389 Exam 2 Flashcards
Internal Controls
Policies, plans and procedures designed to protect the assets of the company.
Internal Control System
the methods used to achieve the following objectives:
- safeguarding assets
- checking the accuracy and reliability of accounting data
- promoting operational efficiency
- encouraging adherence to prescribed managerial policies.
Threat
any potential adverse occurrence or unwanted event that could injure the AIS or the organization
Exposure / Impact
the potential dollar loss that would occur if the threat becomes a reality
risk / likelihood
the probability that the threat will occur
Types of threats:
natural and political, software errors and equipment malfunction, unintentional acts, intentional acts.
internal controls perform three important functions:
- preventive controls
- detective controls
- corrective controls.
preventive controls? examples?
deter problems before they arise
e.g. firewall
e.g. locking doors before leaving home
detective controls? examples?
discover problems when they do arise.
e.g. an alarm system: if someone were to get into your home, the alarm would sound.
e.g. bank reconciliation
e.g. a trial balance, making sure debits and credits balance and making sure nothing crazy is going on.
Corrective controls? examples?
remedy problems that have occurred by:
identifying the cause, correcting the resulting errors, modifying the system to prevent future problems of this sort.
What are some regulations of controls?
Foreign Corrupt Practices Act, COSO, SOX
COSO meaning and what they do:
Committee of Sponsoring Organizations of Internal Control
- control environment
- risk assessment
- control activities
- information and communication
- monitoring
Control environment:
establishes the tone of a company, influencing the control awareness of the company’s employees.
Is the general attitude towards the control environment within a company
Factors included within the control environment are:
integrity, ethical values and competence of employees
management philosophy and operating style
Assignment of authority and responsibility
effectiveness of the board of directors.
Control environment starts ___ and ___
at the top and works its way down.
Risk assessment:
an important consideration when designing controls for a company
Risks come from
internal and external sources
Risks that may affect the accomplishment of a company’s goals and objectives should be ____
identified, analyzed and promptly addressed
cost-benefit analysis
do the benefits of a particular control implementation outweigh the costs?
A measure of loss should include ___
both the exposure and the risk
Control activities:
relate to the policies and procedures that help ensure that management directives are carried out in an effective manner.
Audit trail
enables auditors and accountants to follow the path of a transaction
Sound personnel policies and competent employees
specific hiring procedures… rotation of certain key employees in different jobs, enforced vacations… regular performance reviews.
Separation of Duties:
A control activity within an internal control system that essentially says that one employee serves as a monitor for another employee. Keep custody of assets, recording of transactions, and authorizing of transactions separate.
Separation of duties, custodial functions:
handling cash, inventories, tools, or fixed assets, writing checks, receiving checks in the mail
Separation of duties, recording functions:
Preparing source documents, maintaining journals, ledgers or other files, preparing reconciliations, preparing performance reports.
separation of duties, authorization functions:
authorization of transactions
collude:
come together.
this makes segregation of duties impotent and controls can be overridden.
Physical protection of assets:
a process to safeguard inventory… how about cash?
internal audits
perform periodic reviews
operational audits:
performed to evaluate the efficiency and effectiveness of that particular department
information:
refers to the output of the accounting system
- it includes the methods used to record, process, summarize and report a company’s transactions and maintain accountability for assets, liabilities, and equity.
Communication:
refers to providing a company’s personnel with an understanding of their role and responsibilities pertaining to internal control over financial reporting.
Monitoring:
relates to the process that assesses the quality of internal control performance on a continuous basis.
examples of monitoring:
perform internal control evaluations, implement effective supervision, use responsibility accounting systems such as budgets, schedules, standard costs, etc., track purchased software and mobile devices, periodic audits
9-14 why?
a. separate cash payments from cash receipts
Both are custody
9-14 why?
b. lock up signature plates
prevents unauthorized use
9-14 why?
c. match invoices to receiving reports
ensure item was received and invoice quantity is correct
9-14 why?
d. checks mailed by person not preparing check
separation of duties: person mailing may notice suspicious payments
9-14 why?
e. match invoices to POs
Ensure purchase is authorized and invoice price is correct
9-14 why?
f. keep checks under lock
prevent unauthorized payments
9-14 why?
g. imprest payroll account (deposit only payroll amt.)
identify payroll fraud / error and limit loss
9-14 why?
h. separate bank reconciliation from writing checks or handling cash
separation of duties: prevents concealing a theft by making it appear that GL cash reconciles to bank statement cash.
9-14 why?
i. use check protector:
keep people from changing check amount
9-14 why?
j. conduct surprise counts of cash
catch thieves who do not generate fictitious support documents at the time of the theft.
9-14 why?
k. use approved vendors:
prevent vendors that are 1.) fictitious, 2.) have high prices, 3.) have poor quality products.
9-14 why?
l. all purchases made by purchasing department
prevent vendors that are 1.) fictitious, 2.) have high prices, 3.) have poor quality products.
electronic eavesdropping:
security risk with wireless technology
data encryption
this can stop eavesdropping. It means the data is scrambled and only the receiver can de-scramble it.
VPN
Virtual private network:
security appliance that allows remote access to a company’s system.
Security for wireless system:
electronic eavesdropping, data encryption, VPN
Security for hard-wired system:
Routing verification procedures -
message acknowledgment procedures -
Distributed data processing:
data processing is handled by many PCs
PCs are linked to a central computer
Electronic eavesdropping could be a problem here as well
Routing verification procedures
ensure that messages are routed to the correct computer
Header label: i.e. identify message destination
checked before acceptance of message
message acknowledgment procedures
prevent loss of part of message
trailer label: i.e. data indicating message length
checked after data received
Management is responsible for:
directing and controlling operations and establishing, communicating, and monitoring all company policies and procedures.
security policies:
help protect the organization from internal and external threats
5 components of internal control process
- control environment
- risk assessment
- control activities
- information and communication
- monitoring
Types of general computer controls:
personnel controls, file security, backup, contingency planning, computer facility controls, access to computer files.
file security controls:
purpose: protect computer files from either accidental or intentional abuse.
examples: external file labels, internal file labels, lockout procedures (prevent 2 applications from simultaneously updating a file), read-only files
fault-tolerant systems
purpose: to tolerate computer errors and keep functioning.
core concept: Redundancy
types: consensus-based protocols, watchdog processor, disk mirroring or disk shadowing
consensus-based protocols:
have an odd number of processors, ignore the incongruent processor
watchdog processor:
second processor that takes over if main processor fails
disk mirroring or disk shadowing
write all data to two disks
backup procedures:
similar to fault-tolerant systems but not exactly the same.
purpose of backup procedures:
mitigate risk of losing data before, during, or after processing work
Grandparent-parent-child procedure:
a backup procedure that keeps three generations of the master file
electronic vaulting:
a backup procedure that electronically transmits data to a remote location for backup.
contingency planning purpose:
ready the organization for a disaster that could affect data processing capabilities
offsite location types:
cold site
hot site
flying start site
Disaster recovery plan:
procedures to be followed in case of an emergency
cold site:
location where system could be installed quickly.
literally a room with nothing.