exam 2 Flashcards

1
Q

Fraud Legal Definition

A
  1. a false statement, representation, or disclosure is made
  2. The fact is a material fact that induces a person to act
  3. the fact was made with the intent to deceive
  4. a justifiable reliance on the fraudulent fact in which the person was taking action
  5. an injury or loss was suffered by the victim
2
Q

Three sides of the fraud triangle

A

Opportunity, rationalization, pressure

3
Q

Opportunity triangle

A

commit, conceal, convert

4
Q

Rationalization triangle

A

attitude, lack of personal integrity, justification

5
Q

employee pressure triangle (pressure)

A

financial, emotional, lifestyle incentives

6
Q

financial statement pressure triangle

A

financial, management characteristics, industry conditions

7
Q

misappropriation of assets

A
  • theft of company assets

most common, smaller amounts with each instance

8
Q

largest factors for theft of assets

A
  • absence of internal controls system
  • failure to enforce the internal control system

9
Q

fraudulent financial reporting

A

intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements

10
Q

corruption

A
  • wrongful use of a position to procure benefits
  • kickbacks, conflicts of interest

11
Q

lapping

A

concealing the theft of cash through delays in posting collections to accounts receivable: often through applying payments to different customer balances

12
Q

kiting

A

creating cash using the lag time between when a check is deposited and the time it clears the bank

13
Q

auditing standard SAS 99 (now AU-C 240)

A
  • understand fraud
  • discuss risks of material fraudulent statements amongst audit group
  • obtain evidence supporting if fraud has occurred or not
  • evaluate the results of other audit tests
  • document and communicate findings
  • professional skepticism
  • incorporate technology focus
14
Q

input fraud

A

alteration or falsifying input of data in the AIS: you have the ability to input this data as a part of your responsibilities

15
Q

Processor fraud

A

unauthorized system use, like using work computers for non-work activities or using access you incidentally have in the AIS but shouldn't be using

16
Q

computer instruction fraud

A

modifying software to do unintended things, illegal copying of software, creating software to undergo unauthorized activities

17
Q

output/data fraud

A

stealing, copying or misusing AIS reports/printouts or displaying information

18
Q

Foreign Corrupt Practices Act (FCPA)

A
  • first piece of regulation that required internal controls - 1970s
  • did not require an audit of the controls
19
Q

Sox act- MGMT rules

A
  • Management is responsible for setting up internal controls over financial reporting; other operational controls are good, just not necessary for SOX compliance
  • auditors are told about material internal controls weaknesses and fraud even if it's immaterial
20
Q

Sox act- External audit

A
  • Audit partners must rotate periodically
  • prohibited from performing certain non-audit services (consulting)

21
Q

SOX- new audit committee rules

A
  • still part of board of directors with new independence rules (can't be employees)
  • one member must be a financial expert
  • oversees external audit
22
Q

Sox- Creation of PCAOB

A
  • entity that oversees the external audit profession including process review and approv
23
Q

COSO

A

Committee of Sponsoring Organizations, like US GAAP rules for internal controls

24
Q

ERM Framework

A

broad focus on strategic planning, setting risk the company is willing to take on

