.
eSAC
In 2001 the IIA published a more contemporary IC model called Electronic Systems Assurance and Control (eSAC)
• Electronic: increased use of IT and e-Business
• Auditability is replaced by Assurance
eSAC Model
SASs 55/78/94 (Statements on Auditing Standards)
SAS 55 was published by the AICPA for external auditors on the consideration of internal control in an audit of financial statements
SAS 78 uses COSO’s IC definition and model
SAS 94 added new significant sections regarding the effect of IT on internal control
Comparison of Control Concepts (COBIT, SAC, COSO, SASs 55/78)
Primary Audience
• COBIT: Management, users, information system auditors
• SAC: Internal auditors
• COSO: Management
• SASs 55/78: External auditors
IC viewed as a
• COBIT: Set of processes including policies, procedures, practices, and organizational structures
• SAC: Set of processes, subsystems, and people
• COSO: Process
• SASs 55/78: Process
IC Objectives
• COBIT: Effective & efficient operations; confidentiality, integrity and availability of information; reliable financial reporting; compliance with laws & regs
• SAC: Effective & efficient operations; reliable financial reporting; compliance with laws & regs
• COSO: Effective & efficient operations; reliable financial reporting; compliance with laws & regs
• SASs 55/78: Reliable financial reporting; effective & efficient operations; compliance with laws & regs
Components or Domains
• COBIT: Domains: planning and organization; acquisition and implementation; delivery and support; monitoring
• SAC: Components: control environment; manual & automated systems; control procedures
• COSO: Components: control environment; risk management; control activities; information & communication; monitoring
• SASs 55/78: Components: control environment; risk assessment; control activities; information & communication; monitoring
Focus
• COBIT: Information technology
• SAC: Information technology
• COSO: Overall entity
• SASs 55/78: Financial statement
IC Effectiveness Evaluated
• COBIT: For a period of time
• SAC: For a period of time
• COSO: At a point in time
• SASs 55/78: For a period of time
Responsibility for IC System
• COBIT: Management
• SAC: Management
• COSO: Management
• SASs 55/78: Management
Size
• COBIT: 187 pages in four documents
• SAC: 1193 pages in 12 modules
• COSO: 353 pages in four volumes
• SASs 55/78: 63 pages in two documents