CIA - Part 1 Flashcards

1
Q

CH 1.1: Internal Audit Charter

A
  • Defines the IA Activity’s purpose, authority, and responsibility.
  • Must be adopted and it should contain a grant of sufficient authority.
  • Final approval resides with the Board.
2
Q

CH 1.1: Assurance Service

A
  • Involves IA’s objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matter.
  • Objective examination of evidence for the purpose of providing an independent assessment of governance, risk management, and control processes for the organization.
3
Q

CH 1.1: Consulting Service

A
  • Are advisory in nature and are generally performed at the specific request of an engagement client.
  • Activities intended to add value and improve an org’s governance, risk management, & control processes without the internal auditor assuming management’s responsibility.
  • Providing counsel, advice, facilitation, and training.
4
Q

CH 1.1: International Professional Practices Framework (IPPF)

A

Defines the mission of IA as follows:

  1. To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
  2. The IPPF facilitates the achievement of this mission.
  • Contains mandatory & recommended guidance.
5
Q

CH 1.1: Recommended Guidance

A

Describes practices for effective implementation of the core principles, the definition of internal auditing, the code of ethics, and the standards.

  • 2 recommended elements (1) Implementation and (2) Supplemental.
6
Q

CH 1.1: Attribute Standards

A

Numbered in the 1000s; govern the responsibilities, attitudes, and actions of the organization’s internal audit activity and the people who serve as internal auditors.

7
Q

CH 1.1: Performance standards

A

Numbered in the 2000s; govern the nature of internal auditing and provide quality criteria for evaluating the internal audit function’s performance.

8
Q

CH 1.1: Standards

A

A) Guide Adherence
B) Provide a framework for performing and promoting a broad range of value added internal auditing services
C) Establish the basis for evaluation of internal audit performance
D) Foster improved organizational processes and operations

9
Q

CH 1.1: Definition of Internal Auditing

A

Is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

10
Q

CH 1.1: Mandatory Guidance

A

Adherence to the mandatory guidance is essential for the professional practice of internal auditing.

Consists of 4 elements: (1) Core Principles, (2) Definition of Internal Auditing, (3) Code of Ethics, and (4) the Standards.

11
Q

CH 1.2: Code of Ethics

A

Reasons for Codes of Ethical Conduct: The primary purpose of a code of ethical conduct for a professional organization is to promote an ethical culture among professionals who serve others.

Additional functions of a code of ethical conduct for a professional organization include:

  • Communicating acceptable values to all members,
  • Establishing objective standards against which individuals can measure their own performance, and
  • Communicating the organization’s values to outsiders.

12
Q

CH 1.2: Code of Ethics Components

A

(1) Integrity - A refusal to compromise professional values for personal gain. Another facet of integrity is performance of professional duties in accordance with relevant laws.
(2) Objectivity - A commitment to providing stakeholders with unbiased information. Another facet of objectivity is a commitment to independence from conflicts of economic or professional interest.
(3) Confidentiality - A refusal to use organizational information for private gain.
(4) Competency - A commitment to acquiring and maintaining an appropriate level of knowledge and skill.

13
Q

CH 1.8: Board

A
  • Is the highest-level governing body (e.g., a board of directors, a supervisory board, or a board of governors or trustees) charged with the responsibility to direct and/or oversee the organization’s activities and hold senior management accountable.
  • Although governance arrangements vary among jurisdictions and sectors, typically the board includes members who are not part of management.
  • If a board does not exist, the word “board” in the Standards refers to a group or person charged with governance of the organization.
  • Furthermore, “board” in the Standards may refer to a committee or another body to which the governing body has delegated certain functions (e.g., an audit committee).
14
Q

Chapter 1: Internal Auditing is…

A

Independent, objective, assurance/consulting, designed to add value, improve an org’s operations, help an org accomplish its objectives, evaluate and improve the effectiveness of governance, risk management, and control processes.

15
Q

Chapter 1: Generally, Internal Auditors…

A
  • Review, Assess, and Provide Assurance

  • They DO NOT: Design, Secure, Implement, Manage, or Take responsibility for controls

16
Q

Chapter 1: IA Charter

A

The IA charter does NOT specify the resources needed or available for the IA Activity.

The Charter is:
Prepared = CAE
Approved = Management
Accepted = Board
Communicated = Engagement Client
17
Q

CH 2.1: Dual Reporting

A

Separates functional reporting and administrative reporting.

Organizational independence is effectively achieved when the CAE reports functionally to the BOARD and administratively to SR. MGMT (aka CAE).

18
Q

CH. 2.1: Independence

A

An organizational attribute of the internal audit activity as a whole.

19
Q

CH 2.2: Objectivity

A

An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their product and that no quality compromises are made.

IA must have an impartial, unbiased attitude and avoid any conflict of interest.

20
Q

CH 2.1: Independence vs. Objectivity

A

IA Activity MUST be independent and internal auditors MUST be objective in performing work.

21
Q

CH 2.3: Scope Limitation

A

A restriction placed on the IA Activity that precludes the activity from accomplishing its objectives and plan.

22
Q

CH 2.4: Proficiency

A
  • Internal Auditor must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities.
  • The IA Activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
  • Includes knowledge sufficient to evaluate fraud risk and IT risks and controls.
23
Q

CH 2.6: Due Professional Care

A

IA must apply the care and skill expected of a reasonably prudent and competent internal auditor. Does not imply infallibility (i.e., that the auditor is never wrong and never fails).

  • Conformance with code of ethics and org’s code
  • Proper application of IPPF
24
Q

CH 2.7: Deming Cycle

A

4 Steps

(1) Plan - Establishes standards and expectations for operating a process to meet goals
(2) Do - Executes the process and collects data for further analysis
(3) Check - Compares actuals to expectations
(4) Act - Provides feedback by identifying and implementing improvements to the process

25
Q

CH 2.8: Quality Assurance Improvement Program (QAIP)

A
  • Designed to enable an evaluation of the Internal Auditing Activity’s conformance with the Standards and the evaluation of whether internal auditors apply the Code of Ethics.
  • The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.
  • CAE should encourage board oversight.
  • Ongoing measurement and analysis of performance metrics
26
Q

CH 2.8: QAIP Components

A

5 Components

  • Internal Assessment
  • External Assessment
  • Communication of QAIP Results
  • Proper use of a conformance statement
  • Disclosure of nonconformance
27
Q

CH 2.8: Internal Assessment

A
  • Ongoing monitoring of the performance of IA Activity
  • Periodic self-assessments or assessments by others within the organization
  • Provides an effective structure for the IA Activity to continuously assess its conformance with the Standards and whether IA apply the Code of Ethics.
28
Q

Ch 2.8: External Assessment

A
  • Must be conducted once every 5 years
  • Provide independent/objective evaluation of the IA Activity’s conformance with the Standards and Code of Ethics
    (A) Full External Assessment - level of conformance/ efficiency and effectiveness, and meet expectations
    (B) Self Assessment (SAIV) - with independent external validation - self assessment/onsite validation/limited attention to other areas
29
Q

Chapter 2: Independence Achieved

A

Largely through the organizational placement of the IA Activity, including the CAE’s reporting lines, as well as the direct interaction of the CAE with the board and sr. management through dual reporting.

30
Q

Chapter 2: Manage IA Objectivity

A

To manage IA objectivity effectively, many CAEs have an internal audit policy manual or handbook that describes expectations and requirements.

31
Q

Chapter 2: IA Gift Accepting

A

Whenever IA is offered a gift (other than minor value promotional items), the required course of action is to report the issue to the CAE or audit management.

32
Q

Chapter 2: IA Audit Areas - NO

A

An IA must NOT be involved in auditing areas for which he/she was responsible in the previous year, or if the auditor has been promoted (i.e., will be transferred to the operating department under audit). If involved, adequate reporting and disclosure MUST be made.

33
Q

CH 3.1: Governance

A

The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Corporate governance can be influenced by internal or external mechanisms.

34
Q

CH 3.1: Internal/External Mechanisms

A

Internal - Corporate charters, bylaws, board of directors, and the internal audit function.

External - Laws, regulations, and the government regulators who enforce them.

35
Q

CH 3.1: Board

A

The highest-level governing body (i.e., a board of directors, a supervisory board, or a board of governors or trustees) charged with the responsibility to direct and/or oversee the organization’s activities and hold sr. management accountable.

A group or person charged with governance of the organization.

36
Q

CH 3.1: Board Duties

A

The board has the following duties:
- Selection and removal of officers
- Decisions about capital structure (mix of debt and equity, consideration to be received for shares, etc.)
- Adding, amending, or repealing bylaws (unless this authority is reserved to the shareholders)
- Initiation of fundamental changes (mergers, acquisitions, etc.)
- Decisions to declare and distribute dividends
- Setting of management compensation (sometimes performed by a subcommittee called the compensation committee)
- Coordinating audit activities (most often performed by a subcommittee called the audit committee)
- Evaluating and managing risk (sometimes performed by a subcommittee called the risk committee)

37
Q

CH 3.1: Stakeholders

A

Persons or entities who are affected by the activities of the entity. Among others, these include shareholders, employees, suppliers, customers, neighbors of the entity’s facilities, and government regulators.

38
Q

CH 3.1: Governance Principles

A

Governance does not exist independently of risk management and control. Rather, governance, risk management, and control (collectively referred to as GRC) are interrelated.

(1) Effective governance considers risk when setting strategy, and risk management relies on effective governance (e.g., tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management).
(2) Effective governance relies on controls to manage risks and on communication of their effectiveness to the board.

39
Q

CH 3.1: Governance Process & Roles

A

Governance has two major components: strategic direction and oversight.
1) Strategic direction determines
a. The business model,
b. Overall objectives,
c. The approach to risk taking (including the risk appetite), and
d. The limits of organizational conduct.
2) Oversight is the governance component with which internal auditing is most concerned. It is also the component to which risk management and control activities are most likely to be applied. The elements of oversight are
a. Risk management activities performed by senior management and risk owners, and
b. Internal and external assurance activities.

40
Q

CH 3.1: Risk Committee

A

May be created that (1) Identifies key risks, (2) Connects them to risk management processes, (3) Delegates them to risk owners, and (4) Considers whether tolerance levels delegated to risk owners are consistent with the organization’s risk appetite.

41
Q

CH 3.1: Management

A

Performs day-to-day governance functions. Senior management carries out board directives (within specified tolerances for unacceptable outcomes) to achieve objectives.

42
Q

CH 3.1: Risk Owners

A

Are responsible for:

  1. Evaluating the adequacy of the design of risk management activities and the organization’s ability to carry them out as designed;
  2. Determining whether risk management activities are operating as designed;
  3. Establishing monitoring activities; and
  4. Ensuring that information to be reported to senior management and the board is accurate, timely, and available.
43
Q

CH 3.1: Culture

A

Consists of the attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization.

44
Q

CH 3.2: Effective Governance

A

The design and practice of effective governance vary with:

  • Size, complexity, and life cycle maturity
  • Its stakeholder structure
  • Legal and Cultural Requirements
45
Q

CH 3.2: IA Governance Responsibility

A

The internal audit activity’s ultimate responsibility is to evaluate and improve governance

46
Q

CH 3.3: CSR

A

CSR refers to (a) social responsibility, (b) sustainable development, and (c) corporate citizenship.

47
Q

CH 3.3: CSR Strategies

A

(1) Reaction - The organization denies responsibility and tries to maintain the status quo.
(2) Defense - The organization uses legal action or public relations efforts to avoid additional responsibilities.
(3) Accommodation - The organization assumes additional responsibilities only when pressured.
(4) Proaction - The organization takes the initiative in implementing a CSR program that serves as an example for the industry.

48
Q

CH 4.1: Risk & Risk Management

A

Risk - is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood (The IIA Glossary).
Risk management - is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives (The IIA Glossary)

49
Q

CH 4.1: Risk Management Process

A
  • Assessment, treatment, monitoring, and reporting of risk are aggregated across the organization.
  • Risk management processes include (1) identification of context, (2) risk identification, (3) risk assessment and prioritization (i.e., risk analysis), (4) risk response, and (5) risk monitoring.
50
Q

CH 4.1: Risk Governance

A

Across the organization, personnel who are competent and skilled participate in the risk management process.

51
Q

CH 4.1: Risk Culture

A

Risk is considered and built into the decision-making, objective-setting, and compensation structure.

52
Q

CH 4.1: Risk Identification

A

Risk identification should consider past events (trends) and future possibilities. Methods used include the following:

  • Event inventories
  • Questionnaires and surveys
  • Leading event indicators and escalation triggers
  • Facilitated workshops and interviews
  • Loss event data methodologies
53
Q

CH 4.1: Risk Modeling

A

Risk modeling is a method of risk assessment and prioritization.

  • Risk modeling ranks and validates risk priorities when setting the priorities of engagements in the audit plan.
  • Risk factors may be weighted based on professional judgments to determine their relative significance, but the weights need not be quantified.
54
Q

CH 4.1: Risk Response

A
  • Risk responses are the means by which an organization elects to manage individual risks.
  • Each organization selects risk responses that align risks with the organization’s risk appetite (the level of risk the organization is willing to accept).
    (A) Controls - are actions taken by management to manage risk and ensure risk responses are carried out.
    (B) Control risk - is the risk that controls fail to effectively manage controllable risks.
    (C) Residual risk - is the risk that remains after risk responses are executed.
55
Q

CH 4.1: Responsibility for Aspects of Organizational Risk Management

A

(1) Risk management is a key responsibility of senior management and the board.
(2) Boards - have an oversight function. They determine that risk management processes are in place, adequate, and effective.
(3) Management - ensures that sound risk management processes are functioning.
(4) The internal audit activity - may be directed to examine, evaluate, report, or recommend improvements.
It also has a consulting role in identifying, evaluating, and implementing risk management methods and controls.

56
Q

CH 4.2: Enterprise Risk Management (ERM)

A

Is based on the premise that every organization exists to provide value for its stakeholders.

Accordingly, ERM is defined as the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

57
Q

CH 4.2: Risk Profile

A

Is a composite view of the types, severity, and interdependencies of risks related to a specific strategy or business objective and their effect on performance.

58
Q

CH 4.2: Portfolio View

A
  • Portfolio view is similar to a risk profile.
  • The difference is that it is a composite view of the risks related to entity-wide strategy and business objectives and their effects on entity performance.
59
Q

CH 4.2: Risk Appetite

A

Consists of the amount and types of risk the organization is willing to accept in pursuit of value.

60
Q

CH 4.2: Value

A

(1) Created - when the benefits obtained from the resources used exceed their costs.
(2) Preserved - when the value of resources used is sustained.
(3) Realized - when benefits are transferred to stakeholders.
(4) Eroded - when management’s strategy does not produce expected results or management does not perform day-to-day tasks.

61
Q

CH 4.2: ERM Roles and Responsibilities

A

Management = Responsibility
Board = Oversight
IA Activity = Assistance/Assurance

62
Q

CH 4.2: ERM COSO Components

A

The COSO ERM framework consists of five interrelated components. Twenty principles are distributed among the components.

  • The supporting aspect components are: (1) Governance and culture and (2) Information, communication, and reporting.
  • The common process components are: (1) Strategy and objective-setting, (2) Performance, and (3) Review and revision.
63
Q

CH 4.2: Risk Response Categories

A

The following are the five categories of risk responses:

  1. Acceptance (retention) - No action is taken to alter the severity of the risk. Acceptance is appropriate when the risk is within the risk appetite. This term is synonymous with self-insurance.
  2. Avoidance - Action is taken to remove the risk. Avoidance typically suggests no response would reduce the risk to an acceptable level. For example, the risk of pipeline sabotage can be avoided by selling the pipeline.
  3. Pursuit - Action is taken to accept increased risk to improve performance without exceeding acceptable tolerance.
  4. Reduction (mitigation) - Action is taken to reduce the severity of the risk so that it is within the target residual risk profile and risk appetite. For example, the risk of systems penetration can be reduced by maintaining an effective information security function within the entity.
  5. Sharing (transfer) - Action is taken to reduce the severity of the risk by transferring a portion of the risk to another party. Examples are insurance; hedging; joint ventures; outsourcing; and contractual agreements with customers, vendors, or other business partners.
64
Q

CH 4.3: ISO 31000

A

Is a principles-based approach to risk management. Its principles are the foundation for risk management. They also communicate the characteristics, value, and purpose of effective and efficient risk management. Value creation and protection are the purposes of risk management.

65
Q

CH 4.3: Maturity Model

A

Approach is based on the principle that effective risk management processes develop and improve with time as value is added at each phase in the maturation process. The basic principle is that risk management must add value.
- Accordingly, this approach determines where the risk management process is on the maturity curve and evaluates whether it (1) is progressing as expected, (2) adds value, and (3) meets organizational needs.

66
Q

CH 5.1: Control

A

Is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

67
Q

CH 5.1: Control Process

A

Are the policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.

68
Q

CH 5.1: Control Environment

A

Is the attitude and actions of the board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:

  • Integrity and ethical values
  • Management’s philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and practices
  • Competence of personnel
69
Q

CH 5.1: Internal Controls Inherent Limitations

A

Internal control only provides reasonable assurance of achieving objectives. It cannot provide absolute assurance because any system of internal control has the following inherent limitations:

  • Human judgment is faulty, and controls may fail because of simple errors or mistakes.
  • Management may inappropriately override internal controls, e.g., to fraudulently achieve revenue projections or hide liabilities.
  • Manual or automated controls can be circumvented by collusion.
  • The cost of internal control must not be greater than its benefits.
70
Q

CH 5.1: Control Roles and Responsibilities

A

The roles and responsibilities are as follows:

  • Senior management oversees the establishment, administration, and assessment of the system of controls.
  • Managers assess controls within their responsibilities.
  • The internal auditors provide assurance about the effectiveness of existing controls.
71
Q

CH 5.2: Primary Controls

A

(1) Preventive controls deter the occurrence of unwanted events.
(2) Detective controls alert the proper people after an unwanted event. They are effective when detection occurs before material harm occurs.
(3) Corrective controls correct the negative effects of unwanted events.
(4) Directive controls cause or encourage the occurrence of a desirable event.

72
Q

CH 5.2: Secondary Controls

A

(1) Compensatory (mitigative) controls may reduce risk when the primary controls are ineffective. However, they do not, by themselves, reduce risk to an acceptable level.
(2) Complementary controls work with other controls to reduce risk to an acceptable level. In other words, their synergy is more effective than either control by itself.

73
Q

CH 5.2: IT General Controls

A

Controls over information and related technologies can be broadly classified into two categories: (1) IT general controls and (2) application controls.

  • According to The IIA’s Global Technology Audit Guides (GTAGs), IT general controls are those that pertain to all systems components, processes, and data present in an organization’s IT environment.
  • The objectives of IT general controls are to ensure the appropriate development and implementation of applications, as well as the integrity of program and data files and of computer operations.
74
Q

CH 5.2: Batch Input Controls

A

(1) Financial totals - summarize monetary amounts in an information field in a group of records. The total produced by the system after the batch has been processed is compared to the total produced manually beforehand.
(2) Record counts - track the number of records processed by the system for comparison to the number the user expected to be processed.
(3) Hash totals - are control totals without a defined meaning, such as the total of vendor numbers or invoice numbers, that are used to verify the completeness of the data.

75
Q

CH 5.2: Online Input Controls

A

(1) Preformatting - of data entry screens, i.e., to make them imitate the layout of a printed form, can aid the operator in keying to the correct fields.
(2) Field/format checks - are tests of the characters in a field to verify that they are of an appropriate type for that field.
(3) Validity checks - compare the data entered in a given field with a table of valid values for that field.
(4) Limit (reasonableness) and range checks - are based on known limits for given information.
(5) Check digits are an extra reference number that follows an identification code and bears a mathematical relationship to the other digits. This extra digit is input with the data. The identification code can be subjected to an algorithm and compared to the check digit.
(6) Sequence checks - are based on the logic that processing efficiency is greatly increased when files are sorted on some designated field, called the “key,” before operations such as matching. If the system discovers a record out of order, it may indicate that the files were not properly prepared for processing.
(7) Zero balance checks will reject any transaction or batch thereof in which the sum of all debits and credits does not equal zero.

76
Q

CH 5.2: Processing Controls

A

Ensure that data are complete and accurate during updating.

77
Q

CH 5.2: Concurrency controls

A

Manage situations where two or more users attempt to access or update a file or database simultaneously. These controls ensure the correct results are generated while getting those results as quickly as possible.

78
Q

CH 5.2: Output Controls

A

Ensure that processing results are complete, accurate, and properly distributed.
An important output control is user review. Users should be able to determine when output is incomplete or not reasonable, particularly when the user prepared the input. Thus, users as well as computer personnel have a quality assurance function.

79
Q

CH 5.2: Integrity Controls

A

Monitor data being processed and in storage to ensure it remains consistent and correct.

80
Q

CH 5.2: Management trail (or audit trail)

A

Are processing history controls that enable management to track transactions from their source to their output.

81
Q

CH 5.2: Time-Based Classification

A

(1) Feedback controls - report information about completed activities. They permit improvement in future performance by learning from past mistakes.
For example, the inspection of completed goods followed by performing variance analysis procedures helps identify deviations from what was expected. Thus, inspection and the analysis of variance provide feedback on how well the completion of goods meets expectations.
(2) Concurrent controls - adjust ongoing processes. These real-time controls monitor activities in the present to prevent them from deviating too far from standards. An example is close supervision of production-line workers.
(3) Feedforward controls - anticipate and prevent problems. These controls require a long-term perspective. Organizational policies and procedures are examples.

82
Q

CH 5.3: COSO Objectives

A

The three classes of objectives direct organizations to the different (but overlapping) elements of control.

(1) Operations
a. Operations objectives relate to achieving the entity’s mission.
b. Objectives related to protecting and preserving assets assist in risk assessment and development of mitigating controls.
(2) Reporting
a. To make sound decisions, stakeholders must have reliable, timely, and transparent financial information.
b. Reports may be prepared for use by the organization and stakeholders.
c. Objectives may relate to (1) Financial and nonfinancial reporting, (2) Internal or external reporting
(3) Compliance
a. Entities are subject to laws, rules, and regulations that set minimum standards of conduct.

83
Q

CH 5.3: Components of Internal Control (CRIME)

A
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring
84
Q

CH 5.3: Control Environment

A

The control environment is a set of standards, processes, and structures that pervasively affects the system of internal control. Five principles relate to the control environment.

85
Q

CH 5.3: Risk Assessment

A

The risk assessment process encompasses an assessment of the risks themselves and the need to manage organizational change. It is a basis for determining how the risks should be managed. Four principles relate to risk assessment.

86
Q

CH 5.3: Control Activities

A

These policies and procedures help ensure that management directives are carried out. Whether automated or manual, they are applied at various levels of the entity and stages of processes. They may be preventive or detective, and segregation of duties is usually present. Three principles relate to control activities.

87
Q

CH 5.3: Information and Communication

A

Information systems enable the organization to obtain, generate, use, and communicate information to (a) maintain accountability and (b) measure and review performance. Three principles relate to information and communication.

88
Q

CH 5.3: Monitoring Activities

A

Control systems and the way controls are applied change over time. Monitoring is a process that assesses the quality of internal control performance over time to ensure that controls continue to meet the needs of the organization.

89
Q

CH 5.3: COCO Model

A

The CoCo model is thought to be more suited for internal auditing purposes. It consists of 20 criteria grouped into 4 components:

  • Purpose
  • Commitment
  • Capability
  • Monitoring and Learning
90
Q

CH 5.3: COBIT Model

A

Best-known control and governance framework that addresses information technology

91
Q

Chapter 5: Effective Internal Control Systems

A

Effective systems of internal control are most likely to detect an irregularity perpetrated by a single employee. Irregularities resulting from collusion among a group of employees, or committed by someone in a management position, are more difficult to detect: collusion allows employees to circumvent the control system, and managers are able to override existing controls.

92
Q

CH 6.1: Flowcharts

A

Are graphical representations of the step-by-step progression of information through preparation, authorization, flow, storage, etc. The system depicted may be manual, computerized, or a combination of the two.

  • Flowcharting allows the internal auditor to analyze a system and to identify the strengths and weaknesses of internal controls and the appropriate areas of audit emphasis.
  • Flowcharting is typically used during the preliminary survey to gain an understanding of the client’s processes and controls.
93
Q

CH 6.1: Horizontal Flowcharts

A

Sometimes called system flowcharts, depict areas of responsibility (departments or functions) arranged horizontally across the page in vertical columns. Accordingly, activities, controls, and document flows that are the responsibility of a given department or function are shown in the same column.

94
Q

CH 6.1: Vertical Flowcharts

A

Sometimes called program flowcharts, present successive steps in a top-to-bottom format.
Their principal use is in the depiction of the specific actions carried out by a computer program.

95
Q

CH 6.1: Data Flow Diagrams

A

Show how data flow to, from, and within an information system and the processes that manipulate the data. A data flow diagram can be used to depict lower-level details as well as higher-level processes.
- A system can be divided into subsystems, and each subsystem can be further subdivided at levels of increasing detail. Thus, any process can be expanded as many times as necessary to show the required level of detail.

96
Q

CH 6.1: Process Mapping

A

A simple form of flowcharting used to depict a client process.

97
Q

CH 6.2: Internal Controls

A

A properly designed system of internal controls should reduce the risk of errors and prevent an individual from perpetrating and concealing fraud. The structure of an organization and the assignment of job duties should be designed to segregate certain functions within this environment.
- Cost-benefit criteria must be considered.

98
Q

CH 6.2: Segregation of Duties (SoD)

A

For any given transaction, the following three functions preferably should be performed by separate individuals in different parts of the organization:

  • Authorization of the transaction
  • Recording of the transaction
  • Custody of the assets associated with the transaction
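In practice the three-function test is run against an access extract: classify every role by the transaction cycle it touches and the function it performs, then flag any user who holds two or more functions within one cycle. The script below is an added example, not part of the original deck; its role catalogue and user list are constructed, and the role names are hypothetical.

```python
"""Segregation-of-duties conflict check over role assignments. The role catalogue
and the access extract below are constructed for this example."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Each role is classified by the transaction cycle it touches and which of the three
# SoD functions it performs. Hypothetical role names.
ROLE_CATALOGUE: Dict[str, Tuple[str, str]] = {
    "PO_APPROVER":          ("purchasing", "authorize"),
    "AP_CLERK":             ("purchasing", "record"),
    "PAYMENT_RELEASE":      ("purchasing", "custody"),
    "SALES_ORDER_APPROVER": ("revenue", "authorize"),
    "AR_CLERK":             ("revenue", "record"),
    "CASH_RECEIPTS":        ("revenue", "custody"),
}

Conflict = Tuple[str, FrozenSet[str]]   # (cycle, SoD functions held in that cycle)


def sod_conflicts(assignments: Dict[str, List[str]],
                  catalogue: Dict[str, Tuple[str, str]] = ROLE_CATALOGUE
                  ) -> Dict[str, List[Conflict]]:
    """Return, per user, every cycle in which the user holds two or more of
    authorize / record / custody. Users with no conflict are omitted."""
    findings: Dict[str, List[Conflict]] = {}
    for user, roles in assignments.items():
        functions_by_cycle: Dict[str, Set[str]] = defaultdict(set)
        for role in roles:
            if role not in catalogue:
                # An unclassified role cannot be tested, so fail loudly rather than pass it.
                raise KeyError(f"role {role!r} missing from catalogue; classify it first")
            cycle, function = catalogue[role]
            functions_by_cycle[cycle].add(function)
        conflicts = [(cycle, frozenset(fns))
                     for cycle, fns in sorted(functions_by_cycle.items()) if len(fns) >= 2]
        if conflicts:
            findings[user] = conflicts
    return findings


# Constructed access extract: user -> roles held.
SAMPLE_ASSIGNMENTS = {
    "alice": ["PO_APPROVER", "PAYMENT_RELEASE"],              # authorize + custody, one cycle
    "bob":   ["AP_CLERK"],                                    # a single function
    "carol": ["AP_CLERK", "CASH_RECEIPTS"],                   # record and custody, different cycles
    "dave":  ["PO_APPROVER", "AP_CLERK", "PAYMENT_RELEASE"],  # all three in purchasing
}

if __name__ == "__main__":
    for user, conflicts in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for cycle, functions in conflicts:
            print(f"{user}: {cycle} -> {', '.join(sorted(functions))}")
```

Only alice and dave are reported. carol is not: she records in one cycle and holds custody in another, which this rule does not treat as a conflict, so the cycle classification in the catalogue matters as much as the function classification. An unmapped role raises rather than passing silently, since a role nobody has classified is exactly where an undetected conflict hides.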
99
Q

CH 6.3: Management Controls - Roles & Responsibilities

A

Management

  • The chief executive officer (CEO) should establish the tone at the top. Organizations reflect the ethical values and control consciousness of the CEO.
  • The chief accounting officer also has a crucial role to play. Accounting staff have insight into activities across all levels of the organization.

Board of Directors

  • The entity’s commitment to integrity and ethical values is reflected in the board’s selections for senior management positions.
  • To be effective, board members should be capable of objective judgment, have knowledge of the organization’s industry, and be willing to ask the relevant questions about management’s decisions.
  • Important subcommittees of the board in organizations of sufficient size and complexity include the audit committee, the compensation committee, the finance committee, and the risk committee.

Internal Auditors

  • Management is ultimately responsible for the design and function of the system of internal controls. However, an organization’s internal audit function may play an important consulting and advisory role.
  • The internal audit function also evaluates the soundness of the system of internal control by performing systematic reviews according to professional standards.
  • To remain independent in the conduct of these reviews, the internal audit function cannot be responsible for selecting and executing controls.
100
Q

CH 7.1: Fraud & Fraud Risk

A

Fraud - is any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
Stated differently, fraud is any act characterized by intentional deception or misrepresentation.

Fraud risk - is the possibility that fraud will occur and the potential effects to the organization when it occurs.

101
Q

CH 7.1: Characteristics of Fraud

A
  1. Pressure or incentive - is the need a person tries to satisfy by committing the fraud.
    - Situational pressure - can be personal (e.g., financial difficulties in an employee’s personal life) or organizational (e.g., the desire to release positive news to the financial media).
  2. Opportunity - is the ability to commit the fraud.
    • Opportunity to commit is a factor in low-level employee fraud. Lack of controls over cash, goods, and other organizational property, as well as insufficient segregation of duties, are enabling factors.
    • Opportunity is the characteristic that the organization can most influence, e.g., by means of controls.
  3. Rationalization - is the ability to justify the fraud. It occurs when a person attributes his or her actions to rational and creditable motives without analysis of the true and, especially, unconscious motives.
    - Feeling underpaid is a common rationalization for low-level fraud.
    - Fraud awareness training minimizes rationalization by (a) supporting the ethical tone at the top, (b) promoting an environment averse to fraud, and (c) emphasizing that the organization does not tolerate misconduct of any kind.
102
Q

CH 7.1: Effects of Fraud

A

Monetary losses from fraud are significant, but its full cost is immeasurable in terms of time, productivity, and reputation, including customer relationships.

Thus, an organization should have a fraud program that includes awareness, prevention, and detection programs. It also should have a fraud risk assessment process to identify fraud risks.

103
Q

CH 7.1: Symptoms of Fraud

A
  1. A document symptom - is any tampering with the accounting records to conceal a fraud. Keeping two sets of books or forcing the books to reconcile are examples.
  2. A lifestyle symptom - is an unexplained rise in an employee’s social status or level of material consumption.
  3. A behavioral symptom - (i.e., a drastic change in an employee’s behavior) may indicate the presence of fraud. Guilt and other forms of stress associated with perpetrating and concealing the fraud may cause noticeable changes in behavior.
104
Q

CH 7.3: Forensic Auditing

A

Uses accounting and auditing knowledge and skills in matters having civil or criminal legal implications. Engagements involving fraud, litigation support, and expert witness testimony are examples. Forensic auditing procedures include interviewing, investigating, and testing.

Forensic auditors are well suited to such engagements because they know what constitutes evidence acceptable in a court of law.

105
Q

CH 7.3: Fraud Investigation

A

An investigation gathers sufficient information to determine (1) whether fraud has occurred, (2) the loss exposures, (3) who was involved, and (4) how fraud occurred. It should discover the full nature and extent of the fraud.

Internal auditors, lawyers, and other specialists usually conduct fraud investigations.
The investigation and resolution activities must comply with local law, and the auditors should work effectively with legal counsel and become familiar with relevant laws.

Management implements controls over the investigation. They include (1) developing policies and procedures, (2) preserving evidence, (3) responding to the results, (4) reporting, and (5) communications.

106
Q

CH Fraud: Fraud always..

A

Fraud always involves scienter, i.e., intentional false representation or concealment of material facts.

107
Q

CH Fraud: IA must..

A

The IA must have sufficient knowledge to identify indicators that fraud may have been committed, must be able to identify control weaknesses that could allow fraud to occur, and must be able to evaluate the indicators of fraud sufficiently to determine whether a fraud investigation is warranted.

108
Q

CH Fraud: Red Flags

A

Are items or actions that have been associated with fraudulent conduct.

The auditor need only be aware of red flags that may warrant further search for facts and need not document identified red flags during the engagement.

The mere existence of red flags does not mean an employee is actually committing fraud and would not immediately warrant a fraud investigation nor should the auditor discuss the issue with management, legal counsel, or the audit committee. These discussions occur only after the auditor has gathered sufficient factual evidence that suggests the occurrence of fraud.

109
Q

CH Fraud: Reporting

A

If an internal auditor has sufficient corroborated evidence to suspect fraud, the next step would be to notify the appropriate level of audit management, which ultimately considers all information, and notifies the correct level of management within the organization and NOT external parties (i.e., external auditors, external legal counsel, the police, SEC, etc).

110
Q

CH Fraud: Interview

A

During the interview, the interviewer should:
- Obtain general information before seeking specific information.
- Ask follow-up questions based on the interviewee's responses rather than adhering strictly to a predetermined order.
- Avoid leading questions, i.e., questions that suggest an answer.
- Concentrate on one subject or topic at a time so as not to confuse the interviewee.
- Take the role of one seeking the truth and avoid attempting to obtain a confession.

111
Q

Enterprise Risk Management (ERM) encompasses..

A

ERM considers the traditional view of potential hazards (threats) as well as opportunities. Management must consider how managing risk might create new opportunities for the organization, as well as how to de-risk any new or existing opportunities.

112
Q

ISO 31000 Key Characteristics

A

ISO 31000 recommends documenting key characteristics of the risk management process, such as the following:

  • An overall strategy for risk management
  • Risk communication structures
  • Allocation of resources
  • Analysis of cost-effectiveness of controls using technology
  • Performance monitoring
  • Inclusion of risk management as a principle in decision making and performance management
113
Q

ISO 31000 Components

A

Risk Assessment process has three steps:

  • Risk Identification
  • Risk Analysis
  • Risk Evaluation
114
Q

Detective Control

A

Four steps are associated with detective controls:

  • Review - Seek errors
  • Find - Identify errors
  • Define - Determine the nature of the errors
  • Correct - Correct the errors
115
Q

Net Worth Analysis

A

The logic behind a net worth analysis is that a person cannot spend more than he or she earns; an increase in net worth or spending that known income cannot explain points to undisclosed funds.

116
Q

Check Digit

A

A type of input control consisting of a single digit at the end of an identification code that is computed from the other digits in the field. If the code is mis-keyed, recomputing the check digit from the keyed digits reveals a mismatch, and the field rejects the entry.
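The example below, added here and not part of the original deck, implements one common check-digit scheme, Luhn mod 10 (the card does not name an algorithm, so the choice is this example's assumption): it issues a code, validates keyed entries, and shows which mis-keys are caught. The identification codes are constructed.

```python
"""Check digit as an input control: compute, append, and validate with the Luhn
mod-10 scheme (one common choice; the flashcard does not name an algorithm)."""


def luhn_check_digit(body: str) -> int:
    """Return the single check digit that makes body + digit pass the Luhn test."""
    if not body.isdigit():
        raise ValueError("identification code must be all digits")
    total = 0
    # Walk from the rightmost body digit. That digit sits next to the check digit,
    # so it gets weight 2; weights then alternate 2, 1, 2, 1 moving left.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def with_check_digit(body: str) -> str:
    """Issue a code: the identification digits followed by their check digit."""
    return body + str(luhn_check_digit(body))


def is_valid(code: str) -> bool:
    """Field-level input control: recompute the check digit from the leading digits
    and accept the entry only if it matches the keyed trailing digit."""
    if len(code) < 2 or not code.isdigit():
        return False
    return luhn_check_digit(code[:-1]) == int(code[-1])


if __name__ == "__main__":
    issued = with_check_digit("7992739871")   # -> "79927398713"
    single_digit_error = "79927398703"        # one digit mis-keyed (1 keyed as 0)
    transposition = "79927389713"             # adjacent "98" keyed as "89"
    for entry in (issued, single_digit_error, transposition):
        print(entry, "accepted" if is_valid(entry) else "rejected")
    # Known limitation: Luhn cannot tell adjacent "09" from "90".
    print(is_valid(with_check_digit("1090")), is_valid("19000"))
```

Luhn catches every single-digit error and every adjacent transposition except 09/90, so both "10900" and "19000" pass; an application that needs that case covered has to use a different weighting scheme. The check also only detects keying errors: a syntactically valid code for the wrong customer is accepted, which is why the card lists user review as a separate control.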

117
Q

CSR Elements

A

A CSR program can be audited by its program elements or by its stakeholder groups. When auditing by elements, the audit should consider how compliance with laws, regulations, and contractual obligations is managed. Elements to audit by include the following:

  • Governance
  • Ethics
  • Environment
  • Transparency
  • Health, Safety, and Security
  • Human rights and work conditions
  • Community investment
118
Q

ISO 31000 Definition of Risk

A

The effect of uncertainty on objectives.

119
Q

CSR Program CAE approaches..

A

Auditing, facilitating, and consulting are all approaches the CAE may take in evaluating an organization’s CSR program.

120
Q

Checklist

A

Increases the uniformity of data acquisition because the same data must be collected each time the checklist is used.

121
Q

Programmed Balancing Control

A

Mitigates the risk of processing the wrong file. It ensures the accuracy and completeness of file updating by verifying the consistency of opening and closing balances (the opening balance of this run must equal the closing balance of the prior run, and opening balance plus the batch's net transactions must equal the new closing balance), thus ensuring that the right file is processed.
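The example below, added here and not part of the original deck, shows a run-to-run balancing routine for a batch master-file update. It refuses to post when the mounted file's control total does not match the prior run's closing total (a stale generation was picked up) and refuses to commit when the recomputed closing total does not equal opening plus batch net (a transaction was dropped). The account numbers, balances and file generations are constructed, and the function names are this example's own.

```python
"""Programmed run-to-run balancing for a batch master-file update. Sample data is
constructed for this example; account numbers and amounts are hypothetical."""
from decimal import Decimal
from typing import Dict, List, Tuple

Master = Dict[str, Decimal]          # account number -> balance (the file's records)
Batch = List[Tuple[str, Decimal]]    # (account number, signed amount) per transaction


class BalancingError(Exception):
    """An opening or closing control total failed to reconcile; the run is aborted."""


def control_total(records: Master) -> Decimal:
    return sum(records.values(), Decimal("0"))


def update_master(master: Master, trailer_total: Decimal,
                  last_run_closing: Decimal, batch: Batch) -> Decimal:
    """Post one batch and return the new closing control total.

    Opening check: record total, trailer total and the previous run's closing total
    must agree, which shows the right generation of the file was mounted.
    Closing check: opening + batch net must equal the recomputed record total,
    which shows every transaction was posted exactly once."""
    opening = control_total(master)
    if opening != trailer_total:
        raise BalancingError(f"records total {opening} but trailer says {trailer_total}")
    if opening != last_run_closing:
        raise BalancingError(
            f"opening {opening} != last run's closing {last_run_closing}: wrong file generation")

    batch_net = sum((amount for _, amount in batch), Decimal("0"))
    posted = dict(master)
    for account, amount in batch:
        if account not in posted:
            # Deliberately naive: an unmatched transaction is skipped. A real program
            # would write it to a suspense file; here the closing check catches the drop.
            continue
        posted[account] += amount

    closing = control_total(posted)
    if closing != opening + batch_net:
        raise BalancingError(
            f"closing {closing} != opening {opening} + batch net {batch_net}: posting incomplete")
    master.clear()
    master.update(posted)            # commit only after both checks pass
    return closing


def run(master: Master, trailer_total: Decimal, last_run_closing: Decimal, batch: Batch) -> str:
    """Report the outcome as a one-line run log entry."""
    try:
        return f"OK closing={update_master(master, trailer_total, last_run_closing, batch)}"
    except BalancingError as exc:
        return f"REJECTED: {exc}"


# Constructed sample: generation 2 is the current master file (closing total 1250 after
# the last run); generation 1 is a stale copy left on the same volume.
GEN2 = {"A-100": Decimal("1000"), "A-200": Decimal("250")}
GEN1 = {"A-100": Decimal("900"), "A-200": Decimal("250")}
LAST_CLOSING = Decimal("1250")
BATCH = [("A-100", Decimal("-300")), ("A-200", Decimal("75"))]

if __name__ == "__main__":
    print(run(dict(GEN1), Decimal("1150"), LAST_CLOSING, BATCH))                 # wrong file
    print(run(dict(GEN2), Decimal("1250"), LAST_CLOSING,
              BATCH + [("A-999", Decimal("50"))]))                                  # dropped posting
    print(run(dict(GEN2), Decimal("1250"), LAST_CLOSING, BATCH))                 # good run
```

The good run closes at 1025 and becomes the opening control for the next run. Nothing is written back until both checks pass, so a rejected run leaves the master file exactly as it was mounted, which is what lets the operator simply mount the correct generation and rerun.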