Accounting Chapter 7 Homework The Payroll Director The Los Angeles Dodgers Who Was Responsible For Both

Type: Homework Help
Pages: 9
Words: 3322
Authors: Marshall B. Romney, Paul J. Steinbart

Companies are reluctant to report computer
crimes and intrusions (a recent study showed
only 36 percent reporting intrusions) because a
highly visible fraud is a public relations
disaster.
Many law enforcement officials, lawyers, and
judges lack the computer skills needed to
investigate, prosecute, and evaluate computer
crimes.
External influences
Financial Accounting Standards Board (FASB)
Multiple Choice 5
What is the most important component of the ERM?
a. internal environment
Multiple Choice 6
Which of the following statements is FALSE?
a. An internal environment consists of an organizational
structure.
Learning Objective Four
Describe the four types of control objectives
that companies need to set.
Objective Setting
Objective setting is the second ERM component because it must
precede the other six components.
Top management, with board approval, needs to articulate why the
company exists and what it hopes to achieve.
Operations objectives, which are a product of management
preferences, judgments, and style, may vary significantly.
Operations objectives deal with the effectiveness and efficiency
of company operations, such as performance and profitability
goals and safeguarding assets.
Multiple Choice 7
What corporate objective is based on a company’s mission statement?
a. strategic objectives
b. operations objectives
Event Identification
COSO defines an event as an incident or occurrence emanating from
internal or external sources that affects implementation of
strategy or achievement of objectives.
A few of the events, or threats, that the company will face are:
2. Unauthorized system access
4. Loss of data integrity
6. System failures
7. Incompatible systems
Some of the more common techniques companies use to identify
events follow. One, two, or more of these techniques are used
together.
2. Perform an internal analysis.
4. Conduct workshops and interviews.
6. Analyze business processes.
Multiple Choice 8
The third ERM component is
a. objective setting
b. risk assessment
Risk Assessment and Risk Response
The fourth and fifth components of COSO’s ERM model are risk
assessment and risk response.
The risk that exists before management takes any steps to control
the likelihood or impact of a risk is inherent risk.
The risk that remains after management implements internal
controls, or some other response to risk, is residual risk.
The ERM model indicates that there are four ways to respond to
risk:
2. Accept. Accepts the likelihood and impact of the risk by
not acting to prevent or mitigate it.
3. Share. Share some of the risk or transfer it to someone
else. For example, buy insurance, outsource an activity,
or enter into hedging transactions.
Auditing definition of hedges: hedges protect an entity
against the risk of adverse price or interest-rate
movements on its assets, liabilities, or anticipated
transactions. A hedge avoids or reduces risk by
counterbalancing losses with gains on separate
positions.
There are three main types of hedges: fair value hedges,
cash flow hedges, and foreign currency hedges, which are
beyond the scope of this class.
Estimate Likelihood and Impact
Some events pose a greater risk because the probability of
their occurrence is more likely
Identify Controls
Management must identify one or more controls that will
protect the company from each event.
Estimate Costs and Benefits
No internal control system can provide foolproof protection
against all events, as the cost would be prohibitive.
Benefits can be hard to quantify, but include:
2. Reduced losses
4. Increased customer loyalty
6. Lower insurance premiums
Costs are usually easier to measure than benefits.
Primary cost is personnel, including:
1. Time to perform control procedures
Other costs of a poor control system include:
1. Lost sales
One way to estimate the value of internal controls involves
expected loss, the mathematical product of impact and
likelihood:
Expected loss = Impact x Likelihood
Determine Cost/Benefit Effectiveness
Total pay period payroll cost $10,000
The expected benefit of the validation procedure is $800 as
shown in Table 7-2 on page 195.
Implement Control or Avoid, Share, or Accept the Risk
When controls are cost-effective, they should be
implemented so that risk can be reduced.
Multiple Choice 9
The cost of conducting and compiling the end of the month inventory is
$20,000 and the risk of an inventory error is 12 percent without a
validation procedure and 2 percent with the validation procedures. The
expected total to retake and compile the inventory without a validation
Control Activities
The sixth component of COSO’s ERM model is control activities,
which are policies, procedures, and rules that provide reasonable
Generally, control procedures fall into one of the following
categories:
1. Proper authorization of transactions and activities
Learning Objective Seven
Describe control activities commonly used in
companies.
Management establishes policies for employees to follow
and then empowers employees to perform accordingly. This
empowerment, called authorization, is an important part
of an organization’s control procedures.
Employees who process transactions should verify the
presence of the appropriate authorization(s).
Certain activities or transactions may be of such
consequence that management grants specific
authorization for them to occur.
2. Segregation (separation) of duties [Figure 7-3 on page
197]
Authorization: approving transactions and decisions
If two of these three functions are the
responsibility of a single person, then problems can
arise.
