萨班斯法案与ISO9001内部控制体系的比较

比较了萨班斯法案与ISO9001的内部控制体系,认为二者在许多章节上有对应关系,或者在法律精神上有类似的应用,ISO9001作为质量管理体系认证标准对财务控制风险每个环节都实施了控制;类似地,COSO框架的五个要素在ISO9001中也均有充分的体现.     

Risk Management in Small- and Medium-Sized Businesses and How Accountants Contribute*

We investigate how owners of small- and medium-sized enterprises (SMEs) perceive, make sense of, and practice risk management. Drawing on Schatzki's practice theory, we theorize on how and why risk management happens in SMEs. Thus, we fill a gap in the extant literature, which focuses almost exclusively on risk management within large organizations. We interview entrepreneurs and conduct site observations to gain insight into their risk management activities, the drivers that lead to the adoption of said activities, their attitudes toward risk management, and how their accountants may shape and contribute to risk management in SMEs. We find that rather than a specific set of formal processes, entrepreneurs view risk management as a mindset that emphasizes the preservation of key assets, creation of competitive advantages, and development of local talent and expertise. We observe practices that are mainly informal yet planned, deliberate, and fully integrated within the fabric of organizations that align with ideal forms of risk management. We also find that full-time, in-house accountants do help entrepreneurs with risk management, while external accountants, whose main activities relate to financial statement preparation and tax filings, do not systematically help entrepreneurs manage risk. We contribute to both the theory and practice of risk management by sharing empirical insights into how SME owners perceive, make sense of, and manage risk.     

Exploring the information content of cyber breach reports and the relationship to internal controls

A number of institutions make reports available regarding the types, impacts, or origins of cybersecurity breaches. The information content of cyber breach reports is examined in light of Principle 15 of the 2017 Committee on Sponsoring Organizations Enterprise Risk Management (COSO ERM) information security control framework to understand the degree to which cyber breach reports reflect the established COSO internal control framework. This study utilizes the COSO ERM internal control framework to examine whether current cyber breach reports contain information that may influence a firm’s ability to assess substantial change within its industry due to external forces (COSO ERM Principle 15). As such, this study focuses on data breaches, a special type of cyber incident, which may result in the loss of confidential information. Cyber decision makers rely on this type of information to calibrate information security programs to ensure coverage of relevant threats and the efficient use of available funds. These reports may be used for the purposes of cybersecurity risk assessment and strategic planning. We compare, contrast, and analyzie the reports to identify their utility in such contexts. We also provide an overview of the current cybersecurity reporting environment and suggest revisions to US national cyber policy with the intent of increasing the benefit to reporters and consumers of the data.This study is focused on education as to the current structure of breach reporting based upon our review and synthesis of publicly-available breach reports.In this study, we review nine (9) reports that meet four (4) criteria. We relate these criteria to the framework provided by COSO ERM Principle 15 by analyzing and placing the criteria into a taxonomy developed for this purpose. We analyze the degree to which the reports are complementary, reflect potential improvements of internal controls, and provide recommendations for ways in which these types of reports might be used by practitioners, while highlighting potential limitations. Our findings indicate that the sample reports contain little information that may be incorporated to improve the risk profile of an entity. We provide recommendations to improve the information content and timeliness of breach reports.