Organizations must perform a risk assessment to identify, analyze, and manage the risks relevant to financial reporting. Controls should be implemented according to the risks identified, and a proper combination of manual and CBIS controls should provide an adequate control climate for the organization. Aligned with this approach, the COSO framework provides guidance to accountants and auditors.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its Enterprise Risk Management (ERM) Framework activities are a must-know for accountants and auditors who want to help organizations achieve their financial goals. COSO activities include:
o Articulating and communicating the organization's objectives.
o Determining the organization's risk appetite.
o Establishing an appropriate internal environment, including a risk management framework.
o Identifying potential threats to the achievement of objectives.
o Assessing risks, including their impact and likelihood of occurring.
o Selecting and implementing responses to risks.
o Undertaking control and other response activities.
o Communicating information on risks consistently at all levels in the organization.
o Centrally monitoring and coordinating the risk management processes and the outcomes.
o Providing assurance on the effectiveness with which risks are managed.
Computer-based information systems (CBIS) are a powerful tool that enhances manual controls over transaction authorization, segregation of duties, supervision, access control, adequate accounting records, and independent verification. COSO ERM Framework activities are intended to minimize risks through effective controls.
From the CBIS environment perspective, transactions are authorized by rules that are often embedded within computer programs. For example, if an employee is expected to work only 40 hours per week, an error message should appear when someone has recorded 42 hours in a given week. Authorization procedures are controls that ensure that only valid transactions are processed. Valid transactions must be within the scope of a prescribed authority.
Proper segregation of duties ensures that no individual is in a position to both steal and conceal the theft. Incompatible duties within a transaction process must be separated. For example, transaction authorization must be separated from transaction processing, and asset custody should be separated from record-keeping responsibilities. With such separation in place, fraud could be accomplished only by collusion between two or more individuals holding incompatible duties. In a CBIS environment, the activities of program development, program operation, and program maintenance should be properly separated.
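The two CBIS controls described above, an authorization rule embedded in the program (the 40-hour weekly limit) and segregation of duties between the person who authorizes a transaction and the person who processes it, can be shown together in a small timesheet-processing model. The code below is an added illustration, not code from the original article; the employee names, the week labels and the structure of the audit trail are constructed for the example, and only the 40-hour threshold is taken from the text.

```python
"""Added example: embedded authorization rule plus a segregation-of-duties
check for a timesheet transaction. Illustrative code, not part of the original
article; names, weeks and log format are constructed for this demonstration."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_WEEKLY_HOURS = 40.0  # authorization rule embedded in the program (from the article)


class ControlViolation(Exception):
    """Raised when a transaction fails an embedded control."""


@dataclass
class Timesheet:
    employee: str
    week: str                      # constructed label, e.g. "2024-W10"
    hours: float
    authorized_by: Optional[str] = None
    processed_by: Optional[str] = None


@dataclass
class TimesheetSystem:
    """Minimal CBIS that enforces the two controls and keeps an audit trail."""
    max_hours: float = MAX_WEEKLY_HOURS
    audit_trail: List[str] = field(default_factory=list)

    def _reject(self, ts: Timesheet, reason: str) -> None:
        # Every rejection is recorded so an auditor can later review control hits.
        self.audit_trail.append(f"REJECT {ts.employee}/{ts.week}: {reason}")
        raise ControlViolation(reason)

    def authorize(self, ts: Timesheet, approver: str) -> Timesheet:
        # Embedded authorization rule: hours beyond the prescribed limit are invalid.
        if ts.hours > self.max_hours:
            self._reject(ts, f"{ts.hours}h exceeds the {self.max_hours}h weekly limit")
        # An employee approving their own timesheet combines incompatible duties.
        if approver == ts.employee:
            self._reject(ts, "self-authorization is not permitted")
        ts.authorized_by = approver
        self.audit_trail.append(f"AUTHORIZE {ts.employee}/{ts.week} by {approver}")
        return ts

    def process(self, ts: Timesheet, clerk: str) -> Timesheet:
        # Only authorized transactions may be processed.
        if ts.authorized_by is None:
            self._reject(ts, "transaction has not been authorized")
        # Segregation of duties: the authorizer (or the employee) may not also process.
        if clerk in (ts.employee, ts.authorized_by):
            self._reject(ts, "processing must be performed by someone other than the authorizer")
        ts.processed_by = clerk
        self.audit_trail.append(f"PROCESS {ts.employee}/{ts.week} by {clerk}")
        return ts


def submit(system: TimesheetSystem, ts: Timesheet, approver: str, clerk: str) -> str:
    """Run a timesheet through authorization then processing.

    Returns "PROCESSED" on success or "REJECTED: <reason>" when a control fires.
    """
    try:
        system.authorize(ts, approver)
        system.process(ts, clerk)
        return "PROCESSED"
    except ControlViolation as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    system = TimesheetSystem()
    # Constructed sample transactions: one valid, one over the limit, one SoD breach.
    print(submit(system, Timesheet("alice", "2024-W10", 38), "bob", "carol"))
    print(submit(system, Timesheet("alice", "2024-W11", 42), "bob", "carol"))
    print(submit(system, Timesheet("alice", "2024-W12", 38), "bob", "bob"))
    for entry in system.audit_trail:
        print(entry)
```

Rejections are written to the audit trail as well as successes, so a reviewer can see how often each control fired and who triggered it; that record is what the later paragraph on accounting records calls the audit trail in a CBIS environment.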
When adequate segregation of duties is not feasible, supervision plays an important role in compensating for the lack of proper segregation. In a CBIS environment, supervisory controls should be designed to mitigate the lack of direct supervision. For example, it would be cumbersome for a manager to directly supervise a computer programmer while he or she is doing the job.
The accounting records in a manual system provide an audit trail, while in a CBIS environment the audit trail is provided by different techniques that take the form of pointers, indexes, or embedded keys.
Access controls should prevent asset misappropriation, by far the largest fraud scheme according to the Association of Certified Fraud Examiners (ACFE). CBIS tends to centralize records in a single location, which brings threats of fraud and of losses from disasters. A strong control is to ensure that individuals are granted access to data, programs, and restricted areas only to the extent strictly necessary for their duties.
Independent verification identifies errors and misrepresentations. Examples include an independent count of inventory and a reconciliation of assets to accounting records. In a CBIS environment, accountants and auditors evaluate the controls over system development and the logic of computer programs.
The COSO ERM framework and control activities, whether manual or CBIS-based, strive for a common goal: helping the organization in its quest for financial sustainability through proper controls in response to the risks identified.