For example:
The former city treasurer of Fairfax,
Virginia, was convicted of embezzling
$600,000 from the city treasury. When
real or fictitious property owner.
The payroll director of the Los Angeles
Dodgers, who was responsible for both
authorization and recording functions,
Collusion occurs when two or more people work
together to override the preventive aspect of the
internal control system.
3. Segregation of Systems Duties:
Systems administration. Systems administrators
are responsible for ensuring that the different
parts of an information system operate smoothly
and efficiently.
Change management. These individuals manage all
changes to an organization’s information system
to ensure they are made smoothly and
efficiently and to prevent errors and fraud.
Users. Users record transactions, authorize
data to be processed, and use system output.
programs.
Computer operations. Computer operators run the
software on the company’s computers. They
ensure that data are input properly and
correctly processed and needed output is
produced.
Project development and acquisition controls
1. Strategic master plan. To align an organization’s
2. Project controls. A project development plan shows how
a project will be completed, including the modules or
tasks to be performed and who will perform them, the
dates they should be completed, and project costs.
Project milestones: significant points when
3. Data processing schedule. To maximize the use of
4. Steering committee. A steering committee should be
5. System performance measurements. For a system to be
evaluated properly, it must be assessed using system
performance measurements.
6. Post-implementation review. After a development
project is completed, a post-implementation review
should be performed to determine if the anticipated
benefits were achieved.
Companies that use systems integrators should:
Develop clear specifications.
Monitor the systems integration project.
Change management controls
Change management is the process of making sure changes do not
Design and use of documents and records
The proper design and use of electronic and paper documents and
Safeguarding assets, records, and data
In addition to safeguarding cash and physical assets such as
inventory and equipment, a company needs to protect its
information.
Some of the computer-based controls that can be put into place to
safeguard assets include:
2. Maintain accurate records of all assets.
4. Protect records and documents.
Independent checks on performance
1. Top level reviews. Management at all levels should
monitor company results and periodically compare actual
2. Analytical reviews. An analytical review is an
3. Reconciliation of two independently maintained sets of
records.
5. Double-entry accounting: debits must equal credits.
6. Independent review. After one person processes a
transaction, a second person sometimes reviews the work
of the first.
Multiple Choice 10
Which of the following does not violate separation of duties?
a. Approving purchase orders and receiving items ordered
b. Approving payment to vendors and completing the monthly bank
Information and Communication
Accounting Information Systems has five primary objectives:
2. Properly classify transactions.
4. Record transactions in the proper accounting period.
5. Properly present transactions and related disclosures in
the financial statements.
Monitoring
Perform ERM Evaluations.
Implement Effective Supervision.
Use Responsibility Accounting.
Monitor System Activities.
There are software packages available to review computer
and network security measures, detect illegal entry into
systems, test for weaknesses and vulnerabilities, report
weaknesses found, and suggest improvements.
The Privacy Foundation estimated that one-third of all
American workers with access to computers are monitored,
and that number is expected to increase.
One way to help is to have written policies,
which employees agree to in writing, that indicate:
2. E-mails received on company computers are not
3. Employees should not use technology in any way
to contribute to a hostile work environment.
Perhaps some of you have also seen this happen; many
government activities and offices have taken the
computer games off their computers.
Track Purchased Software
The Business Software Alliance (BSA) is very aggressive in
tracking down and finding companies who violate software
license agreements.
Companies should periodically conduct software
audits.
Conduct Periodic Audits
One way to monitor risk and detect fraud and errors is to
conduct periodic external and internal audits, as well as
special network security audits.
Employ a Computer Security Officer and Computer Consultants
A computer security officer (CSO) is in charge of AIS security
and should be independent of the information system function and
report to the COO or CEO.
Engage Forensic Specialists
Forensic accountants specialize in fraud detection and
investigation. Forensic accounting is now one of the
fastest-growing areas of accounting due to the Sarbanes-
Oxley Act, new accounting rules such as SAS No. 99, and
Install Fraud Detection Software
People who commit fraud tend to follow certain patterns and
leave behind clues, such as things that do not make sense.
1. Hundreds of thousands of dollars in fraudulent claims
from a Los Angeles chiropractor. The software noticed
2. A Long Island doctor who submitted bills weekly for a
3. A podiatrist who saw four patients and then billed
ReliaStar for almost 500 separate procedures.
Other companies have neural networks (programs that mimic
the brain and have learning capabilities), which are quite
accurate in identifying suspected fraud.
Implement a Fraud Hot Line
The Sarbanes-Oxley Act mandates that companies set up
mechanisms for employees to report abuses such as fraud.
Answers to Multiple Choice Questions:
Multiple Choice Question Answers
Number   Answer   Number   Answer
1        B        6        D
2        C        7        A
3        B        8        D
4        D        9        A
5        A        10       D
