389 Exam 2 Flashcards
Internal Controls
Policies, plans and procedures designed to protect the assets of the company.
Internal Control System
the methods used to achieve the following objectives:
- safeguarding assets
- checking the accuracy and reliability of accounting data
- promoting operational efficiency
- encouraging adherence to prescribed managerial policies.
Threat
any potential adverse occurrence or unwanted event that could injure the AIS or the organization
Exposure / Impact
the potential dollar loss that would occur if the threat becomes a reality
risk / likelihood
the probability that the threat will occur
Types of threats:
natural and political, software errors and equipment malfunction, unintentional acts, intentional acts.
internal controls perform three important functions:
- preventive controls
- detective controls
- corrective controls.
preventive controls? examples?
deter problems before they arise
i.e. firewall
i.e. locking doors before leaving home
detective controls? examples?
discover problems when they do arise.
i.e. an alarm system. If someone were to get into your home, the alarm would sound.
i.e. bank reconciliation
i.e. a trial balance making sure debits and credits balance and making sure nothing crazy is going on.
Corrective controls? examples?
remedy problems that have occurred by:
identifying the cause, correcting the resulting errors, modifying the system to prevent future problems of this sort.
What are some regulations of controls?
Foreign Corrupt Practices Act, COSO, SOX
COSO meaning and what they do:
Committee of Sponsoring Organizations of Internal Control
- control environment
- risk assessment
- control activities
- information and communication
- monitoring
Control environment:
establishes the tone of a company, influencing the control awareness of the company’s employees.
Is the general attitude towards the control environment within a company
Factors included within the control environment are:
integrity, ethical values and competence of employees
management philosophy and operating style
Assignment of authority and responsibility
effectiveness of the board of directors.
Control environment starts ___ and ___
at the top and works its way down.
Risk assessment:
an important consideration when designing controls for a company
Risks come from
internal and external sources
Risks that may affect the accomplishment of a company’s goals and objectives should be ____
identified, analyzed and promptly addressed
cost-benefit analysis
do the benefits of a particular control implementation outweigh the costs?
A measure of loss should include ___
both the exposure and risk
Control activities:
relate to the policies and procedures that help ensure that management directives are carried out in an effective manner.
Audit trail
enables auditors and accountants to follow the path of a transaction
Sound personnel policies and competent employees
specific hiring procedures… rotation of certain key employees in different jobs, enforced vacations… regular performance reviews.
Separation of Duties:
A control activity within an internal control system that essentially says that one employee serves as a monitor for another employee. Keep separate the custody of assets, recording of transactions, and authorization of transactions.
Separation of duties, custodial functions:
handling cash, inventories, tools, or fixed assets, writing checks, receiving checks in the mail
Separation of duties, recording functions:
Preparing source documents, maintaining journals, ledgers or other files, preparing reconciliations, preparing performance reports.
separation of duties, authorization functions:
authorization of transactions
collude:
come together.
this makes segregation of duties impotent and controls can be overridden.
Physical protection of assets:
a process to safeguard inventory… how about cash?
internal audits
perform periodic reviews
operational audits:
performed to evaluate the efficiency and effectiveness of that particular department
information:
refers to the output of the accounting system
- it includes the methods used to record, process, summarize and report a company’s transactions and maintain accountability for assets, liabilities, and equity.
Communication:
refers to providing a company’s personnel with an understanding of their role and responsibilities pertaining to internal control over financial reporting.
Monitoring:
relates to the process that assesses the quality of internal control performance on a continuous basis.
examples of monitoring:
perform internal control evaluations, implement effective supervision, use responsibility accounting systems such as budgets, schedules, standard costs, etc., track purchased software and mobile devices, periodic audits
9-14 why?
a. separate cash payments from cash receipts
Both are custody
9-14 why?
b. lock up signature plates
prevents unauthorized use
9-14 why?
c. match invoices to receiving reports
ensure item was received and invoice quantity is correct
9-14 why?
d. checks mailed by person not preparing check
separation of duties: person mailing may notice suspicious payments
9-14 why?
e. match invoices to POs
Ensure purchase is authorized and invoice price is correct
9-14 why?
f. keep checks under lock
prevent unauthorized payments
9-14 why?
g. imprest payroll account (deposit only payroll amt.)
identify payroll fraud / error and limit loss
9-14 why?
h. separate bank reconciliation from writing checks or handling cash
separation of duties- prevents concealing a theft by making it appear that GL cash reconciles to bank statement cash.
