AIS Chapter 4

The document discusses internal controls and enterprise risk management in information systems. It covers the importance of controlling information systems, why threats are increasing, and types of computer fraud. It also describes preventative measures, security controls, and the Trust Services Framework which aims to provide security, confidentiality, privacy and processing integrity.

Uploaded by

Ashenafi Zeleke
Chapter 4

Controlling Information
Systems/Enterprise Risk
Management
Points to be covered
 Internal control system
 Why controlling is important in AIS
 Why AIS threats are increasing
 Computer fraud and preventive measures, security, and controls
 Enterprise risk management (ERM)
Internal control and AIS

A strong system of internal control is essential to effective enterprise risk management.

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
 Safeguarding of assets (including data)
 Effectiveness and efficiency of operations
 Reliability of financial reporting
 Compliance with applicable laws and regulations
Cont’d
Internal controls are often classified as:
A. General controls
 Those designed to make sure an organization’s control environment is stable and well managed.
 They apply to all sizes and types of systems.
 Examples: security management controls.
Cont’d
B. Application controls
 Prevent, detect, and correct transaction errors and fraud.
 Are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
Cont’d
Internal controls perform three important functions:
1. Preventive controls
 Deter problems before they arise.
2. Detective controls
 Discover problems quickly when they do arise.
3. Corrective controls
 Remedy problems that have occurred by:
 Identifying the cause;
 Correcting the resulting errors; and
 Modifying the system to prevent future problems of this sort.
Five Key Internal Control Activities…
1. Separation of Duties
 Divide responsibilities between different employees so one individual doesn’t control all aspects of a transaction.
 Reduce the opportunity for an employee to commit and conceal errors (intentional or unintentional) or perpetrate fraud.
2. Documentation
 Document the following activities:
 Critical decisions and significant events: typically involving the use, commitment, or transfer of resources.
 Transactions: enables a transaction to be traced from its initiation through to completion.
 Policies & procedures: documents which set forth the fundamental principles and methods that employees rely on to do their jobs.
3. Authorization & Approvals
 Management documents and communicates which activities require approval, and by whom, based on the level of risk to the organization.
 Ensure that transactions are approved and executed only by employees acting within the scope of the authority granted to them by management.
4. Security of Assets
 Secure and restrict access to equipment, cash, inventory, confidential information, etc. to reduce the risk of loss or unauthorized use.
 Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization.
 Base the level of security on the vulnerability of the items being secured, the likelihood of loss, and the potential impact should a loss occur.
5. Reconciliation & Review
 Examine transactions, information, and events to verify accuracy, completeness, appropriateness, and compliance.
 Base the level of review on materiality, risk, and overall importance to the organization’s objectives.
 Ensure the frequency of review is adequate to detect and act upon questionable activities in a timely manner.
Limitations of Internal Control
 Internal control systems have inherent limitations, including:
 They are susceptible to errors and poor decisions.
 They can be overridden by management or by collusion of two or more employees.
 Internal control objectives are often at odds with each other.
 EXAMPLE: Controls to safeguard assets may also reduce operational efficiency.
Why controlling is important in AIS

Controlling is important in AIS because:
 One of the primary objectives of an AIS is to control a business organization’s resources, including data.
 Threats to AIS are increasing over time.
 Fraud from within the organization and from outside the organization is increasing over time.
 Computer fraud and hacking are currently increasing.
Why AIS Threats Are Increasing

 Control risks have increased in the last few years because:
 There are computers and servers everywhere, and information is available to an unprecedented number of workers.
 Wide area networks and wireless networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.
Cont’d
 Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
 Computer control problems are often underestimated and downplayed.
 Control implications of moving from centralized, host-based computer systems to networked or Internet-based systems are not always fully understood.
 Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
Threats to AIS

 Natural and political disasters
 Software errors and equipment malfunctions
 Unintentional acts
 Intentional acts
Fraud
 Any means a person uses to gain an unfair advantage over another person; includes:
 A false statement, representation, or disclosure
 A material fact, which induces a victim to act
 An intent to deceive
 The victim relied on the misrepresentation
 An injury or loss was suffered by the victim
Categories of Fraud
Misappropriation of assets
Theft of company assets, which can include physical assets (e.g., cash, inventory) and digital assets (e.g., intellectual property such as protected trade secrets, customer data)
Fraudulent financial reporting
“Cooking the books” (e.g., booking fictitious revenue, overstating assets, etc.)
Computer Fraud
If a computer is used to commit fraud, it is called computer fraud.
Computer fraud is classified by the stage of data processing it targets:
 Input
 Processor
 Computer instructions
 Data
 Output
Types of Computer Systems Attack
A. Hacking
Unauthorized access, modification, or use of an electronic device or some element of a computer system
B. Social Engineering
Techniques or tricks used on people to gain physical or logical access to confidential information
C. Malware
Software used to do harm
Preventive Measures, Security, and Controls

1. Make Fraud Less Likely to Occur
Organizational
 Create a culture of integrity
 Adopt a structure that minimizes fraud; create governance (e.g., Board of Directors)
 Assign authority for business objectives and hold those responsible accountable for achieving them, with effective supervision and monitoring of employees
 Communicate policies
Cont’d
Systems
 Develop security policies to guide and design specific control procedures
 Implement change management controls and project development and acquisition controls
Cont’d
2. Minimize the Threat of Social Engineering
 Never let people follow you into restricted areas
 Never log in for someone else on a computer
 Never give sensitive information over the phone or through e-mail
 Never share passwords or user IDs
 Be cautious of someone you don’t know who is trying to gain access through you
Cont’d
3. Make It Difficult to Commit Fraud
 Organizational
 Develop strong internal controls
 Segregate accounting functions
 Use properly designed forms
 Require independent checks and reconciliations of data
Cont’d
Systems
 Restrict access
 System authentication
 Implement computer controls over input, processing, storage and output of data
 Fix software bugs and update systems regularly
 Destroy hard drives when disposing of computers
Cont’d
4. Improve Detection
Organizational
 Assess fraud risk
 External and internal audits
Systems
 Audit trail of transactions through the system
 Install fraud detection software
 Monitor system activities (user and error logs, intrusion detection)
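A detective control run over an audit trail, as an added example that is not part of the chapter: it reviews constructed transaction records for the separation-of-duties rule (activity 1) and the management-assigned approval limits (activity 3). The user names, approval limits and purchase orders are all constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical approval limits assigned by management (constructed values):
# which amounts each approver may authorize.
APPROVAL_LIMITS = {"alice": 5_000, "bob": 50_000}


@dataclass(frozen=True)
class AuditEvent:
    txn_id: str
    action: str    # "create" or "approve"
    user: str
    amount: float


# Constructed audit trail: one "create" and one "approve" event per transaction.
AUDIT_TRAIL = [
    AuditEvent("PO-1001", "create", "carol", 4_200),
    AuditEvent("PO-1001", "approve", "alice", 4_200),   # clean
    AuditEvent("PO-1002", "create", "alice", 9_900),
    AuditEvent("PO-1002", "approve", "alice", 9_900),   # same user, over limit
    AuditEvent("PO-1003", "create", "carol", 75_000),
    AuditEvent("PO-1003", "approve", "bob", 75_000),    # over bob's limit
    AuditEvent("PO-1004", "create", "carol", 300),
    AuditEvent("PO-1004", "approve", "dave", 300),      # dave has no authority
]


def review_audit_trail(events, limits):
    """Return sorted (txn_id, finding) pairs for transactions that breach
    separation of duties or the approver's authority limit."""
    by_txn = {}
    for e in events:
        by_txn.setdefault(e.txn_id, {})[e.action] = e
    findings = []
    for txn_id, acts in sorted(by_txn.items()):
        created, approved = acts.get("create"), acts.get("approve")
        if created is None or approved is None:
            continue  # incomplete transaction: nothing to compare yet
        # Separation of duties: the creator must not be the approver.
        if created.user == approved.user:
            findings.append((txn_id, f"sod: {created.user} created and approved"))
        # Authorization: the approver must hold a limit covering the amount.
        limit = limits.get(approved.user)
        if limit is None:
            findings.append((txn_id, f"authority: {approved.user} has no approval limit"))
        elif approved.amount > limit:
            findings.append((txn_id, f"authority: {approved.user} limit {limit} < {approved.amount}"))
    return findings


if __name__ == "__main__":
    for txn_id, finding in review_audit_trail(AUDIT_TRAIL, APPROVAL_LIMITS):
        print(txn_id, finding)
```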
Cont’d
5. Reduce Fraud Losses
Organizational
 Insurance
 Business continuity and disaster recovery plan
Systems
 Store backup copies of program and data files in a secure, off-site location
 Monitor system activity
Trust Services Framework
 Security
▫ Access to the system and data is controlled and restricted to legitimate users.
 Confidentiality
▫ Sensitive organizational data is protected.
 Privacy
▫ Personal information about trading partners, investors, and employees is protected.
Cont’d
 Processing integrity
▫ Data are processed accurately, completely, in a timely manner, and only with proper authorization.
 Availability
▫ System and information are available.
Mitigating Risk of Attack
Preventive Controls
• People
• Process
• IT solutions
• Physical security
• Change controls and change management
Detective Controls
• Log analysis
• Intrusion detection systems
• Penetration testing
• Continuous monitoring
Preventive: People

 Culture of security
 Tone set at the top with management
 Training
Follow safe computing practices:
 Never open unsolicited e-mail attachments
 Use only approved software
 Do not share passwords
 Physically protect laptops/cell phones
 Protect against social engineering
Preventive: Process

 Authentication—verifies the person
1. Something the person knows
2. Something the person has
3. Some biometric characteristic
4. Combination of all three
 Authorization—determines what a person can access
Preventive: IT Solutions

 Antimalware controls
 Network access controls
 Device and software hardening controls
Preventive: Other

Physical security access controls
• Limit entry to the building
• Restrict access to network and data
Change controls and change management
• Formal processes in place regarding changes made to hardware, software, or processes
Enterprise risk management (ERM)

 ERM provides a holistic method of managing both operational and strategic risk across the entire organization.
 Create a risk management organization structure and ensure clear reporting lines
 Develop/assign responsibilities for risk management
Components of the COSO Framework for ERM

COSO is an abbreviation (the Committee of Sponsoring Organizations of the Treadway Commission) referring to a joint initiative of five private-sector organizations. COSO states that there are five components of ERM:
1. Control (internal) environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
1. Internal Environment
 Management’s philosophy, operating style, and risk appetite
 Commitment to integrity, ethical values, and competence
 Internal control oversight by the Board of Directors
 Organizational structure
 Methods of assigning authority and responsibility
 Human resource standards
2. Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
▫ Probability that the event will occur
• Impact
▫ Estimate of the potential loss if the event occurs
Types of risk
• Inherent
▫ Risk that exists before plans are made to control it
• Residual
▫ Risk that is left over after you control it
Risk Response
 Reduce
 Implement effective internal control
 Accept
 Do nothing, accept likelihood and impact of risk
 Share
 Buy insurance, outsource, or hedge
 Avoid
 Do not engage in the activity
3. Control Activities
 Proper authorization of transactions and
activities
 Segregation of duties
 Project development and acquisition controls
 Change management controls
 Design and use of documents and records
 Safeguarding assets, records, and data
 Independent checks on performance
4. Information and communication
 Using information and communication technologies for all parts of enterprise risk management.
 Modern risks call for modern risk management technologies.
5. Monitoring
 Perform internal control evaluations (e.g.,
internal audit)
 Implement effective supervision
 Use responsibility accounting systems (e.g.,
budgets)
 Monitor system activities
 Track purchased software and mobile devices
Cont’d
 Conduct periodic audits (e.g., external, internal, network security)
 Employ a computer security officer
 Engage forensic specialists
 Install fraud detection software
 Implement a fraud hotline
End of chapter four
Group assignment two
Write a detailed note about:
1. The COBIT5 comprehensive framework
2. The COSO comprehensive framework
N.B.
1. The assignment will be done in groups (maximum five students)
2. Submission date: the same as the article review date
3. Maximum 7 pages
4. Mode of submission: hard copy