INTRODUCTION Why AIS threats are increasing


INTRODUCTION Why AIS threats are increasing Control risks have increased in the last few years because: There are computers and servers everywhere, and information is available to an unprecedented number of workers. Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems. Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.

INTRODUCTION Some vocabulary terms for this chapter: A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization. The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality. The likelihood is the probability that the threat will occur.

OVERVIEW OF CONTROL CONCEPTS Internal controls perform three important functions:
Preventive controls deter problems before they arise.
Detective controls discover problems quickly when they do arise.
Corrective controls remedy problems that have occurred by identifying the cause, correcting the resulting errors, and modifying the system to prevent future problems of this sort.

OVERVIEW OF CONTROL CONCEPTS Internal controls are often classified as:
General controls are designed to make sure an organization's control environment is stable and well managed. They apply to all sizes and types of systems. Example: security management controls.
Application controls prevent, detect, and correct transaction errors and fraud. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
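As an added illustration of what application controls look like in code (this is not from the slides or from any textbook), the Python below runs the four checks the slide names, completeness, accuracy, validity and authorization, as preventive controls over a constructed batch of journal entries, and then applies a batch control total as a detective control. The field names, chart of accounts, approval limits and the idea of a submitter-computed batch total are assumptions made for the example.

```python
"""Application controls over a batch of journal entries.

Added illustration: the field names, chart of accounts, approval limits and the
batch control total below are constructed assumptions, not any particular AIS.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Optional

# Assumed reference data for the validity and authorization checks.
CHART_OF_ACCOUNTS = {"1000": "Cash", "1200": "Accounts Receivable", "4000": "Sales"}
APPROVAL_LIMITS = {"clerk": Decimal("1000"), "controller": Decimal("100000")}
REQUIRED_FIELDS = ("id", "account", "amount", "approver", "approver_role")


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)  # entry id -> list of failed checks
    batch_total_ok: bool = True


def parse_amount(value) -> Optional[Decimal]:
    """Return the amount as a Decimal, or None if it is not numeric."""
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return None


def check_entry(entry: dict) -> list:
    """Preventive controls on one entry. Returns the failed checks; [] means it passes."""
    reasons = []
    # Completeness: every required field present and non-empty.
    missing = [name for name in REQUIRED_FIELDS if not entry.get(name)]
    if missing:
        return ["incomplete: missing " + ", ".join(missing)]
    # Accuracy: the amount must be numeric, non-zero, and carry at most two decimals.
    amount = parse_amount(entry["amount"])
    if amount is None:
        return ["inaccurate: amount is not numeric"]
    if amount == 0 or amount != amount.quantize(Decimal("0.01")):
        reasons.append("inaccurate: amount must be non-zero with at most 2 decimals")
    # Validity: the account must exist in the chart of accounts.
    if entry["account"] not in CHART_OF_ACCOUNTS:
        reasons.append("invalid: unknown account " + str(entry["account"]))
    # Authorization: the approver's role must carry a limit that covers the amount.
    limit = APPROVAL_LIMITS.get(entry["approver_role"])
    if limit is None or abs(amount) > limit:
        reasons.append("unauthorized: role %r cannot approve %s" % (entry["approver_role"], amount))
    return reasons


def process_batch(entries: list, declared_total) -> BatchResult:
    """Apply the preventive checks per entry, then a detective batch-total check.

    declared_total is the control total the submitter computed independently before
    sending the batch. If the amounts received do not sum to it, entries were lost or
    altered in transit, which the per-entry checks alone would never reveal; the
    batch is then held for corrective follow-up rather than posted.
    """
    result = BatchResult()
    for entry in entries:
        reasons = check_entry(entry)
        if reasons:
            result.rejected[entry.get("id") or "<no id>"] = reasons
        else:
            result.accepted.append(entry)
    received = Decimal(0)
    for entry in entries:
        amount = parse_amount(entry.get("amount"))
        if amount is not None:
            received += amount
    result.batch_total_ok = received == Decimal(str(declared_total))
    return result


# Constructed sample batch: one good entry, one unknown account, one entry the
# approver's role cannot authorize, and one with a missing amount.
SAMPLE_BATCH = [
    {"id": "JE-1", "account": "1000", "amount": "250.00", "approver": "ann", "approver_role": "clerk"},
    {"id": "JE-2", "account": "9999", "amount": "75.00", "approver": "ann", "approver_role": "clerk"},
    {"id": "JE-3", "account": "4000", "amount": "5000.00", "approver": "bob", "approver_role": "clerk"},
    {"id": "JE-4", "account": "1200", "amount": "", "approver": "ann", "approver_role": "clerk"},
]
SAMPLE_DECLARED_TOTAL = "5325.00"  # 250 + 75 + 5000; JE-4 carries no amount

if __name__ == "__main__":
    outcome = process_batch(SAMPLE_BATCH, SAMPLE_DECLARED_TOTAL)
    print("accepted:", [e["id"] for e in outcome.accepted])
    print("rejected:", outcome.rejected)
    print("batch total matches:", outcome.batch_total_ok)
```

The split between the two layers is the point: a per-entry check can only judge the entries it sees, so a dropped or duplicated entry passes every preventive control and is caught only by the detective comparison against a total computed outside the system.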

OVERVIEW OF CONTROL CONCEPTS An effective system of internal controls should exist in all organizations to: Help them achieve their missions and goals. Minimize surprises.

CONTROL FRAMEWORKS A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are: The COBIT framework The COSO internal control framework COSO’s Enterprise Risk Management framework (ERM)

CONTROL FRAMEWORKS COSO’s internal control framework The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of: The American Accounting Association The AICPA The Institute of Internal Auditors The Institute of Management Accountants The Financial Executives Institute

CONTROL FRAMEWORKS In 1992, COSO issued the Internal Control Integrated Framework: Defines internal controls. Provides guidance for evaluating and enhancing internal control systems. Widely accepted as the authority on internal controls. Incorporated into policies, rules, and regulations used to control business activities.

CONTROL FRAMEWORKS COSO's internal control model has five crucial components:
Control environment. The core of any business is its people. Their integrity, ethical values, and competence make up the foundation on which everything else rests.
Control activities. Policies and procedures must be established and executed to ensure that the actions identified by management as necessary to address risks are, in fact, carried out.
Risk assessment. The organization must be aware of and deal with the risks it faces. It must set objectives for its diverse activities and establish mechanisms to identify, analyze, and manage the related risks.
Information and communication. Information and communication systems surround the control activities. They enable the organization's people to capture and exchange the information needed to conduct, manage, and control its operations.
Monitoring. The entire process must be monitored and modified as necessary.

RISK ASSESSMENT AND RISK RESPONSE Companies should assess inherent risk, develop a response, and then assess residual risk. The ERM model indicates four ways to respond to risk:
Reduce it. The most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls.
Accept it. Don't act to prevent or mitigate it.
Share it. Transfer some of it to others via activities such as insurance, outsourcing, or hedging.
Avoid it. Don't engage in the activity that produces it. This may require the sale of a division, exiting a product line, or canceling an expansion plan.

RISK ASSESSMENT AND RISK RESPONSE Accountants: Help management design effective controls to reduce inherent risk. Evaluate internal control systems to ensure they are operating effectively. Assess and reduce inherent risk using the risk assessment and response strategy.

RISK ASSESSMENT AND RISK RESPONSE [Flowchart shown alongside the following slides: Identify the events or threats that confront the company -> Estimate the likelihood or probability of each event occurring -> Estimate the impact of potential loss from each threat -> Identify set of controls to guard against threat -> Estimate costs and benefits from instituting controls -> Is it cost-beneficial to protect the system? Yes: Reduce risk by implementing the set of controls to guard against the threat. No: Avoid, share, or accept the risk.] Event identification. The first step in the risk assessment and response strategy is event identification, which we have already discussed.

RISK ASSESSMENT AND RISK RESPONSE Estimate likelihood and impact. Some events pose more risk because they are more probable than others; some pose more risk because their dollar impact would be more significant. Likelihood and impact must be considered together: if either increases, the materiality of the event and the need to protect against it rise.

RISK ASSESSMENT AND RISK RESPONSE Identify controls. Management must identify one or more controls that will protect the company from each event. In evaluating the benefits of each control procedure, consider effectiveness and timing.

RISK ASSESSMENT AND RISK RESPONSE All other factors equal, a preventive control is better than a detective one. However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover. Consequently, the three complement each other, and a good internal control system should have all three. Similarly, a company should use all four levers of control.

RISK ASSESSMENT AND RISK RESPONSE Estimate costs and benefits. It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events. Also, some controls negatively affect operational efficiency, and too many controls can make a system very inefficient.

RISK ASSESSMENT AND RISK RESPONSE The benefits of an internal control procedure must exceed its costs. Benefits can be hard to quantify, but include: increased sales and productivity; reduced losses; better integration with customers and suppliers; increased customer loyalty; competitive advantages; lower insurance premiums.

RISK ASSESSMENT AND RISK RESPONSE Costs are usually easier to measure than benefits. The primary cost is personnel, including: time to perform control procedures; the cost of hiring additional employees to effectively segregate duties; the cost of programming controls into a system.

RISK ASSESSMENT AND RISK RESPONSE Other costs of a poor control system include: lost sales; lower productivity; a drop in stock price if security problems arise; shareholder or regulator lawsuits; fines and penalties imposed by governmental agencies.

RISK ASSESSMENT AND RISK RESPONSE The expected loss related to a risk is measured as: Expected loss = impact x likelihood. The value of a control procedure is the difference between the expected loss without the control procedure and the expected loss with it.

RISK ASSESSMENT AND RISK RESPONSE Determine cost-benefit effectiveness. After estimating benefits and costs, management determines whether the control is cost-beneficial, i.e., whether the cost of implementing the control procedure is less than the reduction in expected loss attributable to it.

RISK ASSESSMENT AND RISK RESPONSE In evaluating costs and benefits, management must consider factors other than those in the expected benefit calculation. If an event threatens an organization's existence, it may be worthwhile to institute controls even if costs exceed expected benefits. The additional cost can be viewed as a catastrophic loss insurance premium.

RISK ASSESSMENT AND RISK RESPONSE Let's go through an example: Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft. A catastrophic theft could result in losses of $800,000. Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%. Companies with motion detectors have only about a 0.5% probability of catastrophic theft. The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000. Should Hobby Hole install the motion detectors?

RISK ASSESSMENT AND RISK RESPONSE Expected loss without control procedure = $800,000 x 0.12 = $96,000. Expected loss with control procedure = $800,000 x 0.005 = $4,000. Estimated value of control procedure = $96,000 - $4,000 = $92,000. Estimated cost of control procedure = $43,000 (given). Benefits exceed costs by $92,000 - $43,000 = $49,000. In this case, Hobby Hole should probably install the motion detectors.

RISK ASSESSMENT AND RISK RESPONSE Implement the control or avoid, share, or accept the risk. When controls are cost effective, they should be implemented so risk can be reduced.

RISK ASSESSMENT AND RISK RESPONSE Risks that are not reduced must be accepted, shared, or avoided. If the risk is within the company's risk tolerance, the company will typically accept it. A reduce or share response is used to bring residual risk into an acceptable risk tolerance range. An avoid response is typically used only when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
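The Hobby Hole arithmetic, the catastrophic-loss caveat and the accept/share/avoid decision above are steps of one procedure, so here is an added example (not from the slides or the textbook) that carries the whole procedure through in Python and generalises it to a portfolio of threats. It reproduces the slide's Hobby Hole numbers as one threat; every other threat, dollar figure, the risk tolerance and the "share option" structure are constructed assumptions. The decision rule follows the slides: reduce when the control's value exceeds its cost; keep a control for an existence-threatening event even when it is not cost-beneficial; otherwise accept within tolerance, share if a transfer brings residual risk within tolerance, and avoid as a last resort.

```python
"""Risk assessment and response over a portfolio of threats.

Added example generalising the Hobby Hole slide. HOBBY_HOLE reproduces the
slide's figures; all other threats, amounts and the tolerance are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                 # present value of implementing and operating the control
    residual_likelihood: float  # probability of the event once the control is in place


@dataclass(frozen=True)
class ShareOption:
    name: str
    cost: float             # e.g. an insurance premium (assumed structure)
    retained_impact: float  # loss the company still bears if the event occurs (deductible)


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float       # dollar loss if the event occurs
    likelihood: float   # probability of the event with no control in place
    control: Optional[Control] = None
    share: Optional[ShareOption] = None
    threatens_existence: bool = False


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood, the slides' formula."""
    return impact * likelihood


def control_value(threat: Threat) -> float:
    """Value of a control = expected loss without it minus expected loss with it."""
    without = expected_loss(threat.impact, threat.likelihood)
    with_control = expected_loss(threat.impact, threat.control.residual_likelihood)
    return without - with_control


def choose_response(threat: Threat, risk_tolerance: float) -> dict:
    """Pick the ERM response (reduce / accept / share / avoid) and return the figures behind it.

    risk_tolerance is the largest residual expected loss per threat the company will carry
    (an assumed way of expressing the slides' "risk tolerance range")."""
    inherent = expected_loss(threat.impact, threat.likelihood)
    if threat.control is not None:
        value = control_value(threat)
        net = value - threat.control.cost
        residual = inherent - value
        if net > 0:
            return {"response": "reduce", "control": threat.control.name,
                    "net_benefit": net, "residual_expected_loss": residual}
        if threat.threatens_existence:
            # Not cost-beneficial, but the slides treat this cost as a catastrophic-loss insurance premium.
            return {"response": "reduce", "control": threat.control.name,
                    "net_benefit": net, "residual_expected_loss": residual,
                    "note": "kept despite negative net benefit: event threatens existence"}
    if inherent <= risk_tolerance:
        return {"response": "accept", "residual_expected_loss": inherent}
    if threat.share is not None:
        retained = expected_loss(threat.share.retained_impact, threat.likelihood)
        if retained <= risk_tolerance:  # transfer brings residual risk into the tolerance range
            return {"response": "share", "via": threat.share.name,
                    "residual_expected_loss": retained, "cost": threat.share.cost}
    return {"response": "avoid", "residual_expected_loss": inherent}


def assess_portfolio(threats: list, risk_tolerance: float) -> dict:
    """Map each threat name to its chosen response."""
    return {t.name: choose_response(t, risk_tolerance) for t in threats}


# The slide's example: $800,000 loss, 12% likelihood, 0.5% with motion detectors, $43,000 cost.
HOBBY_HOLE = Threat("catastrophic warehouse theft", impact=800_000, likelihood=0.12,
                    control=Control("motion detectors", cost=43_000, residual_likelihood=0.005))

# Constructed threats chosen so that each of the four responses occurs once.
SAMPLE_THREATS = [
    HOBBY_HOLE,
    Threat("petty cash shortage", impact=2_000, likelihood=0.30,
           control=Control("dual custody of cash box", cost=5_000, residual_likelihood=0.05)),
    Threat("ransomware destroys ledgers and backups", impact=5_000_000, likelihood=0.01,
           control=Control("offline immutable backups", cost=60_000, residual_likelihood=0.001),
           threatens_existence=True),
    Threat("fire in leased office", impact=1_500_000, likelihood=0.02,
           share=ShareOption("property insurance", cost=12_000, retained_impact=50_000)),
    Threat("unlicensed export of controlled goods", impact=3_000_000, likelihood=0.05),
]
SAMPLE_RISK_TOLERANCE = 25_000  # assumed: carry at most $25,000 expected loss per threat

if __name__ == "__main__":
    for name, decision in assess_portfolio(SAMPLE_THREATS, SAMPLE_RISK_TOLERANCE).items():
        print(f"{name}: {decision}")
```

For Hobby Hole the block returns a reduce decision with a net benefit of $49,000, matching the slide. The petty cash control costs more than it saves and the exposure sits inside tolerance, so it is accepted; the ransomware control is also not cost-beneficial, but the existence flag keeps it; the fire risk has no control but insurance brings the retained exposure within tolerance, so it is shared; the export risk has neither, so it is avoided.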