Chapter 7 Flashcards

1
Q

More than 60% of businesses each year experience a failure in controlling security and integrity of their computer systems. What are some reasons why organizations have not adequately protected data?

A
  • Some companies mistakenly view loss of crucial information as a DISTANT, UNLIKELY THREAT
  • Not all of the control implications of moving from centralized computer systems to internet-based systems are fully understood
  • Many companies do not realize that information is a strategic resource and that protecting it must be a strategic REQUIREMENT
  • Productivity and cost pressures - controls can be both time-consuming and costly
2
Q

Any potential adverse occurrence (to the AIS) is considered a

A

threat, or event

3
Q

Likelihood of a threat is the:

A

probability that it will happen

4
Q

Potential dollar loss from a threat is called

A

impact, or exposure

5
Q

What control objectives are achieved (with reasonable assurance) when internal controls are put in place?

A
  • SAFEGUARDING ASSETS, including preventing or detecting unauthorized acquisition, use, or disposition
  • MAINTAINING RECORDS in sufficient detail for accuracy and fairness
  • Providing ACCURATE AND RELIABLE information
  • Encouraging preparation of financial statements in ACCORDANCE with ESTABLISHED CRITERIA
  • Promoting and improving OPERATIONAL EFFICIENCY
  • Encouraging ADHERENCE to management policies
  • Encouraging COMPLIANCE with applicable laws and regulations
6
Q

Internal Control permeates an organization’s operating activities and is an integral part of management activities. Does it provide complete assurance?

A

No. It provides REASONABLE assurance. Complete assurance is difficult, expensive, and there are inherent limitations such as:

  • simple errors and mistakes
  • faulty judgement and decision-making
  • collusion
  • management overrides
7
Q

What are detective controls?

A

Designed to DISCOVER control problems that were NOT PREVENTED

8
Q

The processes and procedures implemented to provide reasonable assurance that control objectives are met are known as ____ ____

A

Internal Controls

9
Q

When do preventive controls deter problems?

A

Preventive controls deter problems BEFORE THEY ARISE

10
Q

Controls that identify and correct problems, and that correct and recover from the resulting errors, are known as

A

Corrective Controls

11
Q

Internal controls are usually segregated into which two broad categories?

A
  1. General Controls
  2. Application Controls

12
Q

Harvard Business Professor Robert Simons has espoused four levels of control that help management reconcile the conflict between creativity and controls. What are they?

A
  1. Belief system
  2. Boundary system
  3. Diagnostic control system
  4. Interactive control system
13
Q

Internal controls perform three important functions. What are they?

A
  • Preventive Controls
  • Detective Controls
  • Corrective Controls
14
Q

Security, IT infrastructure, maintenance controls, and software acquisition are examples of which broad category of internal controls?

A

General Controls - make sure the organization’s information system and control environment are stable and well-managed

15
Q

Define the Boundary system

A

This helps employees act ethically by setting BOUNDARIES ON EMPLOYEE BEHAVIOR

16
Q

One wants to implement control without telling employees exactly what they have to do. What should they do?

A

Create a Boundary System that sets a minimum performance standard. This encourages creativity in solving problems while meeting customer needs. It can also designate off-limits activities, a preventive control that avoids actions which may damage the company's reputation.

17
Q

Define the belief system component of control

A

A Belief System is how a company:

  • Creates Value
  • Helps employees understand management’s vision
  • Communicates company core values
  • Inspires employees to live by expressed values
18
Q

Controls that prevent, detect, and correct transactional errors and fraud in application programs are which type of category of internal control?

A

Application control. These are concerned with:

  • Validity
  • Accuracy
  • Completeness
  • Authorization of all data entered/processed
19
Q

Which system (from Robert Simons) measures, monitors, and compares actual company progress to budgets and performance goals?

A

Diagnostic control system. An example is feedback, which may help management adjust and fine-tune inputs and processes so that future outputs more closely match goals.

20
Q

Which act requires all publicly owned corporations to maintain a system of internal accounting controls?

A

FCPA - Foreign Corrupt Practices Act. The main purpose of the FCPA was to prevent companies from bribing foreign officials to obtain business. Unfortunately, this wasn't sufficient to cover all the problems related to internal control.

21
Q

Data of which system (from Robert Simons) is often interpreted and discussed in face-to-face meetings of superiors, subordinates, and peers?

A

Interactive Control System. These help managers focus employee attention on key strategic issues and be more involved in decision-making.

22
Q

Describe Sarbanes-Oxley

A

An act passed in 2002 in response to large accounting frauds. It is intended to make financial reports more transparent, provide investor protection, strengthen internal controls at public companies, and punish executives who carry out fraud.

23
Q

What is the purpose of the PCAOB?

