Threat is any potential adverse occurrence or unwanted events that could injure the AIS or the organization. Exposure is the potential dollar loss that would occur if the threat becomes reality. Likelihood is the probability that the threat will occur.
Internal control is the policies, procedures, practices and organizational structure designed to provide reasonable assurance that business objective will be achieved or detected and corrected.
Internal control objectives
1. Safeguard asset
2. Maintain records in sufficient detail to report company assets accurately and fairly. 3. Provide accurate and reliable information.
4. Prepare financial report in accordance with established criteria 5. Promote and improve operational efficiency.
6. Encourage adherence to prescribed managerial policies.
7. Comply with laws and regulations.
Internal control functions
1. Preventive control deter problems before they arise
2. Detective control discover problem that are not prevented 3. Corrective control correct problems as well as correct and recover from the resulting errors.
Control Objectives for information Technology (COBIT)
1. Business Objectives
2. IT resources
3. IT processes
Committee of Sponsoring Organization (COSO)
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
COSO’s Enterprise Risk Management Framework (ERM)
1. The basic principles behind ERM are as follows
Company are formed to create value for their owners
Management must decide how much uncertainty it will accept
Uncertainty results in risk.
Uncertainty results in opportunity
The ERM framework can manage uncertainty as well as create and preserve value.
2. Four objective: Strategic, Operations, Reporting, Compliance
3. 8 interrelated risk and control components of ERM
Information and Communication
Internal Environment consists of the following
1. Management’s Philosophy, Operating style, and Risk Appetite 2. The Board of Directors
3. Commitment to Integrity, Ethical values and Competence
4. Organizational Structure
5. Methods of Assigning Authority and Responsibility
6. Human resources Standards
1. Strategic Objectives: High level goals aligned with corporate mission 2. Operational: effectiveness and efficiency of operations
3. Reporting: complete and reliable / Improve decision making 4. Compliance: Laws and regulations are followed
COSO defines an event as “an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”
Type of Risk
Inherent: Risk that exists before any plans are made to control it Residual: Remaining risk after controls are in place to reduce it
Reduce: Reduce the likelihood and impact of risk by implementing an effective system of internal controls Accept: Accept the likelihood and impact of the risk
Share: Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions Avoid: Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated Event / Risk / Response Model
Estimate Likelihood and Impact
Estimate Costs and Benefits
Determine Cost/Benefit Effectiveness
Implement Control or Accept, Share, or Avoid the Risk
Calculating Risk Levels
Expected Loss = Exposure (or impact) Ⅹ Likelihood of risk occurring Expected Loss: The value of a control procedure is the difference between expected loss with control procedure and expected loss without it.
Control Activities are policies and procedures that...
Please join StudyMode to read the full document