
RISK EXPOSURES AND THE INTERNAL CONTROL STRUCTURE

NATURE OF CONTROL

One of management's basic functions is to ensure that enterprise objectives are achieved.
Management is responsible for establishing and maintaining a control framework over its firm's formal structures: the accounting information system (AIS), the operational or management information system (MIS), and the organization system.

CONTROL FRAMEWORK
A control framework ensures that relevant controls are implemented. It is also called the INTERNAL CONTROL STRUCTURE (ICS).

CONTROLS

Controls provide reasonable assurance that certain risk exposures are counteracted within the three formal structures.

Accountants, as key users of the AIS, should take active roles in developing and reviewing the ICS (the framework). They work closely with the system designer during the development phase of an information system to ensure that the planned control measures are adequate and auditable. During an audit they assess the reliability of the ICS when performing the audit program steps.

INTERNAL CONTROL STRUCTURE

Internal Control Objectives

Financial-Oriented View of the Internal Control Structure
- Control Environment Component and its subcomponents
- Risk Assessment Component
- Control Activities Component
- Information and Communication Component
- Monitoring Component

Nonfinancial-Oriented View of the Internal Control Structure
a. Management Control System
b. Operational Control System

INTERNAL CONTROL OBJECTIVES

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

FINANCIAL-ORIENTED VIEW OF THE INTERNAL CONTROL STRUCTURE

1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring

CONTROL ENVIRONMENT COMPONENT


Every organization, regardless of size, should devise a strong internal control environment. It is the foundation of all other components of internal control, providing discipline and structure.

SUBCOMPONENTS
a. Management philosophy and operating style
b. Integrity and ethical values
c. Commitment to competence
d. Board of directors or audit committee
e. Organizational structure
f. Assignment of authority
g. Human resource policies and practices

RISK ASSESSMENT COMPONENT

Consists of the identification and analysis of relevant risks that may prevent the achievement of companywide objectives and the objectives of organizational units, and the formation of a plan that determines how those risks are to be managed.

CONTROL ACTIVITIES COMPONENT


A firm should develop specific control activities (policies, practices, and procedures) to help ensure that employees properly carry out management directives.

INFORMATION AND COMMUNICATION COMPONENT


Information must be identified, processed, and communicated so that appropriate personnel may carry out their responsibilities. A properly functioning information system helps ensure that responsibilities are achieved.

MONITORING COMPONENT
The purpose of monitoring, the final component of the ICS, is to assess the quality of the ICS over time by conducting ongoing activities and separate evaluations.

NONFINANCIAL ORIENTED VIEW OF THE INTERNAL CONTROL STRUCTURE


Management Control System
A management control system involves developing control and monitoring activities to evaluate performance and supervise the firm's activities on an ongoing basis.

Operational Control System
The process or system that promotes effectiveness and efficiency in performing day-to-day operating tasks.

COMPUTER CRIME
- Nature of Computer Crimes
- Importance of Computer Fraud
- Types of Computer Crimes
- Reasons Why Computers Cause Control Problems

In computer crime, the computer is involved in two ways in committing the criminal act.

Directly
- Sabotage of computer facilities.

Indirectly
- Unauthorized access to stored data, because the presence of the computer created the environment for committing the crime.

Computer Crime

Computer fraud poses a very high degree of risk, since all three factors (frequency, vulnerability and size) tend to be present.
A computer and its data are often vulnerable to unauthorized access as well as damage. Fraudulent activities by either authorized or unauthorized persons are very difficult to detect. The average loss per incident of computer fraud is significantly larger than the average fraud loss when manual systems are involved.

Types of computer crime:
- Theft of computer hardware and software.
- Unauthorized use of computer facilities for personal use.
- Fraudulent modification or use of data or programs.

Theft of software, known as software piracy, is quite prevalent. It involves making unauthorized copies of programs and software packages, either from diskettes or from files stored on disks.

Unauthorized use may be committed by a HACKER, who breaks into a computer system via a remote terminal or microcomputer, or by an employee who runs his or her own programs on the firm's computer.

In most fraud cases the perpetrator intends to steal assets, such as cash or merchandise. For instance, a purchasing agent may enter unauthorized purchase transactions via a terminal and have the merchandise sent to his home. A programmer employed at a bank may modify a withdrawal program in a manner that causes withdrawals against his or her personal account to be charged to an inactive account.

1. Processing is Concentrated
Manual system: the processing is done by clerks in various departments who can cross-check each other's work, thus detecting errors. Computer-based system: the processing is often concentrated within self-contained computer facilities. Consequently, less opportunity exists for detecting errors and fraudulent events.

2. Audit Trails May Be Undermined


Portions of the audit trail are more likely to be fragmented or eliminated in computer-based system than in manual systems. One consequence is that fraudulent acts are less likely to leave traces that can be detected.

3. Human Judgment is Bypassed.


Computers perform programmed instructions blindly; they exercise no judgment. Thus fewer opportunities exist for persons to spot errors and questionable data or to observe processing steps.

4. Data are Stored in Device-Oriented Rather than Human-Oriented Forms.


Data stored in computer-based systems are oriented to the characteristics of magnetic or optical media. These characteristics differ radically from the paper-oriented, and hence human-oriented, media familiar to users.

5. Computer Equipment is Powerful but Complex and Vulnerable.

Because of its processing power, a computer-based system can disseminate errors throughout files and reports more quickly. Because of its complexity, a computer system tends to be confusing to many employees, at both the clerical and the managerial levels. Such confusion can cause employees to make errors.

ELEMENT/ACTIVITY AND CHARACTERISTICS (manual system)

1. Information generation
- Outputs generated laboriously and usually in small volumes.
- Output usually in hard-copy form.

2. Transmission of data and information
- Usually transmitted via postal service and hand delivery.

3. Equipment
- Relatively simple, inexpensive and mobile.

4. Data collection
- Data recorded on paper source documents.
- Data reviewed for errors by clerks.

5. Data processing
- Processing steps performed by clerks who possess judgment.
- Processing steps divided among various clerks in separate departments.
- Processing requires use of journals and ledgers.
- Processing performed relatively slowly.

6. Data storage and retrieval
- Data stored in file drawers throughout the various departments.
- Data are stored on hard copies in human-readable form.
- Stored data accessible on a piecemeal basis at various locations.

ELEMENT/ACTIVITY, CHARACTERISTICS, RISK EXPOSURES AND COMPENSATING CONTROLS (computer-based system)

1. Information generation
Characteristics:
- Outputs generated quickly and neatly, often in large volumes.
- Outputs provided in various forms, including soft-copy displays and voice responses.
Risk exposures:
- Inaccuracies may be buried in impressive-looking outputs that users accept on faith.
- Information stored on magnetic media is subject to modification.
Compensating controls:
- Reviews by users of outputs, including checks of amounts.
- Backups of files; periodic printing of stored files onto hard-copy records.

2. Transmission of data and information
Characteristics:
- Often transmitted by communication lines.
Risk exposures:
- Data may be accessed, modified or destroyed by unauthorized persons.
Compensating controls:
- Security measures on transmission lines; coding of data; verification of transmitted data.

3. Equipment
Characteristics:
- Relatively complex, expensive and in fixed locations.
Risk exposures:
- Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed; operations may be delayed through inefficiencies.
Compensating controls:
- Backup of data, power supply and equipment; preventive maintenance of equipment; restrictions on access to computer facilities; documentation of equipment usage and processing procedures.

4. Data collection
Characteristics:
- Data sometimes captured without use of source documents.
- Data often not subject to review by clerks.
Risk exposures:
- Audit trail may be partially lost.
- Errors, accidental or deliberate, may be entered for processing.
Compensating controls:
- Printed copies of source documents prepared by the computer system.
- Edit checks performed by the computer system.

5. Data processing
Characteristics:
- Processing steps performed by the CPU blindly in accordance with program instructions.
- Processing steps concentrated within the computer CPU.
- Processing does not require use of journals.
- Processing performed rapidly.
Risk exposures:
- Errors may cause incorrect results of processing.
- Unauthorized manipulation of data and theft of assets can occur on a large scale.
- Audit trail may be partially lost.
- Effects of errors may spread rapidly throughout files.
Compensating controls:
- Outputs reviewed by users of the computer system; carefully developed computer processing programs.
- Restricted access to computer facilities; clear procedures for authorizing changes to programs.
- Printed journals and other analyses.
- Editing of all data during input and processing steps.

6. Data storage and retrieval
Characteristics:
- Data compressed on magnetic media.
- Data stored in invisible, erasable, computer-readable form.
- Stored data often readily accessible from various locations via terminals.
Risk exposures:
- Data may be accessed by unauthorized persons or stolen.
- Data are temporarily unusable by humans and might possibly be lost.
- Data may be accessed by unauthorized persons.
Compensating controls:
- Security measures at the point of access and over the data library.
- Data files printed periodically; backup files; protection against sudden power losses.
- Security measures at the point of access.

FEASIBILITY OF CONTROLS
- Audit Consideration
- Cost-Benefit Considerations
- The Seven Steps to Conducting a Cost-Benefit Analysis

AUDIT CONSIDERATION
A typical AIS undergoes periodic audits. Normally, the internal control structure receives particular scrutiny during such audits. Thus the internal control structure should be designed to be fully auditable. For instance, certain analyses and reconciliations can be generated automatically on a routine basis for use by the auditors.

COST-BENEFIT CONSIDERATIONS
Incorporating a control into an information system involves a cost. Adding a control after the system is implemented usually tends to be more costly and difficult. If every conceivable control were included within an organization structure, the total cost would likely be exorbitant. The total cost of a control includes one-time and recurring costs, additional losses caused by control failure, and opportunity costs. A cost-benefit analysis involves the interrelated phases of completing (1) a risk analysis and (2) a value-of-controls analysis.

The Seven Steps to Conducting a Cost-benefit Analysis


1. Determine the specific computer resources subject to control.
2. Determine all potential threats to the company's computer system.
3. Assess the relevant risks to which the firm is exposed.
4. Measure the extent of each relevant risk exposure in dollar terms.
5. Multiply the estimated effect of each relevant risk exposure by the estimated frequency of occurrence over a reasonable period, such as a year.
6. Compute the cost of installing and maintaining a control that is to counteract each relevant risk exposure. Steps involved:
   a) Determine key controls that reduce exposure to each relevant individual risk.
   b) Compute one-time and recurring costs of the control measures selected.
   c) Determine the reliability percentage of each control.
   d) The total cost of the controls equals the one-time cost plus the operating costs plus the additional cost (loss) due to the failure of the control.
7. Compare the benefits against the cost of each control.
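Steps 4 through 7 carried through in code, as an added worked example that is not part of the original text. The exposure, the candidate controls, their costs and reliability percentages are constructed figures; spreading a control's one-time cost evenly over an assumed useful life is my assumption, not something the page states.

```python
from dataclasses import dataclass


@dataclass
class RiskExposure:
    """One relevant risk exposure (steps 3 to 5 of the analysis)."""
    name: str
    loss_per_occurrence: float  # step 4: dollar effect of a single occurrence
    annual_frequency: float     # step 5: estimated occurrences per year

    def expected_annual_loss(self) -> float:
        # Step 5: effect x frequency = expected yearly loss without a control.
        return self.loss_per_occurrence * self.annual_frequency


@dataclass
class Control:
    """A candidate control and its cost inputs (step 6)."""
    name: str
    one_time_cost: float          # step 6b: installation cost
    annual_operating_cost: float  # step 6b: recurring cost per year
    reliability: float            # step 6c: fraction of occurrences it counteracts
    useful_life_years: int = 1    # assumption: one-time cost spread evenly over this life


def total_annual_cost(control: Control, exposure: RiskExposure) -> float:
    """Step 6d: annualized one-time cost + operating cost + loss when the control fails."""
    annualized_one_time = control.one_time_cost / control.useful_life_years
    failure_loss = exposure.expected_annual_loss() * (1.0 - control.reliability)
    return annualized_one_time + control.annual_operating_cost + failure_loss


def net_benefit(control: Control, exposure: RiskExposure) -> float:
    """Step 7: the loss the control is meant to avert, minus its total cost."""
    return exposure.expected_annual_loss() - total_annual_cost(control, exposure)


def rank_controls(exposure: RiskExposure, controls: list) -> list:
    """(name, net benefit) pairs, best first; a negative value is not cost-justified."""
    scored = [(c.name, net_benefit(c, exposure)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: the page's example of a programmer modifying a withdrawal program.
PROGRAM_CHANGE = RiskExposure("unauthorized program modification", 50_000.0, 0.2)
CANDIDATES = [
    Control("program change authorization procedure", 6_000.0, 1_000.0, 0.90, 3),
    Control("periodic printed journal review", 0.0, 500.0, 0.50),
    Control("independent review of every program change", 30_000.0, 2_000.0, 0.99, 3),
]

if __name__ == "__main__":
    for name, value in rank_controls(PROGRAM_CHANGE, CANDIDATES):
        print(f"{name}: net annual benefit ${value:,.0f}")
```

The third control averts almost all of the loss yet has negative net benefit, which is the page's point that including every conceivable control is exorbitant.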
