C6 Control & CIS

Introduction

• Threat: any potential adverse occurrence or unwanted event, to be injurious to either AIS or organization

• Exposure / impact of the threat: potential dollar loss if a particular threat comes true

• Likelihood: probability to happen

• Internal control: the process by the board of directors / management / those under their direction, to provide reasonable assurance of a number of goals

• Preventive controls: deter before problems

• Detective controls: discover as soon as problems

• Corrective controls: remedy after problems discovered

• Levers of control: to reconcile the conflict between creativity and controls

1. Belief system: communicates company core values to employees, and inspire them to live by them
2. Boundary system: helps employees act ethically by setting forbidding rules
3. Diagnostic system: measures company process by comparing actual to planned
4. Interactive control system: helps top managers with high level activities, that demand frequent and regular attention

ERM (Enterprise risk management - integrated framework)

• Objectives:
• Provide reasonable assurance to achieve goals and minimize problems
• Achieve financial & performance targets
• Assess risks continuously, and identify instructions and resources against risks
• Avoid adverse publicity and disreputes
• Basic principles:
• Companies are formed to create value for owners
• Company management must decide how much uncertainty can be acepted
• Uncertainty results in risk or opportunity
• ERM framework is to help management manage uncertainty, and risk & opportunity, to build or preserve value
• Components

1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information & communication
8. Monitoring

The Internal Environment (most important part of ERM)

1. Management's philosophy, operating style, and risk appetite
2. The board of directors

• Oversee management & scrutinize its plans, performance, andactivities
• Approve company stretegy
• Review financial results
• Annually review security policy
• Interact with internal & external auditors
  • Audit committee: non-employee independent directors

3. Commitment to integrity, ethical values, and competence

• To create an organization culture that stresses integrity and commitment of ethical values and competence
  • To endorse integrity as a basic operating principle, teach & require
  • To reward and encourage honesty, give verbal label to honest and dishonest behavior
  • To develop clear policies explicitly describe honest and dishonest behavior
  • To require employees to report dishonest, illegal, or unethical acts, discipline who not
  • To make a commitment to competence by competent employees

4. Organizational structure

• Lines of authority, responsibility, and reporting
• Overall framework for planning, directing, executing, controlling & monitoring operations

5. Methods of assigning authority and responsibility

• To make sure employees understand entity's objectives, assign authority & responsibility for business objectives to specific departments and individuals, encourage them to use initiative to solve problem, then hold them accountable for achieving objectives

6. Human resource standards

• Employees can be both the greatest control strength and weakness

7. External influences

Objective Setting

• Precedes the later six
• Cooperate vision / mission: why the company exists and that it hopes to achieve
• Strategic objectives: supporting mission, intended to create shareholder value
• Operator objectives: a product of management preferences, judgments, and style, varying among entities
• Compliance & reporting objectives: many imposed by external entities

Event Identification

• Event: incident or occurrence emanating from internal or external sources to affect strategy or objectives

Risk Assessment & Response

• Inherent / residual risk: unable / able to avoid before
• Estimate likelihood and impact (with softwares)
• Identify controls (to protect from each event)
• Estimate costs & benefits & determine cost/benefit effectiveness
• Implement control or avoid, share, or accept the risk

Control Activities

• Policies, procedures & rules to provide reasonable assurance for objectives and anti-risk
• Must also ensure compliance & enforcement
• Segregation of duties: no single employee given too much responsibility
• Segregation of accounting duties: authorization, recording, custody
• Project development & acquisition controls: to have a formal, appropriate & proven methodology to govern
• Change management: making sure changes do not harm reliability, security, confidentiality, integrity & availability

Information & Communication

Monitoring

1. Perform ERM evaluations
2. Implement effective supervision
3. Use responsibility accounting
4. Monitor system activities