9-14 why?
i. use check protector:
keep people from changing check amount
9-14 why?
j. conduct surprise counts of cash
catch thieves who do not generate fictitious support documents at the time of the theft.
9-14 why?
k. use approved vendors:
prevent vendors that are 1.) fictitious, 2.) have high prices, 3.) have poor quality products.
9-14 why?
l. all purchases made by purchasing department
prevent vendors that are 1.) fictitious, 2.) have high prices, 3.) have poor quality products.
electronic eavesdropping:
security risk with wireless technology
data encryption
this can stop eavesdropping. this means the data is scrambled and only receiver can de-scramble
VPN
Virtual private network:
security appliance that allows remote access to a company’s system.
Security for wireless system:
electronic eavesdropping, data encryption, VPN
Security for hard-wired system:
in distributed data processing, data processing is handled by many PCs
Routing verification procedures -
message acknowledgment procedures -
in distributed data processing, data processing is handled by many PCs
PCs are linked to a central computer
Electronic eavesdropping could be a problem here as well
Routing verification procedures
ensure that messages are routed to the correct computer
Header label: i.e. identify message destination
checked before acceptance of message
message acknowledgment procedures
prevent loss of part of message
trailer label: i.e. data indicating message length
checked after data received
Management is responsible for:
directing and controlling operations and establishing, communicating, and monitoring all company policies and procedures.
security policies:
help protect the organization from internal and external threats
5 components of internal control process
- control environment
- risk assessment
- control activities
- information and communication
- monitoring
Types of general computer controls:
personnel controls, file security, backup, contingency planning, computer facility controls, access to computer files.
file security controls:
purposes:
examples:
protect computer files from either accidental or intentional abuse.
i.e. external file labels, internal file labels, lockout procedures (prevent 2 applications from simultaneously updating a file), read-only files
fault-tolerant systems
purpose:
core concept:
types:
to tolerate computer errors and keep functioning.
Redundancy
consensus-based protocols, watchdog processor, disk mirroring or disk shadowing
consensus-based protocols:
have an odd number of processors, ignore the incongruent processor
watchdog processor:
second processor that takes over if main processor fails
disk mirroring or disk shadowing
write all data to two disks
backup procedures:
similar to fault-tolerant systems but not exactly the same.
purpose of backup procedures:
mitigate risk of losing data before, during, or after processing work
Grandparent-parent-child procedure:
a backup procedure that
keeps three generations of the master file
electronic vaulting:
a backup procedure that
electronically transmits data to a remote location for backup.
contingency planning purpose:
ready the organization for disaster that could affect data processing capabilities
offsite location types:
cold site
hot site
flying start site
Disaster recovery plan:
procedures to be followed in case of an emergency
cold site:
location where system could be installed quickly.
literally a room with nothing.
hot site:
location with a working system.
a room plus a system and software; you just don’t have data
flying start site:
hot site with backup data
location, data, system and software.
computer facility controls purpose:
protect the physical assets of a data processing center
key points of computer facility controls
data center location should be safe, employee access to data center should be listed, physical assets should be insured.
access to computer files purpose:
safeguards sensitive data.
key points to access to computer files
strong password policies, limiting logical access by authority, removing users from the system after termination, limiting/controlling remote login capability
application controls:
controls designed to prevent errors in transaction processing
three classifications of application controls:
input controls
processing controls
output controls
types of input controls:
observations
edit tests
input controls - observation:
dual observation - having multiple employees involved in input process
recording safeguards- UPC, barcode scanners, POS devices
Standard AJEs
input controls - edit tests:
edit checks
Field check:
proper type of characters in a field
i.e. 9o210.
it won’t process that because it is supposed to be 90210
Field Size check:
ensures that the input data will fit into the assigned field
i.e. twitter character count.
sign check
appropriate arithmetic sign
limit check
tests a numerical amount against a fixed value
floor or ceiling
reasonableness check:
determines the correctness of a logical relationship between two data items
types of processing controls
data access controls
data manipulation controls
types of data access controls:
financial totals
hash totals
record count
social security numbers
types of data manipulation controls:
review software documentation
ensure proper programming using test data.