A

Five people appointed by the SEC; it oversees the auditing profession.

Sets and enforces:

  • Auditing and related standards
  • Quality control
  • Independence
  • Ethics
24
Q

According to SOX, where must auditors report specific information, such as critical accounting policies and practices?

A

Audit committee

25
What does SOX do?
  • Created the PCAOB
  • New rules for auditors
  • New roles for audit committees
  • New rules for management
  • New internal control requirements
26
What must management do according to mandates by the SEC?
  • Base its evaluation on a RECOGNIZED CONTROL FRAMEWORK
  • DISCLOSE all MATERIAL internal control WEAKNESSES
  • Conclude that a company does NOT have effective internal control over financial reporting if there are MATERIAL WEAKNESSES
27
Provide an example of top management conflict with regards to performing audit services according to SOX
According to p. 191 of the text, "Audit firms cannot provide services to companies if top management was employed by the auditing firm and worked on the company’s audit in the preceding 12 months"
28
According to SOX, would a firm that performs information systems design and implementation for a company be able to also perform an audit of the same company?
No. SOX prohibits auditors from performing certain non-audit services.
29
A weak or deficient internal environment could result in
breakdowns in risk management and control. The internal environment is essentially the same thing as the "control environment" in the IC framework.
30
An internal environment consists of what?
  1. Management's philosophy
  2. Commitment to integrity, ethical values, and competence
  3. Internal control oversight by the BOD
  4. Organizational structure
  5. Methods of assigning authority and responsibility
  6. Human resource standards that attract, develop, and retain competent individuals
  7. External influences
31
One seeking guidance for Internal Control can refer to the ?
The "Internal Control - Integrated Framework" of COSO. It is widely accepted as the authority on internal controls, and the framework is usually incorporated into the policies, rules, and regulations used to control business activities.
32
The more responsible the philosophy and strategy of management, along with the operating style and risk appetite, the more likely employees will behave responsibly. What questions may be asked to assess this?
  • Does management take undue business risks to achieve its objectives, or does it assess potential risks and rewards prior to acting?
  • Does management manipulate performance measures, such as net income, so they are seen in a more favorable light?
  • Does management pressure employees to achieve results regardless of the methods, or does it demand ethical behavior? In other words, do the ends justify the means?
33
The second framework made by COSO to improve risk management is called
Enterprise Risk Management (ERM). The process the BOD and management use to set strategy, identify events that affect the entity, assess risk, and provide reasonable assurance that the company is achieving its goals.
34
Amount of risk willing to be accepted by a company to achieve their goals is the
risk appetite
35
Five basic principles of ERM
  1. Companies are formed to create value for their owners
  2. Management must decide how much uncertainty it will accept as it creates value
  3. Uncertainty results in risk, the possibility that something negatively affects the ability to create or preserve revenue
  4. Uncertainty also results in opportunity, the possibility that something positively affects the ability to create or preserve value
  5. Thus, the ERM framework can manage uncertainty as well as create and preserve value
36
What is the internal environment?
Company culture. It influences how strategies and objectives are established, how business activities are structured, and how risk is identified and responded to.
37
See p. 196 for the ERM figure
p. 196
38
According to SOX, public companies must have an audit committee of outside, independent directors. These are responsible for what?
  • Financial reporting
  • Regulatory compliance
  • Internal control
  • Hiring and overseeing internal and external auditors
39
Commitment to integrity, ethical values, and competence begins at the top. Companies can endorse integrity by (2 of 2)
  • Developing a written code of conduct. Companies should document that employees have read and understand the code of conduct so that employees know right from wrong, rather than relying on expediency, which may lead them to dishonesty
  • Requiring employees to report dishonest or illegal acts. Offending employees should be dismissed and prosecuted to show that such behavior is not allowed
40
The organizational structure provides a framework for planning, executing, controlling, and monitoring operations. Important aspects of the organizational structure are:
  • Centralization or decentralization of authority
  • Direct or matrix reporting relationships
  • Organization by industry, product line, location, or marketing network
  • How the allocation of responsibility affects information requirements
  • Organization of, and lines of authority for, the accounting, auditing, and IS functions
  • Size and nature of company activities
41
Commitment to integrity, ethical values, and competence begins at the top. Companies can also endorse integrity by (1 of 2)
  • Actively teaching and requiring it (making clear that honest reports are more important than favorable ones, for example)
  • Avoiding unrealistic expectations or incentives that motivate dishonest or illegal acts (overly aggressive sales practices, unfair or unethical negotiation tactics, or bonuses based excessively on reported financial results)
  • Consistently rewarding honesty and giving verbal labels to certain types of behavior
42
Give an example of how a complex, unclear organizational structure can indicate serious problems
It can hide fraud. For example, ESM used a multi-layered organizational structure to hide $300 million in fraud.
43
What could be used as a guide for authority and responsibility for employees?