25
Internal controls- integrated framework
this is the cube, many companies claim on their 10k that they follow the IC cube as a part of their internal controls
26
5 elements of the front of the cube
control environment, risk assessment, control activities, information and communication, monitoring activities
27
control environment
  • how does management show "tone at the top"
  • established by setting up board of directors, and independent audit, communication of ethics and values, organizational structure, HR activities
28
risk assessment
  • event identification
  • risk assessment
  • risk response
29
impact risk assessment
how much money will you lose or how much will your reputation take a hit
30
likelihood risk assessment
how often will this risk happen
31
inherent risk response
cost potential if the risk is not controlled
32
residual risk response
remaining risk after the controls are put in place
33
cost of control
costs that go along with trying to implement a control and setting up cost benefit on this
34
control activities
when determined to be appropriate and cost effective, internal controls are set into place: manual, automatic, preventative or detective
35
information and communication
management should use a system that gathers information accurately and communicates it on demand
36
monitoring
the 4 above components should be monitored by the company to ensure they are in place, and deficiencies found in any component are communicated by auditors to the audit committee
37
top of the cube
  • operations: day to day decisions and efficiency
  • reporting: SOX
  • compliance: OSHA, IRS, HIPAA, PCI
38
COSO-IC and COSO-ERM
Address organizational-wide internal controls
39
business process controls
designed to address specific financial risks
40
COBIT
focuses on information technology internal control
41
IT general control
  • the risks that information stored electronically is complete and accurate
  • developed by the Information Systems Audit and Control Association (ISACA)
42
IT Controls
intended to secure information and protect the functionality of any financially impacted system- broad and not linked to just one cycle
43
Business process controls
intended to address a specific business process cycle's risks. This may be automated or manual
44
IT department responsibility
recording and custody
45
accounting department responsibility of IT controls
Authorization
46
Risk: Inappropriate user gains access to the AIS or database
controls:
  • each user given unique ID
  • authentication layers
  • new user ID should be approved prior to access
  • User ID of employee who leaves should be promptly removed
  • users who change job responsibility should have access to AIS updated
  • access reviewed periodically
  • ability to change user access is restricted
  • strong passwords
  • physical access to databases is limited
  • employees required to take security training
47
tasks
the individual function a user can do in the AIS
48
roles
the AIS groups together tasks to save time in granting access and assign a role (clerk, manager)
49
Authentication examples
  • passwords
  • randomized PINs that are required in addition to the password
  • biometrics
Requiring more than one of these is referred to as multifactor authentication
50
physical access controls
  • requiring keys
  • security guards
  • laptops should be locked down in work places
  • camera surveillance
  • visitor escorts
51
Risk: unauthorized disclosure of financial data or privacy data
controls:
  • read only access should be restricted
  • encryption
  • shredding of printed reports
  • firewalls
  • virus detection software
  • review suspicious activity
  • penetration tests
52
encryption
makes it to where you have to have a key to access a certain document, and if you don't, when you open it all you will see is gibberish
53
digital certificates
built into electronic documents/transactions, this certifies the owner of the document is who they say they are
54
digital signatures
confirms who created the file and that it has not been altered since it was last saved by the creator
55
what should be encrypted
  • financial data
  • EDI, FEDI, EFT transactions
  • Ecommerce activity
  • employee activity over the corporate network (VPN)
  • company info stored on personal devices
  • emails with sensitive data
  • excels with sensitive data
56
Encryption regulations
  • Payment Card Industry (PCI)
  • HIPAA
  • customer data maintained in the financial services industry (Gramm-Leach-Bliley Act)
  • EEOC: personal info of company employees
57
firewall
brick wall around the server so no one outside can get in
58
hacking
when firewalls fail or other control weaknesses are identified, hackers obtain unauthorized access to systems and data by:
  • exploiting weaknesses in the code
  • guessing passwords
  • viruses
  • keystroke loggers
59
intrusion detection systems
helps identify if anyone has gained access to the system
60
risk: changes are made to the AIS code that makes financial data incomplete or inaccurate
controls:
  • changes to the AIS should be tested and approved
  • ability to implement coding changes is restricted
  • changes are logged by IT
  • AIS updates/patches offered by the vendor
61
development version
dummy version of the system to test on
62
production version
the live scale version of the AIS
63
testing is done by
developers and managers
64
risk: transactions are not processed/saved by the AIS completely or accurately
controls:
  • online processing integrity controls and batch process controls
  • real time or batch processing transactions that fail/error should notify IT and ACCT to be reviewed
  • reviews of financial information should be performed periodically (this risk is generally addressed by business process controls)
65
Risk: AIS data is not available when needed, resulting in inaccurate or incomplete financial data
