Summary

This document provides an overview of internal control and risk management. It defines internal control as a process that supports the completion of the entity’s objectives. The summary highlights components of internal control and how they work together to manage risks and achieve organizational goals.

Full Transcript


8/21/24 CONTROL & AIS: PART 2 DR. ZUBIR AZHAR CAMED

AIS THREATS ARE INCREASING: WHY?

Control risks have increased in the last few years because:
- There are computers and servers everywhere.
- Distributed computer networks make data available to many users.
- Wide area networks (WANs) are giving customers and suppliers access to each other's systems and data.

Inadequate protection:
- Threats are underestimated; controls are not well understood.
- Productivity pressures and cost reduction pressures.
- Companies have not always understood the threats.
- Cost pressures mean that managers skip time-consuming control processes.

INTERNAL CONTROL - DEFINITION

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

UNDERSTANDING INTERNAL CONTROL

Internal control is:
- Geared to the achievement of objectives
- A process consisting of ongoing tasks and activities
- Effected by people
- Able to provide reasonable assurance (not absolute assurance)
- Adaptable to the entity structure

WHAT CAN BE EXPECTED FROM INTERNAL CONTROL?

Internal control aims at providing reasonable assurance regarding the achievement of 3 objectives:
- Operations objectives
- Reporting objectives
- Compliance objectives

These objectives are pre-set within organizations along with their missions, visions and strategies, which are preconditions for an internal control system.

OBJECTIVES

[Figure: an example of objectives flow. Mission and Vision -> Strategic Goals -> Entity Level Objectives -> Operations Objectives, Compliance Objectives and Reporting Objectives -> Sub-Objectives under each. Organizations' functions, departments, processes or divisions can also be included in the flow.]

COMPONENTS OF INTERNAL CONTROL

The components shown below are requirements to achieve the objectives: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring Activities.

COMPONENTS OF IC

Control Environment:
- The set of standards, processes and structures that provide the basis for carrying out IC across the organization.
- The management establishes the tone at the top regarding the importance of IC.

Risk Assessment:
- Dynamic and iterative process. Consists of identifying and analyzing risks impairing the objectives and responding to them.
- Management should consider possible changes in the internal and external environment related to its objectives.

Control Activities:
- Actions established by policies and procedures to help ensure that management directives to mitigate risks are carried out.
- Control activities are performed at all levels of the entity and at various stages within business processes.

Information and Communication:
- Necessary for the entity to carry out internal control responsibilities in support of its objectives.
- Provides the organization with the information needed to carry out day-to-day controls.

Monitoring Activities:
- Ongoing evaluations, separate evaluations, or a combination of the two.
- To ascertain whether each of the 5 components is present, functioning and operating together.

COMPONENTS AND PRINCIPLES OF INTERNAL CONTROL

Control Environment:
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment:
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities:
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication:
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring:
16. The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

SETTING OBJECTIVES

Setting the mission, vision, strategic aims and entity-level objectives is not part of internal control but a management role. Specifying objectives is part of internal control.

What does specifying objectives mean? Principle 6 explains how to do it:
- Alignment between the established vision, objectives and applicable legislation
- Articulation of objectives using terms that are specific, measurable or observable, attainable, relevant and time-bound
- Grouping objectives within broad categories at all levels

IDENTIFYING AND ANALYZING RISK IN TERMS OF INTERNAL CONTROL

Identifying risks. Risk is: "The possibility that events will occur and affect the achievement of strategy and business objectives."
- Analyze internal and external factors
- Risk identification must be comprehensive: it includes all levels, stakeholders, and internal and external factors, and considers factors that influence the severity, velocity, likelihood and persistence of risk, etc.

Estimating the significance of risks identified:
- Impact: a result or effect of a risk
- Likelihood: the possibility of a risk occurring

Determining how to respond to risks.

FRAMEWORKS FOR ENTERPRISE RISK MANAGEMENT

RISK AND RISK MANAGEMENT

Risk is: "The possibility that events will occur and affect the achievement of strategy and business objectives." (COSO ERM – Integrating with Strategy and Performance, 2017)

Risk is the effect of uncertainty on objectives (ISO 31000).

COSO defines ERM as follows: The culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

ISO defines risk management as follows: Coordinated activities to direct and control an organization with regard to risk.

INTERNATIONALLY RECOGNIZED RISK MANAGEMENT FRAMEWORKS (COMMONLY USED)

1) ISO International Standard for Risk Management (31000:2018)
2) COBIT 2019
3) COSO ERM – Integrated Framework (2004)
4) COSO ERM – Integrating with Strategy and Performance Framework (2017)

COBIT: CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY

- Registered trademark of ISACA
- A main framework for corporate IT governance and management
- Covers the activities and responsibilities of both the IT function and non-IT business functions
- Deals with risk management in the IT domain and, specifically, the governance and management of enterprise IT

COBIT 2019

Two perspectives on how to use COBIT 5 in a risk context:
- Risk function perspective: describes what is needed in an enterprise to build and sustain efficient and effective core risk governance and management activities
- Risk management perspective: describes how the core risk management process of identifying, analyzing, responding to and reporting on risk can be assisted by the COBIT 5 enablers

COSO ERM: PUBLICATIONS REGARDING ERM

In 2004, COSO issued "Enterprise Risk Management — Integrated Framework." In 2017, it issued "Enterprise Risk Management – Integrating with Strategy and Performance."

WHAT ARE THE ROLE AND OBJECTIVES OF ERM?

- Creating and protecting value
- Meeting the mission and achieving strategies and business objectives
- Enhanced performance of the organization
- Improved decision making
- Improved performance
- Identifying, assessing and managing the risks
- An integral part of the strategy selection process

COSO ERM 2004

- 8 components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring
- 4 categories of objectives
- Many organizations found it complex and hard to understand

COSO ERM 2017

- COSO took the criticism into account and updated the previous framework
- 5 components
- Principle-based (20 principles)
- Promotes integration of ERM practices throughout an organization
- Aligns with strategy setting and performance
- Focuses on improving decision-making in governance, strategy, objective setting, and day-to-day operations
- Allocates resources according to predetermined principles

The COSO ERM 2017 framework comprises five interrelated components: 1) Governance and culture, 2) Strategy and objective setting, 3) Performance, 4) Review and revision, and 5) Information, communication, and reporting.

RISK APPETITE

Risk appetite is the types and amount of risk that management is willing to accept in its pursuit of value (in short, the acceptable amount of risk). There is no universal risk appetite.

It can be defined at the level of:
- Strategy and business objectives that align with the mission and vision
- Business objective categories
- Performance targets of the entity

How to define it? Through discussions, reviewing the past, and internal and external stakeholder expectations.
