[Figure: process reference model for governance and management of enterprise IT (the COBIT 5 process reference model). Panel titles: Processes for Governance of Enterprise IT (Evaluate, Direct, and Monitor); Processes for Management of Enterprise IT (Align, Plan, and Organize; Build, Acquire, and Implement; Deliver, Service, and Support; Monitor, Evaluate, and Assess).]
Processes shown in the figure, by domain:
Align, Plan, and Organize: APO01 Manage the IT Management Framework; APO02 Manage Strategy; APO03 Manage Enterprise Architecture; APO04 Manage Innovation; APO05 Manage Portfolio; APO06 Manage Budget and Costs; APO07 Manage Human Resources; APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security.
Build, Acquire, and Implement: BAI01 Manage Programs and Projects; BAI02 Manage Requirements Definition; BAI03 Manage Solutions Identification and Build; BAI04 Manage Availability and Capacity; BAI05 Manage Organizational Change Enablement; BAI06 Manage Changes; BAI07 Manage Change Acceptance and Transitioning; BAI08 Manage Knowledge; BAI09 Manage Assets; BAI10 Manage Configuration.
Deliver, Service, and Support: DSS01 Manage Operations; DSS02 Manage Service Requests and Incidents; DSS03 Manage Problems; DSS04 Manage Continuity; DSS05 Manage Security Services; DSS06 Manage Business Process Controls.
Monitor, Evaluate, and Assess: MEA01 Monitor, Evaluate, and Assess Performance and Conformance; MEA02 Monitor, Evaluate, and Assess the System of Internal Control; MEA03 Monitor, Evaluate, and Assess Compliance with External Requirements.

CHAPTER 7
CONTROL AND ACCOUNTING INFORMATION SYSTEMS
entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals. The basic principles behind ERM are as follows:
- Companies are formed to create value for their owners.
- Management must decide how much uncertainty it will accept as it creates value.
- Uncertainty results in risk, which is the possibility that something negatively affects the company's ability to create or preserve value.
- Uncertainty results in opportunity, which is the possibility that something positively affects the company's ability to create or preserve value.
- The ERM framework can manage uncertainty as well as create and preserve value.
COSO developed the ERM model shown in Figure 7-3 to illustrate the elements of ERM. The four columns at the top represent the objectives management must meet to achieve company goals. The columns on the right represent the company's units. The horizontal rows are the eight interrelated risk and control components of ERM. The ERM model is three-dimensional: each of the eight risk and control elements applies to each of the four objectives and to the company and/or one of its subunits. For example, XYZ Company could look at the control activities for the operations objectives in its Pacific Division.

TABLE 7-1 Five Components and 17 Principles of COSO's Internal Control Model

COMPONENT: Control environment
DESCRIPTION: This is the foundation for all other components of internal control. The core of any business is its people (their individual attributes, including integrity, discipline, ethical values, and competence) and the environment in which they operate. They are the engine that drives the organization and the foundation on which everything rests.
PRINCIPLES:
1. Commitment to integrity and ethics.
2. Internal control oversight by the board of directors, independent of management.
3. Structures, reporting lines, and appropriate responsibilities in the pursuit of objectives established by management and overseen by the board.
4. A commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. Holding individuals accountable for their internal control responsibilities in pursuit of objectives.

COMPONENT: Risk assessment
DESCRIPTION: The organization must identify, analyze, and manage its risks. Managing risk is a dynamic process. Management must consider changes in the external environment and within the business that may be obstacles to its objectives.
PRINCIPLES:
6. Specifying objectives clearly enough for risks to be identified and assessed.
7. Identifying and analyzing risks to determine how they should be managed.
8. Considering the potential of fraud.
9. Identifying and assessing changes that could significantly impact the system of internal control.

COMPONENT: Control activities
DESCRIPTION: Control policies and procedures help ensure that the actions identified by management to address risks and achieve the organization's objectives are effectively carried out. Control activities are performed at all levels and at various stages within the business process and over technology.
PRINCIPLES:
10. Selecting and developing controls that might help mitigate risks to an acceptable level.
11. Selecting and developing general control activities over technology.
12. Deploying control activities as specified in policies and relevant procedures.

COMPONENT: Information and communication
DESCRIPTION: Information and communication systems capture and exchange the information needed to conduct, manage, and control the organization's operations. Communication must occur internally and externally to provide the information needed to carry out day-to-day internal control activities. All personnel must understand their responsibilities.
PRINCIPLES:
13. Obtaining or generating relevant, high-quality information to support internal control.
14. Internally communicating information, including objectives and responsibilities, necessary to support the other components of internal control.
15. Communicating relevant internal control matters to external parties.

COMPONENT: Monitoring
DESCRIPTION: The entire process must be monitored, and modifications made as necessary so the system can change as conditions warrant. Evaluations ascertain whether each component of internal control is present and functioning. Deficiencies are communicated in a timely manner, with serious matters reported to senior management and the board.
PRINCIPLES:
16. Selecting, developing, and performing ongoing or separate evaluations of the components of internal control.
17. Evaluating and communicating deficiencies to those responsible for corrective action, including senior management and the board of directors, where appropriate.

PART II CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS
THE ENTERPRISE RISK MANAGEMENT FRAMEWORK VERSUS THE INTERNAL CONTROL FRAMEWORK
The IC framework has been widely adopted as the way to evaluate internal controls, as required by SOX. The more comprehensive ERM framework takes a risk-based rather than a controls-based approach. ERM adds three elements to COSO's IC framework: setting objectives, identifying events that may affect the company, and developing a response to assessed risk. As a result, controls are flexible and relevant because they are linked to current organizational objectives. The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.
Because it is more comprehensive, the text uses the ERM model to explain internal controls. If one understands the ERM model, it is easy to understand the IC model, as it is 5 of the 8 components of the ERM model. It is harder to go from understanding the IC model to understanding the ERM model, as the user may not be familiar with the three additional components. The eight ERM components shown in Figure 7-3 are the topic of the remainder of the chapter.
The Internal Environment
The internal environment, or company culture, influences how organizations establish strategies and objectives, structure business activities, and identify, assess, and respond to risk. It is the foundation for all other ERM components. A weak or deficient internal environment often results in breakdowns in risk management and control. It is essentially the same thing as the control environment in the IC framework.
An internal environment consists of the following: