Business and Information Process Rules, Risks and Controls.



A risk is any exposure to the chance of injury or loss. You can’t have an opportunity without some risk, and with every risk there is some potential opportunity. Change creates opportunities. Work patterns change. Information technology has been one of the biggest enablers of change in recent years. Each new generation of faster and cheaper computers, new software and new telecommunications equipment provides opportunities to do things we previously had not even thought about. Change creates many new opportunities.

The opportunities an organization seeks are guided by its objectives. But with every opportunity there is some element of risk. We seek to manage these risks by a system of controls. The problem with controls is that implementation takes time and costs money. The key is identifying and controlling the most material risks in a manner such that the benefits of controlling the risk exceed the cost of the controls, while the efficiency of the organization is balanced with effectiveness.

[EXHIBIT 5-1 Materiality of Risk. Axes: likelihood of occurrence (low to high) and impact on achieving objectives (minor to catastrophic). Quadrants: low likelihood/high impact, low likelihood/low impact, high likelihood/high impact, high likelihood/low impact.]

- Strategic risks are risks associated with doing the wrong things.
- Decision risks are risks associated with making a bad decision.
- Operating risks are risks associated with doing the right things the wrong way.
- Financial risks are risks associated with the loss of financial resources or the creation of financial liabilities.
- Information risks are risks associated with information processing.

Internal controls encompass a set of rules, policies and procedures an organization implements to provide reasonable assurance that (1) its financial reports are reliable, (2) its operations are effective and efficient and (3) its activities comply with applicable laws and regulations.

[EXHIBIT 5-2 Relationship among Components, Objectives, and the Entity. Components: risk assessment, control activities, information and communications, control environment, monitoring. Objectives: financial reporting, operations, compliance. Entity: units, functions.]

The control environment sets the tone of the organization, which influences the control consciousness of its people. The control environment includes the following areas:
- Integrity and ethical behavior
- Commitment to competence
- Board of directors and audit committee participation
- Management philosophy and operating style
- Organization structure
- Assignment of authority and responsibility
- Human resource policies and practices

Risk assessment identifies and analyzes the relevant risks associated with the organization achieving its objectives. Some of the specific controls the auditor will investigate to minimize risks associated with company assets include

[EXHIBIT 5-3 Relevant Controls for Audit Review. The components, objectives and entity diagram of Exhibit 5-2, with the controls for safeguarding assets marked.]

Control activities

Control activities are the policies and procedures the organization uses to ensure that necessary actions are taken to minimize risks associated with achieving its objectives.

Control usage: prevent, detect, or correct. The purpose of each control is evident from its name:
- Preventive controls focus on preventing an error or irregularity.
- Detective controls focus on identifying when an error or irregularity has occurred.
- Corrective controls focus on recovering the damage from, or minimizing the cost of, an error or irregularity.

An error is an unintended mistake on the part of an employee, while an irregularity is an intentional effort to do something that is undesirable to the organization.

Other categories of controls that are very important include segregation of duties, physical controls, information processing controls and performance reviews. For example:
- Separation of duties: Separation of duties structures the work of people so the work of one person is checked by the next person as that person performs his/her assigned tasks.
- Physical controls: Physical controls include security over the assets themselves, limiting access to the assets to only authorized people, and periodically reconciling the quantities on hand with the quantities recorded in the organization's records.
- Information processing: Information processing controls are used to check the accuracy, completeness and authorization of transactions. The two broad groups are (1) general controls, which cover data center operations, system software acquisition and maintenance, access security, and application system development and maintenance, and (2) application controls, which apply to the processing of a specific application, like running a computer program to prepare employees' payroll checks each month.
- Performance reviews: Performance reviews are any reviews of an entity’s performance.

