Page 223 - COSO Guidance Book

For example, a denial-of-service attack by hackers on a local faith-based organization’s donation website.³
              The framework provides the following types of internal factors to be considered in risk identification
               (the list may not be all-inclusive):
               –  Infrastructure — Decisions on the use of resources that can affect operations

                   An example is a local pawnshop that decides to open another location. The expansion plan allows
                   for the hiring of additional personnel who need on-the-job training. During this training period,
                   customer service might suffer because of transactions being conducted by inexperienced staff.

               –  Management structure — Changes in management responsibilities that affect how certain
                   controls are performed
                    For example, a recession may cause an entity to lay off many members of senior and middle
                    management. The remaining managers take on a wider span of responsibility for additional areas,
                    including the internal controls for those areas. Erroneous or fraudulent transactions could then
                    enter the financial reporting system as a result of managers’ fatigue or their “rubber-stamping”
                    of transactions prepared by subordinates.

               –  Personnel — The quality of personnel

                    Many smaller entities, for example, lack the resources to employ technical personnel to manage the
                    local area network. The entity could compensate for this gap in IT skills by outsourcing
                    management of the local area network or by adopting services provided by cloud service providers.
                    Outsourcing shifts the work, not the responsibility: management still needs to understand which
                    controls the provider performs and how it gains assurance that they operate.

               –  Access to assets — Employees’ access to assets, which can result in theft of those assets

                   Assets subject to a high risk of misappropriation should have additional controls to mitigate this
                   risk. For example, the most valuable items in a jewelry store are not in the display cabinets but in
                   a locked safe that can be opened only by the owner-manager.

               –  Technology — An interruption in IT processing that can adversely affect the entity’s operations

                    For example, an entity might not have an IT disaster recovery plan or perform routine backups. An
                    equipment failure could then destroy critical data files that would require extensive effort to
                    recreate. Backups that are never test-restored give little assurance; the control is the ability
                    to recover, not the existence of a backup job.

              Point of focus — Involves appropriate levels of management
               The entity puts into place risk assessment mechanisms that involve appropriate levels of
               management.

               For example, members of senior management would be involved in establishing entity-wide policies
               and procedures.



            ³ The purpose of a denial-of-service attack is to make IT resources unavailable to their users. A common
            method of attack is to send an inordinate number of requests to a website so that its intended users are
            denied access.


            © 2020 Association of International Certified Professional Accountants. All rights reserved.    4-9