Control, Security & Audit Flashcards

1
Q

An internal control is…

A

…any action taken by management to enhance the likelihood that established objectives and goals will be achieved

2
Q

The internal control system comprises…

A

…the control environment and control procedures.
It includes all the policies and procedures adopted by the directors and management of an entity to assist in achieving their objective of ensuring the orderly and efficient conduct of its business, including:
1. Adherence to internal policies
2. Safeguarding of assets
3. Prevention and detection of fraud and error
4. Accuracy and completeness of accounting records
5. The timely preparation of reliable financial information

3
Q

The control environment is…

A

…the overall context of control; the attitude of directors and managers towards control
…the overall attitude, awareness and actions of directors and management regarding internal controls and their importance in the entity
…management style, corporate culture and values shared by all employees
…the background against which the various other controls operate

4
Q

Control procedures are…

A

…the detailed controls in place
…policies and procedures in addition to the control environment which are established to achieve the entity’s specific objectives

5
Q

Elements of a strong control environment: (6)

A
  1. Clear strategies
  2. Culture, code of conduct, HR policies and performance reward systems support objectives, risk management and internal control systems
  3. Senior management’s commitment to competence, integrity and fostering a climate of trust
  4. Clear definition of authority, responsibility and accountability
  5. Communication
  6. Knowledge, skills and tools to support objectives
6
Q

Controls can be classified in various ways:

A
  1. Administrative & accounting
  2. Prevent, detect & correct
  3. Discretionary & non-discretionary
  4. Voluntary & mandated
  5. Manual & automated
7
Q

Classification of controls: Administration:

A

Concerned with achieving objectives and implementing policies; relate to channels of communication and reporting responsibilities

8
Q

Classification of controls: Accounting:

A

Aim to provide accurate accounting records and achieve accountability;
Apply to recording transactions and establishing responsibilities for records, transactions and assets

9
Q

Classification of controls: Prevent:

A

Prevent errors from happening in the first place;

Checking invoices from suppliers against GRNs before paying

10
Q

Classification of controls: Detect:

A

Detect errors once they have happened;

Bank reconciliations; Physical checks of inventory against inventory records

11
Q

Classification of controls: Correct:

A

Designed to minimise or negate the effect of errors;

Backup of computer input

12
Q

Classification of controls: Discretionary:

A

Subject to human discretion

Checking a signature on a PO

13
Q

Classification of controls: Non-discretionary:

A

Provided automatically by the system; cannot be overridden;

PIN at an ATM

14
Q

Classification of controls: Voluntary:

A

Chosen by the organisation to support the management of the business

15
Q

Classification of controls: Mandated:

A

Required by law; imposed by external authorities

16
Q

Classification of controls: Manual:

A

Demonstrate a one-to-one relationship between the processing functions and the controls, and the human functions

17
Q

Classification of controls: Automated:

A

Programmed procedures designed to prevent, detect and correct errors all the way through processing

18
Q

Classification of controls: General:

A

Used to reduce the risks associated with the computer environment; Relate to the environment in which the application is operated

19
Q

Classification of controls: Application:

A

Used to reduce the risks associated with the computer environment; Prevent, detect and correct errors

20
Q

Classification of controls: Financial:

A

Focus on key transaction area, emphasis being on safeguarding assets and maintenance of proper accounting records and reliable financial information

21
Q

Types of Financial Control Procedures: (8 - ‘SPAMSOAP’)

A
  1. Segregation of duties
  2. Physical
  3. Authorisation & approval
  4. Management
  5. Supervision
  6. Organisation
  7. Arithmetical and accounting
  8. Personnel
22
Q

Internal controls should not be confused with internal checks which are…

A

…the checks on the day-to-day transactions whereby the work of 1 person is proved independently or is complementary to the work of another, the object being the prevention / early detection of errors and fraud;
Delegation
Allocation of authority and the division of work
Method of recording transactions
Use of independently ascertained totals

23
Q

Arithmetical internal checks include: (3)

A
  1. A pre-list drawn up before any processing takes place
  2. A post-list drawn up during or after processing
  3. A control total used for control purposes by comparing to another total that ought to be the same
24
Q

Characteristics of a good internal control system: (11)