controls:
  • backups
  • data center controls reduce the risk of system downtime
  • disaster recovery plans clearly defined
  • business continuity plans should be defined for non-IT functions
66
data center controls
  • natural disaster proof
  • adequate AC uninterrupted power supply or backup generators
  • physical access is restricted
67
incremental backups
captures all activity since the last backup was performed
68
differential backup
captures all activity since last full backup was performed
69
disaster recovery plans
how a company will restore its IT functions when the data center fails due to disaster
70
business recovery plans
how a company restores business process functions when the company's operations are affected by disaster
71
cold site (disaster recovery)
cheapest, slow, and the company purchases rights to an empty warehouse to set up
72
hot site (disaster recovery location)
Expensive and fast, a duplicate of the current data center and backed up frequently
73
warm site (disaster recovery site)
in between the two and may have stuff in it but not a duplicate site
74
Changes in AIS (waterfall method)
request- authorization- development- testing- approval- implementation
75
changes in AIS (agile method)
request (auth)- development- test- user- develop- user......- test- approve- implement (little sprints rather than one long marathon)
76
Sales organization
the organizational unit that is responsible for the sale and distribution of goods and services
77
distribution channel
the structure through which salable materials or services reach customers
78
a sales organization must be linked to
a plant
79
controlling module
assigns costs and revenues to appropriate subledgers
80
outbound delivery
picking, packing, and transportation scheduling are accomplished through the creation of this
81
material master record
automatically proposes data for pricing, delivery, schedule, weight volume and tax determination
82
a given delivery can be carried out by multiple shipping points
false
83
a delivery cannot be created if the order is for less than the minimum order quantity
false
84
document flow
processing status of a given sale can be determined by referencing this
85
delivery unit
unit in which sold materials can be delivered is the
86
Database
where all data (transaction and master data) used by an AIS is stored
87
Relational Database Model
data is stored in separate tables but structured together to where they are linked
88
who is the database administrator (DBA)
IT
89
attributes
columns
90
records
rows
91
fields
individual cells
92
primary key
every item has one of these and it is an attribute or combination of attributes that can be used to uniquely identify a specific row in a table
93
Foreign key
an attribute in one table that is a primary key in another table
94
Non-Key
an attribute that describes a key (name, color, price)
95
Design requirements for relational databases
  1. every attribute must be single valued
  2. primary keys must contain data (not null) and cannot have duplicates
  3. foreign keys must be the primary key in another table
  4. all other non key attributes must identify a characteristic of the table identified by the primary key
96
update anomaly
changes to existing data on one table may not update another table that uses the data (when not properly linked)
97
insert anomaly
unable to add a new record to the database tables if the primary key is not defined
98
delete anomaly
removing a record also removes other unintended data from the database (delete one thing messes up something else)
99
Data integration
if properly set up a database can be accessed by various programs
100
data sharing
with data in one place it is more easily accessed by, and limited to, only authorized users
101
minimizing data redundancy and data inconsistency
eliminates the same data being stored in multiple files/places, thus reducing inconsistency in multiple versions of the same data
102
data independence
data is separate from the programs that access it
103
cross functional analysis
relationships between data from various organizational departments can be more easily combined
104
risk: info stored in the database is not complete/accurate
controls:
  • access is approved upon hire and taken away upon termination (prevent)
  • access should be reviewed periodically (detective)
  • non-routine changes to the DBMS should be tested and approved (prevent)
  • log of changes is reviewed to make sure appropriate (detective)
  • log of changes cannot be edited (detective); this one supports the prior one
105
Risk: info stored in the database is leaked to unauthorized users
controls:
  • login with password required
  • encryption
106
SELECT
required and shows the output of attributes
107
FROM
required and shows from what table
108
WHERE or HAVING
optional, applies a filter to the data
109
GROUP BY
optional, consolidates like records together
110
ORDER BY or SORT BY
optional- organizes the output by date, alphabetically, numerically, etc
111
JOIN or JOIN ON
used to link together two or more tables
112
customer master record
Financial accounting and sales logistics are linked primarily through the
113
vendor number
The account used to track amounts owed to a vendor is the
114
procurement logistics
Authorization to make payments to vendors for goods purchased comes from
115
primary costs
The costs transferred from financial accounting to controlling are known as
116
distribution
The allocation method in which a primary cost is allocated to a receiver cost object is a
117
The use of allocations helps enhance data entry accuracy by increasing the amount of data entry at the time the cost is initially recorded.
False
118
An entry to a primary expense account in Financial Accounting results in an automatic entry to the related cost object in Controlling.
true
119
A given company code may have multiple controlling areas
False