Foreign Corrupt Practices Act (FCPA)
First piece of US legislation (1977) that required companies to maintain adequate systems of internal accounting control. Did not require audits of those controls.
Sarbanes-Oxley Act (SOX)
Requires public companies to maintain adequate internal controls over financial reporting. Management must report on this in its financial filings and the auditors issue an opinion on management's report. 2002.
SOX Implications-1
New rules for management of publicly traded companies.
-Management is responsible for establishing and maintaining an adequate internal control system over financial reporting.
-Management must disclose to the auditors all material internal control weaknesses and any fraud
SOX Implications-2
Created new external auditing rules
-Audit partners must rotate periodically
-Prohibited from performing certain non-audit services
New roles for Audit Committee
-Be part of Board of Directors and be independent
-One member must be a financial expert
-Ove
SOX Implications-3
Created Public Company Accounting Oversight Board (PCAOB)
-Public entity that oversees the external auditing profession, including...
--Process, review, and approve the registration of public accounting firms that audit publicly-traded companies
--Inspect
Board of Directors
Elected, can be internal employees
Determines corporate structure, strategy, high-level goals
Supports Internal Environment and Objective Setting ERM components
Audit Committee
Members are independent directors, not employees of the company
Oversees external and internal auditors
Reports to Board of Directors
Supports Monitoring and Internal Environment ERM component
External Auditors
External firm to perform audit of financials, must be independent
For public companies, the audit will include an opinion on internal controls
Reports findings to audit committee and issues opinion to requested parties
Supports Monitoring ERM component
Internal Auditors
Department staffed with the company's employees
Variety of audits performed, may include internal controls
Reports findings to audit committee
Supports Monitoring ERM component
SOX requires companies to base their controls on a recognized framework; in practice that means at least one of the two COSO frameworks:
1) Internal Control (IC)
2) Enterprise Risk Management (ERM)
COSO
Committee of Sponsoring Organizations
Represents professional organizations like the AICPA
IC Framework
Narrower in scope; revised (2013) and still presented as the COSO "cube".
This model requires companies to ensure that each of their cycles has controls that address 5 components
If the 5 components aren't addressed, companies aren't supposed to assert that they have strong interna
ERM Framework
Was recently revamped (2017) to drop the "cube" view. See the visual below. I won't focus on these.
Focuses on addressing risks and controls beyond SOX compliance - focus on the whole enterprise.
Majority of public companies report that they officially follo
1. Control environment
How does management show proper "tone at the top"?
This can be demonstrated by:
Establishing a board of directors and independent audit committee, communications from upper management to employees emphasizing integrity, ethical values, and competence, con
2. Risk Assessment
Event Identification - Annually identify good and bad events that could impact company goals
Risk assessment
'Bad' events are known as risks; companies should next categorize each as high/medium/low risk
Risk Response
A cost/benefit analysis should be performed to determine the extent of controls needed to address risks
Inherent risk
The potential loss if the risk is not controlled; the larger the potential loss, the higher the inherent risk
Cost of control
Payroll/time, IT/technology, documentation, etc. costs that go along with implementing a control
3. Control Activities
When determined to be appropriate and cost effective, internal controls are established and communicated to responsible parties
-Automated or Manual
-Preventative or Detective
-Multiple controls for each risk; higher risk = more controls
4. Information and Communication
Management should use a system that gathers, processes, and stores information accurately and communicates it on demand
5. Monitoring
The above components should be monitored by the company to ensure they are in place
Internal Control Frameworks-COBIT
COBIT Goals
Controls over the company's technology risks
-Operational IT Controls
-Financial Controls (IT)
SOX Goals
Controls over Financial Reporting
-Financial Controls (IT)
-Financial Controls (BP controls)
COSO Goals
Controls over the company's broader risks-operational and financial
-Financial Controls (BP controls)
-Operational Controls
IT Risk: Unauthorized users gain access to system
Operational: Access to operational systems will be granted only after approval from the user's manager is obtained
Financial: Access to financial systems will be granted only after approval from both the user's manager and an ACCT department manager
IT Controls
Intended to secure information and protect the functionality of any financially-impacting systems. These are more broad - not intended to protect one specific cycle but all electronic financial information
Business Process Controls
Intended to address a specific business process cycle's risks. They may be automated (done automatically by systems) or manual (performed by people)
IT Control Responsibility-1
When an accounting department is responsible for IT controls, the following risks are present:
-ACCT dept may inadvertently or intentionally grant inappropriate access to users in their department, bypassing segregation of duties
-ACCT dept does not have
IT Control Responsibility-2
The best way to structure responsibilities of IT controls is to:
-Give IT dept the responsibility of executing IT controls
-Have ACCT dept assist with designing controls, such as providing feedback on appropriate ways to segregate duties and who should be
Risk: Inappropriate users can gain access to the AIS or its database
User access to systems is controlled by the following:
-New users should be approved prior to access being granted
-Users who leave the company should be promptly removed(HR)
-Users who change job title should have their access to the AIS updated
-Access
Setting up user access
Each user should be given a unique user ID and as many authentication factors as practical, including:
1. Something the user knows: a password
2. Something the user has: a token that generates one-time codes that change every minute, required in addition to the password
3. Somet
User Access in an AIS
Most AIS's structure user access in the following ways:
-Tasks: The individual functions a user can do in an AIS. ex: create/approve purchase orders
-Roles: The AIS groups together tasks to save time in granting access; assign a role to a user instead of
Reviewing User Access
Access to the AIS should be reviewed on a periodic basis.
Good reviews include:
1. Either
--If only users and their roles are reviewed, the reviewer thoroughly understands the tasks each role grants, or
--Tasks and roles are reviewed together with the users assigned to them
2. An appro
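The tasks/roles structure and the access review above can be tied together in code. The following is an added example (not from the original notes) that flattens each user's roles into the tasks they can actually perform, then runs the review: it flags leavers who still have access, roles that grant nothing, and segregation-of-duties conflicts such as one person both creating and approving purchase orders. All role, task and user names, and the conflict pairs, are constructed.

```python
"""Role-based access in an AIS plus a periodic access review. Added example;
role, task and user names are constructed and the SoD pairs are a
hypothetical policy."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Tasks are the individual functions a user can perform; roles bundle tasks.
ROLE_TASKS: Dict[str, Set[str]] = {
    "ap_clerk":   {"create_purchase_order", "enter_vendor_invoice"},
    "ap_manager": {"approve_purchase_order", "approve_vendor_invoice"},
    "gl_reader":  {"view_general_ledger"},
    "sysadmin":   {"manage_users", "view_general_ledger"},
}

# Pairs of tasks one person must never hold together (constructed policy).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_purchase_order", "approve_purchase_order"}),
    frozenset({"enter_vendor_invoice", "approve_vendor_invoice"}),
    frozenset({"manage_users", "approve_purchase_order"}),
}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_manager"},   # creates and approves POs
    "carol": {"gl_reader"},
    "dave":  {"sysadmin", "ap_manager"},   # can grant access and approve
}


def effective_tasks(user: str, user_roles=USER_ROLES,
                    role_tasks=ROLE_TASKS) -> Set[str]:
    """Flatten a user's roles into the tasks they can actually perform.
    A review that stops at role names never sees this set."""
    tasks: Set[str] = set()
    for role in user_roles.get(user, ()):
        tasks |= role_tasks.get(role, set())
    return tasks


def sod_violations(user: str, user_roles=USER_ROLES, role_tasks=ROLE_TASKS,
                   conflicts=SOD_CONFLICTS) -> List[Tuple[str, str]]:
    """Conflict pairs fully contained in the user's effective tasks."""
    tasks = effective_tasks(user, user_roles, role_tasks)
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= tasks)


def access_review(user_roles=USER_ROLES, role_tasks=ROLE_TASKS,
                  conflicts=SOD_CONFLICTS,
                  terminated: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Findings for the reviewer: leavers who still have accounts, roles that
    grant nothing (stale or mistyped definitions), and SoD conflicts."""
    findings: List[Tuple[str, str]] = []
    gone = set(terminated)
    for user in sorted(user_roles):
        if user in gone:
            findings.append((user, "terminated user still has access"))
        for role in sorted(user_roles[user]):
            if not role_tasks.get(role):
                findings.append((user, f"role {role} grants no tasks or does not exist"))
        for a, b in sod_violations(user, user_roles, role_tasks, conflicts):
            findings.append((user, f"SoD conflict: {a} + {b}"))
    return findings


if __name__ == "__main__":
    for finding in access_review(terminated={"carol"}):
        print(*finding)
```

The terminated list would come from HR, the roles and tasks from the AIS itself; the point of the review is to compare the two sources rather than trust either one alone.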
Strong Passwords
If possible, passwords should have the following requirements that make passwords harder to guess:
Length
Multiple character types (upper and lower case, digits, symbols)
Randomness
Should be changed frequently (current NIST guidance, SP 800-63B, instead recommends forcing a change only when compromise is suspected)
User cannot re-use old passwords
Physical Access Risks - Data Center
Limit access because a person might be able to:
Log in to an unlocked computer
Steal computers
Steal computer components, plug into another computer, and then steal data from it
Wiretap into the network
Install a keystroke logger on computers
Physical Access Risks - Corp HQ
Limit access because a person might be able to:
Same reasons as data center
Steal sensitive information printed and left out on desks/printers
Steal laptops or cell phones with company data on them
Steal other assets
Install a keystroke logger on computer
Physical Access Controls
Requiring a key or key card to enter the building; mantraps at sensitive entrances
Security guards at the parking lot and building entrances
No windows (data centers or high security locations like cashier printing rooms)
Laptops should be locked down to the workspace
Visito
Risk: Unauthorized disclosure of financial data or privacy data
Read-only access to sensitive information/reports in the AIS should be restricted
The AIS database and sensitive info exported from the AIS should be encrypted; if printed, the printer and output should be secured
Shred of sensitive printed reports; prope
Encryption Keys
1. Public Key
2. Private Key
Encryption Types
Digital Certificates-Issued by a trusted certificate authority and attached to electronic documents/transactions; a certificate binds a public key to an identity, so the recipient can verify that the owner of the document is who they claim to be
Digital Signatures/E-Signatures-Public-key cryptography applied to documents and EDI transactions (the sender signs a hash of the content with their private key; anyone holding the matching public key can verify it), which confirms
1. who created the f
What should be encrypted?
An AIS should encrypt the financial data it saves to its database so that the data can be read only through the AIS, not by someone who copies the database files
EDI, FEDI, and EFT transmissions between customers, vendors, and banks
E-commerce activity ex: customer data passing through the internet
Employee acti
Regulations that require encryptions
1. Payment Card Industry (PCI)-Customer credit card data
2. Health Insurance Portability and Accountability Act (HIPAA)-Individual health record information, called protected health information (PHI)
3. Gramm-Leach-Bliley Act-Customer data maintained in t
Cloud Computing
Using a provider's network of computers, usually accessed over the internet, to store files or run software
Hacking
When firewalls fail or workarounds are identified, hackers obtain unauthorized access to systems and data by:
Exploiting known weaknesses in systems' code
Guessing passwords, usually by brute force
Viruses
Keystroke Loggers
Intrusion Detection System
Systems can be purchased to monitor network activity for "strange" attempts to access the network or certain programs
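The "strange attempts" an intrusion-detection rule looks for include the brute-force password guessing listed above. As an added example (not from the original notes), this is the kind of rule such a system runs over login records: it keeps a sliding window of failures per source address, alerts when the burst crosses a threshold, and raises a higher-priority alert when a success follows the burst (a guess worked). The log line format and the entries are constructed for illustration.

```python
"""Brute-force login detection over login records. Added example; the log
format and the sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LINE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(OK|FAIL)$")

# Constructed sample: one normal typo, one source spraying several accounts.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:03Z login user=alice src=10.0.0.5 result=OK
2024-05-01T10:01:00Z login user=bob src=198.51.100.7 result=FAIL
2024-05-01T10:01:05Z login user=bob src=198.51.100.7 result=FAIL
2024-05-01T10:01:09Z login user=carol src=198.51.100.7 result=FAIL
2024-05-01T10:01:14Z login user=dave src=198.51.100.7 result=FAIL
2024-05-01T10:01:20Z login user=erin src=198.51.100.7 result=FAIL
2024-05-01T10:01:31Z login user=bob src=198.51.100.7 result=OK
2024-05-01T10:20:00Z login user=bob src=10.0.0.9 result=FAIL
"""


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, user, src, result) or None for a line the rule cannot read."""
    m = LINE.match(line)
    if not m:
        return None
    ts, user, src, result = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result


def detect(log_text: str, threshold: int = 5,
           window_seconds: int = 60) -> List[Tuple[str, str, str]]:
    """Sliding window of failure times per source. Returns (src, alert, time)."""
    window = timedelta(seconds=window_seconds)
    fails = defaultdict(deque)
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                          # skip, do not crash, on odd lines
        ts, user, src, result = rec
        q = fails[src]
        while q and ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) == threshold:           # fire once as the burst crosses the line
                alerts.append((src, "brute_force", ts.isoformat()))
        elif len(q) >= threshold:             # a correct guess right after the burst
            alerts.append((src, "success_after_burst", ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Grouping by source catches the sample above, where one address tries many accounts (a password spray); a second copy of the rule keyed by user instead of src would catch the reverse case of one account hammered from many addresses, and a real deployment runs both.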
Risk: Transactions are not processed by the AIS completely or accurately
Risk: Inappropriate changes are made to AIS code (Change Management)
Risk: AIS data is not available when needed
-Critical data should be saved in more than one place (RAID, redundant array of independent disks, or real-time mirroring)
-Data center controls reduce the risk of system downtime
-Backups of financial data are performed on a periodic basis
-Disaster Rec
Data Center Controls
-The building is resistant to natural disasters (at least flood, fire, and lightning)
-The data center should have adequate A/C
-Uninterruptible Power Supply (UPS) or backup generator that takes over if the power goes down
-Access to the data center should be res
Backups
Full backups of data usually are inefficient because of the large volume of data involved, so they are done infrequently (weekly)
-In between full backups, companies choose to back up their data
--Incrementally
--Differentially
-In addition to performing b
Backups - Incrementally
Captures all changes since the last backup of any type (full or incremental)
Cheaper and faster to take, so it suits a short backup window; restoring needs the last full backup plus every incremental taken since
Backups - Differentially
Captures all changes since the last FULL backup; each differential grows until the next full, but restoring needs only the last full backup plus the latest differential
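The incremental/differential trade-off is easiest to see by running both schedules over the same sequence of daily changes. The following added example (not from the original notes) models the file set as a dict of path to content, builds each day's backup set under each policy, and then restores from the chain each policy requires. The four daily states are constructed sample data; deleted files are recorded as tombstones so a restore removes them too.

```python
"""Full, incremental and differential backups side by side. Added example;
the daily file states are constructed sample data."""
from typing import Dict, List, Optional, Tuple

State = Dict[str, str]
Delta = Dict[str, Optional[str]]   # None is a tombstone for a deleted file


def changed_since(current: State, baseline: State) -> Delta:
    """What a partial backup must capture relative to `baseline`: new or
    modified files, plus tombstones so deletions are restored as deletions."""
    delta: Delta = {p: c for p, c in current.items() if baseline.get(p) != c}
    delta.update({p: None for p in baseline if p not in current})
    return delta


def run_schedule(states: List[State], mode: str) -> List[Tuple[str, Delta]]:
    """Day 0 is a full backup; later days are incremental or differential."""
    if mode not in ("incremental", "differential"):
        raise ValueError(mode)
    sets: List[Tuple[str, Delta]] = [("full", dict(states[0]))]
    last_full, last_any = states[0], states[0]
    for state in states[1:]:
        baseline = last_full if mode == "differential" else last_any
        sets.append((mode, changed_since(state, baseline)))
        last_any = state
    return sets


def restore_chain(sets: List[Tuple[str, Delta]]) -> List[Tuple[str, Delta]]:
    """Sets a restore needs: full + every incremental, or full + latest differential."""
    full, rest = sets[0], sets[1:]
    if not rest:
        return [full]
    if rest[-1][0] == "differential":
        return [full, rest[-1]]
    return [full] + rest


def restore(sets: List[Tuple[str, Delta]]) -> State:
    """Replay the chain in order, applying tombstones as deletions."""
    restored: State = {}
    for _, delta in restore_chain(sets):
        for path, content in delta.items():
            if content is None:
                restored.pop(path, None)
            else:
                restored[path] = content
    return restored


DAYS: List[State] = [
    {"gl.db": "v1", "ap.db": "v1", "payroll.db": "v1"},   # day 0: full backup
    {"gl.db": "v2", "ap.db": "v1", "payroll.db": "v1"},   # day 1: gl changed
    {"gl.db": "v2", "ap.db": "v2"},                       # day 2: ap changed, payroll deleted
    {"gl.db": "v3", "ap.db": "v2", "ar.db": "v1"},        # day 3: gl changed, ar added
]


def summary(mode: str) -> Tuple[List[int], int, bool]:
    """(files captured per partial backup, sets needed to restore, restore correct?)"""
    sets = run_schedule(DAYS, mode)
    sizes = [len(delta) for _, delta in sets[1:]]
    return sizes, len(restore_chain(sets)), restore(sets) == DAYS[-1]


if __name__ == "__main__":
    for mode in ("incremental", "differential"):
        print(mode, summary(mode))
```

Both schedules restore the same final state; the difference is that the incremental chain captures 1, 2 and 2 files on successive days but needs four sets to restore, while the differential chain grows to 1, 3 and 4 files but restores from two. A chain is only as good as its weakest set, which is why restore tests belong in the backup procedure.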
Disaster Recovery Plans
How a company will restore its IT functions (including the AIS) when the data center fails due to disaster
Business Recovery Plans
How a company restores its business-process functions when its operations are affected by a disaster
Cold Site
Cheapest
Companies purchase rights to a location that is "empty" (no computers). This takes the most time to set up if it is ever needed.
Hot Site
Essentially a duplicate of the current data center. Uses RAID or Real-Time Mirroring and other data redundancy techniques to have a "back up" data center 24/7 which the company can switch to at any time if needed
Warm Site
In between a Hot Site and a Cold Site on price
Database
A database is like a...
filing cabinet
Cabinet Controls
Cabinet should be locked so only authorized users can open it (the analogue of encrypting the database and restricting logins to it)
Relational Database
Relational data model means that data are stored in separate tables but tables are structured so they link together
Attributes
Like a column heading
Records
An entire row of information
Fields
Individual cells (one attribute's value within one record)
Primary Key
An attribute or combination of attributes that can be used to uniquely identify a specific row (record) in a table
Foreign Key
An attribute in one table that is a primary key in another table
-Used to link two tables
Non-Key
An attribute that describes the record identified by the primary key
ex: order date or quantity, specific to each order
Design Requirements for Relational Databases
1. Every attribute (column) must be single valued
2. Primary keys must contain data (not null) and cannot have duplicates
3. Foreign keys must match a primary key value in the other table (or be null); the database should reject values that point at no row
4. All other non-key attributes must identify a characteristic of the table
Advantages of Relational Databases
Data Integration
-If properly set up, a database can be accessed by various programs (not just an AIS)
Data Sharing
-With data in one place it is more easily shared with authorized users and more easily restricted from everyone else
Minimizing Data Redundancy and Data Inconsis
Advantages of Database
Data Independence
-Data is separate from the programs that access it. Changes can be made to the data without necessitating a change in the programs and vice versa
Cross-Functional Analysis
-Relationships between data from various organizational departmen
Risk: Data stored in the database is not complete/accurate
Risk: Data stored in the database is leaked to unauthorized users
A login should be required for the database server
The database files should be encrypted
SQL Coding
SQL: Structured Query Language
A query language used across database platforms (Access, Oracle, SQL Server, etc.)
Accountants who query data rarely write the language themselves, but they must be able to read it
-We are responsible for making sure the query/report run
SQL: Reading Data
SELECT: (required)
FROM: (required)
WHERE: (optional)
ORDER BY or GROUP BY: (optional)
Example: SELECT Id, Name FROM Genre ORDER BY Name
Id and Name are columns in a table
Genre is the table
Name is the column we choose to sort by
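As an added worked example (not from the original notes), the design rules and the SELECT above can be exercised on an in-memory SQLite database driven from Python. It creates a Genre table and a Track table that references it, enables foreign-key enforcement (SQLite leaves it off by default), runs the page's query and a join across the foreign key, shows the database rejecting a duplicate primary key, a dangling foreign key and a null non-key, and looks rows up with a parameterised WHERE so that user input is bound as a value rather than spliced into the SQL text. The table contents are constructed.

```python
"""Relational-design rules and the notes' SELECT example on an in-memory
SQLite database. Added example; the Genre and Track rows are constructed."""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE Genre (
    Id   INTEGER PRIMARY KEY,       -- primary key: uniquely identifies a row
    Name TEXT    NOT NULL UNIQUE    -- non-key attribute describing the genre
);
CREATE TABLE Track (
    Id      INTEGER PRIMARY KEY,
    Name    TEXT    NOT NULL,
    GenreId INTEGER NOT NULL REFERENCES Genre(Id)   -- foreign key into Genre
);
"""
SAMPLE_GENRES = [(1, "Rock"), (2, "Jazz"), (3, "Blues")]     # constructed rows
SAMPLE_TRACKS = [(1, "Song A", 1), (2, "Song B", 3)]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite does not enforce FKs unless told to
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Genre (Id, Name) VALUES (?, ?)", SAMPLE_GENRES)
    conn.executemany("INSERT INTO Track (Id, Name, GenreId) VALUES (?, ?, ?)",
                     SAMPLE_TRACKS)
    conn.commit()
    return conn


def genres_sorted(conn: sqlite3.Connection) -> List[Tuple[int, str]]:
    """The query from the notes: SELECT and FROM required, ORDER BY optional."""
    return conn.execute("SELECT Id, Name FROM Genre ORDER BY Name").fetchall()


def tracks_with_genre(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """The foreign key is what lets the two tables be joined."""
    return conn.execute(
        "SELECT Track.Name, Genre.Name FROM Track "
        "JOIN Genre ON Track.GenreId = Genre.Id ORDER BY Track.Id"
    ).fetchall()


def try_insert(conn: sqlite3.Connection, sql: str, params: tuple) -> Optional[str]:
    """None if the row was accepted, otherwise the constraint the database rejected."""
    try:
        with conn:                      # commits on success, rolls back on error
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def find_genre(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Parameterised WHERE: the value is bound, never spliced into the SQL
    text, so input like  Jazz' OR '1'='1  is just a name that matches nothing."""
    return conn.execute("SELECT Id, Name FROM Genre WHERE Name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(genres_sorted(db))
    print(tracks_with_genre(db))
    print(try_insert(db, "INSERT INTO Track (Id, Name, GenreId) VALUES (?, ?, ?)",
                     (3, "Song C", 99)))
    print(find_genre(db, "Jazz' OR '1'='1"))
```

The same constraints are what keep a report honest: if the database refuses a track pointing at a genre that does not exist, the report cannot silently drop or duplicate rows when it joins the two tables.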