Chapter 5&7

Question 1

Primary scope of SAS No. 99

Answer 1

Audit standard that defines procedures to identify potential fraud

Question 2

Why is computer fraud more difficult to detect than other types of fraud?

Answer 2

Computer fraud leaves little to no evidence

Question 3

5 Components of the COSO Internal Control (IC) framework

Answer 3

1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
5) Monitoring

Question 4

A cost/benefit analysis should be performed to determine the extent of controls needed to address risks in the __________ component of the COSO framework.

Answer 4

Risk Assessment

Question 5

5 Components of Fraud

Answer 5

1) False statement/representation
2) Action is material
3) There was an intent to deceive
4) There is a justifiable reliance on the fraudulent fact
5) Victim suffers injury or loss

Question 6

Fraud triangle components

Answer 6

1) Opportunity
2) Rationalization
3) Pressure

Question 7

Misappropriation of assets

Answer 7

1) Most common type of fraud
2) Theft/misuse of a company’s assets

Question 8

Corruption

Answer 8

Kickbacks or wrongful use of position to get a benefit

Question 9

Lapping

Answer 9

Hiding the theft of cash by delaying collections to accounts receivable

Question 10

Kiting

Answer 10

Creating cash using the lagtime between cashing a check and when it clears the bank

Question 11

SAS 99 fraud requirements of auditors

Answer 11

1) Understand and obtain evidence of fraud
2) Evaluate other audit tests
3) Document findings
4) Professional skepticism

Question 12

Types of computer fraud

Answer 12

1) Input fraud
2) Processor fraud
3) Computer instructions fraud
4) Output/data fraud

Question 13

Input fraud

Answer 13

Alteration of input data in the AIS; must have input/recording abilities

Question 14

Processor fraud

Answer 14

Using work computers for non-work activities, or using access you shouldn’t have been given.

Question 15

Incidental access

Answer 15

When a user is accidentally given access they shouldn’t have

Question 16

Computer instructions fraud

Answer 16

Modifying software to do unintended things; illegal copy of software and viruses

Question 17

Output/data fraud

Answer 17

Stealing, copying, or misusing AIS reports

Question 18

Biggest opportunity for fraud

Answer 18

Lack of segregation of duties

Question 19

Foreign Corrupt Practices Act

Answer 19

1) First act of regulation that required US companies to have internal controls. Passed in the 1970s.
2) Did NOT require audits of controls

Question 20

Sarbanes-Oxley (SOX)

Answer 20

1) Management is required to have internal controls over financial reporting. If controls aren’t about financial reports, not relevant to SOX compliance.
2) Audit partners must rotate periodically
3) Audit committee must be independent on the board of directors, and have at least one financial expert
4) Created Public Accounting Oversight Board (PCAOB)

Question 21

PCAOB responsibilities

Answer 21

Oversees the external auditing profession. They review audits and set standards. Audit standards are GAAS.

Question 22

Audit Committee responsibilities

Answer 22

1) Oversees external and internal auditors
2) Subordinate to the Board of Directors
3) Must be external to the company & have one financial expert

Question 23

Committee of Sponsoring Organizations

Answer 23

Group that creates the internal control frameworks, either ERM or IC

Question 24

ERM

Answer 24

Enterprise Risk Management - Broad focus, sets the risk level the company is willing to accept

Question 25

Restriction on companies that cannot address the 5 components of the COSO Internal Controls

Answer 25

Companies cannot say that they have strong controls in the 10-K, and auditors must not have a clean opinion on those controls

Question 26

Aspect of controls that SOX is primarily concerned with

Answer 26

How controls impact financial reporting

Question 27

Control Environment

Answer 27

How management/board of directors emphasizes integrity and honesty. What’s the “tone at the top?”

Question 28

How companies respond to risk

Answer 28

cost/benefit analysis to determine the controls needed; if costs are less than risk impact, implement control

Question 29

Impact vs likelihood of risks

Answer 29

Impact - how much damage the risk can cause
Likelihood - the probability of the risk occurring

Question 30

Inherent Risk

Answer 30

Cost impact if the risk is not controlled

Question 31

Residual Risk

Answer 31

Remaining risks after controls are put in place

Question 32

When should controls be implemented?

Answer 32

When the cost to implement is less than the inherent risk

Question 33

Categories of risk according to COSO Internal controls framework (top of the cube)

Answer 33

1) Operations
2) Reporting
3) Compliance

Question 34

Deficiencies found in any controls are communicated to who?

Answer 34

The audit committee