Fraud:
any act of deception with intent to gain an unfair advantage over another person.
Computer fraud:
illegal act that requires computer knowledge / use to perpetrate.
Types of fraud:
misappropriation of assets, corruption, fraudulent financial reporting
Examples of misappropriation of assets
Embezzlement, theft of money or property
Examples of Corruption
Using your position to take advantage
Example of Fraudulent financial reporting
intentional manipulation of financial statements i.e. Healthsouth
Computer Crime:
the use of a computer for illegal financial gain or infliction of measurable loss on a person.
Computer abuse:
mischievous, unauthorized use of a computer that is contrary to the owner’s wishes i.e. invasion of privacy.
The Computer Fraud and Abuse Act of 1986 covers the following issues:
- Use of, or conspiracy to use computer resources to commit a felony
- Theft, use, access, modification, copying or destruction of software or data.
- Theft of money by altering computer records, or theft of computer time.
- Theft or vandalism of computer hardware.
- Intent to illegally obtain information or property using the computer.
- Trafficking in passwords or other login information.
- Extortion using a computer system as a target.
What are some techniques used to commit computer crimes?
Trojan Horse
Data diddling
Hacking
Phishing
What is a trojan horse?
unauthorized commands hidden in authorized programs.
What are different types of trojan horses?
Virus
Worm
Logic Bomb
Salami Technique
What is a virus?
A program that attaches to other files or programs and spreads by copying itself. They can destroy programs and data and perform denial of service attacks.
What is a worm?
A stand-alone program that replicates itself until all memory is utilized. Can also be used in denial of service attacks.
Target puts a worm on Walmart. If Walmart is slow, customers will choose Target instead.
What is a logic bomb?
A program that remains dormant until triggered by some event.
- Logic bombs can destroy programs and data.
What is the salami technique?
A program that makes small adjustments to many accounts in an effort to steal large amounts of money in small increments.
What is data diddling?
changing data before, during, or after an entry.
What is hacking?
Gaining unauthorized access to a system.
What is phishing?
e.g. pose as legitimate company.
Types of security technologies:
- Antivirus software
- Firewalls
- Access controls
- Physical security
- Intrusion detection systems
- Data encryption
Steps to identifying computer crime:
- Look for accounting irregularities, or anomalous data.
- Look for employees with lifestyle changes or unusually extravagant lifestyles given their income.
- Look for employees with bizarre behavior. i.e. secretive and unwilling to take vacation.
Forensic accountants:
specialize in preventing or detecting fraud or white-collar crime.
Is it okay for your employer to read emails from your work account?
Yes
Is it fair for your potential or current employers to use Facebook or Twitter to monitor employees?
Yes it is okay.
When does the accounting cycle begin?
When the accounting personnel analyze a transaction from a source document.
What is a source document?
A piece of paper or electronic form that records a business activity such as the purchase or sale of goods.
Subsidiary ledger:
contains detailed records pertaining to a type of account (e.g. A/R, A/P, Payroll)
General Ledger:
a collection of account balances.
What is coding?
AIS depend on it to record, store, classify, and retrieve financial data.
What is the purpose of coding?
uniquely identify transactions and accounts, compress data, aid in classification process, and convey special meaning.
Types of codes:
mnemonic codes
Sequence codes
Block Codes
Group Codes
Mnemonic Codes:
give visible clues concerning the objects they represent (e.g. S, M, L, XL)
Sequence Codes
assign numbers or letters in consecutive order
Block Codes
sequential codes in which blocks of numbers are reserved for particular use.
Group codes:
Combines two or more codes.
