Chapter 13 Flashcards
Why does SOX exist and what is it?
- SOX was designed to improve financial transparency and reduce accounting fraud in publicly traded companies.
- Requires companies to make certain financial disclosures, establish internal controls, and comply with auditing standards
What is SOX section 302?
Corporate responsibility for financial reports: management must certify the financial statements
What is SOX section 404?
Management assessment of internal controls
What are the three main functions of internal controls?
- preventative
- Detective
- Corrective
Preventative:
implemented prior to a threat to reduce and/or avoid a potentially successful threat (e.g. authorization)
Detective:
find errors or problems after the transaction has occurred (e.g. bank reconciliation and monthly trials)
Corrective:
put in place when errors or irregularities have been detected (e.g. backup files to recover corrupted data)
What are the five components of the COSO Internal Control Framework?
- Control environment
- Risk assessment
- Control assessment
- Control activities
- Information and communication
What is the control environment?
Sets the foundation of the internal control system
Risk Assessment
Identify the possible internal and external risks and opportunities
Control activities
Policies that ensure firm objectives are being achieved and risk is low while carrying out all duties
Examples of control activities:
1. Authorization
2. SOD
3. Supervision
4. Accounting
5. Access Control
6. Independent verification
- Authorization: ensure transactions are valid
- SOD: separation of duties
- Supervision: compensate for lack of SOD
- Accounting: documents/ records
- Access Control: who has physical access to assets
- Independent verification: double check errors and misrepresentations
Within control activities there are two further categories: IT controls and application controls
IT controls:
- IT control environment: sets the tone
- Access control: who can access this info
- Change management controls: changes are authorized and tested
- Project development and acquisition controls: software development life cycle
- Computer operations controls: antivirus, backup, recovery, downtime, patches
Application controls
ensure validity, completeness and accuracy of transactions
What are the following input checks?
- Field checks: character type
- Size checks: fits
- Range checks: within
- Validity checks: reference
- Completeness checks: no missing
- Reasonableness checks: logical relationship
- Check digit verifications: algorithm
- Closed-loop verifications: retrieve and display
Application controls have three categories: input, processing, and output
Processing controls:
- Prenumbered documents
- Sequence checks
- Batch totals
  - Record count
  - Financial control
  - Hash total
- Cross-footing balance test
- Concurrent update controls
Output controls:
Authorization, print, copy, encryption
Information and communication:
Ensure information flows within the firm and with external parties
Monitoring activities
Monitor and adjust internal controls on an ongoing basis; findings should be evaluated and deficiencies must be communicated
What are the three types of risk?
- Inherent risk: will happen; nothing can be done to prevent it
- Control risk: failure to prevent due to the current internal controls
- Residual risk: the risk that is remaining after taking the proper controls
What are the four risk responses?
- Reduce: reduce by implementing effective processes and internal controls
- Share: outsourcing risk, insurance
- Avoid: not engaging in the activities that would produce the risk
- Accept: accepting risk and hoping to offset it
What are the six types of physical internal controls per COSO?
- Authorization
- Segregation of duties
- Supervision
- Accounting documents/ records
- Access control
- Independent verification
What are the two types of IT internal controls per COSO?
- IT general controls
- IT application controls