C6 Control & CIS

Author: Scrummble | Published 2013-07-01 08:50 | Read 0 times

    Introduction

    • Threat: any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization

    • Exposure / impact of the threat: the potential dollar loss if a particular threat materializes

    • Likelihood: the probability that the threat will occur

    • Internal control: the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that a number of control objectives are achieved

    • Preventive controls: deter problems before they arise

    • Detective controls: discover problems as soon as they arise

    • Corrective controls: remedy problems after they have been discovered

    • Levers of control: reconcile the conflict between creativity and controls

    1. Belief system: communicates the company's core values to employees and inspires them to live by those values
    2. Boundary system: helps employees act ethically by setting boundaries, i.e. rules that forbid certain behaviour
    3. Diagnostic system: measures company progress by comparing actual performance to planned performance
    4. Interactive control system: helps top managers focus on high-level strategic activities that demand frequent and regular attention

    ERM (Enterprise risk management - integrated framework)

    • Objectives:
      • Provide reasonable assurance that goals are achieved and problems are minimized
      • Achieve financial and performance targets
      • Assess risks continuously, and identify the measures and resources needed to counter them
      • Avoid adverse publicity and disrepute
    • Basic principles:
      • Companies are formed to create value for their owners
      • Company management must decide how much uncertainty can be accepted
      • Uncertainty results in risk or opportunity
      • The ERM framework helps management manage uncertainty, and the risk and opportunity it creates, in order to build or preserve value
    • Components:
      1. Internal environment
      2. Objective setting
      3. Event identification
      4. Risk assessment
      5. Risk response
      6. Control activities
      7. Information & communication
      8. Monitoring

    The Internal Environment (most important part of ERM)

    1. Management's philosophy, operating style, and risk appetite
    2. The board of directors
      • Oversees management and scrutinizes its plans, performance, and activities
      • Approves company strategy
      • Reviews financial results
      • Annually reviews the security policy
      • Interacts with internal and external auditors
      • Audit committee: non-employee, independent directors
    3. Commitment to integrity, ethical values, and competence
      • To create an organizational culture that stresses integrity and commitment to ethical values and competence:
        • Endorse integrity as a basic operating principle; teach it and require it
        • Reward and encourage honesty, and give verbal labels to honest and dishonest behaviour
        • Develop clear policies that explicitly describe honest and dishonest behaviour
        • Require employees to report dishonest, illegal, or unethical acts, and discipline those who do not
        • Make a commitment to competence by hiring competent employees
    4. Organizational structure
      • Lines of authority, responsibility, and reporting
      • Overall framework for planning, directing, executing, controlling, and monitoring operations
    5. Methods of assigning authority and responsibility
      • Make sure employees understand the entity's objectives; assign authority and responsibility for business objectives to specific departments and individuals; encourage them to use their initiative to solve problems; then hold them accountable for achieving those objectives
    6. Human resource standards
      • Employees can be both the greatest control strength and the greatest control weakness
    7. External influences

    Objective Setting

    • Precedes the remaining six components
    • Corporate vision / mission: why the company exists and what it hopes to achieve
    • Strategic objectives: support the mission and are intended to create shareholder value
    • Operations objectives: a product of management preferences, judgments, and style, varying among entities
    • Compliance & reporting objectives: many are imposed by external entities

    Event Identification

    • Event: an incident or occurrence, emanating from internal or external sources, that affects strategy or objectives

    Risk Assessment & Response

    • Inherent risk: the risk that exists before any controls are put in place; residual risk: the risk that remains after controls are applied
    • Estimate likelihood and impact (software can assist)
    • Identify controls to protect against each event
    • Estimate costs and benefits, and determine cost/benefit effectiveness
    • Implement the control, or else avoid, share, or accept the risk
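    As an added worked example (not from the original notes), the expected-loss and cost/benefit arithmetic behind the risk assessment steps above, using the threat, exposure and likelihood definitions from the Introduction. The threats, controls and dollar figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    impact: float       # exposure: dollar loss if the threat materializes
    likelihood: float   # probability of occurrence in one year (0..1)


@dataclass
class Control:
    name: str
    annual_cost: float
    residual_likelihood: float   # likelihood that remains once the control is in place


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = exposure x likelihood (the risk measure used in the notes)."""
    return round(impact * likelihood, 2)


def evaluate_control(threat: Threat, control: Control) -> dict:
    """Compare inherent risk (no control) with residual risk (control in place)."""
    inherent = expected_loss(threat.impact, threat.likelihood)
    residual = expected_loss(threat.impact, control.residual_likelihood)
    benefit = round(inherent - residual, 2)                 # reduction in expected loss
    net_benefit = round(benefit - control.annual_cost, 2)
    # Implement only when the reduction in expected loss exceeds the control's cost;
    # otherwise the remaining responses are to accept, share (insure) or avoid the risk.
    response = "implement control" if net_benefit > 0 else "accept, share or avoid"
    return {"threat": threat.name, "control": control.name,
            "inherent_loss": inherent, "residual_loss": residual,
            "benefit": benefit, "net_benefit": net_benefit, "response": response}


# Constructed sample figures (not from the notes): two AIS threats, one candidate control each.
CASES = [
    (Threat("unauthorized change to vendor master file", 100_000, 0.10),
     Control("dual approval of vendor master changes", 3_000, 0.02)),
    (Threat("payroll data-entry error", 20_000, 0.05),
     Control("second-person review of every payroll batch", 2_500, 0.01)),
]

if __name__ == "__main__":
    for threat, control in CASES:
        print(evaluate_control(threat, control))
```

    The first control cuts expected loss by 8,000 for a cost of 3,000 and is worth implementing; the second saves only 800 against a cost of 2,500, so the remaining risk is better accepted or shared.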

    Control Activities

    • Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risks are addressed
    • Must also ensure compliance and enforcement
    • Segregation of duties: no single employee is given too much responsibility
    • Segregation of accounting duties: authorization, recording, and custody are assigned to different people
    • Project development & acquisition controls: a formal, appropriate, and proven methodology governs development and acquisition
    • Change management: making sure changes do not harm reliability, security, confidentiality, integrity, or availability
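    As an added example (not part of the original notes), a detective check for the segregation of accounting duties listed above: it reads constructed AIS audit-log lines and flags any transaction in which one user performed actions from two or more of the authorization, recording and custody categories. The action names and log format are assumptions made for the example.

```python
from collections import defaultdict

# Which of the three incompatible accounting duties each logged action belongs to.
# Action names are constructed for this example, not taken from a real AIS.
DUTY_OF_ACTION = {
    "approve_vendor_invoice": "authorization",
    "post_ap_entry": "recording",
    "release_payment": "custody",
}

# Constructed sample audit-log lines: transaction_id,user,action
SAMPLE_LOG = """\
INV-1001,alice,approve_vendor_invoice
INV-1001,bob,post_ap_entry
INV-1001,carol,release_payment
INV-1002,dave,approve_vendor_invoice
INV-1002,dave,post_ap_entry
INV-1002,erin,release_payment
INV-1003,frank,approve_vendor_invoice
INV-1003,gina,post_ap_entry
INV-1003,frank,release_payment
"""


def parse_log(text: str) -> dict:
    """Map transaction -> user -> set of duty categories that user exercised on it."""
    duties = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        txn, user, action = (field.strip() for field in line.split(",", 2))
        duty = DUTY_OF_ACTION.get(action)
        if duty is None:            # actions outside the three duties are not SoD-relevant
            continue
        duties[txn][user].add(duty)
    return duties


def find_sod_violations(text: str) -> dict:
    """Return {transaction: {user: [duties]}} for users holding two or more incompatible duties."""
    violations = {}
    for txn, by_user in parse_log(text).items():
        bad = {user: sorted(held) for user, held in by_user.items() if len(held) > 1}
        if bad:
            violations[txn] = bad
    return violations


if __name__ == "__main__":
    for txn, users in find_sod_violations(SAMPLE_LOG).items():
        print(txn, users)
```

    INV-1001 passes because three different people authorized, recorded and paid; INV-1002 and INV-1003 are flagged because one user held two of the three duties on the same transaction.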

    Information & Communication

    Monitoring

    1. Perform ERM evaluations
    2. Implement effective supervision
    3. Use responsibility accounting
    4. Monitor system activities


          Article link: https://www.haomeiwen.com/subject/jhgxtttx.html