Lecture 1. Introduction to the course
Why do companies need information?
- Delegation and accountability
- Decision making
- Operating the business
Data engineering: all operational activities that pertain to defining, collecting, transforming,
processing and recording data. Aimed at enhancing the reliability of those data in such a
way that they don’t contain errors, doubles and inconsistencies.
Data analysis helps the organization by supporting the provision of relevant information,
but also helps to the auditor in checking whether client data and information are reliable.
Information-based control framework
- Business domain→ models the essence of a company and as such pertain to what a
company does to create value. Including selling products, purchasing raw materials,
hiring personnel, and making investment in fixed assets
- Information & communication domain→ models the information that will be
provided to the business domain for decision making and operating the business, as
well as the information that is provided by the business domain for delegation and
accountability.
- Data domain→ models the data that is needed for information provisions
- IT domain→ models the required information and communication technology
applications and hardware
The strategy formation level embodies the processes that lead to the business strategy,
information strategy, data strategy and the IT strategy.
The underlying theory of the information-based control framework is that the resulting 8
cells need to be continuously aligned with one another for optimal problem solutions→
change in one cell will always lead to changes in at least one of the other cells.
Risk assessment:
- Operation risks may include foregone revenues, excessive waste, goods being stolen
- Information provisions risks may include missing product information on the
company’s website, overstated financial statements
- Data engineering risks may include incomplete sales transaction data, invalid input of
purchase transaction data
- IT infrastructure risks may include a data breach, corrupted data warehouse, a
store’s website becoming unavailable
Control layer:
- Internal control→ it is designed to provide reasonable assurance regarding the
achievement of objectives relating to operations, reporting and compliance
- Information control→ internal control aimed at information provision
- Data control→ internal control aimed at the data engineering of an organization
- IT control→ internal control aimed at the IT infrastructure of an organization
1
,Information system: an organized collection of software and hardware (IT domain) for
inputting, processing and storing data (data domain) and providing information (information
and communication domain) aimed at the attainment of organizational goals
Lecture 2. Internal control and accounting information systems
Fraud cases because of weak internal control.
Management has a direct interest in securing the quality of its operations.
Auditor has interest in securing the reliability of information.
COSO Internal Control Framework
- Committee Of Sponsoring Organizations of the Treadway Commission→ the
treadway commission was tasked with finding explanation for high profile fraud
cases.
- COSO→ “Internal control is a process, effected by an entity’s board of directors,
management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations, reporting and
compliance.
- Internal control objectives:
o Effectiveness and efficiency of operations
o Reliability of (internal and external) reporting
o Compliance with applicable laws and regulations
The five components of internal control are:
- Monitoring
- Information & communication
- Risk assessment
- Control activities
- Control environment
Five principles that apply to the control environment (= the
organization’s culture with respect to the importance of internal control):
- The organization is committed to integrity and ethical values
- The supervisory board or non-executive directors in the board of directors are
independent of management in exercising oversight on internal controls
- Management, with board oversight, puts in place structures, reporting lines,
authorities and responsibilities
2
, - The organization demonstrates a commitment to attract, develop, and retain
competent personnel in alignment with its objectives
- The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives
A good control environment is one where people in the organization are aware of the
importance of internal control and behave accordingly
Risk: an uncertain future event that, if it becomes reality, will have negative consequences
for the realization of the organization’s goals
- Don’t mix up risk with cause and consequence. For example, a risk is not that there is
unsatisfactory pairing of duties (potential cause), neither is foregone revenues a risk
(consequence)
- If you know the cause(s) of a risk, then you know the direction of your control
solution
Risk assessment: the identification, analysis and evaluation of relevant risks to the
achievement of objectives. Objectives fall withing three broad internal control categories:
- Operations objectives
- Reporting objectives
- Compliance objectives
Use some model for risk assessment to avoid overlooking certain risks. It also helps you to
work systematically and simplify the often too complex control environment.
Risks:
- Business risks → future uncertain event that if becoming a reality will lead to
organizational underperformance
- Information risks → future uncertain event that if becoming a reality will lead to
poor information quality
- Data risks → future uncertain event that if becoming a reality will lead to poor data
quality
- IT risks→ future uncertain event that if becoming a reality will lead to poor IT
deployment (inzet)
Stages in risk assessment
1. Risk identification, which is identifying the future uncertain events that may have
negative consequences
2. Risk analysis, which is assessing the likelihood and impact of each risk
3. Risk evaluation, which is categorizing each risk so that an appropriate risk response
can be given with respect to that risk
→ risk management = risk assessment + risk response
Four principles that apply to risk assessment
- The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives
- The organization identifies risks to the achievement of its objectives across the entity
and analyses risks as a basis for determining how the risks should be managed
3
, - The organization considers the potential for fraud in assessing risks to the
achievement of objectives
- The organization identifies as assesses changes that could significantly impact the
system of internal control
Control activities→ distinction between preventive (aim to prevent risks of becoming
reality) and detective (detect and correct deviations that results from certain risk haven
become reality) controls
Examples of preventive internal controls include: segregation of duties, physical protection
of assets and setting procedures for executing certain activities.
Examples of detective controls include tests of relationships, analytical review, stocktaking,
variance analysis and reperformance of certain calculations.
Three principles that apply to control activities
- The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels
- The organization selects and develops general control activities over technology to
support the achievement of objectives
- The organization deploys control activities through policies that establish what is
expected and procedures that put policies into action
Managers should always think of the level
of residual risk that they are willing to
accept. This is their risk appetite.
