Topics: Auditing, Internal control, Audit Pages: 6 (2042 words) Published: September 24, 2014
Threat is any potential adverse occurrence or unwanted events that could injure the AIS or the organization. Exposure is the potential dollar loss that would occur if the threat becomes reality. Likelihood is the probability that the threat will occur.

Internal control is the policies, procedures, practices and organizational structure designed to provide reasonable assurance that business objective will be achieved or detected and corrected.

Internal control objectives
1. Safeguard asset
2. Maintain records in sufficient detail to report company assets accurately and fairly. 3. Provide accurate and reliable information.
4. Prepare financial report in accordance with established criteria 5. Promote and improve operational efficiency.
6. Encourage adherence to prescribed managerial policies.
7. Comply with laws and regulations.

Internal control functions
1. Preventive control deter problems before they arise
2. Detective control discover problem that are not prevented 3. Corrective control correct problems as well as correct and recover from the resulting errors.

Internal Framework
Control Objectives for information Technology (COBIT)
1. Business Objectives
2. IT resources
3. IT processes

Committee of Sponsoring Organization (COSO)
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

COSO’s Enterprise Risk Management Framework (ERM)
1. The basic principles behind ERM are as follows
Company are formed to create value for their owners
Management must decide how much uncertainty it will accept
Uncertainty results in risk.
Uncertainty results in opportunity
The ERM framework can manage uncertainty as well as create and preserve value.

2. Four objective: Strategic, Operations, Reporting, Compliance

3. 8 interrelated risk and control components of ERM
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication

Internal Environment consists of the following
1. Management’s Philosophy, Operating style, and Risk Appetite 2. The Board of Directors
3. Commitment to Integrity, Ethical values and Competence
4. Organizational Structure
5. Methods of Assigning Authority and Responsibility
6. Human resources Standards

Objective setting
1. Strategic Objectives: High level goals aligned with corporate mission 2. Operational: effectiveness and efficiency of operations
3. Reporting: complete and reliable / Improve decision making 4. Compliance: Laws and regulations are followed

Event identification
COSO defines an event as “an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”

Rise Assessment
Type of Risk
Inherent: Risk that exists before any plans are made to control it Residual: Remaining risk after controls are in place to reduce it

Risk Response
Reduce: Reduce the likelihood and impact of risk by implementing an effective system of internal controls Accept: Accept the likelihood and impact of the risk
Share: Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions Avoid: Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated Event / Risk / Response Model

Estimate Likelihood and Impact
Identify Controls
Estimate Costs and Benefits
Determine Cost/Benefit Effectiveness
Implement Control or Accept, Share, or Avoid the Risk
Calculating Risk Levels
Expected Loss = Exposure (or impact) Ⅹ Likelihood of risk occurring Expected Loss: The value of a control procedure is the difference between expected loss with control procedure and expected loss without it.

Control Activities
Control Activities are policies and procedures that...
Continue Reading

Please join StudyMode to read the full document

Become a StudyMode Member

Sign Up - It's Free