A payroll clerk created a ghost employee and entered the name into the payroll system. He then prepared a paycheck for this employee, endorsed it to himself, took the paycheck to the bank, and deposited the check.
Require supervisors to approve time worked.
Have someone other than payroll clerk distribute signed checks.
Use direct deposit
Have employees sign for checks.
Have employees clock in electronically (use badges)
Use a record count of employees
Use a hash total.
In a charitable organization, a cashier set aside checks for donations, endorsed them, and cashed them. She then sent gift acknowledgement cards to the donors.
- Use restrictive endorsement only (remove authority to cash checks).
- Have donations sent to a lockbox (remove custody).
- Accept donations online.
- Have 2 clerks open mail together.
- Have gift acknowledgement cards sent by someone other than cashier (separation of duties).
- Independently reconcile donations to gift acknowledgements (independent check).
A computer programmer obtained the payroll master file, loaded it into the system, and changed his salary.
- Have someone independent of payroll review all changes to the employee master file.
- Limit access to payroll data entry.
- Outsource payroll.
- Use a financial total (hourly or other pay rates).
A programmer quit in the middle of an assignment. Because no other programmers could make sense of the work already completed, the project was started over from scratch.
- Document systems in the planning and implementation phases.
- During keying in a customer’s payment, the digit 0 in a payment of $102.34 was mistakenly entered as the letter O. As a result, the transaction was not processed correctly, and the customer received an incorrect statement.
- Use a field check (preventive control).
- An employee gained unauthorized access to the system by observing her supervisor’s user name and then correctly guessing her password after 12 attempts.
- Limit numbers of attempts to enter system.
- Use smart passwords
- Change passwords frequently
- A salesperson for a PC manufacturer, keying in a customer order from a remote laptop computer, entered an incorrect stock number. As a result, an order of 50 printers was placed for a customer who wanted to order 50 PCs.
- Redundant data check
- Confirmation of order with customer
- A salesperson keying in a customer order from a remote computer inadvertently omitted the delivery address from the order.
- Completeness check
- Confirmation of order with customer
Acme Glass Company makes glass windows. In the final step, the windows are cleaned on a raised table in order to protect workers from work-related injuries. During cleaning the windows are secured by a tether to avoid damage. In 2% of the cases, the tether malfunctions and the window falls off the table. In 5% of the falls, the window is broken. Each broken window costs Acme $800. Acme makes 24,000 windows each year.
The Enron Tether Maintenance Company has agreed to provide monthly tether maintenance to Acme at a cost of $1,000 per month. If Enron provides tether maintenance, the likelihood of a window falling off the table is cut in half. The likelihood of breakage as the result of a fall is not affected by Enron’s tether maintenance.
- Without purchasing tether maintenance, what is the expected loss due to breakage each year?
Expected cost = Risk * Exposure
Risk is 2% of windows fall and 5% of those break. Risk = 2% * 5% = 0.001.
If 0.001 of all windows break, and there are 24,000 windows per year, there are 24 breaks (on average) per year.
Exposure is $800 per window.
24 breaks @ $800 each = $19,200 expected cost
Expected cost without Enron Maintenance $19,200
Expected cost with Enron Maintenance $9,600*
Savings with Enron Maintenance $9,600
Cost of Enron Maintenance $12,000
Net Cost ($2,400)
*with Enron Maintenance, cost is ½ of current cost or: 1% * 5% = 0.0005 * 24,000 windows = 12 window breaks @ $800 each
Design of an effective AIS begins by
considering the outputs from the system.
Outputs of an AIS include:
- Reports to MGT
- Reports to investors and creditors.
- Files that retain transaction data.
- Files that retain current data about accounts.
Business process:
a collection of events
what are the two types of events in a business process?
- an economic event (accounting transaction)
- a business event does not affect the financial statements but still needs to be recorded (a sales order)
What are the 2 core business processes?
sales
purchasing.
The sales process begins with…
a customer order of goods or services and ends with the collection of cash from the customer.
Simple description of Sales Process
GOODS OUT, CASH IN.