A
  1. Clearly defined organisation structure (overall coordination of company activities)
  2. Adequate internal checks
  3. Acknowledgment of work done (Signatures)
  4. Physical security
  5. Formal documents acknowledging transfer of goods
  6. Pre-review
  7. Clearly defined system for authorising transactions
  8. Post-review
  9. Authorisation, custody and re-ordering procedures (Access to assets limited to authorised personnel)
  10. Capable and qualified personnel
  11. Internal audit department
25
Q

Internal audit is…

A

…an independent appraisal activity established within an organisation as a service to it; control which functions by examining and evaluating the adequacy and effectiveness of other controls; Part of the internal control system

26
Q

The need for internal audit will depend on: (7)

A
  1. Scale, diversity and complexity of activities
  2. Number of employees
  3. Cost-benefit consideration
  4. Changes in structure, reporting processes or information systems
  5. Changes in key risks
  6. Problems with internal control systems
  7. Increased number of unexplained or unacceptable events
27
Q

Objectives of Internal Audit: Work may cover the following tasks: (8)

A
  1. Review of accounting and internal control systems
  2. Examination of financial and operating information
  3. Review of the economy, efficiency and effectiveness of operations
  4. Review of compliance
  5. Review of safeguarding assets
  6. Review of implementation of corporate objectives
  7. Identification of significant business & financial risks
  8. Special investigations
28
Q

The 2 main features of internal audit:

A
  1. Independence
  2. Appraisal (not carry out any organisational work themselves)

29
Q

Accountability: The internal auditor is accountable to the Audit committee for 3 main reasons:

A
  1. Auditor needs access to all parts of the organisation
  2. Auditor should be free to comment on management performance
  3. Auditor’s report may need to be actioned at the highest level
30
Q

External audit is…

A

…a periodic examination of the books of account and records of an entity carried out by an independent third party to ensure:

  • they have been properly maintained
  • accuracy and compliance with established concepts, principles, accounting standards and legal requirements
  • they give a true and fair view of the financial state of the entity
31
Q

IT Systems: Security can be divided into a number of aspects: (6)

A
  1. Prevention
  2. Detection
  3. Deterrence
  4. Recovery procedures
  5. Correction procedures
  6. Threat avoidance
32
Q

Physical access controls: (4)

A
  1. Personnel
  2. Door locks
  3. Key pad / card entry system
  4. Intruder alarms
33
Q

Controls in an information system: (3)

A
  1. Security controls
  2. Integrity controls
  3. Contingency controls
34
Q

Security controls can be defined as…

A

…the protection of data from accidental or deliberate threats which might cause unauthorised modification, disclosure or destruction of data and the protection of the information system from the degradation or non-availability of services

35
Q

Risks to data: (8)

A
  1. Human error
  2. Technical error
  3. Natural disasters
  4. Deliberate actions
  5. Commercial espionage
  6. Malicious damage
  7. Industrial action
  8. Malware programs
36
Q

Integrity controls consist of: (2)

A
  1. Data integrity
  2. Systems integrity

37
Q

Data integrity is…

A

…preserved when data is the same as in source documents and has not been accidentally or intentionally altered, destroyed or disclosed

38
Q

Systems integrity is…

A

…system operation conforming to the design specification despite attempts to make it behave incorrectly

39
Q

Integrity controls include: (5)

A
  1. Input controls:
    a. Data verification (Matches source documents)
    b. Data validation (Check digits, control totals, hash totals, range checks, limit checks)
  2. Processing controls
  3. Output controls
  4. Back up controls
  5. Archiving
40
Q

Back up means…

A

…to make a copy in anticipation of future failure or corruption. A back-up copy is a duplicate kept separately from the main system; only used if the original fails

41
Q

A password is…

A

…a set of characters which may be allocated to a person, a terminal or a facility which is required to be keyed into the system before further access is permitted

42
Q

An audit trail is…

A

…a record showing who has accessed a computer system and what operations he or she has performed.

43
Q

A contingency is…

A

…an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures

44
Q

A disaster recovery plan must provide for: (3)

A
  1. Standby procedures
  2. Recovery procedures
  3. Personnel management policies
45
Q

Types of audit: (5)

A
  1. Operational audit
  2. Systems audit
  3. Transactions audit
  4. Social audit
  5. Management investigations
46
Q

An operational audit may also be known as a(n):

A
  1. Management audit
  2. Efficiency audit
  3. Value for money audit