The information system consists of the methods and records used to record, maintain, and report the events of an entity, as well as to maintain accountability for the related assets, liabilities and equity. The information system should do each of the following:
- Identify and record all business events on a timely basis
- Describe each event in sufficient detail
- Measure the proper monetary value of each event
- Determine the time period in which events occurred
- Present properly the events and related disclosures in the financial statements

The communication aspect of this component deals with providing an understanding of individuals' roles and responsibilities pertaining to internal controls.

Monitoring is the process of assessing the quality of internal control performance over time.

Traditional accounting and auditing control philosophy has been based on the following concepts and practices:
- Extensive use of hard-copy documents
- Separation of duties and responsibilities so the work of one person checks the work of another person
- Accountants who view their role primarily as independent, reactive and detective
- Heavy reliance on a year-end review of financial statements and extensive use of long checklists of required controls
- Greater emphasis given to internal control than to operational efficiency
- Avoidance or tolerance toward advances in information technology

How can accountants and auditors enhance their ability to help an organization identify and control business and information process risk? We need to develop a control philosophy that effectively integrates IT into the process in such a way as to protect and enhance the organization simultaneously. Two rules to illustrate of focusing on specific control procedures rather than identifying risk for a specific business context.

IT provides value by:
- Helping the organization to be much more proactive in preventing, detecting, and correcting errors and irregularities
- Facilitating, rather than inhibiting, continual improvement in business and information processes

[EXHIBIT 5-4 Traditional “Noncomplex” System. Batch input, update process and batch output, with a master file on disk or tape. Hardcopy source documents provide the input; the update process provides a hardcopy of intermediate processes; the output files are usually used as inputs to other processes.]

EXHIBIT 5-5 “Complex” Information System

The following points summarize the changed philosophy:
- Hardcopy documents should largely be eliminated.
- Separation of duties continues to be a relevant concept, but IT can be used as a substitute for some of the functions normally assigned to a separate individual.
- Duplicate recording of business event data and reconciliations should be eliminated.
- Accountants should become consultants with a real-time, proactive control philosophy.
- Greater emphasis must be placed on implementing controls during the design and development of information systems and on more auditor involvement in verifying the accuracy of the systems themselves.
- Greater emphasis must be placed on enhancing organizational effectiveness, and internal controls must be adapted to remain strong.
- Information technology should be exploited to its fullest extent.

With a control philosophy based on the key control concepts identified in this chapter, the process for an internal control system is rather straightforward:
- Identify the organization's objectives, processes and risks, and determine risk materiality
- Select the internal control system, including rules, processes and procedures, to control material risks
- Develop, test and implement the internal control system
- Monitor and refine the system

Most of the risk associated with classifying and summarizing the event information, and the risk of duplicate data and frequent reconciliation, are avoided.

Operating Events Risk

Business event risk results in errors and irregularities having one or more of the following characteristics:
- A business event occurring at the wrong time or sequence
- A business event occurring without proper authorization
- A business event involving the wrong internal agent
- A business event involving the wrong external agent
- A business event involving the wrong resource
- A business event involving the wrong amount of resource
- A business event occurring at the wrong location

[EXHIBIT 5-6 Business and Information Processing Risk in an Event Driven System. When a business event occurs, business event risk covers: (1) What happens? (2) When? (3) Who is involved? (4) What resources are involved? (5) Where does it occur? Information processing risk covers: (1) recording event data, (2) maintaining resource, agent, and location data, (3) reporting useful information.]

Information Processing Risk

Risks relating to information processing include:
- Recording risk
- Maintaining risk
- Reporting risk

Guidelines with regard to the “new” fiduciary view of the profession:
- Policies and procedures need to be revisited in terms of practicality and relevance, and revised as necessary
- Controls should be built into processes as enablers and not imposed externally to the process as barriers
- Cost and cycle time should be given high priority when building the fiduciary control environment

Reference: Hollander, A. S., Denna, E. L., and Cherrington, J. O. Accounting, Information Technology, and Business Solutions. Irwin McGraw-Hill, New York, USA.