Errors, Fraud, Risk Management, and Internal Controls


1 Errors, Fraud, Risk Management, and Internal Controls

2 The Risk Management Puzzle
Pieces of the puzzle:
- Individual
- Risk Management
- Accounting Information Systems Controls
- Assets & Fraud Types
- Controls

3 Individuals
- Errors
- Fraud

4 Errors
Errors may be the result of many factors:
- Distractions – concurrent tasks, work environment, personal situations
- Complexity – it's easier to complete a simple task than a hard one
- Limitations – fatigue, cognitive limitations, etc.

5 Fraud
- Rationalization
- Opportunity
- Need

6 The Fraud Triangle
- Pressure – what causes a person to commit fraud
- Opportunity – the ability to commit fraud
- Rationalization – talking oneself into committing the fraud even though it may go against his/her own values

7 Assets and Fraud Types

8 Assets
Processes, Cash, People, Software, Hardware, Inventory, Data, Facilities

9 Fraud Types
Internal vs. external, on-book vs. off-book
- Cash
- Inventory
- Data
Fraud types: misrepresentation of material facts, failure to disclose material facts, embezzlement, larceny, bribery, illegal gratuity

10 Risk Management and Controls
Pieces of the puzzle: Individual, Accounting Information Systems Controls, Assets & Fraud Types, Controls

11 Risk Management and Controls
- Risk control strategies and goals
- Risk management process: asset identification, risk assessment, IT controls specification, documentation

12 Risk Control Strategies
- Avoidance – removing the risk through policy, training and education, or technology
- Transference – shifting the risk to other assets, processes, or organizations (insurance, outsourcing, etc.)
- Mitigation – reducing the impact through planning and preparation
- Acceptance – doing nothing if the cost of protection does not justify the expense of the control

13 Information System Goals – CIA Triangle
- Confidentiality
- Integrity
- Availability

14 CIA Triangle
- Confidentiality – ensuring that information is accessible only by those who are properly authorized
- Integrity – ensuring that data has not been modified without authorization
- Availability – ensuring that systems are operational when needed for use

15 Application Control Goals
- Input validity – input data are approved and represent actual economic events and objects
- Input completeness – requires that all valid events or objects be captured and entered into the system
- Input accuracy – requires that events be correctly captured and entered into the system
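The three input control goals above can be expressed as concrete checks on a transaction record. The following Python is an added example, not code from the slides or the textbook: the approved-vendor list, open GL accounts, required field names, reasonableness limit and the sample invoices are all constructed for illustration. Validity is checked against master data, completeness at both the record level (required fields) and the batch level (control totals), and accuracy by format, sign, precision and date checks.

```python
"""Application input controls: validity, completeness and accuracy checks.

Added example, not part of the slides. The approved-vendor list, GL account
list, field names, limit and sample transactions are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed master data: a vendor or account is "valid" only if it is approved/open.
APPROVED_VENDORS = {"V1001", "V1002", "V1003"}
OPEN_GL_ACCOUNTS = {"5000", "5100", "6200"}
REQUIRED_FIELDS = ("vendor_id", "gl_account", "amount", "invoice_date", "approver")
REASONABLENESS_LIMIT = Decimal("100000")  # constructed upper bound for one invoice


@dataclass
class ControlResult:
    """Exceptions found, grouped by the control goal they relate to."""
    validity: list = field(default_factory=list)
    completeness: list = field(default_factory=list)
    accuracy: list = field(default_factory=list)

    def passed(self) -> bool:
        return not (self.validity or self.completeness or self.accuracy)


def _present(tx: dict, name: str) -> bool:
    return tx.get(name) not in (None, "")


def check_transaction(tx: dict, today: date = date(2024, 3, 15)) -> ControlResult:
    """Apply the three input control goals to one invoice record."""
    r = ControlResult()

    # Completeness (record level): every required field must be captured.
    for name in REQUIRED_FIELDS:
        if not _present(tx, name):
            r.completeness.append(f"missing {name}")

    # Validity: values must refer to approved master data, i.e. a real, authorised event.
    if _present(tx, "vendor_id") and tx["vendor_id"] not in APPROVED_VENDORS:
        r.validity.append(f"vendor {tx['vendor_id']} not on approved list")
    if _present(tx, "gl_account") and tx["gl_account"] not in OPEN_GL_ACCOUNTS:
        r.validity.append(f"GL account {tx['gl_account']} is not open")

    # Accuracy: format, sign, precision and reasonableness of what was captured.
    if _present(tx, "amount"):
        try:
            amount = Decimal(str(tx["amount"]))
            if amount <= 0:
                r.accuracy.append("amount must be positive")
            elif amount.as_tuple().exponent < -2:
                r.accuracy.append("amount has more than two decimal places")
            elif amount > REASONABLENESS_LIMIT:
                r.accuracy.append("amount exceeds reasonableness limit")
        except InvalidOperation:
            r.accuracy.append("amount is not numeric")
    if _present(tx, "invoice_date"):
        try:
            if date.fromisoformat(tx["invoice_date"]) > today:
                r.accuracy.append("invoice date is in the future")
        except ValueError:
            r.accuracy.append("invoice date is not in YYYY-MM-DD form")
    return r


def batch_control_totals(records: list, expected_count: int, expected_total: str) -> dict:
    """Completeness (batch level): the record count and the sum of amounts must
    equal the control totals taken when the batch was prepared at the source."""
    count = len(records)
    total = sum((Decimal(str(rec["amount"])) for rec in records), Decimal("0"))
    return {
        "count": count,
        "total": total,
        "count_ok": count == expected_count,
        "total_ok": total == Decimal(expected_total),
    }


if __name__ == "__main__":
    good = {"vendor_id": "V1001", "gl_account": "5000", "amount": "1250.00",
            "invoice_date": "2024-03-01", "approver": "jdoe"}
    bad = {"vendor_id": "V9999", "gl_account": "5000", "amount": "-5",
           "invoice_date": "2025-01-01"}
    print(check_transaction(good))
    print(check_transaction(bad))
    print(batch_control_totals([good, {"amount": "300.50"}], 2, "1550.50"))
```

The exceptions are kept separate per goal because each goal has a different owner and remedy: a completeness failure is typically a missing source document, a validity failure is an unapproved party or account, and an accuracy failure is a keying or format error that a clerk can re-enter (the corrective control described on slide 24).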

16 The Risk Management Process
- Identify IT assets
- Assess IT risks
- Identify IT controls
- Document IT controls
- Monitor

17 Risk Management – Asset Identification
Processes, People, Hardware, Software, Cash, Inventory, Data, Facilities

18 Assets Valuation – What do we stand to lose?
Assets: People, Data, Hardware, Software, Facilities, (Procedures)
Valuation methods:
- Criticality to the organization's success
- Revenue generated
- Profitability
- Cost to replace
- Cost to protect
- Embarrassment/Liability

19 Assess – AIS Threat Examples
- Fraud
- Computer crimes
- Nonconformity with agreements & contracts between the organization & third parties
- Violations of intellectual property rights
- Noncompliance with other regulations & laws
Computerized transaction systems increase some risks and decrease others.

20 Assess IT Risks
(figure) Copyright 2007 John Wiley & Sons, Inc

21 Risk Assessment
Risk assessment is the process of making a network more secure by comparing each security threat with the control designed to reduce it (where are controls needed?).
- Cost Benefit Assessment – which controls are appropriate based on the cost/reward tradeoff?
- Vulnerability Assessment – how effective are the controls? Are they working properly?

22 Threats Continued
- Destruction – loss of data
- Disruption – loss of service
- Disaster – physical damage due to the environment
- Intrusion – human acts

23 Controls
Pieces of the puzzle: Risk Management Controls, Individual Controls, Accounting Information Systems Controls, Assets & Fraud Types Controls

24 Classification of Controls
- Preventive controls: the issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
- Detective controls: the issue is discovered – an unauthorized disbursement is discovered during reconciliation
- Corrective controls: the issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data

25 Classification of Controls
- Administrative – policies, procedures, standards, and guidelines
- Logical/Technical – monitoring and access control via IT
- Physical – control of physical access to computing equipment

26 Classification of Controls
COSO identifies two groups of IT controls:
- Application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
- General controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

27 IT Governance
- …the process for controlling an organization's IT resources, including information and communication systems, and technology.
- …using IT to promote an organization's objectives and enable business processes, and to manage and control IT-related risks.
- IT auditors ensure IT governance by assessing risks and monitoring controls over those risks.

28 Segregation of Duties
- Transaction authorization is separate from transaction processing.
- Asset custody is separate from record-keeping responsibilities.
- The tasks needed to process the transactions are subdivided so that fraud requires collusion.
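Segregation of duties can be enforced as a preventive control (at the moment roles are assigned) and verified as a detective control (over the record of who actually did what). The Python below is an added example and is not from the slides: the duty names, the user-to-role table and the transaction log lines are constructed. The two conflicting pairs come straight from the slide, and the log check deliberately catches a case (dave) that the role table would have passed, which is why both checks are worth running.

```python
"""Segregation-of-duties (SoD) checks over role assignments and a transaction log.

Added example, not from the slides. Users, duties and log lines are constructed.
"""
from collections import defaultdict

# Duty pairs that the slide says must be held by different people.
CONFLICTING_DUTIES = (
    frozenset({"authorize", "process"}),   # authorization vs. transaction processing
    frozenset({"custody", "record"}),      # asset custody vs. record-keeping
)

# Constructed role assignments: preventive check at provisioning time.
ROLE_ASSIGNMENTS = {
    "alice": {"authorize"},
    "bob": {"process", "record"},        # not a conflicting pair
    "carol": {"authorize", "process"},   # conflicting assignment
    "dave": {"custody"},                 # looks fine on paper
}

# Constructed event log: detective check after the fact.
# Format: <timestamp> <user> <duty> <transaction id>
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice authorize TX-100
2024-03-01T09:05:00 bob process TX-100
2024-03-01T10:00:00 carol authorize TX-101
2024-03-01T10:02:00 carol process TX-101
2024-03-01T11:00:00 dave custody TX-102
2024-03-01T11:30:00 dave record TX-102
2024-03-01T12:00:00 erin custody TX-103
2024-03-01T12:10:00 frank record TX-103
"""


def find_role_conflicts(assignments):
    """Users provisioned with both halves of a conflicting duty pair."""
    found = []
    for user, duties in sorted(assignments.items()):
        for pair in CONFLICTING_DUTIES:
            if pair <= duties:
                found.append((user, tuple(sorted(pair))))
    return found


def parse_log(text):
    """Parse the constructed space-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, duty, tx = line.split()
        events.append({"ts": ts, "user": user, "duty": duty, "tx": tx})
    return events


def find_transaction_conflicts(events):
    """Transactions in which one person performed two conflicting duties,
    i.e. the control was bypassed without any need for collusion."""
    duties_by_tx_user = defaultdict(set)
    for e in events:
        duties_by_tx_user[(e["tx"], e["user"])].add(e["duty"])
    conflicts = []
    for (tx, user), duties in sorted(duties_by_tx_user.items()):
        for pair in CONFLICTING_DUTIES:
            if pair <= duties:
                conflicts.append((tx, user, tuple(sorted(pair))))
    return conflicts


if __name__ == "__main__":
    for user, pair in find_role_conflicts(ROLE_ASSIGNMENTS):
        print(f"role conflict: {user} holds {pair[0]} and {pair[1]}")
    for tx, user, pair in find_transaction_conflicts(parse_log(SAMPLE_LOG)):
        print(f"{tx}: {user} performed both {pair[0]} and {pair[1]}")
```

The role check answers "could this person bypass the control?" and the log check answers "did anyone actually do so?"; in practice the second also surfaces shared or borrowed accounts, which the first cannot see.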

29 Other Controls
- Supervision – harder to commit fraud under a watchful eye
- Mandatory leave – harder to commit fraud without constant attention to its details
- Policy – appropriate use, disclosure of beneficial interests, etc.

30 Documenting IT Controls
- Internal control narratives
- Flowcharts – internal control flowchart
- IC questionnaires

31 Risk Assessment
One way to do this is by developing a control spreadsheet:
- Network assets are listed down the side.
- Threats are listed across the top of the spreadsheet.
- The cells of the spreadsheet list the controls that are currently in use to address each threat.

32 Valuation of Asset
Assets: People, Data, Hardware, Software, Facilities, (Procedures)
Valuation methods:
- Criticality to the organization's success
- Revenue generated
- Profitability
- Cost to replace
- Cost to protect
- Embarrassment/Liability

33 Sample Control Spreadsheet
(figure) Copyright 2007 John Wiley & Sons, Inc
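The control spreadsheet of slides 31 to 33 is a small matrix, and the valuation step of slide 32 supplies the ordering for its empty cells. The Python below is an added example, not the textbook's sample spreadsheet: the assets, their criticality scores, and the controls in each cell are constructed; the threat columns are the four categories from slide 22. It builds the matrix, renders it, and lists the asset/threat cells that have no control, most critical asset first, which is the "where are controls needed?" question from slide 21.

```python
"""Control spreadsheet: assets down the side, threats across the top,
controls in the cells, and a gap list ordered by asset criticality.

Added example, not the deck's own spreadsheet. Assets, criticality scores
and controls are constructed for illustration.
"""

# Constructed asset list with a criticality score (1 = low, 5 = high).
ASSETS = {"Data": 5, "People": 4, "Hardware": 3, "Software": 3}

# Threat categories from slide 22.
THREATS = ("Destruction", "Disruption", "Disaster", "Intrusion")

# Constructed controls currently in use, keyed by (asset, threat).
CONTROLS = {
    ("Data", "Destruction"): ["nightly backup", "off-site copy"],
    ("Data", "Intrusion"): ["access control lists", "audit logging"],
    ("Hardware", "Disruption"): ["UPS"],
    ("Hardware", "Disaster"): ["alternate site"],
    ("Software", "Intrusion"): ["patch management"],
    ("People", "Intrusion"): ["security awareness training"],
}


def build_spreadsheet(assets, threats, controls):
    """Return {asset: {threat: [controls]}} with every cell present, empty or not."""
    return {a: {t: list(controls.get((a, t), [])) for t in threats} for a in assets}


def find_gaps(assets, threats, controls):
    """(asset, threat) cells with no control, highest-criticality asset first;
    ties broken by asset name, then threat name."""
    gaps = [(a, t) for a in assets for t in threats if not controls.get((a, t))]
    return sorted(gaps, key=lambda g: (-assets[g[0]], g[0], g[1]))


def render(sheet, assets, threats):
    """Plain-text rendering of the spreadsheet; '-' marks an empty cell."""
    lines = ["Asset (crit) | " + " | ".join(threats)]
    for a, row in sheet.items():
        cells = ["; ".join(row[t]) or "-" for t in threats]
        lines.append(f"{a} ({assets[a]}) | " + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    sheet = build_spreadsheet(ASSETS, THREATS, CONTROLS)
    print(render(sheet, ASSETS, THREATS))
    for asset, threat in find_gaps(ASSETS, THREATS, CONTROLS):
        print(f"gap: {asset} has no control against {threat}")
```

An empty cell is not automatically a problem: under the strategies of slide 12 it may be an accepted or transferred risk. Recording that decision in the cell (e.g. "accepted" or "insured") keeps the spreadsheet from flagging it again on the next review, and makes the cost/benefit judgement visible to the auditor.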

