Chapter 3 - Risk Management and Internal Controls - Student (.docx)

School: University of Alabama
Course: 389
Subject: Information Systems
Date: Apr 3, 2024
Pages: 5
Uploaded by MasterSnailMaster1057

Ch 3 – Risk Management and Internal Controls

LO 1: Distinguish among the three functions of internal controls.

1. How do internal controls mitigate risk?
   a. Internal control is a process that specifically mitigates risks to the company's financial information.
   b. An adequate process creates assurance that
      i.   accounting information is reliable, complete, and valid;
      ii.  operations are effective and efficient; and
      iii. the business is complying with laws and regulations.
   c. Proper controls can:
      i.   create quality information;
      ii.  lessen the risk of financial statement misstatements and identify financial issues;
      iii. prevent fraud and safeguard assets from theft and waste;
      iv.  increase operating efficiency and measure business objectives and goals;
      v.   ensure compliance with applicable laws and regulations;
      vi.  provide investors with reassurance.
   d. Different functions of internal controls
      i.   Controls, or control activities, are the mechanisms (rules, policies, and procedures) that make up the process.
      ii.  They provide reasonable assurance, which means not absolute mitigation but enough mitigation to give the company confidence that its risk is at an acceptable level.
      iii. The function of a control is to do one of the following:
           1. Prevent problems from happening.
              a. Segregation of duties (also called separation of duties) lessens the risk of error and fraud by ensuring that different employees are responsible for the separate parts of a business activity.
           2. Detect: alert management to an issue like fraud risk, quality control, or legal compliance once it has occurred.
           3. Correct: change undesirable outcomes; corrective controls occur after the potential outcome of a risk has become a reality.

      P, D, or C    Control
      Preventive    Firewall blocking access to an organization's computer network
      Corrective    Filing a police report
      Detective     Physical inventory counts
      Preventive    Policy and procedure documentation (most common)
      Corrective    Insurance
      Detective     Reconciliations
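The notes describe segregation of duties as a preventive control and, later, a "systems-level separation of duties" as the fully automated form of it. The following is an added example (not from the course notes or any textbook) of what that looks like in code: a small accounts-payable workflow in which the approver of an invoice must be a different user from the person who entered it, plus a detective reconciliation that compares vendor payee accounts to employee payroll accounts. The invoice fields, user names, account numbers and log format are all constructed for the demo.

```python
"""Automated separation of duties in an accounts-payable approval flow.

Added example, not from the course notes. Assumes a simplified workflow:
one user enters an invoice, a different user must approve it. The preventive
control is enforced in code; a detective reconciliation then flags approved
invoices whose payee bank account belongs to an employee, because an
enter/approve split alone cannot stop two employees colluding.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


@dataclass
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    entered_by: str
    approved_by: Optional[str] = None


@dataclass
class APSystem:
    # employee -> payroll bank account, vendor -> payee bank account (constructed data)
    employee_accounts: Dict[str, str]
    vendor_accounts: Dict[str, str]
    invoices: Dict[str, Invoice] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def enter_invoice(self, invoice_id: str, vendor: str, amount: float, user: str) -> Invoice:
        inv = Invoice(invoice_id, vendor, amount, entered_by=user)
        self.invoices[invoice_id] = inv
        self.audit_log.append(f"ENTER {invoice_id} by {user}")
        return inv

    def approve_invoice(self, invoice_id: str, user: str) -> Invoice:
        inv = self.invoices[invoice_id]
        # Preventive control: systems-level separation of duties. The check is
        # made by the system, not by a reviewer, so it cannot be skipped.
        if user == inv.entered_by:
            self.audit_log.append(f"DENY approve {invoice_id} by {user}: same user entered it")
            raise ControlViolation("approver must differ from the employee who entered the invoice")
        inv.approved_by = user
        self.audit_log.append(f"APPROVE {invoice_id} by {user}")
        return inv

    def payee_matches_employee(self) -> List[Tuple[str, str]]:
        """Detective control: approved invoices paid into an employee's bank account."""
        account_to_employee = {acct: emp for emp, acct in self.employee_accounts.items()}
        flagged = []
        for inv in self.invoices.values():
            if inv.approved_by is None:
                continue
            acct = self.vendor_accounts.get(inv.vendor)
            if acct in account_to_employee:
                flagged.append((inv.invoice_id, account_to_employee[acct]))
        return flagged


def demo():
    """Run the two controls over constructed sample data."""
    ap = APSystem(
        employee_accounts={"alice": "ACCT-1001", "bob": "ACCT-1002"},
        # "Shell Co" is a fictitious vendor whose payee account is bob's payroll account
        vendor_accounts={"Acme Supply": "ACCT-9001", "Shell Co": "ACCT-1002"},
    )
    ap.enter_invoice("INV-1", "Acme Supply", 500.0, user="alice")
    blocked = False
    try:
        ap.approve_invoice("INV-1", user="alice")   # same user: preventive control denies it
    except ControlViolation:
        blocked = True
    ap.approve_invoice("INV-1", user="bob")         # different user: allowed
    # Collusion scenario from the notes: alice enters, bob approves, payee is bob's account.
    ap.enter_invoice("INV-2", "Shell Co", 2500.0, user="alice")
    ap.approve_invoice("INV-2", user="bob")
    return blocked, ap.payee_matches_employee(), ap.audit_log


if __name__ == "__main__":
    blocked, flagged, log = demo()
    print("self-approval blocked:", blocked)
    print("flagged for review:", flagged)
    print("\n".join(log))
```

The preventive check returns a denial and writes to the audit log, which is what makes it a control rather than just a validation; the detective reconciliation is a separate, periodic control that reviews what the preventive control necessarily lets through.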
2. Control weaknesses
   a. Management override of controls occurs when internal control activities don't work because management is not following policy or procedures (the Achilles' heel of fraud prevention).
   b. Collusion: two or more people working together to override the controls.
      i.  What if a control requires one employee to input invoices into the accounts payable system and a different employee to approve payment for the invoices?
      ii. If these two employees work together, they can commit fraud by inputting a fictitious invoice and authorizing the payment to go to a bank account they control.
3. Time-based model of controls
   a. Specific to the time it takes for a technology attack to bypass preventive controls, compared to the company's detective and corrective control reaction times.
   b. Measures the residual risk for technology attacks by comparing the three control functions: the security measures are adequate only when the time needed to bypass the preventive controls exceeds the combined time needed to detect the attack and correct it. Otherwise, the security measures are inadequate to protect the company's systems from intruders.

LO 2: Characterize a control by its location and implementation method.

1. How are controls classified?
   a. A control is classified based on where it exists in a business process.
      i.  If the control is NOT in a computer environment, it is physical, such as locks.
      ii. If the control is in a computer environment, it is characterized as either:
          1. an IT general control (ITGC), or
          2. an IT application control.
2. General controls: IT general controls (ITGCs) apply to the entire operation of the full system and its environment.
   a. All corporate applications (email, web browsers, time-keeping software, benefits management systems, and more) are subject to ITGCs. Three common/broad examples of ITGCs are:
   b. System security: controls embedded in the company's system specifically target the risk of external, unauthorized users performing malicious activities against company data or systems.
   c. Data backups: all servers are backed up to a secondary set of equipment, stored at a different location, that can be brought online in the event of a disaster.
   d. Duplicate environments: system changes are not released to the software before being reviewed and approved. Instead, changes are created in a duplicated environment (a copy) of the software.
3. Application controls: in accounting, an application is software that captures and records accounting business events. Essentially, an AIS is an application.
   a. An application control applies only to a specific application. An accounting application for sales would have application controls that cover the sales accounts, AR, customer information, returns, etc.

   Exercise: match the application data entry controls with the appropriate description.
   Controls: Redundant check, Field check, Validity check, Limit check, Range check, Size check, Completeness check, Sign check, Reasonableness test.

      Control              Description
      Field check          Characters in a field are the proper type (certain fields might only accept numbers, numbers and letters, no special characters, etc.)
      Sign check           Data in a field has the appropriate sign (positive/negative)
      Limit check          Tests a numerical amount against a fixed value
      Range check          Tests a numerical amount against lower and upper limits
      Redundant check      Requires the inclusion of two identifiers in each input record (e.g., entering a password twice)
      Size check           Input data fits into the field
      Completeness check   Verifies that all required data is entered
      Validity check       Compares data from the transaction file to that of the master file to verify existence
      Reasonableness test  Correctness of the logical relationship between two data items

4. Implementing controls: there are two methods of implementing a control.
   a. Manual: requires human judgment or physical interaction.
      i. Note: there is a difference between the terms "manual controls" and "physical controls."
         1. Manual controls are executed by people or physical interaction.
         2. Physical controls mitigate risks related to people and their actions.
   b. Automated: uses technology to implement control activities.
      i.  They are often more reliable and consistent than manual controls because they are not susceptible to human error, judgment, or override.
      ii. A control must be fully automated to be classified as automated. An example would be a systems-level separation of duties.
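The nine data entry controls in the matching exercise are easiest to tell apart when each is written as a concrete check on a record. The block below is an added example (not from the course notes or any AIS package) that validates constructed sales-order records with one function per control. The field layout, the credit limit, the quantity bounds, the ZIP field size and the customer master file are all assumptions chosen for the demo; the order-date/ship-date comparison is the assumed "logical relationship between two data items" for the reasonableness test.

```python
"""Application data entry controls as an input validator (added example).

Each check in validate_order() corresponds to one control from the matching
exercise. Limits, field sizes and the customer master file are constructed
assumptions for the demo, not values from the course notes.
"""
import re
from datetime import date
from typing import Dict, List

CUSTOMER_MASTER = {"C1001", "C1002", "C1003"}   # constructed master file
REQUIRED_FIELDS = ("customer_id", "quantity", "unit_price", "ship_zip", "ship_zip_confirm")
CREDIT_LIMIT = 10_000.0        # assumed fixed limit for a single order (limit check)
QUANTITY_RANGE = (1, 500)      # assumed lower/upper bounds (range check)
ZIP_SIZE = 5                   # assumed field size (size check)


def validate_order(rec: Dict[str, str]) -> List[str]:
    """Return a list of control failures, each prefixed with the control name."""
    errors: List[str] = []

    # Completeness check: every required field is present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:
        errors.append(f"completeness: missing {missing}")
        return errors  # remaining checks would only report the same gap again

    # Field check: characters are of the proper type for the field.
    if not re.fullmatch(r"C\d+", rec["customer_id"]):
        errors.append("field: customer_id must be 'C' followed by digits")
    if not rec["ship_zip"].isdigit():
        errors.append("field: ship_zip must contain only digits")

    # Size check: input fits the field.
    if len(rec["ship_zip"]) != ZIP_SIZE:
        errors.append(f"size: ship_zip must be exactly {ZIP_SIZE} characters")

    # Redundant check: the second entry of the identifier must match the first.
    if rec["ship_zip"] != rec["ship_zip_confirm"]:
        errors.append("redundant: ship_zip and ship_zip_confirm differ")

    # Validity check: the transaction's customer must exist in the master file.
    if rec["customer_id"] not in CUSTOMER_MASTER:
        errors.append("validity: customer_id not found in customer master file")

    try:
        qty = int(rec["quantity"])
        price = float(rec["unit_price"])
    except ValueError:
        errors.append("field: quantity must be an integer and unit_price a number")
        return errors

    # Sign check: the amount has the appropriate sign.
    if price < 0:
        errors.append("sign: unit_price must not be negative")

    # Range check: amount lies between lower and upper limits.
    lo, hi = QUANTITY_RANGE
    if not lo <= qty <= hi:
        errors.append(f"range: quantity must be between {lo} and {hi}")

    # Limit check: amount compared against a single fixed value.
    total = qty * price
    if total > CREDIT_LIMIT:
        errors.append(f"limit: order total {total:.2f} exceeds credit limit {CREDIT_LIMIT:.2f}")

    # Reasonableness test: logical relationship between two data items.
    if rec.get("order_date") and rec.get("ship_date"):
        if date.fromisoformat(rec["ship_date"]) < date.fromisoformat(rec["order_date"]):
            errors.append("reasonableness: ship_date is earlier than order_date")

    return errors


# Constructed sample transaction file: one clean record, one that trips most
# checks, one over the credit limit, one with a missing required field.
SAMPLE_ORDERS = [
    {"customer_id": "C1001", "quantity": "10", "unit_price": "25.00",
     "ship_zip": "35487", "ship_zip_confirm": "35487",
     "order_date": "2024-04-01", "ship_date": "2024-04-03"},
    {"customer_id": "C9999", "quantity": "0", "unit_price": "-5.00",
     "ship_zip": "3548A", "ship_zip_confirm": "35487",
     "order_date": "2024-04-01", "ship_date": "2024-03-30"},
    {"customer_id": "C1002", "quantity": "450", "unit_price": "30.00",
     "ship_zip": "35401", "ship_zip_confirm": "35401",
     "order_date": "2024-04-01", "ship_date": "2024-04-02"},
    {"customer_id": "C1003", "quantity": "3", "unit_price": "10.00",
     "ship_zip": "", "ship_zip_confirm": "35401"},
]


def validate_all(records: List[Dict[str, str]]) -> List[List[str]]:
    """Validate every record; the result index matches the input index."""
    return [validate_order(r) for r in records]


if __name__ == "__main__":
    for i, errs in enumerate(validate_all(SAMPLE_ORDERS)):
        print(f"order {i}: {'OK' if not errs else errs}")
```

Note that the completeness check short-circuits: a record missing a required field is rejected before the other controls run, which keeps the error list about the actual defect instead of a cascade of secondary failures.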