Job descriptions, employee training, operating schedules, budgets, code of conduct, but especially the written policies and procedures
44
Who should be responsible for assigning authority and responsibility, as well as holding those individuals accountable for achieving or not achieving goals?
Management. It is especially important to identify who is responsible for the company's information security policy.
45
What is a policy and procedures manual?
It explains proper business activities, describes the needed knowledge and experience, explains document procedures and how to handle transactions, and lists the resources provided to carry out specific duties. It is a helpful on-the-job reference.
46
One of the greatest control strengths is employee ____. Reciprocally, one of the greatest control weaknesses is ___ of employees. Hint: think HR
Honesty / Dishonesty
47
What must HR think about when hiring employees?
Hiring employees based on factors like educational background, experience, achievements, honesty, integrity, and whether job requirements are met. This also applies to people like cleaning crews and temps (fraudsters can pose as these to gain physical access to things like computers).
48
Applicant qualifications can be evaluated using resumes, reference letters, interviews, and background checks. What are background checks?
Talking to references, checking criminal records, and verifying work or education history. Those who fail to do this could employ someone who is actually a criminal and embezzles funds. Background check specialists can be used to identify bogus education sites or to detect applicants who used hackers to enter fake data into university databases.
49
What should HR consider when thinking about compensating, evaluating, and promoting employees?
Poorly compensated employees are more likely to feel resentment, and financial pressures like this can motivate fraud. Fair pay and appropriate bonuses can help motivate performance, and promotions should be based on performance and qualifications. Periodic performance appraisals should be given so employees know their weaknesses and strengths.
50
What are the HR considerations in regard to training employees?
Programs should be taught to teach responsibilities, expected levels of performance, and the company's culture and norms.
51
Examples of HR training programs
Informal or formal discussions and meetings, issuing periodic memos, distributing written guidelines and codes of conduct/ethics, circulating reports of unethical behavior and its consequences, and promoting security and fraud training programs
52
What can HR do to make fraud less likely to occur?
Fraud is less likely to occur when employees recognize the need to report it. Such a culture, in which employees believe security is everyone's business, must be taught and practiced. In addition, the consequences of unwanted behavior should be taught and reinforced.
53
Who are disgruntled employees and how may they be managed?
Some disgruntled employees may be seeking revenge for a perceived wrong, and so perpetrate fraud or sabotage systems. HR needs procedures to identify these employees, help them resolve their feelings, or remove them from sensitive jobs. This is not easy, as employees may fear that admitting these feelings will have bad consequences.
54
Why is most fraud not reported or prosecuted?
  1. It would be a PR disaster (and could attract more hackers)
  2. Law enforcement (LE) and the courts are busy with violent crimes
  3. It is difficult, costly, and time-consuming
  4. Many LE officers and judges lack the computer skills needed to investigate and prosecute cybercrimes
  5. Fraud sentences are light
55
Why is it especially important to have increased control activities around the holidays at the end of the year?
(1) extended employee vacations mean that there are fewer people to “mind the store”; (2) students are out of school and have more time on their hands; and (3) lonely counterculture hackers increase their attacks.
56
What is fidelity bond insurance?
Insurance that protects companies from acts of deliberate fraud
57
Differences between Risk Assessment and Risk Response?
basis. Inherent risk is the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control. Residual risk is the risk that remains after management implements internal controls or some other response to risk. Companies should assess inherent risk, develop a response, and then assess residual risk.
58
What are the four ways management can respond to risk?
  • Reduce. Reduce the likelihood and impact of risk by implementing an effective system of internal controls.
  • Accept. Accept the likelihood and impact of the risk.
  • Share. Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions.
  • Avoid. Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.
59
Differences between preventive, detective, and corrective controls?
Preventive controls are usually superior to detective controls. When preventive controls fail, detective controls are essential for discovering the problem. Corrective controls help recover from any problems. A good internal control system should employ all three.
60
Difference between specific and general authorization.
  • Specific - Special approval an employee needs in order to be allowed to handle a transaction, e.g. anything over 500k must be approved.
  • General - The authorization given to employees to handle routine transactions without special approval.
61
Segregation of accounting duties is achieved when which of the following functions are separated?
Authorization, recording, and custody (handling of cash and assets, writing checks)
62
See figure 7-5, p. 206
p 206
63
Three types of accounts that are most often manipulated
  1. Revenue
  2. Inventory
  3. A/R
64
Substantive testing is used to
test internal controls
65
inherent risk is
risk in place before any internal controls are implemented
66
In this example, 5000 is the transaction amount at which things tend to become valuable. Anything under 5000 has ___ authorization. Anything over 5000 has ____ authorization
general / specific