CHAPTER 5 Control Framework

Cards (43)

  • Control Frameworks
    Structures that organize, categorize, and sometimes prioritize an organization's internal controls
  • Internal controls
Practices put in place to create value for stakeholders and minimize risks
  • COSO's Internal Control Integrated Framework (ICIF)
    The most widely known internal controls framework in the world
  • IT Controls
    A subset of internal controls related to information technology
  • Capability Maturity Model Integration (CMMI)
Widely used project management, process assessment, and performance improvement framework
  • COSO's goal was to improve the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control
  • COSO ICIF Model and the Related Principles
    • Commitment to integrity and ethical values
    • BOD exercises oversight responsibility
    • Establish structure, authority, and responsibility
    • Commitment to competence
    • Enforce accountability
    • Set suitable objectives
• Identify and analyze risks
    • Assess risk of fraud
    • Identify and analyze significant change
    • Select and develop control activities
    • Select and develop IT GCCs
    • Mobilize through policies and procedures
    • Use relevant information
    • Communicate internally
    • Communicate externally
    • Conduct ongoing/separate evaluations
    • Evaluate and communicate deficiencies
  • Control Environment
The workplace environment, characterized by the way the organization is structured, the manner of leadership, the degree of openness, management's operating style, and whether the organization has and practices the tenets of its code of ethics and statement of values
  • Control Environment Activities
    • Competence and Development of Personnel
    • Assignment of Authority and Responsibility
    • Organizational Structure
  • Tone at the Top
    Set at the top and promoted by the BOD and senior management, it refers to the general attitude, integrity, and ethical practices of these individuals
  • Organizational Culture
    The collection of learned beliefs, traditions, and guides for behavior shared among members of the organization
  • Communication, consistency, and belief in the message are very important for management to clearly, consistently, and often communicate what is allowed and what is not
  • Form over Substance
    Management practices whereby on the surface it appears as though an essential activity has been performed, when in fact that is not so
  • Principles under Control Environment
    • The organization should demonstrate a commitment to integrity and ethical values
    • The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
    • Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
    • The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
    • The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
  • Entity Level Controls
    Used to determine if an organization's values, systems, policies, and processes would enable or dissuade fraud and encourage proper conduct
  • Tone in the Middle
    Deciding who becomes a manager is one of the most important organizational actions because employees judge their organization as ethical or not based on what they think their boss does
  • Risk Assessment
    The possibility that an event will occur and adversely affect the achievement of objectives
  • Risk Assessment Principles
    • Specifies suitable objectives
    • Identifies and analyzes risk
• Assesses fraud risk
    • Identifies and analyzes significant change
  • Control Activities Principles
    • Selects and develops control activities
    • Selects and develops general controls over technology
    • Deploys control activities through policies and procedures
  • Information and Communication Principles
    • Uses relevant information
    • Communicates internally
    • Communicates externally
  • Monitoring Activities Principles
    • Conducts ongoing and/or separate evaluations
    • Evaluates and communicates deficiencies
  • BUSINESS AND PROCESS RISK
The risk that the organization's processes are not effectively obtaining, managing, and disposing of its assets; that the organization is not performing effectively and efficiently in meeting customer needs; or that it is not creating value, or is diluting value, by suffering the degradation of its financial, physical, and information assets
  • TECHNOLOGICAL AND INFORMATION TECHNOLOGY RISKS
Relate to conditions where IT is not operating as intended, the integrity and reliability of data are compromised, and significant assets are exposed to potential loss or misuse. They also relate to the inability to maintain critical systems and processes
  • PERSONNEL RISKS
    Relate to conditions that limit the organization's ability to obtain, deploy, and retain sufficient numbers of suitably qualified and motivated workers.
  • FINANCIAL RISKS
    Can result in poor cash flows, currency and interest rate fluctuations, and an inability to move funds quickly and without loss of value to where they are needed
  • ENVIRONMENTAL RISKS
Relate to the actual or potential threat of negative effects on the environment from emissions, wastes, and resource depletion. These can be caused by an organization's activities and affect living organisms, land, air, and water
  • POLITICAL RISK
    This is a type of risk faced by organizations, investors, and governments. It refers to the effects that political decisions, events, or conditions can cause when they affect the profitability of a business, or the ability to operate freely.
  • SOCIAL RISK
Relates to dynamics in which an issue affects stakeholders, who can form negative perceptions that cause some form of damage to the organization.
  • IT framework
    A set of guidelines, instructions, or principles that dictate an organization's information technology infrastructure
  • IT framework
    • Ensures the technology being used by teams aligns with overall business objectives, industry regulations, and security requirements
  • COBIT
    A framework that addresses more than technical subjects, but also includes critical managerial and accounting/financial activities
  • COBIT framework
    1. Establishing IT direction
    2. Project management
    3. Purchases
    4. Training end users
  • IT direction
    Informs organizational priorities, the assignment of resources, and the identification of appropriate metrics to track performance and the achievement of those goals
  • ISO
    An independent, nongovernmental organization that brings together experts to share knowledge and develop voluntary standards that support innovation and provide solutions to global and business challenges
  • Popular ISO standards
    • ISO 9000 Quality management
    • ISO 14000 Environmental management
    • ISO 3166 Country codes
    • ISO 26000 Social responsibility
    • ISO 50001 Energy management
    • ISO 31000 Risk management
  • ISO 17799
    Provides guidelines and general principles for identifying, initiating, deploying, and maintaining an organization's information security infrastructure
  • ITIL
    Defines the organizational structure and skill requirements of an IT organization and standard management procedures and practices to manage an IT operation
  • ITIL 2011 volumes
    1. ITIL service strategy
    2. ITIL service design
    3. ITIL service transition
    4. ITIL service operation
    5. ITIL continual service improvement
  • ITIL
    • Provides a process-driven approach
    • Improves resource utilization
    • Helps organizations become more competitive
    • Decreases rework
• Eliminates redundant work
    • Helps to improve project deliverable quality and turnaround time
    • Improves availability, reliability, and security of mission critical IT services
    • Justifies the cost of service quality
    • Provides services that meet business, customer, and user demands
    • Integrates central processes
    • Documents and communicates roles and responsibilities while providing services
    • Provides performance indicators
  • CMMI
    A process improvement appraisal program administered and marketed by Carnegie Mellon University, widely used in project management, software development, process assessment, and performance improvement