ACCTN578 Test 2 Flashcards
Why are threats to AIS increasing?
More than 60% of organisations expect a major failure in controlling the security and integrity of their computer systems because:
- information is available to an unprecedented number of workers
- information on distributed computer networks is hard to control. Each system and each employee = a potential control vulnerability point.
- Customers & suppliers have access to each other's systems and data = confidentiality issues.
Why have organisations not adequately protected data?
- Some companies view the loss of critical info as a distant, unlikely threat
- control implications of moving from centralised computer systems to internet-based systems not fully understood
- many companies don’t realise info is a strategic resource & protecting it must be a strategic requirement
- productivity and cost pressures motivate management to forgo the time consuming control measures.
What is a threat/event?
Any potential adverse occurrence or unwanted event that could injure the AIS or organisation.
What is exposure/impact?
Potential dollar loss should a particular threat become a reality.
What is likelihood/risk?
The probability that a threat will come to pass.
What are internal controls?
The processes & procedures implemented to provide reasonable assurance that control objectives are met.
IC is a process because it permeates an organisation's operating activities and is an integral part of management activities.
IC is one of the three basic functions of an AIS.
Internal control is essential to fraud prevention.
What are the control objectives?
- to safeguard assets: prevent or detect unauthorised acquisition, use or disposition
- maintain records in sufficient detail to report company assets accurately and fairly
- provide accurate and reliable information
- prepare financial reports in accordance with established criteria
- promote and improve operational efficiency
- encourage adherence to prescribed managerial policies
- comply w applicable laws & regulations
Why only reasonable assurance?
Absolute assurance is difficult to achieve and prohibitively expensive.
What are the inherent limitations of IC systems?
- susceptibility to simple errors/mistakes
- faulty judgements and decision making
- management overrides
- collusion
What does the development of IC system requirements need?
A thorough understanding of IT capabilities and risks, how to use IT to achieve an organisation’s control objectives.
How do accountants & system developers help management achieve control objectives?
- by designing effective control systems, that take a proactive approach to eliminating system threats and that detect, correct & recover from threats when they occur.
- making it easier to build controls into a system at the initial design phase, rather than adding them after the fact.
What are the 3 important functions/purposes of internal controls?
- Preventative Controls
- Detective Controls
- Corrective Controls
What are preventative controls?
- deter problems before they arise.
- eg hire qualified personnel, segregation of duties, control physical access to assets and information.
- eg check digit verification: an identifier such as an employee number carries an extra digit computed from its other digits, so a mistyped or fabricated number whose check digit does not match is rejected before payroll processes it. (It catches keying errors and casual fabrication; the algorithm is not secret and does not stop someone who knows it.)
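As an added example (not from the original flashcards), here is a preventive check-digit control in Python. It uses the public Luhn (mod 10) algorithm; the employee numbers, their length and the sample inputs are constructed for illustration, and the payroll gate is a hypothetical function, not any real payroll system's API.

```python
"""Check-digit verification as a preventive input control (added example).

The employee-number format here (10 base digits + 1 Luhn check digit) is an
assumption for illustration; real systems pick their own length/algorithm.
"""

EMPLOYEE_NUMBER_LEN = 11  # 10 base digits + 1 check digit (assumed format)


def luhn_check_digit(base_digits: str) -> str:
    """Compute the Luhn (mod 10) check digit for a string of base digits."""
    total = 0
    # Walk right to left; the digit nearest the check-digit position is
    # doubled, then every second digit after it. Doubled digits above 9
    # have 9 subtracted (equivalent to summing their two decimal digits).
    for i, ch in enumerate(reversed(base_digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def validate_employee_number(raw: str) -> tuple[bool, str]:
    """Hypothetical payroll entry gate: reject before any lookup or payment.

    Returns (accepted, reason). Reasons are constructed labels for this demo.
    """
    value = raw.strip()
    if not value.isdigit():
        return False, "non-digit characters"
    if len(value) != EMPLOYEE_NUMBER_LEN:
        return False, "wrong length"
    if not luhn_valid(value):
        return False, "check digit mismatch"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Run constructed inputs through the gate; returns the decisions."""
    genuine = "7992739871" + luhn_check_digit("7992739871")   # 79927398713
    samples = {
        "genuine": genuine,
        "single digit typo": "79927398813",   # one digit changed
        "adjacent transposition": "79927389713",  # '98' keyed as '89'
        "made-up number": "12345678901",
        "too short": "1234",
        "letters": "7992739871A",
    }
    return {label: validate_employee_number(v) for label, v in samples.items()}


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:24s} -> {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

Only the genuine number passes; the typo, transposition, made-up number, short input and non-digit input are all refused at entry, which is what makes this a preventive rather than detective control. Luhn misses the 09/90 transposition and is a public algorithm, so it complements, rather than replaces, the master-file lookup and approval workflow behind it.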
What are detective controls?
- discover problems not prevented.
- eg duplicate checking of calculations, preparing bank reconciliations, monthly trial balances.
What are corrective controls?
- identify and correct problems as well as correct and recover from resulting errors
- eg maintaining back ups, correcting data entry errors, resubmitting transactions for subsequent processing.
What two categories/scope are IC’s often segregated into?
- General Controls
- Application Controls
What are general controls?
Make sure an organisation’s control environment is stable & well managed
eg security, IT infrastructure, software acquisition, development and maintenance controls.
What are application controls?
Prevent, detect and correct transaction errors and fraud in application programs.
Concerned with the accuracy, completeness, validity and authorisation of data captured, entered, processed, transmitted to other systems, and reported.
What are Robert Simons' 4 levers of control?
Help management reconcile the conflict between creativity and controls.
- Belief System
- Boundary System
- Diagnostic Control System
- Interactive Control System
Describe what the “belief system” lever of control is…
- Belief System - how a company creates value, helps employees understand management’s vision. Communicates company’s core values and inspires employees to live by those values.
Describe what the “boundary system” lever of control is….
- Boundary System - helps employees act ethically by setting boundaries on employee behaviour. Not directly told what to do, rather encouraged to creatively solve problems whilst meeting customer needs and min. performance standards. Shunning of bad behaviour.
Describe what the “diagnostic control system” lever of control is….
- Diagnostic Control System - measures, monitors and compares actual company progress to budgets & performance goals. Feedback helps mgmt adjust & fine tune inputs & processes so future outputs more closely match goals.
Describe what the “interactive control system” lever of control is….
- Interactive Control System - helps managers to focus subordinate’s attention on key strategic issues and be more involved in their decisions.
Interactive system data are interpreted & discussed at face to face meetings.
What is the FCPA?
The Foreign Corrupt Practices Act (1977)
- passed to prevent companies from bribing foreign officials to obtain business; required all publicly owned corporations to maintain a system of internal accounting controls.
- the FCPA was not sufficient. The 1990s and 2000s saw huge accounting frauds: WorldCom and Enron, each at the time the biggest bankruptcy in US history.
- Arthur Andersen, once the largest CPA firm, collapsed.
What was the goal of the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act (2002)
- Legislation intended to prevent financial statement fraud
- make financial reports more transparent
- provide protection to investors
- strengthen internal controls at public companies
- punish executives who commit fraud
SOX changed the way Board of Directors & Management operate. Had an impact on CPA’s who audit them.
What are the most important aspects of SOX?
- PCAOB - Public Company Accounting Oversight Board
- new rules for auditors
- new rules for audit committees
- new rules for management
- new IC requirements
What is the PCAOB?
The Public Company Accounting Oversight Board
- created by SOX to control the auditing profession
- sets & enforces auditing, quality control, ethics, independence & other auditing standards.
What were SOX’s new rules for auditors?
- auditors must report specific information to audit committee eg critical acc policies & practices.
- SOX prohibits auditors from performing certain non audit services (eg info system design).
- an audit firm can't audit a company if a member of the company's top management was employed by the audit firm and worked on that company's audit in the previous 12 months.
What were SOX's new rules for audit committees?
- members must be on the company’s Board of Directors and be independent of the company.
- one member must be a financial expert.
- the audit cttee hires, compensates & oversees the auditors, who report directly to them.
What were SOX’s new rules for management?
Requires CEO & CFO to certify:
1. F/S & disclosures are fairly presented, were reviewed by management, not misleading.
2. Auditors were told about all material IC weaknesses and fraud.
Prosecution & fines if mgmt knowingly violate.
Companies must disclose in plain english material changes to fin. condition on a timely basis.
What were SOX’s new IC requirements?
Section 404 requires companies to issue a report accompanying the F/S stating that mgmt is responsible for establishing and maintaining an adequate IC system.
Report must include mgmt’s assessment of the company’s IC’s, attest to their accuracy & report significant weaknesses or material non compliance.
Mgmt have to base their evaluation on a recognised control framework, and must conclude that the company doesn't have effective financial reporting ICs if there are material weaknesses.
What are the 3 frameworks used to develop IC systems?
- COBIT5 Framework (Control Objectives for Information and Related Technology)
- COSO’s Internal Control Framework (Committee of Sponsoring Organisations) (IC)
- COSO’s Enterprise Risk Management Framework (ERM)
What is the COBIT5 framework?
Developed by Information Systems Audit & Control Association.
A security and control framework that allows:
1. Mgmt to benchmark security & control practices of IT environments.
2. Users to be assured that adequate IT security & controls exist
3. Auditors to substantiate their IC opinions & to advise on IT security and control matters.
COBIT5 framework describes best practices for effective governance & mgmt of IT.
Based on 5 key principles of IT governance and management that protect stakeholder’s investments & produce best possible information system.
Governance and mgmt of IT ongoing process.
Board of Dirs & mgmt monitor orgn’s activities, use that feedback to modify existing plans & procedures or develop new strategies to respond to changes in business objectives & new developments in IT.
What are the COBIT5 key principles?
- Meeting stakeholder needs: through customising business processes and procedures. Allows the company to create the proper balance between risk and reward.
- Covering the enterprise end to end: integrates all IT functions & processes into company-wide functions and processes.
- Applying a single, integrated framework: can be aligned at a high level with other standards & frameworks so that an overarching framework for IT governance & mgmt is created.
- Enabling a holistic approach: results in effective governance & mgmt of all IT functions in the company.
- Separating governance from management.
In the COBIT5 framework, what is the objective of governance?
To create value by optimising the use of organisational resources to produce desired benefits in a manner that effectively addresses risk.
The responsibility of Board of Directors who:
1. evaluate stakeholder needs to identify objectives
2. provide mgmt w direction by prioritising objectives
3. monitor mgmt’s performance
In the COBIT5 framework, what is management responsible for?
Planning, building, running and monitoring the activities & processes used by the organisation to pursue the established objectives.
Provide periodic feedback to Board of Dir’s that can be used to monitor orgn’s objectives, and if necessary revaluate and modify objectives.
What is the strength/advantage of the COBIT5 framework?
It’s comprehensiveness.
What is the COBIT5 Process Reference Model?
5 governance processes:
- evaluate, direct, monitor
32 management processes, split into 4 domains
- Align, Plan, Organise (APO)
- Build, Acquire, Implement (BAI)
- Deliver, Service, Support (DSS)
- Monitor, Evaluate, Assess (MEA)
What are the portions of COBIT 5 that are most directly relevant to accountants, auditors and AIS?
The business processes and control activities that affect the accuracy of an organisation's F/S and its compliance with external regulations.
What is COSO’s Internal Control - Integrated Framework?
A framework that defines IC’s and provides guidance for evaluation & enhancing IC systems.
Issued in 1992, updated in 2013.
Widely accepted as the authority on internal control.
Has been incorporated into policies, rules, regulations used to control business activities.
Has five components, and 17 principles.
What are the five components of COSO’s IC Integrated Framework?
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring
NB: Control activities are built into databases
Describe the “control environment” component in COSO’s IC Integrated Framework.
This is the foundation for all other components of IC.
“Tone at the top”
The core of any business is its people, including individual attributes (integrity, discipline, ethical values, competence), and the environment in which they operate.
What are the 5 principles of COSO’s IC Integrated Framework’s “control environment” component?
- Commitment to integrity and ethics
- IC oversight by Board of Dirs, independent of management
- Structures, reporting lines and appropriate responsibilities in pursuit of objectives, established by mgmt & overseen by the Board.
- Commitment to attract, develop & retain competent individuals in alignment w obj.
- Holding individuals accountable for IC responsibilities in pursuit of objectives.
Describe the “risk assessment” component in COSO’s IC Integrated Framework.
The organisation must identify, analyse, and manage its risk. Managing risk is a dynamic process.
Mgmt must consider changes in external environment and within the business that may be obstacles to its objectives.
What are the 4 principles of COSO’s IC Integrated Framework’s “risk assessment” component?
- Specifying objectives clearly enough for risks to be identified and assessed
- Identifying & analysing risks to determine how they should be managed.
- Considering the potential of fraud
- Identifying and assessing changes that could significantly impact the system of IC
Describe the “Control Activities” component in COSO’s IC Integrated Framework.
Control policies and procedures help ensure that the actions identified by mgmt to address risks and achieve the organisation’s objectives are effectively carried out.
Control activities are performed at all levels and at various stages within the business process & over technology.
What are the 3 principles of COSO’s IC Integrated Framework’s “control activities” component?
- Selecting and developing controls that might help mitigate risks to an acceptable level
- Selecting and developing general control activities over technology
- Deploying control activities as specified in policies and relevant procedures.
Describe the “Information & Communication” component in COSO’s IC Integrated Framework.
Information and communication systems capture and exchange the information needed to conduct, manage and control the organisation’s operations. Communication must occur internally and externally to provide information needed to carry out day to day IC activities. All personnel must understand their responsibilities.
What are the 3 principles of COSO’s IC Integrated Framework’s “information & communication” component?
- Obtaining or generating relevant, high-quality information to support internal control
- Internally communicating information, including objectives and responsibilities, necessary to support the other components of internal control
- Communicating relevant internal control matters to external parties
Describe the “Monitoring” component in COSO’s IC Integrated Framework.
The entire process must be monitored, and modified as necessary so the system can change as conditions warrant. Evaluations ascertain whether each component of IC is present & functioning. Deficiencies are communicated in a timely manner, w serious matters reported to senior mgmt and Board.
What are the 2 principles of COSO’s IC Integrated Framework’s “monitoring” component?
- Selecting, developing and performing ongoing evaluations of the components of IC
- Evaluating and communicating deficiencies to those responsible for corrective action, including senior mgmt & Board of Directors where appropriate.
What is COSO’s ERM Framework?
Enterprise Risk Management Framework
- improves the risk management process, by expanding the IC - integrated framework (adding 3 additional elements).
- ERM is the strategy the Board of Dir & Mgmt use to set strategy, ID events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its goals & objectives.
What are the basic principles behind ERM?
- Companies are formed to create value for their owners
- mgmt must decide how much uncertainty it will accept as it creates value
- uncertainty results in risk (ie the possibility that something negatively affects the company's ability to create or preserve value)
- uncertainty results in opportunity (ie the possibility that something positively affects the company's ability to create or preserve value)
- ERM framework can manage uncertainty and create & preserve value.
Describe the ERM cube model
4 columns along the top are the obj. mgmt must meet to achieve company’s goals
- strategic, operations, reporting, compliance
4 slices along the right-hand side are the company's units
- Entity-Level, Division, Business Unit, Subsidiary
Horizontal rows are the 8 interrelated risk and control components.
3D model - each of the 8 risk & control components applies to each of the 4 objectives and to the company and/or one of its subunits.
Compare the IC (Integrated Framework) with ERM framework…
ERM is more comprehensive.
ERM takes a risk based approach. IC framework takes controls based approach.
ERM adds 3 additional components to IC
- Objective Setting
- Event identification
- Risk Response
Resulting controls are flexible & relevant b/c linked to current obj. of the organisation.
Recognises that risk, in addition to being controlled, can be accepted, avoided, diversified, shared or transferred.
Describe the “internal environment” component of the ERM framework.
The company culture that is the foundation for all other ERM components.
Influences how organisations establish strategies and objectives, structure business activities and identify, assess & respond to risk.
Weak or deficient results in breakdowns in risk mgmt and control.
What are the 7 principles of COSO’s ERM framework’s “internal environment” component?
- Management’s philosophy, operating style & risk appetite.
- Commitment to integrity, ethical values, competence
- IC oversight by Board of Directors
- Organisational Structure
- Methods of assigning authority & responsibility
- HR standards that attract, develop, retain competent individuals
- External influences.
The more responsible the style, and more clearly communicated, more likely employees will behave responsibly. If mgmt have little concern for IC’s and risk mgmt, employees less diligent in achieving control objectives.
What is risk appetite?
The amount of risk a company is willing to accept to achieve its goals & objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
What is an audit committee?
The outside, independent Board of Dir members responsible for financial reporting, regulatory compliance, IC, and hiring & overseeing internal and external auditors, who report all critical accounting policies & practices to them.
What does a company’s organisational structure do?
Provides a framework for planning, executing, controlling and monitoring operations.
- centralised/decentralised authority
- direct/matrix reporting
- organisation by industry, product line, location or marketing network
- allocation of responsibility affects info reqs
- organisation of and lines of authority for acc, auditing & IS functions
- size & nature of company activities.
How have organisational structures changed?
- Hierarchical structures being replaced w flat organisations of self directed work teams, that make decisions without needing multiple layers of approval.
- emphasis on continuous improvement rather than periodic reviews & appraisals
- these org. structure changes impact the nature and types of controls used.
What is a policy procedures manual?
A document that explains proper business practices, describes needed knowledge and experience, explains documentation procedures, explains how to handle transactions and lists the resources provided to carry out specific duties.
Manual including chart of accounts, copies of forms and docs.
What is one of the greatest control strengths?
The honesty of employees. HR policies & practices governing working conditions, job incentives, career advancement can be a powerful force in encouraging honesty, efficiency and loyal service.
What HR Policies & procedures are important?
Hiring
(based on education BG, experience, achievement, ethical values. Eval. through resumes, ref letters, IV’s, BG checks)
Compensating, evaluating & promoting
(poorly compensated = resentful= more likely fraud. Fair pay, incentives help motivate. Periodic appraisals to understand strengths/weaknesses. Promos based on perf. and quals)
Training
(teach responsibilities, expected levels of perf & behaviour, company’s policies, culture, op style. Ongoing training - tackle new challenges, adapt to changing tech)
Managing disgruntled employees
(disgruntled seek revenge - fraud, sabotage systems. Grievance channels, counsellors)
Discharging
(dismissed employees removed from sensitive jobs immediately, denied access etc)
Vacations & Rotation of Duties
(helps discover fraud from ongoing perpetrations)
Confidentiality Agreements, Fidelity Bond Insurance
Prosecute & Incarcerate Perpetrators
Why is most fraud not reported or prosecuted?
- PR disaster - reveal system vulnerable to further hackers/fraud
- Law enforcement & Courts busy w violent crimes
- Fraud is difficult, costly & time consuming to prosecute.
- Lack of skills req. to investigate and prosecute in judges, lawyers, police etc
- fraud sentences often light
Describe the “objective setting” component of the ERM framework.
Mgmt determines what the company hopes to achieve (corporate vision/mission)
Mgmt sets objectives at corporate level & then subdivides them into more specific objectives for company subunits.
Company determines what must go right to achieve the objectives & establishes performance measures to determine whether they are met.
What are the four types of objectives in the “objective setting” component of the ERM framework?
Strategic Objectives
Operations Objectives
Compliance Objectives
Reporting Objectives
Describe strategic objectives.
Strategic Objectives
- high level goals that are aligned with & support company’s mission & create S/H value.
- Mgmt should ID alternative ways of accomplishing strategic objectives.
- Identify and assess the risks & implications of each alternative.
- Formulate a corporate strategy & set operations, compliance and reporting objectives.
Describe Operations objectives
Operations Objectives
- deal with the effectiveness and efficiency of company operations.
- determine how to allocate resources
- reflect mgmt’s preferences, judgements & style
- key factor in corporation’s success.
- Can vary substantially, eg early adopter of technology, adopt once proven, or adopt only when generally accepted.
Define Reporting Objectives
Reporting Objectives
- help ensure the accuracy, completeness & reliability of company reports
- improve decision making
- monitor company activities & performance
Define Compliance Objectives
Compliance Objectives
- help the company comply w all applicable laws & reg’s
- most compliance objectives, and many reporting objectives imposed by external entities in response to laws and regulations.
- how well a company meets compliance and reporting objectives can significantly impact its reputation.
Describe the “event identification” component of the ERM framework.
An event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impacts or both.
Positive event = opportunity
Negative event = risk
An event represents uncertainty. May or may not occur, if it does, hard to know when. Until it occurs hard to determine impact. When it does occur, may trigger another event. Events may occur individually or concurrently.
Mgmt must try & anticipate all possible positive & negative events, determine which are most & least likely to occur & understand interrelationship of events.
What techniques do companies use to identify events?
- using a comprehensive list of events
- performing an internal analysis
- monitoring leading events & trigger points
- conducting workshops & IV’s
- using data mining
- analysing business processes.
Describe the “risk assessment” component of the ERM framework.
During objective setting process, mgmt must specify their objectives clearly enough for risks to be ID’d & assessed.
Should include assessment of all threats:
- natural and political disasters
- software errors & equipment failures
- unintentional acts
- possibility of intentional acts like fraud.
Must ID and analyse risks to determine how they should be managed.
Must also ID and assess changes that could significantly impact the system of internal control.
To align identified risks w the company’s tolerance for risk, mgmt must take an entity wide view of risk.
Assess likelihood, impact, as well as costs & benefits of alternative responses.
How is the risk of an identified event assessed?
Likelihood
Positive & Negative Impacts
Individually & by Category
Their effect on organisational units
On an inherent & residual basis
Companies should assess inherent risk, develop a response and then assess residual risk.
Describe inherent and residual risk.
Inherent Risk:
- the susceptibility of a set of accounts, or transactions to significant control problems in the absence of internal control.
Residual Risk:
- the risk that remains after mgmt implements IC’s or some other response to risk.
Describe the “risk response” component of the ERM framework.
Management can respond to risk in 1 of 4 ways:
- Reduce: reduce the likelihood & impact of risk by implementing an effective system of ICs
- Accept: accept the likelihood & impact of the risk
- Share: share the risk or transfer it to someone else (buying insurance, outsourcing an activity, hedging transactions)
- Avoid: avoid the risk by not engaging in the activity that produces it (sell a division, exit a product line, don't expand)
How are accountants & system designers involved in risk assessment & response?
Accountants & system designers help mgmt design effective control systems to reduce inherent risk.
They also evaluate IC systems to ensure they are operating effectively.
They assess and reduce risk using a risk assessment & response strategy.
What are the steps in the risk assessment approach to designing internal controls?
1. Identify the events, or threats, that confront the company
2. Estimate the likelihood, or probability, of each threat occurring.
3. Estimate the impact, or potential loss, from each threat.
4. Identify controls to guard against each threat.
5. Estimate the costs and benefits of instituting the controls.
6. Is it cost-beneficial to protect the system from the threat? No: avoid, share, or accept the risk. Yes: go to step 7.
7. Reduce the risk by implementing controls to guard against the threat.
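The steps above, and the inherent/residual risk distinction from the earlier cards, carried through in Python as an added example (not from the original flashcards). The threats, dollar figures and probabilities are constructed for illustration; expected loss is taken as likelihood multiplied by impact, and a control is judged cost-beneficial when the expected loss it removes exceeds its cost.

```python
"""Risk-assessment approach to choosing controls (added example).

All threats and numbers below are constructed; likelihood is an assumed
annual probability and impact an assumed dollar loss per occurrence.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    likelihood: float          # step 2: probability of occurring in a year
    impact: float              # step 3: dollar loss if it occurs
    control: str               # step 4: candidate control
    control_cost: float        # step 5: annual cost of the control
    residual_likelihood: float  # likelihood once the control is in place
    residual_impact: float      # impact once the control is in place


def expected_loss(likelihood: float, impact: float) -> float:
    """Likelihood and impact are considered together: expected annual loss."""
    return round(likelihood * impact, 2)


def evaluate(t: Threat) -> dict:
    """Steps 5-7: compare inherent vs residual expected loss to control cost."""
    inherent = expected_loss(t.likelihood, t.impact)           # no control
    residual = expected_loss(t.residual_likelihood, t.residual_impact)
    benefit = round(inherent - residual, 2)                     # loss removed
    net_benefit = round(benefit - t.control_cost, 2)
    # Step 6 decision: only a control that pays for itself is implemented;
    # otherwise the remaining responses are accept, share or avoid.
    response = "reduce" if net_benefit > 0 else "accept/share/avoid"
    return {
        "threat": t.name,
        "inherent_expected_loss": inherent,
        "residual_expected_loss": residual,
        "benefit": benefit,
        "control_cost": t.control_cost,
        "net_benefit": net_benefit,
        "response": response,
    }


def assess_portfolio(threats: list[Threat]) -> dict:
    """Aggregate the per-threat results into an overall corporate risk figure.

    Residual loss counts only where the control is adopted; for threats that
    are not reduced the inherent figure is carried forward as open risk.
    """
    rows = [evaluate(t) for t in threats]
    total_inherent = round(sum(r["inherent_expected_loss"] for r in rows), 2)
    total_after = round(sum(
        r["residual_expected_loss"] if r["response"] == "reduce"
        else r["inherent_expected_loss"]
        for r in rows), 2)
    return {"rows": rows, "total_inherent": total_inherent,
            "total_after_responses": total_after}


# Constructed sample threats (numbers are illustrative only).
SAMPLE_THREATS = [
    Threat("ghost employee in payroll", 0.10, 200_000.0,
           "check digits + two-person approval of master-file changes",
           5_000.0, 0.02, 200_000.0),
    Threat("data centre flood", 0.01, 1_000_000.0,
           "relocate data centre", 150_000.0, 0.001, 1_000_000.0),
    Threat("duplicate supplier payment", 0.30, 40_000.0,
           "automated duplicate-invoice check", 3_000.0, 0.05, 40_000.0),
]


if __name__ == "__main__":
    result = assess_portfolio(SAMPLE_THREATS)
    for r in result["rows"]:
        print(f"{r['threat']:32s} inherent={r['inherent_expected_loss']:>10,.2f} "
              f"net benefit={r['net_benefit']:>11,.2f} -> {r['response']}")
    print(f"total inherent: {result['total_inherent']:,.2f}; "
          f"after responses: {result['total_after_responses']:,.2f}")
```

On the constructed figures the payroll and duplicate-payment controls pay for themselves and are implemented (reduce), while relocating the data centre costs far more than the $9,000 of expected loss it removes, so that risk is left for acceptance, sharing (insurance) or avoidance. The same arithmetic is what an ERM tool does when it aggregates per-risk ratings into an overall corporate figure.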
Why must likelihood and impact be considered together?
As either increases, both the materiality of the event & the needs to protect against it rise.
How does ERM software help with assessing risk?
ERM software lets managers enter perceived risks, assess their nature, likelihood and impact, and assign them a numerical rating.
An overall assessment of corporate risk is developed by aggregating all the rankings.
What kind of controls should a good IC system employ?
Preventative
Detective
Corrective
Why can’t an IC system offer foolproof protection?
Because having too many controls is cost prohibitive and affects operational efficiency.
What are some of the benefits of an IC procedure?
Benefits can be hard to quantify accurately
- increased sales & productivity
- reduced losses
- better integration w customers & suppliers
- increased customer loyalty
- competitive advantage
- lower insurance premiums