What are the steps in the sales process?
sales order, shipment of goods, bill customer, and cash receipt. (maybe sales return)
What are the objectives of the sales process?
tracking sales, filing customer orders, billing customers, collecting payment, forecasting sales and cash receipts.
Inputs to the sales process (or source documents)
sales order, sales invoice, check, remittance advice, shipping notice, debit/ credit memo.
Outputs of the sales process:
customer billing statement, aging report, bad debt report, cash receipts forecast, approved customer list.
Threat: incomplete or inaccurate customer orders:
control?
data entry edit checks.
threat: credit sales to customers with poor credit.
credit approval by credit manager, not by sales function; accurate records of customer account balances.
threat: legitimacy of orders:
signatures on paper documents; digital signatures and digital certificates for e-business.
threat: stockout, carrying costs, and markdowns.
inventory control systems, improved sales forecast, supply chain management.
threat: Shipping errors:
reconciliation of sales order with picking ticket and packing slip; bar code scanners; data entry application controls.
threat: theft of inventory:
restrict physical access to inventory.
documentation of all internal transfers of inventory and reconciliation of counts of recorded amounts.
Separate inventory custody from recording inventory usage from authorization to ship.
threat: failure to bill customers:
separation of shipping and billing functions.
prenumbering of all shipping documents and periodic reconciliation to invoices; reconciliation of picking tickets and bills of lading with sales orders.
threat: billing errors:
data entry edit control.
price lists
reconcile the sales order and shipping documents to the invoice.
threat: posting errors in updating accounts receivable:
reconciliation of subsidiary accounts receivable ledger with general ledger; monthly statements to customers.
threat: theft of cash:
segregation of duties; minimization of cash handling; lockbox arrangements; prompt endorsement and deposit of all receipts
periodic reconciliation of bank statements with records by someone not involved in cash receipts processing.
threat: loss of data
backup and disaster recovery procedures. access controls.
threat: poor performance.
preparation and review of performance reports.
the purchasing process begins with
a request for goods or services and ends with a payment to the vendor.
the purchasing process simplified:
goods in; cash out.
steps in the purchasing process:
purchase requisition, purchase order, receive goods, approve payments and cash disbursements.
objectives of the purchasing process:
tracking purchases of goods and services from vendors.
tracking amounts owed (A/P)
Maintaining vendor records.
controlling inventory
making timely and accurate vendor payments
forecasting purchases and cash outflows.
inputs to the purchasing process:
purchase requisition, purchase order, invoice from vendor, receiving report, bill of lading, packing slip, debit/credit memo.
outputs of the purchasing process.
discrepancy reports
vendor checks
check register
cash requirements forecast.
threat: prevent stockout or excess inventory:
inventory control systems; bar code scanners; periodic counts of inventory
threat: request unnecessary items:
accurate perpetual inventory records; require purchase requisition approval
threat: inflated prices.
bids; approved suppliers; approved purchase orders; budget review.
threat: inferior quality:
approved suppliers; approved purchase orders; monitor supplier performance.
threat: unauthorized suppliers:
require purchase order approval; restrict access to supplier master file; approved suppliers.
kickback threat:
require disclosure of financial interests in suppliers; vendor audits.
threat: receive unordered goods.
receiving department require the existence of valid purchase order prior to acceptance.
threat: errors in counting goods.
bar code scanners; accuracy incentives.
threat: theft of inventory:
restrict physical access; document all internal transfers of inventory; periodic physical counts; reconciliation of counts to recorded amounts
Separate inventory custody from recording inventory usage from authorization to receive goods.
threat: uncaught errors in invoice:
train AP staff
Reconcile invoice to PO and receiving report.
threat- pay for goods not received.
reconcile invoice to receiving report
threat- missed purchase discounts
proper filing; cash flow budgets.
threat- pay same invoice twice-
support invoice with original voucher package; timely cancel voucher package.
threat- recording/posting errors in AP
Data entry and processing edit controls
threat- theft of cash:
Segregation of duties between AP (approval and recording) and cashier; reconciliation of bank account by someone independent of cash disbursement; restrict access to blank checks; two signatures for higher check amounts