Risk Assessment
    Risk Assessment: Internal Perspective
    Risk Assessment: External Perspective
Control Strategies
    Fourfold Perspective of Controls Model
        Prediction, Prevention, Detection, Correction
Corporate Governance
Risk Assessment
Risk assessment is a critical step in building an effective internal control system that has the ability to manage undesirable events, primarily because it strategically focuses attention on the most likely trouble spots with the highest costs rather than on general protection. The IIA focuses on risk assessment in its internal auditor activities and standards.
Risk Assessment: Internal Perspective
An effective risk assessment must emphasize a good understanding of the internal risks.
Risk Assessment: External Perspective
An effective risk assessment must also emphasize a good understanding of the external risks, especially if the firm has a web server connected to its internal systems or has remote access to networks. If the company has remote access to its computer systems, it should be concerned about unauthorized access by users external to the organization. If the company has employed electronic commerce, there are a number of risks to consider.
While online, there is a risk that the data used in an e-commerce transaction might be stolen. The highest risk associated with the Internet is neither hackers nor crackers but viruses or worms. It is relatively easy to spread malicious code as attachments to e-mail. And while it is virtually impossible to activate a virus by simply opening an e-mail message, Microsoft complicated that by allowing the automatic opening of attachments in Outlook. Almost all widespread viruses depend on the features of Outlook (e.g., automatically opening attachments) and the address book on each computer.
There are several other problem areas or risks associated with e-mail.
Control Strategies
Effective control activities can help to mitigate the risks identified in the risk assessment.
Fourfold Perspective of Controls Model
Before developing management policies, management needs to have a general understanding of how to design effective internal controls.
Prediction
The first area, prediction, is the most difficult.
Prevention
Secondly, activities should be implemented where the objective is to prevent malicious activities. A better control is a firewall that has multiple layers: a combination of routers, filters, proxy servers, software, and so on, used to provide a shield that could be compared to an onion, with all its layers of skin. Preventive controls are also necessary in software applications to prevent errors in data.
Detection
It is much easier to develop controls for detection, the third perspective.
Correction
The last perspective, correction, is another fruitful source of controls.
Information Systems and Controls Model
A second model applies to controls in general: physical and computer.
Physical Controls
Physical controls involve controls of a manual nature. Transaction authorization needs physical controls (i.e., manual controls) to ensure all material transactions are processed by the accounting system with integrity and in compliance with management policies and objectives. Using certain management decision rules, recurring transactions become a programmed procedure, or operate under general authority. Other decisions of a nonroutine nature need specific authority.
Three good rules of thumb for developing segregation of duties controls are:
- Separate authorization of transactions from processing them
- Separate custody of assets from record keeping
- Create controls such that a successful fraud can only be perpetrated using collusion
The latter generally can be accomplished by separating the steps of the process between different individuals. Also, make sure segregation of duties extends beyond the typical area of basic accounting functions.
Some of the controls that illustrate proper segregation of duties in information systems are:
- Separate systems development from computer operations.
- Separate new systems development from maintenance, which also should increase the quality of documentation.
- Separate the database administrator (DBA) from other database and systems functions, computer operations, development and maintenance.
- Separate the data library function from computer operations, development and maintenance.
- Use of a data control group.
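The three accounting rules above and the information-systems separations in this list can be checked mechanically against who actually holds which duties, and the collusion rule can be tested by asking whether any single person holds every step of a transaction. The following Python is an added example, not part of the original presentation: the duty names, the incompatible-pair table, the purchase-to-pay step list and the sample roles and users are all constructed for illustration.

```python
"""Segregation-of-duties check over role assignments (constructed example)."""
from itertools import combinations

# Pairs of duties that must never sit with one person. The first two pairs
# are the accounting rules from the text; the rest are the information-systems
# separations (development/operations, development/maintenance, DBA, data library).
INCOMPATIBLE = {
    frozenset({"authorize_transaction", "process_transaction"}),
    frozenset({"asset_custody", "record_keeping"}),
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "systems_maintenance"}),
    frozenset({"dba", "systems_development"}),
    frozenset({"dba", "computer_operations"}),
    frozenset({"dba", "systems_maintenance"}),
    frozenset({"data_library", "computer_operations"}),
    frozenset({"data_library", "systems_development"}),
    frozenset({"data_library", "systems_maintenance"}),
}

# Hypothetical ordered steps of one transaction. The collusion rule says no
# single person may be able to run every step end to end.
PURCHASE_TO_PAY = ["authorize_transaction", "process_transaction",
                   "asset_custody", "record_keeping"]


def effective_duties(user_roles, role_duties):
    """Flatten role memberships into the set of duties each user really holds.
    Toxic combinations usually hide across several roles, not inside one."""
    return {user: {d for role in roles for d in role_duties.get(role, ())}
            for user, roles in user_roles.items()}


def direct_conflicts(assignments):
    """Return (user, duty_a, duty_b) for each incompatible pair one user holds."""
    found = []
    for user, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                found.append((user, a, b))
    return found


def single_actor_paths(assignments, steps):
    """Users who could perform every step in `steps` alone, i.e. no collusion needed."""
    return sorted(u for u, duties in assignments.items() if set(steps) <= set(duties))


# Constructed sample data: roles as an IAM system might define them, and users
# who have accumulated roles over time.
ROLE_DUTIES = {
    "ap_clerk": {"process_transaction", "record_keeping"},
    "ap_manager": {"authorize_transaction"},
    "warehouse": {"asset_custody"},
    "developer": {"systems_development"},
    "ops": {"computer_operations"},
    "dba": {"dba"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager", "ap_clerk", "warehouse"},  # holds the whole purchase path
    "carol": {"developer", "ops"},                   # development plus operations
    "dave": {"dba"},
}


def run_report():
    duties = effective_duties(USER_ROLES, ROLE_DUTIES)
    return {
        "direct": direct_conflicts(duties),
        "single_actor": single_actor_paths(duties, PURCHASE_TO_PAY),
    }


if __name__ == "__main__":
    for kind, hits in run_report().items():
        print(kind, hits)
```

The pair table only catches combinations it names; the path check is what enforces the third rule, and a user like alice, who processes and records but cannot authorize or take custody, passes both as the rules intend.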
Management also will assess the integrity of the computer system and data on an ongoing basis as a part of independent verification. Internal controls should also be implemented for independent verification of data. A classic control in this category is the comparison of physical assets with accounting records, but it also includes controls such as reviewing management reports.
- Requiring full off-line testing for new applications, hardware, or systems before activation online
- Requiring training on new applications before implementation
Major changes to existing software systems should generally follow the same set of controls. There should also be controls regarding computer operations. Access to programs and data is critical and needs controls, which have already been discussed.
Corporate Governance
A key control strategy is an effective corporate governance structure. This strategy begins with the internal auditor function and includes an effective audit committee and information technology governance.
Audit Committee
Another major control activity is an audit committee. But having an adequate audit committee is not the same as having an effective audit committee. Companies need an audit committee for several reasons. The organizational structure of the committee is also important. Leadership refers to the chair of the audit committee. Lastly, the audit committee needs to be proactive.
Information Technology Governance
Information technology governance is similar to corporate governance in its objectives and is a prime service of ISACA.
Logs and Auditability
The last control activities area is that of logs. The more an enterprise is dependent on systems, automation and computers, the more invisible audit trails tend to become. One effective control is the implementation of computer logs. If the entity is connected to the Internet, logs become even more important. Logs should be used to track data such as sites visited, files downloaded or uploaded, time spent on the Internet, etc.
Hacking tools found in download logs or on an employee's workstation might be an indication of an employee preparing to hack into the organization's systems.
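As an added example that is not part of the original presentation, the following Python reads proxy log lines of the kind the text describes and produces, per user, the sites visited, files downloaded and uploaded, and time spent, and flags downloads whose names match a watch-list of hacking tools. The log format, the sample lines and the tool watch-list are all constructed assumptions; a real deployment would use the proxy's own format and a maintained list.

```python
"""Summarize constructed proxy logs and flag hacking-tool downloads."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed format: <timestamp> <user> <method> <url> <status> <bytes> <elapsed_ms>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$"
)

# Hypothetical watch-list of tool names; matched against the URL path only.
TOOL_PATTERNS = [re.compile(p, re.I) for p in
                 (r"nmap", r"mimikatz", r"hashcat", r"john(the)?ripper", r"metasploit")]

# Extensions that count as a file download when served with HTTP 200.
DOWNLOAD_EXT = (".exe", ".zip", ".msi", ".tar.gz", ".7z", ".dll")

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = [
    "2024-03-04T09:12:01Z alice GET https://intranet.example.com/home 200 5120 180",
    "2024-03-04T09:15:44Z alice GET https://files.example.com/reports/q1.zip 200 904210 2300",
    "2024-03-04T10:02:13Z bob GET https://downloads.example.org/tools/mimikatz_trunk.zip 200 1150222 4100",
    "2024-03-04T10:03:00Z bob GET https://downloads.example.org/tools/nmap-7.94-setup.exe 200 28100000 9800",
    "2024-03-04T10:20:37Z bob POST https://paste.example.net/upload 201 2048 400",
    "2024-03-04T11:00:00Z carol GET https://intranet.example.com/home 403 0 20",
    "this line is not a log record",
]


def parse_line(line):
    """Parse one line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("status", "bytes", "ms"):
        rec[key] = int(rec[key])
    parsed = urlparse(rec["url"])
    rec["host"] = parsed.hostname or ""
    rec["path"] = parsed.path
    return rec


def summarize(lines):
    """Per-user activity summary plus a count of lines that failed to parse.
    Unparseable lines are counted, not silently dropped, because a log that
    stops matching its own format is itself worth an auditor's attention."""
    per_user = defaultdict(lambda: {"sites": set(), "downloads": [], "uploads": [],
                                    "ms": 0, "flagged": []})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        u = per_user[rec["user"]]
        u["sites"].add(rec["host"])
        u["ms"] += rec["ms"]
        if rec["method"] in ("POST", "PUT"):
            u["uploads"].append(rec["url"])
        elif rec["status"] == 200 and rec["path"].lower().endswith(DOWNLOAD_EXT):
            u["downloads"].append(rec["url"])
            if any(p.search(rec["path"]) for p in TOOL_PATTERNS):
                u["flagged"].append(rec["url"])
    return per_user, unparsed


def flagged_users(lines):
    """Users with at least one watch-listed download, sorted by name."""
    per_user, _ = summarize(lines)
    return sorted(user for user, s in per_user.items() if s["flagged"])


if __name__ == "__main__":
    report, bad = summarize(SAMPLE_LOG)
    for user, s in sorted(report.items()):
        print(user, sorted(s["sites"]), s["ms"], "ms", "flagged:", s["flagged"])
    print("unparsed lines:", bad, "users to review:", flagged_users(SAMPLE_LOG))
```

Elapsed time per request is only a proxy for "time spent on the Internet"; session reconstruction from timestamps gives a better figure but needs the same parsed records as a starting point.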
Segregation of Duties
Another primary objective of internal controls is the effective use of segregation of incompatible duties. Three rules to observe are to separate transaction authorization from transaction processing, asset custody from record keeping, and any series of transaction processing steps such that collusion of individuals would be necessary to commit fraud.
Investigation Procedures
Management must also consider what specific procedures should be employed to protect against internal threats. Key positions, including executives, may require a background search.
Investigation in Risk
- Risk of new policy
- Risk of implementing new policy
- Risk of impact to the business
The End