CASESTUDY.docx
CASE STUDY FOR FINAL EXAM - SEMESTER 1, 2014
QUESTION 4 (This case will appear like this at the start of Question 4 in exam)
Jon is the CEO of a boutique business that sells pet accessories, MyPetDesign. Jon is a fashion designer by trade and as a result he has chosen to focus heavily on the design of the unique pet clothing. He started the business as a small operation, but demand quickly grew in a few years. Unable to handle orders himself, he decided to bring together a group of young, up-and-coming fashion designers with a love for animals. The company now includes teams focusing on design, operations, IT, finance, and accounting, all of which report to Jon. The company does not have a board of directors, as Jon doesn’t believe it needs one and he is reluctant to lose control.
All manufacturing of clothing is outsourced to Australian manufacturing contractors. Jon chose Australian manufacturers because he believes it gives the company better control over product quality, delivery schedules, and associated costs. After production, the finished products are shipped to the company’s three warehouses, located in Sydney, Melbourne, and Brisbane.
Although reluctant to move away from manufacturing, Jon was convinced by the Director of Operations to source other unique pet products from around the world. The company now sells various types of pet products such as beds, collars and toys from several suppliers.
Currently, e-commerce, through the official website, is the company’s only sales and distribution channel. A customer can make a purchase using a major credit card. The website was created when the company first started operating, nearly 10 years ago, and hasn’t been updated since. Bill, the Director of IT, believes it needs a major update as its security is quite outdated. He is concerned their systems would not be able to handle a serious virus or malware attack, which is likely to occur and would cause severe consequences.
The MyPetDesign accounting system is computerised. However, the system is homemade, having started with just a few accounting tables built in Microsoft Excel. Through the years, additional tables and computer programs were added as needed. After some general discussion on the state of the current accounting system, Ronald, Director of Accounting, and Bill again voiced their concerns about it. Ronald was particularly concerned about the reliability of the system. The current system commonly requires the same data to be entered many times into many different tables, which can lead to data inconsistency and duplication. Furthermore, data entry lacks automated data entry controls.
In addition, there have been some suppliers complaining about their invoice payments. Payments were not being made on time and one major supplier has stopped supplying to MyPetDesign. Although the loss of this supplier has created a minor setback in terms of obtaining products, Ronald is concerned that if the payment problem is not fixed, it is possible that more suppliers will withdraw. The company cannot afford to lose any more because finding suppliers that provide quality and unique pet products is not easy and can lead to a major loss of profits.
Jon’s attitude is laid back and goes with the philosophy of “it will be right” and often doesn’t see the issues as real problems. Both Bill and Ronald are frustrated with his attitude and believe that perhaps the company needs to replace its current accounting system with a more effective one as well as undertake a complete update of the business to introduce proper policies and procedures.
AYB221 Lecture 10 Reliable Systems.pptx
Lecture 10 RELIABLE SYSTEMS
Queensland University of Technology
CRICOS No. 00213J
a university for the real world
Announcements
Quiz 2 is coming up soon
Week 12
Saturday 24th May at 10am
Similar to Quiz 1 in structure
Excel tutorials and Excel topic in week 9 lecture
Reading
Chap 14
Chap 15: 452-463
Chap 16
Lecture Modules
Availability and Security
Confidentiality and Privacy
Processing Integrity
Unit Objectives
Appreciate the importance of a reliable system
Understand controls used to:
protect availability and security,
improve confidentiality and privacy, and
ensure processing integrity
Module 1
Importance of a reliable system
System reliability principles of availability and security.
Some of the key (control) considerations under these principles.
Importance of reliable information
Increasing dependence on information and the systems that deliver the information
If you use computer-generated information in decision-making or for audit evidence, you need to assess its reliability.
If you are the holder of computer-generated information, you must exercise appropriate and defendable controls to safeguard that information, or evidence.
IT and Information
Every organisation relies on IT
Management wants assurance that the information produced by the AIS is reliable
How can this be achieved?
A Reliable System
System that delivers required outcomes consistently
i.e. Reliable
What constitutes reliable systems?
System Reliability Principles as set out in the Trust Services Framework.
developed by AICPA and the Canadian Institute of Chartered Accountants
classifies IS controls that relate specifically to systems reliability
Availability
Security
Confidentiality
Privacy
Processing Integrity
http://www.webtrust.org/overview-of-trust-services/item64420.aspx
Why use a framework?
Frameworks are used as a process to guide organisations to achieve objectives and create value
Ensuring the information that comes from their systems provides value
Reliable systems
Security (Ch 14)
Confidentiality (Ch 15)
Privacy (Ch 15)
Processing integrity (Ch 16)
Availability (Ch 16)
[Diagram: the five Trust Services principles (security, confidentiality, privacy, processing integrity, availability) supporting systems reliability]
AVAILABILITY
Reliable systems are available for use whenever needed.
Threats to system availability originate from many sources, including:
Hardware and software failures
Natural and man-made disasters
Human error
Worms and viruses
Denial-of-service attacks and other sabotage
Availability Controls
Proper controls can minimise the risk of significant system downtime caused by the preceding threats.
It is impossible to totally eliminate all threats.
Consequently, organisations must develop disaster recovery and business continuity plans to enable them to quickly resume normal operations after such an event.
Minimising System Downtime
To avoid hardware or software malfunctions which cause an AIS to fail
Proactive Step
Preventative maintenance – cleaning, proper storage (COBIT control objective DS 13.5)
Fault tolerance - Use of redundant components
UPS (Uninterruptible power supply)
Proper location of critical servers (COBIT control objectives DS 12.1 and 12.4)
Fire detection and suppression devices
Cooling
Training - Well-trained operators are less likely to make mistakes and more able to recover if they do
Disaster Recovery and Business Continuity Plans
To enable computing capability to be recovered as soon as possible after a disaster
Reactive Step that should:
Minimise disruption, damage and loss
Establish temporary processing
Resume normal operations
Train staff
RS pp. 310-12
Disaster recovery Key Considerations
Key components of effective disaster recovery and business continuity plans include
Data backup procedures
Full/Partial backups
Multiple
Infrastructure replacement
Hot site – facilities installed ready to use
Cold site – facilities not installed but can be quickly set up
Documentation
Testing
Insurance
RS pp. 310-12
Example - IBM
Security
Who needs access to what information, when they need it, and on which system the information resides
Security Controls include:
Authentication controls
Authorisation controls
Training
Controlling physical access
Internet and e-Commerce considerations
Authentication and Authorisation Controls
Authentication – Determine the Legitimacy of the User
User IDs and passwords (something they know)
Physical possession identification (something they have)
Biometric identification - fingerprints, retina, voice (some physical characteristic)
Authorisation - Allow access to data necessary for role and limit access ability as necessary
Reading, Copying, Adding, Deleting
Access Control Matrix
Compatibility tests
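The access control matrix and compatibility test described above, worked through for a small accounts-payable system. This is an added example, not code from the lecture or its textbook; the roles, users, resources, permitted actions and the segregation-of-duties rule are constructed assumptions.

```python
"""Access control matrix with a compatibility test (added example).

Authentication is assumed to have already established who the user is;
this code covers only the authorisation decision and its audit trail.
"""
from dataclasses import dataclass, field

# Actions follow the slide: reading, copying, adding, deleting.
ACTIONS = {"read", "copy", "add", "delete"}

# Access control matrix: role -> resource -> actions the role may perform.
# Constructed sample data for an accounts-payable (AP) system.
ACCESS_CONTROL_MATRIX = {
    "ap_clerk": {
        "supplier_invoices": {"read", "add"},
        "supplier_master": {"read"},
    },
    "ap_supervisor": {
        "supplier_invoices": {"read", "add", "delete"},
        "supplier_master": {"read", "add", "delete"},
        "payment_run": {"read", "add"},
    },
    "internal_auditor": {
        "supplier_invoices": {"read", "copy"},
        "supplier_master": {"read", "copy"},
        "payment_run": {"read", "copy"},
    },
}

# Constructed user-to-role assignments.
USER_ROLES = {"alice": "ap_clerk", "bob": "ap_supervisor", "carol": "internal_auditor"}

# Assumed segregation-of-duties rule: one role must not be able to both create
# supplier master records and create payment runs, since that combination lets
# a single person set up and pay a supplier without a second check.
INCOMPATIBLE_DUTIES = (("supplier_master", "add"), ("payment_run", "add"))


@dataclass
class AccessLog:
    """Denied attempts, kept for review by whoever administers security."""
    denied: list = field(default_factory=list)


def compatibility_test(user, action, resource, log=None,
                       matrix=ACCESS_CONTROL_MATRIX, roles=USER_ROLES):
    """Compare the requested action with the user's authority.

    Returns True only when the user's role has that action on that resource.
    Unknown users, unknown roles and unknown resources are all denied.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    role = roles.get(user)
    allowed = action in matrix.get(role, {}).get(resource, set())
    if not allowed and log is not None:
        log.denied.append((user, action, resource))
    return allowed


def segregation_of_duties_violations(matrix=ACCESS_CONTROL_MATRIX):
    """Roles whose permissions include every entry of INCOMPATIBLE_DUTIES."""
    return [
        role for role, perms in matrix.items()
        if all(action in perms.get(resource, set()) for resource, action in INCOMPATIBLE_DUTIES)
    ]


if __name__ == "__main__":
    log = AccessLog()
    for attempt in [("alice", "read", "supplier_invoices"),
                    ("alice", "delete", "supplier_invoices"),
                    ("carol", "copy", "payment_run"),
                    ("dave", "read", "supplier_master")]:
        print(attempt, "allowed" if compatibility_test(*attempt, log=log) else "DENIED")
    print("denied attempts logged:", log.denied)
    print("roles breaching the assumed SoD rule:", segregation_of_duties_violations())
```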
An Access Control Matrix
User Training
People play a critical role in information security
Effectiveness of procedures depends on how well employees understand and follow security policies
Training Should Include:
Follow safe computer practices
Avoid social engineering attacks (deception to obtain unauthorised access)
Keep abreast of recent developments
Controlling Physical Access
Key Considerations:
Lock rooms, especially server rooms, to limit access; limit the number of entrances to secure areas and monitor them
Use reliable ID for access (Badges, Biometrics)
Log visitor access, require badges, escort whilst in secure area
Alarms – smoke, fire and motion
Restrict access to network components
Secure equipment to avoid removal
Control laptops, mobile phones and PDAs
Internet & e-Business Concerns
Extremely Vulnerable to Security Issues
Key Reasons
Internet’s size, complexity and user numbers
Many web sites have security flaws
Attracts hackers
An unknown environment
Key Considerations
Passwords
Encryption
Virus detection
Firewalls
Virtual Private Networks (tunnelling)
Review – Module 1
Why is it important to have a reliable system?
Why would you use a framework for achieving a reliable system?
Module 2
System reliability principles of confidentiality and privacy.
Key (control) considerations under these principles.
CONFIDENTIALITY
Reliable systems maintain the confidentiality of sensitive information.
CONFIDENTIALITY
Maintaining confidentiality requires that management identify which information is sensitive.
Each organisation will develop its own definitions of what information needs to be protected.
Most definitions will include:
Business plans
Pricing strategies
Client and customer lists
Legal documents
CONFIDENTIALITY
Encryption is a fundamental control procedure for protecting the confidentiality of sensitive information.
Confidential information should be encrypted:
While stored
Whenever transmitted
CONFIDENTIALITY
The Internet provides inexpensive transmission, but data is easily intercepted.
Encryption solves the interception issue.
If data is encrypted before sending it, a virtual private network (VPN) is created.
Provides the functionality of a privately owned network
But uses the Internet
CONFIDENTIALITY
Use of VPN software creates private communication channels, often referred to as tunnels.
The tunnels are accessible only to parties who have the appropriate encryption and decryption keys.
Cost of the VPN software is much less than costs of leasing or buying a privately-owned, secure communications network.
Also, makes it much easier to add or remove sites from the “network.”
CONFIDENTIALITY
It is critical to encrypt any sensitive information stored in devices that are easily lost or stolen, such as laptops, PDAs, cell phones, and other portable devices.
Many organisations have policies against storing sensitive information on these devices.
81% of users admit they do so anyway.
CONFIDENTIALITY
Encryption alone is not sufficient to protect confidentiality. Given enough time, many encryption schemes can be broken.
Access controls are also needed:
To prevent unauthorised parties from obtaining the encrypted data; and
Because not all confidential information can be encrypted in storage.
Strong authentication techniques are necessary.
Strong authorisation controls should be used to limit the actions (read, write, change, delete, copy, etc.) that authorised users can perform when accessing confidential information.
CONFIDENTIALITY
Access to system outputs should also be controlled:
Do not allow visitors to roam through buildings unsupervised.
Cell phones (Jamming)
Require employees to log out of any application before leaving their workstation
Use of password-protected screen savers
Restrict access to printers and fax machines.
Use codes to reflect different levels of report sensitivity
Proper disposal of sensitive material
CONFIDENTIALITY
It is especially important to control disposal of information resources.
Printed reports and microfilm with sensitive information should be shredded.
Other material?
CONFIDENTIALITY
Other confidential information
Phone conversations
Voice over Internet (e.g. Skype)
Instant Messaging
CONFIDENTIALITY
Key controls to protect confidentiality of information:
| Situation | Controls |
| --- | --- |
| Storage | Encryption and access controls |
| Transmission | Encryption |
| Disposal | Shredding, thorough erasure, physical destruction |
| Overall | Training in proper work practices |
PRIVACY
In the Trust Services framework, the privacy principle is closely related to the confidentiality principle.
Primary difference is that privacy focuses on protecting personal information about customers rather than organisational data.
Key controls for privacy are the same that were previously listed for confidentiality.
PRIVACY
A number of regulations require organisations to protect the privacy of customer information.
PRIVACY
The AICPA and CICA list ten internationally recognized best practices for protecting the privacy of customers’ personal information:
Management
The organisation establishes a set of procedures and policies for protecting privacy of personal information it collects.
Assigns responsibility and accountability for those policies to a specific person or group.
Notice
Provides notice about its policies and practices when it collects the information or as soon as practicable thereafter.
Choice and consent
Describes the choices available to individuals and obtains their consent to the collection and use of their personal information.
Collection
The organisation collects only that information needed to fulfill the purposes stated in its privacy policies.
Use and retention
The organisation uses its customers’ personal information only according to stated policy and retains that information only as long as needed.
Access
The organisation provides individuals with the ability to access, review, correct, and delete the personal information stored about them.
Disclosure to Third Parties
The organisation discloses customers’ personal information to third parties only per stated policy and only to third parties who provide equivalent protection.
Security
The organisation takes reasonable steps to protect customers’ personal information from loss or unauthorized disclosure.
Quality
The organisation maintains the integrity of its customers’ personal information.
Monitoring and enforcement
The organisation assigns one or more employees to be responsible for assuring and verifying compliance with its stated policies.
Also provides for procedures to respond to customer complaints, including third-party dispute-resolution processes.
PRIVACY
As with confidentiality, encryption and access controls are the two basic mechanisms for protecting consumers’ personal information.
It is common practice to encrypt all personal information transmitted between individuals and the organisation’s Website.
However, encryption only protects the information in transit.
Consequently, strong authentication controls are needed to restrict Website visitors’ access to individual accounts.
Other Privacy Concerns
Cookies
Cookies are text files and cannot “do” anything other than store information, but many people worry that they violate privacy rights.
Spam
Unsolicited email that contains either advertising or offensive content.
Reduces the efficiency benefits of email.
Is a source of many viruses, worms, spyware, and other malicious content.
Importance of training
Organisations need to train employees on how to manage personal information collected from customers.
Review – Module 2
Why is it important to consider confidentiality and privacy of information?
Module 3
System reliability principles of processing integrity.
Some of the key (control) considerations under this principle.
PROCESSING INTEGRITY
Addresses the need for controls over the input, processing, and output of data.
Identifies six categories of controls that can be used to satisfy that objective.
Six categories are grouped into three for discussion.
PROCESSING INTEGRITY
Three categories/groups of integrity controls are designed to meet the preceding objectives:
Input controls
Processing controls
Output controls
Processing Integrity
Output is what is desired - Produces information that is accurate and timely, reflects the results of only authorised transactions, and is complete
2 Key Factors
Data input quality
Processing of that data
Input Controls
If the data entered into a system is inaccurate or incomplete, the output will be, too.
Garbage in, garbage out
Companies must establish control procedures to ensure that all source documents are:
authorised, accurate, complete, properly accounted for, and entered into the system or sent to their intended destination in a timely manner.
Input Controls
The following input controls regulate integrity of input:
Forms design
Source documents and other forms should be designed to help ensure that errors and omissions are minimised
Pre-numbered forms sequence test
Pre-numbering helps verify that no items are missing.
Turnaround documents
Documents sent to external parties that are prepared in machine-readable form to facilitate their subsequent processing as input records.
Cancellation and storage of documents
Source documents that have been entered should be cancelled so they aren’t mistakenly re-entered (not disposed of, just flagged)
Authorisation and segregation of duties
Source documents should be prepared only by authorised personnel acting within their authority
Visual scanning
Documents should be scanned for reasonableness and propriety.
Data entry controls
Data Input Quality
Data Entry Controls- how data is entered into a system
Check the validity and accuracy of input data
Sometimes referred to as “input validation controls”
Data Entry Controls – Edit Checks
Field check – numeric, text, date
Sign check – positive or negative (e.g. inventory quantity must be positive)
Limit check – maximum hours worked (40), age
Range check – between 2 values
Size check – limit the size of a field (e.g. age is 2 or 3 digits)
Completeness check – all fields are complete
Validity check – are the values valid (do they exist)
Reasonableness test – overtime = 0 when normal hours is < 40
Check digit – additional digit added to account numbers, policy numbers, ID numbers, etc.
Processing Controls
Preserve the accuracy and completeness of data processing.
Data matching – vendor invoice with purchase order before continuing with payment
File labels – correct files are updated – check header and trailer records
Recalculation of batch totals – all transactions processed correctly
Cross-footing balance test – check balance in various ways
Write-protection mechanisms – protect master files
Concurrent update controls – protect records from being updated by two users simultaneously.
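Three of the processing controls above (data matching, recalculation of batch totals, and the cross-footing balance test) applied to a constructed batch of supplier invoices. This is an added example, not code from the lecture; the purchase orders, invoices, control totals and the approved/held summary layout are all constructed assumptions.

```python
"""Processing controls over a batch of supplier invoices (added example)."""
from decimal import Decimal

# Constructed purchase-order master file.
PURCHASE_ORDERS = {
    "PO-1001": {"supplier": "S-20", "qty": 100, "unit_price": Decimal("12.50")},
    "PO-1002": {"supplier": "S-31", "qty": 40, "unit_price": Decimal("80.00")},
    "PO-1003": {"supplier": "S-20", "qty": 250, "unit_price": Decimal("3.20")},
}

# Constructed batch of vendor invoices as keyed by the accounts-payable clerk.
INVOICE_BATCH = [
    {"invoice": "INV-77", "po": "PO-1001", "supplier": "S-20", "qty": 100, "unit_price": Decimal("12.50")},
    {"invoice": "INV-78", "po": "PO-1002", "supplier": "S-31", "qty": 40, "unit_price": Decimal("85.00")},
    {"invoice": "INV-79", "po": "PO-1003", "supplier": "S-20", "qty": 250, "unit_price": Decimal("3.20")},
    {"invoice": "INV-80", "po": "PO-1009", "supplier": "S-44", "qty": 10, "unit_price": Decimal("5.00")},
]

# Control totals the clerk wrote on the batch header when it was assembled
# (constructed): record count, financial total and a hash total of quantities.
BATCH_CONTROL_TOTALS = {"record_count": 4, "financial_total": Decimal("5500.00"), "hash_total": 400}


def invoice_amount(inv):
    return Decimal(inv["qty"]) * inv["unit_price"]


def match_invoice(inv, purchase_orders=PURCHASE_ORDERS):
    """Data matching: discrepancies between the invoice and its purchase order (empty = match)."""
    po = purchase_orders.get(inv["po"])
    if po is None:
        return ["no matching purchase order"]
    return [f"{f} differs from purchase order" for f in ("supplier", "qty", "unit_price")
            if inv[f] != po[f]]


def batch_totals(batch):
    """Recalculate the three batch totals from the records actually processed."""
    return {
        "record_count": len(batch),
        "financial_total": sum((invoice_amount(i) for i in batch), Decimal("0")),
        "hash_total": sum(i["qty"] for i in batch),
    }


def batch_total_differences(batch, control_totals):
    """Compare recalculated totals with the header's control totals; empty dict means they agree."""
    actual = batch_totals(batch)
    return {k: (control_totals[k], actual[k]) for k in control_totals if control_totals[k] != actual[k]}


def payables_summary(batch, purchase_orders=PURCHASE_ORDERS):
    """Route each invoice to an approved or held column per supplier, with a row total."""
    rows = {}
    for inv in batch:
        row = rows.setdefault(inv["supplier"], {"approved": Decimal("0"), "held": Decimal("0")})
        column = "held" if match_invoice(inv, purchase_orders) else "approved"
        row[column] += invoice_amount(inv)
    for row in rows.values():
        row["total"] = row["approved"] + row["held"]
    return rows


def cross_footing_test(rows):
    """Cross-footing balance test: columns summed across must equal row totals summed down."""
    down = sum((r["total"] for r in rows.values()), Decimal("0"))
    across = sum((r["approved"] + r["held"] for r in rows.values()), Decimal("0"))
    return down == across


if __name__ == "__main__":
    for inv in INVOICE_BATCH:
        print(inv["invoice"], match_invoice(inv) or "matches purchase order")
    print("control total differences:", batch_total_differences(INVOICE_BATCH, BATCH_CONTROL_TOTALS))
    summary = payables_summary(INVOICE_BATCH)
    print("summary:", summary, "cross-foots:", cross_footing_test(summary))
```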
Output Controls
User review of output – Examine output to verify:
Reasonableness, completeness, intended recipient
Reconciliation procedures - Should reconcile corresponding output and input control totals
General ledger control accounts with subsidiary ledger (accounts receivable, accounts payable, inventory, non-current assets)
External data reconciliation – Database totals should be verified with data maintained outside the system
e.g. Inventory on hand compared to quantity on hand recorded
Data transmission – Reduce the risk of data transmission failures
Data encryption (cryptography)
Routing verification procedures e.g. checksums
Parity checking (whether the number of 1s is odd or even)
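The two data-transmission controls named above, parity checking and checksums, worked through on a constructed message, including the errors each one misses. This is an added example, not code from the lecture; the message bytes and the simulated bit flips are constructed, and the checksum used is the 16-bit ones-complement checksum of RFC 1071 (the one IP, TCP and UDP use) rather than any scheme the slide specifies.

```python
"""Parity bits and a 16-bit checksum as data-transmission controls (added example)."""

# Constructed message: an invoice line as it might be sent between systems.
MESSAGE = b"INV-78 3400.00"


def add_even_parity(data):
    """Each byte carries 7 data bits; bit 7 is set so the count of 1s is even."""
    out = bytearray()
    for b in data:
        if b > 0x7F:
            raise ValueError("parity framing needs 7-bit data")
        out.append(b | (0x80 if bin(b).count("1") % 2 else 0))
    return bytes(out)


def parity_errors(frame):
    """Indexes of bytes whose count of 1s is odd; a single flipped bit shows up here."""
    return [i for i, b in enumerate(frame) if bin(b).count("1") % 2]


def internet_checksum(data):
    """RFC 1071 checksum: ones-complement of the ones-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                 # pad an odd-length message
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def append_checksum(data):
    """Sender side: pad to even length, then append the checksum as two bytes."""
    if len(data) % 2:
        data += b"\x00"
    return data + internet_checksum(data).to_bytes(2, "big")


def verify_checksum(frame):
    """Receiver side: data plus its own checksum sums to zero when intact."""
    return internet_checksum(frame) == 0


def flip_bit(data, index, bit):
    """Simulate line noise by flipping one bit (constructed fault injection)."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


if __name__ == "__main__":
    framed = add_even_parity(MESSAGE)
    print("parity errors, clean:", parity_errors(framed))
    print("parity errors, one flipped bit:", parity_errors(flip_bit(framed, 3, 2)))
    # Two flips in the same byte restore even parity: parity misses even-count errors.
    print("parity errors, two flipped bits:", parity_errors(flip_bit(flip_bit(framed, 3, 2), 3, 5)))
    frame = append_checksum(MESSAGE)
    print("checksum ok:", verify_checksum(frame), "after a flip:", verify_checksum(flip_bit(frame, 0, 0)))
    # Swapping two 16-bit words leaves the sum unchanged: a checksum cannot catch reordering.
    print("same checksum for reordered words:", internet_checksum(b"V-IN78 3400.00") == internet_checksum(MESSAGE))
```

Neither control is cryptographic: both detect accidental corruption only, which is why the slide lists encryption alongside them rather than in place of them.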
Review – Module 3
What does reliability of processing refer to?
Summary
Importance of a reliable system and the need to use a recognised framework to comply with regulations
What are the five principles of system reliability?
Next week
E-Business and Computer Fraud
Continue with Excel in the tutorials
See you then
AYB221 Lecture 11 E-Business and Computer Fraud(3).pptx
LECTURE 11
E-Business and Computer Fraud
Queensland University of Technology
CRICOS No. 00213J
Excel Quiz
Saturday 24th May at 10am (End of Week 12).
20 MC questions – 35 minutes working time
Must be attempted using Mozilla Firefox
All the work in the Excel Workbook and the Excel Lecture in Week 9 will be examinable
Same processes as the quiz for Access
Note the timer just counts down from 35 minutes. There will be no warnings during the quiz re time, so you must focus on the timer to ensure you don’t run out of time.
Final Exam
4 questions worth 25 marks each. Total 100 marks - worth 60% of your final grade
Content Covered
Cover Weeks 4-13 knowledge excluding Excel lecture in Week 9.
There will be no Excel, MYOB or Access in the exam.
Structure
Questions 1-2 will mainly be short answer questions and will focus on the theory associated with accounting cycles. Note: CasWorkX videos and MYOB may be used as examples to assist with answering these cycle questions.
Question 3 will be short answer theory related questions
Question 4 will be short answer questions related to a case study.
Final Exam
Student Preparation
You will be provided with the case study one week prior to the exam date so you can prepare for the potential questions you will be asked
You will be able to bring in 1 double sided resource sheet (i.e. 2 pages) in any format
You should start working through the review quizzes for each week from 4 onwards and reading your lecture notes and the text book.
Watching the CasWorkX videos will also assist with understanding the accounting cycles
Reading
A SYSTEMATIC APPROACH TO E-BUSINESS SECURITY
http://ausweb.scu.edu.au/aw03/papers/otuteye/paper.html#_ftn2
Chap 15: 463-470
Chap 12 352-357
Lecture Modules
What is E-Business
E-Business Security
Encryption
Computer Fraud
What is E-Business?
E-Business and E-Commerce
Different types of Network Infrastructures relating to
Locality/Size
Connectivity
Role of the communication tools and protocols
I’m an accountant, why should I worry about e-business?
E-Business, and particularly e-commerce, has impacted and will continue to impact many dimensions of the accounting profession
Understand how the Internet fits into the company’s business strategy
Integrate accounting software that can track sales orders and customer data
Internal auditors must understand the laws relating to sales and ensure the e-business website is secure and trustworthy
Must be aware of the various tax issues with online trading
Source: Hicks, J (2004), UNC Greensboro Journal of Student Research in Accounting Issue 1, 1-16
A change of duties
The increased technology and global business will expand accountants’ duties and offer new challenges
Web assurance services
Assure customers about the security and features of a website
These services create new opportunities for CPAs
Advise management on the best and most profitable way to enter into the world of ecommerce
What is E-Business
Definition
Technology-enabled business interactions between parties
Application of information and communication technologies in support of all the activities of business
E-commerce generally refers to the transaction processing component of E-business
e-Business vs e-Commerce
E-Business: improving business performance through low cost and open connectivity:
New technologies in the value chain
Connecting value chains across businesses
in order to:
Improve service/reduce costs
Open new channels
Transform competitive landscapes
E-Commerce: marketing, selling and buying of products and services on the Internet
This is our definition. Yours may be just as valid.
e-Commerce is largely what you see in the press: transactions using open networks. Often also concentrated on consumer commerce over the world wide web.
e-Business is the use of information networks to gain competitive advantage
Universal connectivity between enterprises and value chains
Process enhancement
Innovative business models
e-Business is different from e-commerce - e-business is about blowing up your business model - much broader than selling books on the Internet
Different Models
coles.com.au
ebay.com.au
fotolia.com
vistaprint.com.au
austrade.gov.au
ato.gov.au
Gateway.gov.uk
humanservices.gov.au
E-Business Network Infrastructure
LAN - Local area network
A network that links nodes (computers or other devices) within a limited geographical area such as a building.
WAN - Wide area network
A network that links nodes (computers or other devices) over a large geographic area.
VPN - Virtual private network
A network that uses the Internet as if it were a private network by use of encryption and authentication technologies.
VAN - Value added network
A network designed to facilitate the exchange of data between various private networks, e.g. EDI
E-Business Network Infrastructure
Internet
An international network of independent computers that operates as a giant seamless computing network.
Intranet
A private network using Internet technologies to enable employees to share information.
Extranet
Formed by extending an intranet beyond a company to customers, suppliers and collaborators.
Communication Tools and Protocols
Communications software performs the functions of
Access control
Network management
Data and file transmission
Error detection and control
Data security
Internet Protocol – Agreed Protocol
TCP/IP - Transmission Control Protocol/Internet Protocol
Breaks up digital messages into packets, sends them to the proper address and then reassembles them into coherent messages
What have you learnt in Module 1
Thinking about your experience with online shopping, what other accounting challenges do you foresee?
E-Business Security
The 6 key objectives of information security policy in E-Business
The concept of trust in e-business transactions
E-Business Control Issues
Key Resource
A Systematic Approach To E-business Security
URL - http://ausweb.scu.edu.au/aw03/papers/otuteye/paper.html#_ftn2
Information Security Policy in E-Business
Must Ensure (Six Key Objectives):
Confidentiality;
Integrity;
Availability;
Legitimate use (identification, authentication, and authorization);
Auditing or traceability; and
Non-repudiation.
Information Security Policy in E-Business
Confidentiality
Involves making information accessible only to authorized parties, or restricting information access by unauthorized parties.
Integrity
The system will perform as trusted.
Transmitting information over the Internet (or any other network) is similar to sending a package by mail. The package may travel across numerous trusted and untrusted networks before reaching its final destination. It is possible for the data to be intercepted and modified while in transit.
Information Security Policy in E-Business
Availability
Systems, data, and other resources are usable when needed despite subsystem outages and environmental disruptions.
Legitimate use
Three components - identification, authentication and authorization.
Identification involves a process of a user positively identifying itself (human or machine).
The response to identification is authentication.
Once an entity is certified as uniquely identified, the next step in establishing legitimate use is to ensure that the entity’s activities within the system are limited to what it has the right to do (authorization).
Information Security Policy in E-Business
Traceability or Trust
From an accounting perspective, auditing is the process of officially examining accounts. Similarly, in an e-business security context, auditing is the process of examining transactions.
Trust is enhanced if users can be assured that transactions can be traced from origin to completion.
Information Security Policy in E-Business
Non-repudiation
The ability of an originator or recipient of a transaction to prove to a third party that their counterpart did in fact take the action in question.
Thus the sender of a message should be able to prove to a third party that the intended recipient got the message, and the recipient should be able to prove to a third party that the originator did actually send the message.
Trust and E-Business Transactions
Traditional control (trust) is built on the premise that people perform the activities and paper is used extensively.
Can the same be said in an E-Business environment?
A new approach is needed to control an environment based on IT.
What have you learned in Module 2?
Why is this E-Business trust different to normal trust situations?
Encryption
Describing Encryption/PKI.
Digital Certificates and who provides them
SSL and how it works
Encryption
When is money at greater risk of being lost: when it is stored in the bank, or when it is being transported?
Think about this in terms of data: stored on a computer, or being transmitted?
As a result, encrypting data while it is being transmitted is crucial.
Encryption Methods
Symmetric
Uses one key to encode and decode the message (i.e. the sender and the recipient must have the same key)
Asymmetric
Uses two keys, with one key to encode (Public) and a second related, but different key (Private) to decode.
Encryption Infrastructure
Transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
Digital Signature (Sender to Receiver)
Sender: Message Text -> Encryption with Private Key of Sender -> Ciphered Text
Receiver: Ciphered Text -> Decryption with Public Key of Sender -> Message Text
IF: Decrypted OK
THEN: Message must have been sent by the owner of the Public/Private Key combination
THEREFORE: a Digital Signature
Digital Certificates
An electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth.
The certificate can be used to verify that a public key belongs to an individual.
Who Provides Digital Certificates?
Certifying Authorities (CA)
Purpose:
Verify the information and create a certificate that contains the applicant’s public key along with identifying information
http://www.verisign.com.au/repository/tutorial/digital/intro1.shtml
http://www.sslshopper.com/what-is-ssl.html
Secure Site Certificates
How can a computer crack a key?
By trying every combination
4-bit key: 2^4 (= 16) different combinations
64-bit encryption
2^64 ≈ 2 × 10^19 different combinations
128-bit encryption
2^128 ≈ 3 × 10^38 different combinations
1024-bit encryption
2^1024 ≈ 8 × 10^307 different combinations
Secure Sockets Layer (SSL)
An encryption method that provides communication security over the Internet.
The following is a simplified example of the setting up of a secure interaction between a consumer Browser and an e-commerce Server using SSL
SSL Handshake (Browser and Secure Server)
1. Browser: request to connect
2. Server: signed Digital Certificate including the server’s public key
3. Browser: certificate verified and server authenticated
4. Browser: secret private session key generated and encrypted with the server’s public key
5. Browser to Server: encrypted private session key
6. Server: server private key used to decrypt the secret private session key
7. Both: private session key communication
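As an added example, not from the lecture slides, the two diagrams above (the digital-signature rule "if it decrypts with the sender's public key, the sender's private key produced it", and the seven-step handshake in which the browser wraps a session key with the server's public key) simulated in Python. Everything in it is constructed for illustration: the primes are tiny, the "certificate" is a dictionary signed by a toy CA, the host name shop.example and all function names are my own, and the SHA-256 keystream stands in for the real symmetric cipher.

```python
"""Toy digital signature and simplified SSL-style handshake (educational only).

Added example: the RSA primes, the CA, the certificate format and the
"stream cipher" are all constructed for illustration and are NOT secure.
"""
import hashlib
import secrets

E = 65537  # common RSA public exponent


def make_keypair(p: int, q: int, e: int = E):
    """Textbook RSA: returns ((n, e) public key, (n, d) private key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def _digest(message: bytes, n: int) -> int:
    # Sign the hash of the message; reduce mod n only because the toy modulus is tiny.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    n, d = private
    return pow(_digest(message, n), d, n)  # "encrypt" with the sender's private key


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(message, n)  # "decrypt" with the public key


def rsa_encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """A CA binds an identity to a public key by signing both (toy stand-in for X.509)."""
    n, e = subject_public
    return {"subject": subject, "public_key": subject_public,
            "ca_signature": sign(ca_private, f"{subject}|{n}|{e}".encode())}


def check_certificate(ca_public, cert: dict, expected_subject: str) -> bool:
    """Step 3: the browser checks the CA signature and that the name matches the site."""
    n, e = cert["public_key"]
    signed_fields = f"{cert['subject']}|{n}|{e}".encode()
    return cert["subject"] == expected_subject and verify(ca_public, signed_fields, cert["ca_signature"])


def stream_xor(session_key: int, data: bytes) -> bytes:
    """Symmetric step: XOR with a SHA-256 keystream (the same call encrypts and decrypts)."""
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(session_key.to_bytes(8, "big") + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def ssl_handshake(ca_public, server_cert: dict, server_private, expected_host: str, plaintext: bytes):
    """Steps 2-7 of the slide. Returns (certificate_ok, bytes the server recovered)."""
    if not check_certificate(ca_public, server_cert, expected_host):  # step 3
        return False, None
    n, _ = server_cert["public_key"]
    session_key = secrets.randbelow(n - 2) + 2  # step 4: browser picks a random session key
    wrapped = rsa_encrypt(server_cert["public_key"], session_key)  # step 5: sent to the server
    server_key = rsa_decrypt(server_private, wrapped)  # step 6: only the private key unwraps it
    ciphertext = stream_xor(session_key, plaintext)  # step 7: browser encrypts with the session key
    return True, stream_xor(server_key, ciphertext)  # step 7: server decrypts with its copy


# Constructed demo keys from small, well-known primes (real keys use 1024-bit and larger primes).
CA_PUBLIC, CA_PRIVATE = make_keypair(104729, 1299709)
SERVER_PUBLIC, SERVER_PRIVATE = make_keypair(999983, 1000003)
SERVER_CERT = issue_certificate(CA_PRIVATE, "shop.example", SERVER_PUBLIC)

if __name__ == "__main__":
    msg = b"order 42: 2 dog coats"
    sig = sign(SERVER_PRIVATE, msg)
    print("signature valid:", verify(SERVER_PUBLIC, msg, sig))
    print("tampered message valid:", verify(SERVER_PUBLIC, msg + b"!", sig))
    print("handshake:", ssl_handshake(CA_PUBLIC, SERVER_CERT, SERVER_PRIVATE, "shop.example", msg))
```

The two failure modes the slide glosses over are the ones worth watching in practice: a certificate that does not chain to a trusted CA, or whose subject does not match the host being visited, must abort the handshake before any key is sent (the `False, None` branch). Note also that the "encrypt the session key with the server's public key" design shown here is RSA key transport; current TLS (1.3) instead agrees the session key with an ephemeral Diffie-Hellman exchange, so a server private key stolen later cannot be used to decrypt recorded sessions.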
QUT SSL Handshake (Student PC and QUT Secure Server)
1. Student PC: log into QUT Virtual using QUT username and access password
2. QUT Server responds to the student request with the QUT Digital Certificate & QUT Public Key
3. Student PC: Internet program verifies the QUT digital certificate & QUT Public Key
4. Student PC: Student’s Private Session Key generated
5. Student PC: Student’s Private Session Key encrypted with the QUT Public Key and sent to QUT
6. QUT Server: decrypted with the QUT private key
7. Both now have the Student’s Private Session Key: the key on the QUT server communicates with the same key on the Student PC
QUT - Authentication
Session Creation
What have you learnt in Module 3?
Why is it important to use a Digital Certificate?
Is it necessary to know who provides such services?
Computer Fraud
Computer Fraud Classification
Abuse Techniques
Computer Fraud Prevention and Detection
Computer Fraud
Any illegal act in which knowledge of computer technology is necessary for:
Perpetration
Investigation
Prosecution.
Computer Fraud
Unauthorised theft, use, access, modification, copying and destruction of software or data
Theft of money by altering computer records
Theft of computer time
Theft or destruction of computer hardware
Use or the conspiracy to use computer resources to commit a felony
Intent to illegally obtain information or tangible property through the use of computers
Computer Fraud
By using computer technology, fraudsters can steal:
More,
In less time,
With less effort
Often leaving little evidence, making it hard to detect
Computers are vulnerable
Hard to control physical access, especially portable devices
To be flexible, organisations want employees, customers and suppliers to access their systems
Access privileges are difficult to enforce and often overlooked
Segregation of duties is harder with computer tasks
Rise of Computer Fraud
Definition is not agreed on
Looking at someone else’s computer
Unlicensed copy of software
Many go undetected
High percentage is not reported
Adverse publicity
Loss of customer confidence (Reputation)
Copycats
Lack of network security
Step-by-step guides are easily available
Law enforcement is overburdened
Difficulty calculating loss
The belief that “it won’t happen to us”
Computer Fraud Classifications
Input Fraud
Alteration or falsifying input.
Requires few computer skills
Disbursement Fraud
Causing the company to pay too much for ordered goods
Inventory Fraud
Entering data into system to show stolen inventory accounted for
Payroll Fraud
Increase salaries
Create fictitious employee (ghost)
Retain terminated employee on record
Cash Receipt Fraud
Fictitious Refund Fraud
Processor fraud
Unauthorised system use
Theft of computer time and services
Surfing the Internet
Conducting personal business
Conducting business for a competitor
Users are often oblivious to the ethical and moral issues with this type of fraud
Computer instructions fraud
Tampering with the software that processes company data
May include
Modifying software,
illegal copying of software,
using software in an unauthorised manner,
creating software to carry out unauthorised activities.
Used to be one of the least common types of fraud due to specialised computer knowledge
But now it is on the rise as a result of “instructions on the Internet”
Data fraud
Altering or damaging a company’s data files
Copying, using or searching data files without authorisation
Disgruntled employees are the highest risk for committing this fraud
Often theft of data occurs to
Sell to competitor
Use for setting up a company
Output fraud
Stealing, copying, or misusing computer printouts or displayed information
Prying eyes and unauthorised copying
Screen output can be easily read from a remote location using electronic gear
Creating counterfeit outputs such as cheques
Computer Attacks and Abuse
Hacking
Unauthorised access, modification, or use of a computer system or other electronic device.
Malware
Any software which can be used to do harm.
Social Engineering
Techniques, usually psychological tricks, to gain access to sensitive data or information.
Used to gain access to secure systems or locations.
Hacking Schemes
Salami Technique
Taking small amounts from many different accounts.
Round-down
Rounding figures down and depositing the remaining fractions
Economic Espionage
Theft of information, trade secrets, and intellectual property.
Internet Terrorism
Act of disrupting electronic commerce and harming computers and communications.
Social Engineering Techniques
Scavenging/Dumpster Diving
Looking for sensitive information in items thrown away.
Shoulder Surfing
Snooping over someone’s shoulder for sensitive information
Chipping
Planting a device to read credit card information in a credit card reader.
Eavesdropping
Listening to private communications.
Copyright ©2013 Pearson Australia (a division of Pearson Australia Group Pty Ltd) – 9781442542594/Romney/Accounting Information Systems/1e
Type of Malware
Spyware
Secretly monitors and collects personal information about users and sends it to someone else.
Adware
Pops up banner ads on a monitor, collects information about the user’s web-surfing and spending habits, and forwards it to the adware creator.
Key logging
Records computer activity, such as a user’s keystrokes, emails sent and received, Web sites visited, and chat session participation.
Trojan Horse
Malicious computer instructions in an authorised and otherwise properly functioning program.
Time bombs/logic bombs
Idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur.
Virus
A segment of self-replicating, executable code that attaches itself to a file or program.
During replication phase, the virus spreads to other systems when an infected file or program is downloaded or opened by a recipient.
Newer viruses can mutate each time they infect a computer.
Making them more difficult to detect and destroy.
Many viruses lie dormant for extended periods without causing damage, except to propagate themselves.
Worm
A self-replicating computer program similar to a virus, with some exceptions:
A virus is a segment of code hidden in or attached to a host program or executable file, whereas a worm is a stand-alone program.
A virus requires a human to do something (run a program, open a file etc.) to replicate itself, whereas a worm does not and actively seeks to send copies of itself to other network devices.
Worms harm networks (if only by consuming bandwidth), whereas viruses infect or corrupt files or data on a targeted computer.
Reside in email attachments and reproduce by mailing themselves to a recipient’s mailing list, resulting in an electronic chain letter.
Usually does not live very long.
Prevent and Detect Fraud
Organisations must take every precaution to protect their information systems
Make fraud less likely to occur
Increase the difficulty of committing fraud
Improve detection methods
Reduce fraud losses
Make fraud less likely to occur
All about the culture of the organisation
Internal employees are the greatest threat
Create a culture that stresses integrity
Have an active and independent audit committee
Develop a set of security policies and enforce them
Train employees
Increase the difficulty of committing fraud
Implement computer-based controls over data input, processing, storage, transmission and output
Develop strong internal controls
Segregate the accounting functions
Authorisation
Recording
Custody
Restrict physical and remote access to authorised personnel
Fix known software vulnerabilities immediately
Improve detection methods
Create an audit trail so individual transactions can be traced through the system to the financial statements and vice versa
Conduct periodic external and internal audits as well as network security audits
Install fraud detection software, intrusion detection systems
Implement a fraud hotline (whistleblowing)
Reduce Fraud Losses
Maintain adequate insurance
Develop comprehensive fraud contingency, disaster recovery and business continuity plans
Store backup copies in a secure off-site location
What have you learnt in Module 4?
Think about your own computer systems/applications, what sort of fraud can happen to you?
Final note…
Accounting systems contain some of a business’ most confidential data. The introduction of the Internet and new technologies creates vulnerabilities to cyber attacks on this confidential information.
For this reason, accountants need to be prudent and aware when implementing new technology until it has been tested and proven reliable enough to safeguard accounting data.
Next Week (Week 12)
Managing Risk & Threats
Continue with Excel in the tutorials
AYB221 Lecture 12 Managing Risk.pptx
Lecture 12
Managing Risk
Reading
Lecture
Chap 5: 139 onwards
Reminders
Excel Quiz
Sat 24th May at 10am
Final Exam
June 16th at 8.30am
Week 13 Review
Keep an eye out for the Insight Survey at the end of May
Lecture Modules
Accountants and their role in risk management
Using frameworks for risk management
COSO Enterprise Risk Management (ERM) Model (Global)
Standards Australia Risk Assessment Model (Australian)
The role of Accountants in risk management
APES 325
Responding to different forms of risks
Threats to AIS
Why should accountants be concerned with risk?
Accounting often plays varying roles in success or failure of all businesses
The key objects of most industries have physical existence independent of accounting
However, the key objects of finance (stocks, bonds, deposits, derivatives) are entirely defined by accounting, and do not exist independent of their accounting
Why should accountants be concerned with risk?
Important to clearly understand this link, and their interaction when trying to explore the role of accounting in risk management for firms
Management expects accountants to be control consultants i.e. accountants are to:
take a proactive approach to eliminating/reducing system threats
detect, correct, and recover from threats if and when they occur
APES 325 Risk Management for Firms
The Accounting Professional & Ethical Standards Board’s new standard APES 325 Risk Management for Firms came into effect on 1 January 2013
The standard requires firms to identify and address key organisational risks applicable to the circumstances of each practice
The requirements add value to practices where a risk culture is implemented and the Institute will be providing support for practices to achieve this.
What is Risk?
Refer to Lecture 3
Risk is the likelihood that a threat will actually come to pass
Threats - potential adverse events that may affect the organisation
Natural and political disasters
Software errors and equipment malfunctions
Unintentional acts (errors, accidents, lost data)
Intentional acts (computer crimes)
Exposure – actual financial loss associated with the adverse event
Threats to Accounting Information Systems
What are examples of natural and political disasters?
fire or excessive heat
floods
earthquakes
high winds
war
Threats to Accounting Information Systems
What are examples of software errors and equipment malfunctions?
hardware failures
power outages and fluctuations
undetected data transmission errors
Threats to Accounting Information Systems
What are examples of unintentional acts?
accidents caused by human carelessness
innocent errors of omissions
lost or misplaced data
logic errors
systems that do not meet company needs
Threats to Accounting Information Systems
What are examples of intentional acts?
sabotage
computer fraud
embezzlement
What is Risk Management?
Risk management is the
identification,
assessment and
prioritization of risks
followed by coordinated and economical application of resources to
minimise,
monitor and
control the probability and/or impact of unfortunate events.
How Much Risk to Tolerate?
Depends on the organisation’s risk appetite
Risk Appetite - the amount of risk an organisation is willing to take to achieve its goals and objectives
How much risk can the organisation tolerate?
A Computer Chip Manufacturer for:
Missile guidance system
Desktop PC
Depends upon the Nature of Business
Risk Appetite
(Figure: risk appetite scale from Risk Taker to Risk Averse)
Setting Risk Appetite
Key questions:
What risks will the organization not accept? (e.g. environmental or quality compromises)
What risks will the organization take on new initiatives? (e.g. new product lines)
What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)
Typical Response to Risks
Options that can be chosen
Avoid
Exit activities giving rise to the risk
Reduce
Action to reduce risk likelihood or impact or both
Share
Transferring or sharing risk such as insurance
Accept
No action taken to affect likelihood or impact
Enterprise Risk Management Framework, COSO 2004
Why are AIS Threats Increasing?
Technology has a lot to do with it
Increasing numbers of client/server systems mean that information is available to an unprecedented number of workers.
Because data is now more easily distributed to many users, they are harder to control than centralised systems.
Customers and suppliers can access each other’s systems and data, making confidentiality a concern.
Cloud computing adds a whole new level of risk
Inadequate Protection:
Threats are underestimated, controls are not well understood.
Productivity pressures, cost reduction pressures.
Companies have not always understood the threats.
Cost pressures mean that managers skip time-consuming control procedures.
What have you learnt in Module 1?
Why are threats to AIS increasing?
Why should accountants have an interest in risk?
Using Frameworks for Risk Management
Why use a framework
Overview of COSO frameworks
Risk Frameworks
Risk management processes of organisations are under increasing regulatory and private scrutiny
Risk is an essential part of any business. It can’t be avoided.
Properly managed, it drives growth and opportunity.
The issue is that executives often struggle with business pressures that may be partly or completely beyond their immediate control.
To help manage this risk, established frameworks are used
Frameworks to Help Manage Risks
Framework - a structural plan or basis of a project – a set of guidelines
The COSO Framework
COSO - Committee of Sponsoring Organizations of the Treadway Commission
Role – provide guidelines to organisations to manage their operations
Aspects of operations include:
organizational governance,
business ethics,
internal control – known as the COSO IC,
enterprise risk management – known as the COSO ERM,
fraud,
financial reporting
AS/NZS ISO 31000:2009
The COSO ERM Framework
Components
Internal Environment – setting the tone of the organisation
Objective Setting – What does the organisation want to achieve?
Event Identification – What are the factors?
Risk Assessment - know the risks and how they will affect meeting objectives
Risk Response – How will you deal with the factors?
Control Activities - put measures (controls) to manage risks
Information and Communication - regular communication up and down the organisational hierarchy
Monitoring - monitor the controls
Key Benefits From ERM
Awareness of risk increased
Cross-enterprise risk identified
Coordination across business units for more effective mitigation
Complete/consistent risk information
Common risk language established
Shareholder value protected/enhanced
The COSO ERM Framework
What have you learnt in Module 2?
Why use the COSO ERM Framework?
The COSO ERM in detail
Key steps and activities within the COSO-ERM framework
Internal Environment
Management philosophy, operating style and risk appetite
Board of Directors/Audit Committee
Integrity, Ethical Values and Competence
Organisational Structure
Authority and Responsibility
Human Resource Standards
External Influences
Objective Setting
Objectives must exist before management can identify potential events affecting their achievement
ERM does not dictate which objectives management should choose
Provides a process that aligns strategic objectives with the mission
Ensures that the chosen strategic and related objectives are consistent with the agency’s risk appetite
Objective Setting
Objectives
Strategic – high level goals aligned with company’s mission
Operations – deal with effectiveness and efficiency of company operations (such as performance and profitability goals)
Reporting – helps ensure accuracy, completeness and reliability of internal and external reports (both financial and non-financial)
Compliance – comply with all applicable laws and regulations
Event Identification
An event is an incident or occurrence, coming from internal or external sources, that affects implementation of strategy or achievement of objectives.
Events may have positive or negative impacts or both
Positive impacts represent opportunities
Negative impacts represent risks
Events represent uncertainty
Events do not often occur in isolation
Event Identification
A number of external and internal factors drive events
Economic
Technological
Natural Environment
Political
Social
Several techniques exist to help identify events
Include techniques which look to both the past and the future
Qualitative and Quantitative methods
Risk Assessment
Once possible events have been identified, a risk assessment is conducted
Risk assessment allows an organisation to consider the extent to which potential events have an impact on the achievement of objectives and which actions to take
Several risk assessment approaches exist
Often have similar structures
Risk Assessment - Approach
Risk Assessment Tools
Management assesses events from two perspectives - likelihood and impact
The positive and negative impacts of potential events are examined
Risks are assessed on both an inherent and a residual basis.
Several tools exist to help assess risk
Includes a combination of qualitative (interviews; surveys) and quantitative methods (value at risk; sensitivity analysis)
Visually portraying risk is often used to graphically represent likelihood and impact of one or more risks
Risk Map A Risk Assessment Tool
Example: Call Center
Identify and Estimate Controls
Once the risks have been assessed, controls are identified that will protect against the threats
Preventative, detective and/or corrective controls
No internal control system can provide foolproof protection
The cost would be prohibitively high
One way to calculate benefits involves calculating expected loss.
Expected Loss
Expected loss = risk × exposure
The benefit of a control procedure is the difference between the expected loss without the control procedure(s) and the expected loss with it.
Example of cost/benefit analysis:
An organisation is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
A catastrophic theft could result in losses of $800,000.
Local crime statistics suggest that the probability of a catastrophic theft is 12%.
Companies with motion detectors only have about a .5% probability of catastrophic theft.
The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.
Should they install the motion detectors?
Estimate Impact
| | Without security system | With security system | Net expected difference |
|---|---|---|---|
| Replacement cost | $800,000 | $800,000 | |
| Risk of theft | 12% | 0.5% | |
| Expected loss | $96,000 (12% chance that theft will occur: 0.12 × $800,000) | $4,000 (0.5% chance that theft will occur: 0.005 × $800,000) | $92,000 (estimated value of control procedure) |
| Estimated cost of system | $0 | $43,000 | $(43,000) |
| Net benefit | | | $49,000 |
Other Considerations
When evaluating a control, factors outside the expected-benefit calculation must also be considered
A control may be implemented even where its net benefit is negative (costs > benefits)
When would this happen?
When the event would be so damaging that it could threaten the continued existence of the entity
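The expected-loss calculation above, carried through as a small Python program. This is an added example, not part of the lecture slides; the figures are the slides' warehouse example, and the `existential_threshold` parameter is an assumption used to model the "other considerations" point that a control may be implemented at a negative net benefit when the uncontrolled loss would threaten the entity.

```python
"""Cost/benefit analysis of a control procedure (added example, not from the slides).

Uses the slides' formula, expected loss = risk x exposure, and the
motion-detector figures from the worked warehouse example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ControlOption:
    """One candidate control, described the way the slides describe the motion detector."""
    name: str
    exposure: float       # loss if the event occurs (replacement cost)
    risk_without: float   # probability of the event with no control in place
    risk_with: float      # probability of the event once the control is in place
    cost: float           # present value of buying, installing and running the control


def expected_loss(risk: float, exposure: float) -> float:
    """Expected loss = risk x exposure (slide formula)."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError("risk must be a probability between 0 and 1")
    return risk * exposure


def control_benefit(option: ControlOption) -> float:
    """Value of the control: expected loss without it minus expected loss with it."""
    without = expected_loss(option.risk_without, option.exposure)
    with_control = expected_loss(option.risk_with, option.exposure)
    return without - with_control


def net_benefit(option: ControlOption) -> float:
    """Benefit of the control less what it costs to implement and operate."""
    return control_benefit(option) - option.cost


def decide(option: ControlOption, existential_threshold: Optional[float] = None) -> Tuple[str, str]:
    """Return (decision, reason).

    A non-negative net benefit means implement. Following the slides' 'Other
    Considerations', a control with a negative net benefit may still be
    implemented when the uncontrolled loss would threaten the entity's
    existence; the threshold defining 'existential' is an assumption that
    the caller supplies.
    """
    nb = net_benefit(option)
    if nb >= 0:
        return "implement", f"net benefit ${nb:,.0f} is not negative"
    if existential_threshold is not None and option.exposure >= existential_threshold:
        return "implement", (f"net benefit ${nb:,.0f} is negative but a loss of "
                             f"${option.exposure:,.0f} would threaten the entity")
    return "do not implement", f"net benefit ${nb:,.0f} is negative"


# Figures from the slides' warehouse example
MOTION_DETECTOR = ControlOption("motion detector", exposure=800_000,
                                risk_without=0.12, risk_with=0.005, cost=43_000)

if __name__ == "__main__":
    print(f"Expected loss without control: ${expected_loss(0.12, 800_000):,.0f}")   # $96,000
    print(f"Expected loss with control:    ${expected_loss(0.005, 800_000):,.0f}")  # $4,000
    print(f"Value of control procedure:    ${control_benefit(MOTION_DETECTOR):,.0f}")  # $92,000
    print(f"Net benefit:                   ${net_benefit(MOTION_DETECTOR):,.0f}")   # $49,000
    print(decide(MOTION_DETECTOR))
```

Running it reproduces the table's $96,000, $4,000, $92,000 and $49,000 figures; changing `cost` to something above the $92,000 control value flips the decision unless an existential threshold is supplied.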
Risk Response
Having assessed relevant risks, management determines how it will respond.
If the decision is not to protect the system, the options available are:
Avoid the risk: exit the activities giving rise to the risk
Share the risk: transfer or share the risk, for example through insurance
Accept the risk: take no action to affect likelihood or impact
If the decision is to protect the system, the option available is:
Reduce the risk: implement controls to guard against the threat, and assign responsibility for implementing those controls
Control Activities
Control activities are the policies and procedures that help ensure that management’s risk responses are carried out.
Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as
approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
In addition to supporting risk responses, control activities themselves may serve as a risk response
Example of Control Activity supporting Risk Response
Risk Reduction
A hospital’s management recognized that its ability to protect the health and well-being of its patients would be adversely affected by disruption in electrical power supply. Management responded by installing back-up electrical generators. To help ensure that the generators operate when needed, the company’s engineering department conducts routine maintenance, with maintenance logs reviewed monthly by the head of the engineering department
Examples of Control Activity as a Risk Response
In some circumstances, control activities themselves serve as the risk response. This frequently is the case with respect to risks related to reporting objectives
To help ensure that computer interfaces between general ledger systems operate to effect complete and accurate processing, transaction totals from subsidiary systems are compared with the balance in the general ledger control account, with any differences reported and followed up.
To help minimise inventory losses, transfer documents are reviewed and approved by the warehouse supervisor before goods are released
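The general ledger interface check described above is a detective control: subsidiary-system totals are compared with the control account balance and every difference is reported for follow-up. The following Python reconciliation is an added example with constructed sample data, not code from the course; the account codes, references and amounts are invented for illustration.

```python
"""Detective control from the slides: reconcile subsidiary-system totals with the
general ledger control accounts and report every difference for follow-up.
Added example with constructed data; not from the course material."""
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, Tuple

Posting = Tuple[str, str, Decimal]   # (control account, document reference, amount)

# Constructed sample: postings made in the subsidiary systems during the period.
SUBSIDIARY_POSTINGS: List[Posting] = [
    ("AR", "INV-1001", Decimal("1250.00")),
    ("AR", "INV-1002", Decimal("310.50")),
    ("AR", "CR-0042", Decimal("-310.50")),   # credit note reversing INV-1002
    ("AP", "BILL-77", Decimal("-980.00")),
    ("AP", "BILL-78", Decimal("-415.25")),
]

# Constructed sample: control account balances in the general ledger after the interface ran.
GL_CONTROL_BALANCES: Dict[str, Decimal] = {
    "AR": Decimal("1250.00"),   # agrees with the AR postings
    "AP": Decimal("-980.00"),   # BILL-78 never reached the ledger
}


def subsidiary_totals(postings: List[Posting]) -> Dict[str, Decimal]:
    """Sum the subsidiary postings per control account (Decimal avoids float rounding)."""
    totals: Dict[str, Decimal] = defaultdict(Decimal)
    for account, _ref, amount in postings:
        totals[account] += amount
    return dict(totals)


def reconcile(postings: List[Posting],
              gl_balances: Dict[str, Decimal]) -> List[Tuple[str, Decimal, Decimal, Decimal]]:
    """Return (account, subsidiary_total, gl_balance, difference) for each account that
    does not agree. Accounts present on only one side are reported as well, with the
    missing side treated as zero, so a dropped or unexpected interface feed is visible."""
    totals = subsidiary_totals(postings)
    exceptions = []
    for account in sorted(set(totals) | set(gl_balances)):
        sub = totals.get(account, Decimal("0"))
        gl = gl_balances.get(account, Decimal("0"))
        if sub != gl:
            exceptions.append((account, sub, gl, sub - gl))
    return exceptions


def exception_report(postings: List[Posting], gl_balances: Dict[str, Decimal]) -> List[str]:
    """Human-readable lines for the follow-up report; an empty list means the ledgers agree."""
    return [
        f"{account}: subsidiary {sub} vs ledger {gl}, difference {diff} -- follow up"
        for account, sub, gl, diff in reconcile(postings, gl_balances)
    ]


if __name__ == "__main__":
    for line in exception_report(SUBSIDIARY_POSTINGS, GL_CONTROL_BALANCES) or ["all control accounts agree"]:
        print(line)
```

With the constructed data the AR control account agrees and the AP account is reported with a difference of -415.25, which is exactly the bill that was posted in the subsidiary system but never interfaced to the ledger.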
Information and Communication
Information is needed at all levels of an organisation to identify, assess and respond to risks and achieve objectives
Information management is necessary to avoid “information overload” by ensuring flow of the right information, in the right form, at the right level of detail
Having the right information, on time and at the right place, is essential to ERM.
Communication is necessary to share the risk management philosophy and enable the interactions necessary for an ERM process to work
Communication is key to creating the “right” internal environment and supporting the other ERM components
Monitoring
The process for assessing the quality of internal control design and operation
Ongoing monitoring:
Effective supervision
Responsibility monitoring
Many different activities including day to day reviews of information
Reports of key business activity indicators
Reports highlight trends and exceptions from normal performance
Separate evaluations:
Typically conducted periodically
Conducted by management, internal auditors, external specialists, or a combination
What have you learnt in Module 3?
Why is it important to set the objectives before attempting to assess risks?
Why is information and communication vital for risk management?
AS/NZS ISO 31000:2009
Brief overview of key stages of the AS/NZS ISO 31000:2009 risk assessment framework
Using the Risk Matrix
AS/NZS ISO 31000:2009
Prepared by Joint Standards Australia and Standards NZ Committee.
Joint technical committee included computer, insurance, finance, safety, occupational health, government, economic and academic representatives.
Provides a generic framework for assessing and dealing with risk.
3 Parts to the Standard
Principles
Framework
Process
Comparison of both Risk Assessments
AS/NZS ISO 31000:2009
COSO ERM
Very similar to the Risk Assessment component of ERM
We will examine the Risk Matrix used in this Framework.
Used by many organisations in Australia
Use the Risk Matrix to evaluate:
Positive and negative consequences
Likelihood
Extent of impact
Risk Management Process
Consequence or Impact of Risk
| Level | Descriptor | Example |
|---|---|---|
| I | Negligible | Low financial loss |
| II | Minor | Medium financial loss |
| III | Moderate | High financial loss |
| IV | Major | Major financial loss |
| V | Severe | Catastrophic/High financial loss |
Likelihood of Risk
| Level | Descriptor | Example |
|---|---|---|
| A | Almost certain | Expected to occur in most circumstances |
| B | Likely | Will probably occur in most circumstances |
| C | Possible | Might occur at some time |
| D | Unlikely | Could occur at some time |
| E | Rare | May occur only in exceptional circumstances |
Combined: A Risk Matrix
How to use the Risk Matrix
In most cases, because of the risk's nature, it is difficult or impossible to reduce the consequence rating
You will therefore spend most effort on reducing the likelihood of the risk occurring
Developing a risk matrix against the goals and objectives of an organisation will help you find and map any possible risks
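The combined matrix, built in Python from the consequence and likelihood scales in the two tables above, together with the point that treatment usually moves a risk along the likelihood axis rather than the consequence axis. This is an added example, not the matrix from the course slide: the numeric scores per level, the product scoring and the Extreme/High/Medium/Low bands are assumptions chosen for illustration, and the MyPetDesign website case used at the end is a constructed placement.

```python
"""Risk matrix built from the two ISO 31000-style scales on the slides.
Added example; the per-level scores, the product scoring and the rating
bands are assumptions, not the matrix shown in the course's own slide."""
from typing import Dict, List, Tuple

# Consequence scale: level -> (descriptor, assumed score). Descriptors are from the slides.
CONSEQUENCE: Dict[str, Tuple[str, int]] = {
    "I": ("Negligible", 1),
    "II": ("Minor", 2),
    "III": ("Moderate", 3),
    "IV": ("Major", 4),
    "V": ("Severe", 5),
}

# Likelihood scale: A is the most likely level, so it gets the highest assumed score.
LIKELIHOOD: Dict[str, Tuple[str, int]] = {
    "A": ("Almost certain", 5),
    "B": ("Likely", 4),
    "C": ("Possible", 3),
    "D": ("Unlikely", 2),
    "E": ("Rare", 1),
}

LIKELIHOOD_ORDER = "ABCDE"   # from most to least likely

# Rating bands (score floor, label) are an assumption; tune them to your own risk appetite.
RATING_BANDS = [(15, "Extreme"), (8, "High"), (4, "Medium"), (0, "Low")]


def risk_score(likelihood: str, consequence: str) -> int:
    """Assumed scoring: likelihood score multiplied by consequence score."""
    return LIKELIHOOD[likelihood][1] * CONSEQUENCE[consequence][1]


def risk_rating(score: int) -> str:
    """Map a score onto the assumed rating bands."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    return "Low"


def rate(likelihood: str, consequence: str) -> str:
    return risk_rating(risk_score(likelihood, consequence))


def reduce_likelihood(likelihood: str, steps: int) -> str:
    """Move a likelihood level `steps` places toward Rare (E). This is the axis the
    slides say absorbs most treatment effort, since consequence rarely moves."""
    idx = LIKELIHOOD_ORDER.index(likelihood)
    return LIKELIHOOD_ORDER[min(idx + steps, len(LIKELIHOOD_ORDER) - 1)]


def render_matrix() -> List[str]:
    """Text grid: one row per likelihood level A..E, one column per consequence level I..V."""
    cols = list(CONSEQUENCE)
    rows = ["Lik\\Con " + " ".join(f"{c:>8}" for c in cols)]
    for lk in LIKELIHOOD_ORDER:
        rows.append(f"{lk:<7} " + " ".join(f"{rate(lk, c):>8}" for c in cols))
    return rows


if __name__ == "__main__":
    print("\n".join(render_matrix()))
    # Constructed placement for the case study: malware compromise of the outdated website,
    # rated Likely (B) with Major (IV) consequence. Updating and patching the site is a
    # likelihood treatment; the consequence of a successful compromise is unchanged.
    before = ("B", "IV")
    after = (reduce_likelihood("B", 2), "IV")
    print("before treatment:", before, rate(*before))
    print("after treatment: ", after, rate(*after))
```

The printed grid makes the asymmetry visible: moving a risk two likelihood levels changes its rating, while the consequence column it sits in stays fixed.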