C6 Control & CIS

Introduction

  • Threat: any potential adverse occurrence or unwanted event, to be injurious to either AIS or organization

  • Exposure / impact of the threat: potential dollar loss if a particular threat comes true

  • Likelihood: probability to happen

  • Internal control: the process by the board of directors / management / those under their direction, to provide reasonable assurance of a number of goals

  • Preventive controls: deter before problems

  • Detective controls: discover as soon as problems

  • Corrective controls: remedy after problems discovered

  • Levers of control: to reconcile the conflict between creativity and controls

  1. Belief system: communicates company core values to employees, and inspire them to live by them
  2. Boundary system: helps employees act ethically by setting forbidding rules
  3. Diagnostic system: measures company process by comparing actual to planned
  4. Interactive control system: helps top managers with high level activities, that demand frequent and regular attention

ERM (Enterprise risk management - integrated framework)

  • Objectives:
  • Provide reasonable assurance to achieve goals and minimize problems
  • Achieve financial & performance targets
  • Assess risks continuously, and identify instructions and resources against risks
  • Avoid adverse publicity and disreputes
  • Basic principles:
  • Companies are formed to create value for owners
  • Company management must decide how much uncertainty can be acepted
  • Uncertainty results in risk or opportunity
  • ERM framework is to help management manage uncertainty, and risk & opportunity, to build or preserve value
  • Components
  1. Internal environment
  2. Objective setting
  3. Event identification
  4. Risk assessment
  5. Risk response
  6. Control activities
  7. Information & communication
  8. Monitoring

The Internal Environment (most important part of ERM)

  1. Management's philosophy, operating style, and risk appetite
  2. The board of directors
  • Oversee management & scrutinize its plans, performance, andactivities
  • Approve company stretegy
  • Review financial results
  • Annually review security policy
  • Interact with internal & external auditors
    • Audit committee: non-employee independent directors
  1. Commitment to integrity, ethical values, and competence
  • To create an organization culture that stresses integrity and commitment of ethical values and competence
    • To endorse integrity as a basic operating principle, teach & require
    • To reward and encourage honesty, give verbal label to honest and dishonest behavior
    • To develop clear policies explicitly describe honest and dishonest behavior
    • To require employees to report dishonest, illegal, or unethical acts, discipline who not
    • To make a commitment to competence by competent employees
  1. Organizational structure
  • Lines of authority, responsibility, and reporting
  • Overall framework for planning, directing, executing, controlling & monitoring operations
  1. Methods of assigning authority and responsibility
  • To make sure employees understand entity's objectives, assign authority & responsibility for business objectives to specific departments and individuals, encourage them to use initiative to solve problem, then hold them accountable for achieving objectives
  1. Human resource standards
  • Employees can be both the greatest control strength and weakness
  1. External influences

Objective Setting

  • Precedes the later six
  • Cooperate vision / mission: why the company exists and that it hopes to achieve
  • Strategic objectives: supporting mission, intended to create shareholder value
  • Operator objectives: a product of management preferences, judgments, and style, varying among entities
  • Compliance & reporting objectives: many imposed by external entities

Event Identification

  • Event: incident or occurrence emanating from internal or external sources to affect strategy or objectives

Risk Assessment & Response

  • Inherent / residual risk: unable / able to avoid before
  • Estimate likelihood and impact (with softwares)
  • Identify controls (to protect from each event)
  • Estimate costs & benefits & determine cost/benefit effectiveness
  • Implement control or avoid, share, or accept the risk

Control Activities

  • Policies, procedures & rules to provide reasonable assurance for objectives and anti-risk
  • Must also ensure compliance & enforcement
  • Segregation of duties: no single employee given too much responsibility
  • Segregation of accounting duties: authorization, recording, custody
  • Project development & acquisition controls: to have a formal, appropriate & proven methodology to govern
  • Change management: making sure changes do not harm reliability, security, confidentiality, integrity & availability

Information & Communication

Monitoring

  1. Perform ERM evaluations
  2. Implement effective supervision
  3. Use responsibility accounting
  4. Monitor system activities
最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 211,348评论 6 491
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 90,122评论 2 385
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 156,936评论 0 347
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 56,427评论 1 283
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 65,467评论 6 385
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 49,785评论 1 290
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 38,931评论 3 406
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 37,696评论 0 266
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 44,141评论 1 303
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 36,483评论 2 327
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 38,625评论 1 340
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 34,291评论 4 329
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 39,892评论 3 312
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 30,741评论 0 21
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,977评论 1 265
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 46,324评论 2 360
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 43,492评论 2 348

推荐阅读更多精彩内容