Chapter 5&7 Flashcards
Primary scope of SAS No. 99
Audit standard that defines procedures to identify potential fraud
Why is computer fraud more difficult to detect than other types of fraud?
Computer fraud leaves little to no evidence
5 Components of the COSO Internal Control (IC) framework
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
5) Monitoring
A cost/benefit analysis should be performed to determine the extent of controls needed to address risks in the __________ component of the COSO framework.
Risk Assessment
5 Components of Fraud
1) False statement/representation
2) Action is material
3) There was an intent to deceive
4) There is a justifiable reliance on the fraudulent fact
5) Victim suffers injury or loss
Fraud triangle components
1) Opportunity
2) Rationalization
3) Pressure
Misappropriation of assets
1) Most common type of fraud
2) Theft/misuse of a company’s assets
Corruption
Kickbacks or wrongful use of position to get a benefit
Lapping
Hiding the theft of cash by delaying the posting of collections to accounts receivable
Kiting
Creating cash using the lag time between cashing a check and when it clears the bank
SAS 99 fraud requirements of auditors
1) Understand and obtain evidence of fraud
2) Evaluate other audit tests
3) Document findings
4) Professional skepticism
Types of computer fraud
1) Input fraud
2) Processor fraud
3) Computer instructions fraud
4) Output/data fraud
Input fraud
Alteration of input data in the AIS; must have input/recording abilities
Processor fraud
Using work computers for non-work activities, or using access you shouldn’t have been given.
Incidental access
When a user is accidentally given access they shouldn’t have
Computer instructions fraud
Modifying software to do unintended things; illegal copy of software and viruses
Output/data fraud
Stealing, copying, or misusing AIS reports
Biggest opportunity for fraud
Lack of segregation of duties
Foreign Corrupt Practices Act
1) First act of regulation that required US companies to have internal controls. Passed in the 1970s.
2) Did NOT require audits of controls
Sarbanes-Oxley (SOX)
1) Management is required to have internal controls over financial reporting. Controls that are not about financial reporting are not relevant to SOX compliance.
2) Audit partners must rotate periodically
3) Audit committee must be independent, sit on the board of directors, and have at least one financial expert
4) Created the Public Company Accounting Oversight Board (PCAOB)
PCAOB responsibilities
Oversees the external auditing profession. It reviews audits and sets standards. Audit standards are GAAS.
Audit Committee responsibilities
1) Oversees external and internal auditors
2) Subordinate to the Board of Directors
3) Must be external to the company & have one financial expert
Committee of Sponsoring Organizations
Group that creates the internal control frameworks, either ERM or IC
ERM
Enterprise Risk Management - Broad focus, sets the risk level the company is willing to accept
Restriction on companies that cannot address the 5 components of the COSO Internal Controls
Companies cannot say that they have strong controls in the 10-K, and auditors cannot issue a clean opinion on those controls
Aspect of controls that SOX is primarily concerned with
How controls impact financial reporting
Control Environment
How management/board of directors emphasizes integrity and honesty. What is the "tone at the top"?
How companies respond to risk
Cost/benefit analysis to determine the controls needed; if the cost is less than the risk impact, implement the control
Impact vs likelihood of risks
Impact - how much damage the risk can cause
Likelihood - the probability of the risk occurring
Inherent Risk
Cost impact if the risk is not controlled
Residual Risk
Remaining risks after controls are put in place
When should controls be implemented?
When the cost to implement is less than the inherent risk
Categories of risk according to COSO Internal controls framework (top of the cube)
1) Operations
2) Reporting
3) Compliance
Deficiencies found in any controls are communicated to whom?
The audit committee