Deck 14: Enterprise System Risks and Controls

Management may choose to ignore risks that have a low impact and a low likelihood of occurrence unless controls to mitigate those risks are costless.

The control environment sets the tone of the enterprise and can contribute to a high-risk environment.

The attitudes and actions of top management typically do not affect the climate of an enterprise, because they are rarely onsite.

An error is an intentional effort to do something undesirable to an enterprise, while an irregularity is an unintended mistake on the part of an employee.

Corrective controls focus on preventing an error or irregularity.

Economy risks include those resulting from war, epidemics, financial market changes, terrorist attacks, and natural disasters such as floods, hurricanes, and drought.

The risk of recording incomplete, inaccurate, or invalid data about a business event is considered a business process risk.

Enterprises should create contingency plans for transferring operations to a backup location in case of business interruptions.

Lapping is a method of stealing cash in which an employee steals a customer payment and uses funds from a subsequent customer payment to post to the first customer's account, using funds from a third customer payment to post to the second customer's account, and continuing on in that pattern until a valid account is written off as a bad debt, the perpetrator is caught, the perpetrator leaves the firm, or some combination of those three possibilities.

Radio frequency identification tags are increasingly used to track the chain of custody of resources.

Many of the risks associated with instigation events in the sales/collection process relate to the salesperson's efficiency and effectiveness.

Accepting duplicate cash receipts for the same sale is a mutual commitment event risk.

Encryption requires fingerprint matches of the authorized sender and the authorized receiver.

An uninterruptible power supply (UPS) is a combination of hardware and software used to shield a computer network from unauthorized users or from file transfers of unauthorized types.

A worm is more insidious than a normal computer virus.

A master reference check highlights illogical balances in a master file, for example a negative value for quantity on hand.

What is risk?

Why do enterprises take risks?

What factors should an organization consider when determining whether to implement controls to reduce a particular risk?

Name two examples of economy risk.

What kind of risk is a crisis involving a major business partner?

List two important control principles for business process risks related to all types of resources.

What type of risk is a mistake made in the advertising or promotions regarding a product available for sale?

What is an independent check on performance?

To what business process risk are economic increment events particularly susceptible, and why?

Discuss the importance of an enterprise's control environment and describe each of the seven areas within the control environment.

Think of a local convenience store in your town. List at least three risks associated with this store's sale of merchandise to customers, and propose one or more internal controls that would mitigate those risks.

Bartt's Boxes manufactures and distributes boxes of various sizes and strengths. They take mail and telephone orders from customers. They ship the boxes according to the customer orders and send monthly statements to the customers who pay on a monthly basis. What are at least three risks associated with Bartt's sales/collection process, and what are internal controls that would mitigate these risks?

Explain the grandparent-parent-child backup and file reconstruction procedure. Should this procedure be used for real-time processing systems? If not, what alternative procedure should be followed?