Week 2: Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk Management Controls. Lab #2 Lab Report File: Risk Management – IS355. Sherry Best, Nicole Goodyear, January 23, 2018.

Describe the primary goal of the COBIT v4.1 framework. Define COBIT.

The purpose of COBIT is to provide management and business process owners with an information technology (IT) governance model that helps deliver value from IT while understanding and managing the risks associated with IT. COBIT also bridges the gaps between control requirements, business risk, and technical issues. It is a control model designed to meet the needs of IT governance and to ensure the integrity of information and information systems by establishing good practices for IT control within an organization.
The Internal Controls Used in Computerised Systems. As an auditor, whether internal or external, junior or senior, you will be exposed to computerised financial reporting when working with clients, and therefore a basic knowledge of computers is expected. We can, for example, look at the way in which businesses pay employees, creditors, etc. through EFTs (electronic funds transfers), meaning that understanding how this is controlled is important when auditing payroll and acquisition systems. One of the specific objectives of internal control is to achieve reliable reporting. This is also referred to as the production of information by the information system which is valid, accurate and complete, so that the risk of material misstatement in the financial statements is significantly
Introduction. After the fall of Enron and WorldCom, investors’ confidence and trust in the market was at an all-time low. In response, Congress passed the Sarbanes-Oxley Act to help regulate and provide guidance over internal controls and financial reporting. SOX included Section 404, which requires external auditors to assess a company’s internal controls and requires management to sign all financial statements. Internal controls are specific procedures and “measures adopted within an organization to safeguard assets, enhance the reliability of accounting records, increase efficiency of operations, and ensure compliance with laws and regulations” (Weygandt, Kimmel, & Kieso, 2013, p. 377). The system of internal controls consists of five components: a control environment, risk assessment, control activities, information and communication, and
The author cites relevant data indicating that auditors are part of the organization and play a role in strengthening internal control. Similarly, another study from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) reveals that internal auditors are responsible only for the effectiveness of the control system, and that effective communication across and up the organization is the key to stronger internal control (Committee of Sponsoring Organizations of the Treadway Commission (COSO), n.d.). Beyond that, the author interprets that segregation of duties can enhance internal control. In further support of this finding, data retrieved from the Public Company Accounting Oversight Board (PCAOB) on internal control explains that segregation of duties, in the sense of separating the authorization of transactions, record-keeping, custody of assets and supervision of operations, is key to strengthening internal control.
To guarantee adherence to laws, regulations, contracts and management directives; and 4. To maintain reliable financial and management data, and to present that data accurately in timely reports. The organization can most probably achieve its objectives and mission if it covers these four purposes in developing its internal control system, but failure to sufficiently address any one of them may put the organization at risk. Therefore, by establishing a sound internal control system, an organization can either prevent or reduce the
Integrity and ethical values are essential elements of the control environment, affecting the design, administration and monitoring of the other internal control system components.

2.6 Limitations of Internal Control

Internal control systems suffer from various inherent limitations that mean an internal control system is never infallible and can only provide reasonable assurance regarding the achievement of control objectives (Boynton, Johnson, and Kell, 2001). This is why a control system is not regarded as completely effective, or why its effectiveness is undermined:
- Susceptibility to organizational corruption, or collusion among employees themselves or in cooperation with external parties, so that a fraud can be perpetrated and concealed.
- Judgment mistakes due to inadequate information, time and resource constraints, or other administrative
The first step in the risk management process is to identify all major and minor loss exposures. This step involves a painstaking review of all potential losses. Important loss exposures include property, liability, business income, human resources, crime, employee benefit, foreign, and intangible property loss exposures, among others. A risk manager can use several sources of information to identify these loss exposures, including risk analysis questionnaires, physical inspections, flowcharts, financial statements and historical loss data.
• Identify the scope of the risk assessment
• Establish ties to earlier business impact analysis results
• Determine the level of detail to which you plan to conduct the risk assessment
• Identify internal and external sources
• Secure management approval

A well-run IT system that is well configured and managed tends to be more secure. Select team members who are trustworthy and who would not use their knowledge of the company’s systems for criminal behavior. Risk appetite is the extent to which the company is willing to take certain types of risks with the potential for higher gain or
These five associations are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). The organization is dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence. It developed a framework that serves as a guide to provide a common understanding of internal control among all parties and to assist management in exercising better control over an enterprise. COSO’s Internal Control – Integrated Framework helps management better control the organization and provides the board of directors with an added ability to oversee internal control. According to the Committee of Sponsoring Organizations, there are five elements of an organization’s internal control framework.