Chapter 14 - Enterprise system risks and controls. Risk and control are considerations of utmost importance for enterprise system designers, managers, and auditors. The objective of this chapter is to introduce some types of risk that occur in enterprises and discuss how these risks may be lessened by controls designed into enterprise information systems. This chapter uses the REA pattern as a framework for identifying types of risks and controls to mitigate those risks.

Chapter 14: Enterprise System Risks and Controls

Chapter Learning Objectives
- Describe the relationship between enterprise risks, opportunities, and controls
- Explain the levels at which enterprise risks occur
- Use the REA pattern to identify sources of enterprise risk
- Identify specific controls to prevent, detect, and recover from enterprise risks

The Relationship between Risks, Opportunities, and Controls
Risks: A risk is any exposure to the chance of injury or loss (also known as a threat).
Opportunities and Objectives: Opportunity and risk go hand in hand. You can't have an opportunity without some risk, and with every risk there is some potential opportunity.
Controls: A control is an activity performed to minimize or eliminate a risk.

Internal Control Systems
- Congress passed the Sarbanes-Oxley Act requiring publicly traded companies to issue reports on their internal control systems along with their annual financial reports
- Management is responsible for establishing and maintaining adequate internal controls for financial reporting
- Reports must include assessments of the effectiveness of the internal controls and the financial reporting procedures
- Sarbanes-Oxley also requires auditors to attest to and report on management's assessments
- AICPA's Statement on Auditing Standards No. 94 established standards for auditing internal controls
- COSO reports stress the importance of examining control at many levels of detail

Materiality and Risk
[Figure: Materiality of Risk matrix; axes: Likelihood of Loss (High / Low) and Size of Potential Impact (Small / Large)]

COSO Internal Control Integrated Framework
- The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of the AAA, AICPA, IIA, IMA, and FEI.
- COSO's internal control integrated framework is considered the authority on internal controls.
- COSO's internal control model has five components:
  - Control environment
  - Risk assessment
  - Control activities
  - Information and communication
  - Monitoring

Control