4
Why do companies need information?
- Delegation and accountability
- Decision making
- Operating the business
Data engineering: all operational activities that pertain to defining, collecting, transforming,
processing and recording data. Aimed at enhancing the reliability of those data in such a
way that they don’t contain errors, doubles and inconsistencies.
Data analysis helps the organization by supporting the provision of relevant information,
but also helps to the auditor in checking whether client data and information are reliable.
Information-based control framework
- Business domain→ models the essence of a company and as such pertain to what a
company does to create value. Including selling products, purchasing raw materials,
hiring personnel, and making investment in fixed assets
- Information & communication domain→ models the information that will be
provided to the business domain for decision making and operating the business, as
well as the information that is provided by the business domain for delegation and
accountability.
- Data domain→ models the data that is needed for information provisions
- IT domain→ models the required information and communication technology
applications and hardware
The strategy formation level embodies the processes that lead to the business strategy,
information strategy, data strategy and the IT strategy.
The underlying theory of the information-based control framework is that the resulting 8
cells need to be continuously aligned with one another for optimal problem solutions→
change in one cell will always lead to changes in at least one of the other cells.
Risk assessment:
- Operation risks may include foregone revenues, excessive waste, goods being stolen
- Information provisions risks may include missing product information on the
company’s website, overstated financial statements
- Data engineering risks may include incomplete sales transaction data, invalid input of
purchase transaction data
- IT infrastructure risks may include a data breach, corrupted data warehouse, a
store’s website becoming unavailable
Control layer:
- Internal control→ it is designed to provide reasonable assurance regarding the
achievement of objectives relating to operations, reporting and compliance
- Information control→ internal control aimed at information provision
- Data control→ internal control aimed at the data engineering of an organization
- IT control→ internal control aimed at the IT infrastructure of an organization
1
,Information system: an organized collection of software and hardware (IT domain) for
inputting, processing and storing data (data domain) and providing information (information
and communication domain) aimed at the attainment of organizational goals
Lecture 2. Internal control and accounting information systems
Fraud cases because of weak internal control.
Management has a direct interest in securing the quality of its operations.
Auditor has interest in securing the reliability of information.
COSO Internal Control Framework
- Committee Of Sponsoring Organizations of the Treadway Commission→ the
treadway commission was tasked with finding explanation for high profile fraud
cases.
- COSO→ “Internal control is a process, effected by an entity’s board of directors,
management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations, reporting and
compliance.
- Internal control objectives:
o Effectiveness and efficiency of operations
o Reliability of (internal and external) reporting
o Compliance with applicable laws and regulations
The five components of internal control are:
- Monitoring
- Information & communication
- Risk assessment
- Control activities
- Control environment
Five principles that apply to the control environment (= the
organization’s culture with respect to the importance of internal control):
- The organization is committed to integrity and ethical values
- The supervisory board or non-executive directors in the board of directors are
independent of management in exercising oversight on internal controls
- Management, with board oversight, puts in place structures, reporting lines,
authorities and responsibilities
2
, - The organization demonstrates a commitment to attract, develop, and retain
competent personnel in alignment with its objectives
- The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives
A good control environment is one where people in the organization are aware of the
importance of internal control and behave accordingly
Risk: an uncertain future event that, if it becomes reality, will have negative consequences
for the realization of the organization’s goals
- Don’t mix up risk with cause and consequence. For example, a risk is not that there is
unsatisfactory pairing of duties (potential cause), neither is foregone revenues a risk
(consequence)
- If you know the cause(s) of a risk, then you know the direction of your control
solution
Risk assessment: the identification, analysis and evaluation of relevant risks to the
achievement of objectives. Objectives fall withing three broad internal control categories:
- Operations objectives
- Reporting objectives
- Compliance objectives
Use some model for risk assessment to avoid overlooking certain risks. It also helps you to
work systematically and simplify the often too complex control environment.
Risks:
- Business risks → future uncertain event that if becoming a reality will lead to
organizational underperformance
- Information risks → future uncertain event that if becoming a reality will lead to
poor information quality
- Data risks → future uncertain event that if becoming a reality will lead to poor data
quality
- IT risks→ future uncertain event that if becoming a reality will lead to poor IT
deployment (inzet)
Stages in risk assessment
1. Risk identification, which is identifying the future uncertain events that may have
negative consequences
2. Risk analysis, which is assessing the likelihood and impact of each risk
3. Risk evaluation, which is categorizing each risk so that an appropriate risk response
can be given with respect to that risk
→ risk management = risk assessment + risk response
Four principles that apply to risk assessment
- The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives
- The organization identifies risks to the achievement of its objectives across the entity
and analyses risks as a basis for determining how the risks should be managed
3
, - The organization considers the potential for fraud in assessing risks to the
achievement of objectives
- The organization identifies as assesses changes that could significantly impact the
system of internal control
Control activities→ distinction between preventive (aim to prevent risks of becoming
reality) and detective (detect and correct deviations that results from certain risk haven
become reality) controls
Examples of preventive internal controls include: segregation of duties, physical protection
of assets and setting procedures for executing certain activities.
Examples of detective controls include tests of relationships, analytical review, stocktaking,
variance analysis and reperformance of certain calculations.
Three principles that apply to control activities
- The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels
- The organization selects and develops general control activities over technology to
support the achievement of objectives
- The organization deploys control activities through policies that establish what is
expected and procedures that put policies into action
Managers should always think of the level
of residual risk that they are willing to
accept. This is their risk appetite.
4
