CHAPTER 7
CONTROL AND ACCOUNTING INFORMATION SYSTEMS
entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals. The basic principles behind ERM are as follows:
- Companies are formed to create value for their owners.
- Management must decide how much uncertainty it will accept as it creates value.
- Uncertainty results in risk, which is the possibility that something negatively affects the company's ability to create or preserve value.
- Uncertainty results in opportunity, which is the possibility that something positively affects the company's ability to create or preserve value.
- The ERM framework can manage uncertainty as well as create and preserve value.
COSO developed the ERM model shown in Figure 7-3 to illustrate the elements of ERM. The four columns at the top represent the objectives management must meet to achieve company goals. The columns on the right represent the company's units. The horizontal rows are the eight interrelated risk and control components of ERM. The ERM model is three-dimensional: each of the eight risk and control elements applies to each of the four objectives and to the company and/or one of its subunits. For example, XYZ Company could look at the control activities for the operations objectives in its Pacific Division.

TABLE 7-1 Five Components and 17 Principles of COSO's Internal Control Model

Component: Control environment
Description: This is the foundation for all other components of internal control. The core of any business is its people: their individual attributes, including integrity, discipline, ethical values, and competence, and the environment in which they operate. They are the engine that drives the organization and the foundation on which everything rests.
Principles:
1. Commitment to integrity and ethics
2. Internal control oversight by the board of directors, independent of management
3. Structures, reporting lines, and appropriate responsibilities in the pursuit of objectives established by management and overseen by the board
4. A commitment to attract, develop, and retain competent individuals in alignment with objectives
5. Holding individuals accountable for their internal control responsibilities in pursuit of objectives

Component: Risk assessment
Description: The organization must identify, analyze, and manage its risks. Managing risk is a dynamic process. Management must consider changes in the external environment and within the business that may be obstacles to its objectives.
Principles:
6. Specifying objectives clearly enough for risks to be identified and assessed
7. Identifying and analyzing risks to determine how they should be managed
8. Considering the potential of fraud
9. Identifying and assessing changes that could significantly impact the system of internal control

Component: Control activities
Description: Control policies and procedures help ensure that the actions identified by management to address risks and achieve the organization's objectives are effectively carried out. Control activities are performed at all levels and at various stages within the business process and over technology.
Principles:
10. Selecting and developing controls that might help mitigate risks to an acceptable level
11. Selecting and developing general control activities over technology
12. Deploying control activities as specified in policies and relevant procedures

Component: Information and communication
Description: Information and communication systems capture and exchange the information needed to conduct, manage, and control the organization's operations. Communication must occur internally and externally to provide the information needed to carry out day-to-day internal control activities. All personnel must understand their responsibilities.
Principles:
13. Obtaining or generating relevant, high-quality information to support internal control
14. Internally communicating information, including objectives and responsibilities, necessary to support the other components of internal control
15. Communicating relevant internal control matters to external parties

Component: Monitoring
Description: The entire process must be monitored, and modifications made as necessary so the system can change as conditions warrant. Evaluations ascertain whether each component of internal control is present and functioning. Deficiencies are communicated in a timely manner, with serious matters reported to senior management and the board.
Principles:
16. Selecting, developing, and performing ongoing or separate evaluations of the components of internal control
17. Evaluating and communicating deficiencies to those responsible for corrective action, including senior management and the board of directors, where appropriate

PART II CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS
THE ENTERPRISE RISK MANAGEMENT FRAMEWORK VERSUS THE INTERNAL CONTROL FRAMEWORK
The IC framework has been widely adopted as the way to evaluate internal controls, as required by SOX. The more comprehensive ERM framework takes a risk-based rather than a controls-based approach. ERM adds three elements to COSO's IC framework: setting objectives, identifying events that may affect the company, and developing a response to assessed risk. As a result, controls are flexible and relevant because they are linked to current organizational objectives. The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.
Because it is more comprehensive, the text uses the ERM model to explain internal controls. If one understands the ERM model, it is easy to understand the IC model, since the IC model's five components are five of the eight ERM components. It is harder to go from understanding the IC model to understanding the ERM model, as the reader may not be familiar with the three additional components. The eight ERM components shown in Figure 7-3 are the topic of the remainder of the chapter.
The Internal Environment
The internal environment, or company culture, influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk. It is the foundation for all other ERM components. A weak or deficient internal environment often results in breakdowns in risk management and control. It is essentially the same thing as the control environment in the IC framework.
An internal environment consists of the following: