3510 Exam 3 Chapter 6
Entity objectives and the ERM framework components can be viewed in the context of their relationship with any of the following:
• The entire organization/entity level
• A division
• A business unit
• A subsidiary
IT Governance
IT governance focuses on handling transactions, events, and decision making responsibly; fully disclosing the performance measures used; using independent review and practicing continuous improvement; and adapting to the constantly changing business environment. An organization with effective IT governance would include the following best practices:
• Alignment of organizational values (e.g., management risk culture, risk assessment, and risk response).
• Establishment of policies and procedures (e.g., updating and reviewing policies frequently, making procedure documentation easily accessible, and having policies relate to critical areas of the organization).
• Effective organizational communications (e.g., encouraging interaction in all directions — not just "top-down" — to promote an open culture and information accessibility).
• Strategy designed to include an IT infrastructure that supports and promotes the organization's success. This infrastructure should be reviewed and updated as needed, with proper documentation and maintenance to allow the business to function effectively.
• Accurately documented processes that are monitored and updated (e.g., the organization's disaster recovery/business continuity plan).
• Proper asset management, including the oversight and tracking of assets within the organization (e.g., mobile devices and software licenses).
Stakeholders' Interest in Internal Control
Stakeholders' (that is, shareholders, customers, suppliers, employees, creditors) interest in an organization's internal control is high because of their dependence on the accuracy of issued financial information for decision making. Furthermore, stakeholders are concerned about the failure of external auditors to detect management wrongdoing.
Internal environment
The internal environment is the organizational infrastructure that supports internal control. It also provides discipline and structure by influencing how strategy and objectives are set, as well as how risks are assessed and addressed. In addition, the internal environment affects how control activities are designed and monitored.
Strategic Objective
The objective related to the alignment of strategy is at a higher level than the others. This is because the strategy of an organization should flow from its mission, which then also affects the operations, reporting, and compliance objectives. The strategies set by the organizations should flow through to the business units, divisions, and business processes.
Management's philosophy and operating style
To establish the vision of the organization, management determines the organization's risk management strategy, establishes the organization's risk appetite, and develops a risk culture. Important in this regard are the following:
• Behavior toward other managers or personnel
• Attitude regarding the accounting function
• Attitude regarding information processing
Commitment to competence and development of personnel
To foster competence, management should establish job requirements and descriptions that specify what knowledge, skills, and abilities are necessary for each position in the organization. Moreover, management should enforce the hiring of only those people who meet these job requirements. To maintain employees' professional competence, development activities must go beyond the initial orientation training and be updated throughout an employee's career. Management can further demonstrate its commitment to competence by letting personnel know it expects high-quality performance.
Risk assessment
Risk assessment is the systematic identification and analysis of risks that can undermine the achievement of organizational objectives.
Compliance Objective
An organization must comply with applicable laws and regulations. These laws and regulations relate to, for example, taxes, the environment, international trade, and employment issues. All organizations must obey the law of the land, but certain industries, such as financial institutions and health-care facilities, must also comply with specific regulations prescribed by government agencies. An organization's compliance or noncompliance with laws and regulations can have a significant impact on its reputation.
Integrity and ethical values
Because an organization's good reputation can determine its success, standards for the behavior of employees should extend far beyond those required to be in compliance with the law. Management should implement an ethics program that includes a code of conduct, training and awareness programs, and policies for resolving ethical dilemmas. Management can also encourage honest and ethical conduct by setting a good example, reminding employees of its commitment to integrity and ethics, and reducing temptation and opportunity for dishonest, illegal, or unethical acts. An organization's integrity and ethical values affect the design, administration, and monitoring of the other factors of the internal environment.
Objective Setting
Before management can identify events that may have positive or negative impacts on the organization's operations, objectives must first be developed.
Event Identification
Everyone knows that uncertainties exist, and that many of these uncertainties are not predictable. What this component is trying to get management to focus on is the identification of events that could affect the organization's success, both positively (i.e., opportunities) and negatively (i.e., risks to achievement of organizational objectives). These events are affected by both internal (e.g., management's choices with regard to technology) and external (e.g., economic uncertainty) factors. Both past (e.g., payment history) and future (e.g., shifting demographics) events should be considered. These events should be considered both entity-wide and among all levels of the organization (e.g., business unit and division levels).
External Auditors' Interest in Internal Control
External auditors are interested in internal control as they perform financial statement audits so they can express an opinion on how fairly a company's financial statements present its financial position, results of operations, and cash flows in conformity with generally accepted accounting principles.
Components of internal control in the ERM framework include the following:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
• Why do people outside the organization care about internal controls?
Management wants to ensure that the organization's activities are "in control" so that, at least internally, management is doing what it can to achieve its objectives. Management of publicly held companies is required to establish, test, and maintain the organization's internal control. Internal control is also of considerable interest to parties outside the organization because it provides a measure of protection against erroneous or fraudulent financial reporting.
Human resource policies and practices
Personnel policies that address hiring, orientation, training, evaluating, counseling, compensating, promoting, and remedial actions help organizations build a team of employees with integrity, ethical values, and competence. An organization should hire the most qualified individuals based on their educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior. Management must recognize the importance of effectively orienting and training personnel and should incorporate a variety of training techniques, including online or face-to-face courses as well as on-the-job training. Periodic performance reviews and counseling should focus on helping employees improve performance and add value to the organization. Employees should be properly compensated, and promotion policies should be fair and equitable. Promotions should reinforce outstanding performance, demonstrating the organization's commitment to the advancement of qualified personnel to higher levels of responsibility. Organizations seeking to fill senior positions must balance the advantages of bringing in new personnel from outside against the negative effects on the morale of their internal employees who may aspire to those positions (Vignette 6.3). An organization should establish written policies and procedures stating the disciplinary actions that will follow violations of expected behavior. Prompt, impersonal disciplinary action sends a message that violations will not be tolerated. In addition to sound personnel policies and practices, organizations should provide employees with the resources that will enable them to fulfill their job responsibilities. These resources include a supportive working environment, appropriate technology and information, and effective supervisors to whom they can turn for help.
Reliability of Reporting Objective
Reliable information is accurate, current, complete, relevant, accessible, and, when necessary, confidential. Some information is confidential (e.g., payroll data and competitive strategy information) and access to that information should be limited. Reliable information also requires adherence to generally accepted accounting principles for the preparation of financial statements. In addition, the ERM framework focuses on the reliability of information used for internal reporting. This includes both financial and non-financial information used for decision-making. This objective is important because stakeholders, management, and others rely on reliable information for making critical decisions.
The four categories of objectives in the framework are:
• Strategic (supporting the organization's mission/vision)
• Effectiveness and efficiency of operations
• Reliability of both internal and external reporting
• Compliance with applicable laws and regulations
The board of directors and the audit committee
The board of directors is a committee that represents the organization's shareholders, whose interests generally are considered paramount. Increasingly, boards also are charged with representing employees, communities, and environmental interests. The board is responsible for overseeing operations, evaluating management's performance, and assuring that the organization is in compliance with applicable laws and regulations. The audit committee is a standing subcommittee of independent board members (SOX section 301) whose main objectives are to protect against management wrongdoing and to oversee the audit function (both internal and external). It is responsible for the appointment, compensation, and oversight of the work of the public accounting firm hired by the company for the purposes of preparing or issuing an audit report or related work (i.e., the external audit).
Effectiveness and Efficiency of Operations Objective
The objective of effective and efficient operations pertains to the operations that are fundamental to an organization's existence, such as the development of new products, the manufacture of products, the marketing of products, and the provision of services. The effectiveness and efficiency of these operations are critical to an organization's success. An implicit message in this objective is the need for an organization to be responsive to competitive pressures and technological changes. The safeguarding of assets, such as cash, inventory, investments, accounting data, and the accounting system, is also part of the operations objective. Assets need to be safeguarded against unauthorized acquisition, use, or disposition. Measures for safeguarding assets range from simply locking up cash to bonding employees who handle negotiable securities. Another way to safeguard assets is to protect computer hardware, software, and data from unauthorized access and use. If data can be altered by individuals who stand to gain personally, enormous problems can arise (Vignette 6.2). Physical safeguards to protect accounting information systems from failure or destruction include fire prevention, insurance, preventive maintenance, and backup files.
Assignment of authority and responsibility
This includes policies and communications directed at ensuring that all personnel understand the organization's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable. Assignment of authority and responsibility establishes authorization hierarchies and reporting relationships.
Organization structure
A formal organizational structure provides the framework within which the organization's activities for achieving its objectives are planned, executed, monitored, and controlled.
Internal control
Internal control is a process designed to provide reasonable assurance that organizational objectives related to the reliability of both internal and external reporting, the effectiveness and efficiency of operations, and compliance with applicable laws and regulations will be achieved.
The following are some representative types of risks that can threaten accounting information system activities:
• Information security breaches
• Computer system failure and/or improper backup of the system
• Accounting system's inability to meet the organization's and users' needs
• Excessive hardware and software acquisition costs
• Excessive operating and maintenance costs
• Inadequate training, development, and supervision of personnel
• Errors and inappropriate acts in transaction and master file maintenance authorizations
• Errors and inappropriate acts in data input, processing, and output
• Fraudulent financial reporting
• Concealment of illegal acts
The internal environment includes the following factors:
• Integrity and ethical values
• Commitment to competence and development of personnel
• Human resource policies and practices
• Board of directors and the audit committee
• IT governance
• Management's philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
Risk Response
The types of risks related to accounting information system activities may create an environment with the following consequences:
• Resources are lost, wasted, or abused.
• Data are not properly organized to provide useful information for decision making.
• Critical information is unavailable when needed.
• Important decisions are based on faulty data.
• Competitors possess critical, confidential information.
• Unfavorable audit opinions are received.
• Public image is tarnished.
• Credit ratings are eroded.
• Investors are reluctant to buy the organization's equity or debt financial instruments.
• Creditors are reluctant to lend money to the organization.
• Fines and other sanctions are levied on the organization.
• Qualified individuals are unwilling to take management or board positions for fear of personal liability.
• Organizational survival is threatened.