ch 6 review (exam 2) Flashcards
Internal Control Integrated Framework (COSO) addresses what three objectives of internal controls
- operations
- reporting
- compliance
why bother gaining an understanding of Internal Controls
assess the control risk portion of risk of material misstatement (IR * CR)
what are the 8 steps in assessing control risk
- understand document at entity level
- understand the flow of transactions
- WCGW for FS assertions
- identify and document relevant transaction-level controls
- evaluate strengths and weaknesses and determine preliminary audit strategy
- perform test of controls
- evaluate the evidence, assess control risk, and reevaluate audit strategy (if necessary)
- report internal control weaknesses to those charged with governance
What is the acronym for Step 1 in assessing control risk: the five components of internal controls (entity-level controls)
CRIME
what do the letters in CRIME stand for
C- control environment
R- risk assessment
I- information and communication systems
M- monitoring
E- existing control activities
what are some factors in control environment
- organization demonstrates commitment to integrity and ethical values
- BOD is independent from management and oversees IC
- management establishes appropriate org structure
- quality HR policies
- org holds individuals accountable for IC responsibilities
Things management does in risk assessment
- specifies clear objectives to enable identification and assessment of risk
- analyzes risk to determine how it should be managed
- considers fraud risk
- identifies changes that could affect IC
things the organization does in Information and Communication systems
- uses relevant quality information to support IC
- internally communicates information to support IC
- communicates with external parties about IC
things the organization does in Monitoring
- performs ongoing evaluations of IC
- communicates IC deficiencies in a timely manner to those responsible for taking action
What is the acronym for step 2 in assessing control risk: understanding the flow of transactions and control activities at the transaction level
PAID TIPS
What do the letters in paid tips (step 2) stand for
P- prenumbering of documents
A- authorization of transactions
I- independent checks to maintain asset accountability
D- documentation
T- timely and appropriate performance reviews
I- information processing controls (computer controls)
P- physical controls for safeguarding assets
S- segregation of duties
what are auditors looking for under prenumbering of documents
- all transactions are recorded
- no transactions recorded more than once
what is being looked for under the authorization of transactions
signed approval before commitment of resources
what are some independent checks to maintain asset accountability
- internal auditors
- verify work of others (mgt/ owners)
what are some documentation in step 2
- evidence of transactions
- evidence of authorization
what are some timely and appropriate performance reviews
compare actual results to budgets
what are some information processing controls (computer controls)
- general controls
- application controls
what are some physical controls for safeguarding assets
locks, security guard, alarm system
what happens in step three in assessing control risks
identify what can go wrong for financial statement assertions
what happens in step five in assessing control risks
identify strengths and weaknesses in a system of internal control and determine preliminary audit strategy
what are some key terms used in step five
control deficiency, material weakness, significant deficiency
what is a control deficiency
exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis
what is a material weakness
very bad; a deficiency, or combo of deficiencies, in Internal Controls over financial reporting, such that there is a reasonable possibility that a material misstatement of the FS will not be prevented or detected on a timely basis
what is significant deficiency
kinda bad; a control deficiency, or combo of deficiencies, in IC over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting
what is magnitude
is it material or immaterial
what is likelihood
the possibility of a misstatement
what are the 4 types of likelihood
remote, reasonable, possibility, probable
what are the two types of Systems Organization and Controls (SOC) 1 report
Type I and Type II
which SOC 1 report is typically used more
Type II
what do service auditors do in a SOC 1 Type I report
obtains an understanding of service organization controls
what do service auditors do in a SOC Type II report
obtains an understanding of service organization controls and tests the operating effectiveness of these controls
what type of service is the service auditor for a SOC 1 report performing
attestation service
does a service auditor performing a SOC 1 report have to be independent
yes
what are the 4 trust factor criteria of the SOC 2 report, which focuses on a service organization’s controls
- information security
- information availability
- processing integrity of the user’s data by the service organization’s information system
- confidentiality and privacy of the information processed by the service organization’s systems