Exam 3 - Section 3 Internal Controls Flashcards

Question 1

Q

What is an internal control/management control? And why are they implemented?

Answer

A

The systems and method managers use to provide reasonable assurance that their organizations accomplish what is intended in an efficient and effective manner, while avoiding undesirable results, producing reliable reports, and comply with rules and regulations to safeguard its assets

To accomplish certain results, prevent problems or or detect problems that have occurred

Question 2

Q

What is an example of an internal control when you:
1. Want to wake up by a certain time
2. Retire by 60

Answer

A

Getting to work on time
- Control Objective: wake up by a certain time
- Control activity have alarm go off at that time

Retiring by 60
- control objective: to retire by 60
- control activity: contribute to 401(k) plan, or that you save a certain amount each day.

Question 3

Q

What is the expectation of a control?

Answer

A

To provide reasonable assurance of accomplishing the objectives

Controls are not infallible, and could be a circumvented

Question 4

Q

What did the Budget and Accounting Procedure Act of 1950 require?

Answer

A

Requires each federal agency head to establish and maintain internal controls

Question 5

Q

What does the Federal Managers’ Financial Integrity Act of 1982 (FMFIA) require?

Answer

A

Requires GAO to prescribe standards of internal control (GAO issued Standards for Internal Control in the Federal Government?
requires the Director of OMB to establish guidelines for the valuation agencies of their systems of internal control
requires agency heads to evaluate controls on annual basis, report any control weaknesses and provide corrective action plans

Question 6

Q

What did the Single Audit Act of 1984 (amended in 1996) require?

Answer

A

requires audit with state/local governments and NFP organizations receiving federal, financial assistance
the objectives of the audits include the terminate whether the recipient has adequate internal accounting controls and applies with laws and regulations

Question 7

Q

What did the Sarbanes-Oxley Act of 2002 require? Why was it enacted?

Answer

A

requires publicly traded companies to include an assessment of the effectiveness of controls for financial reporting in its annual report
requires the auditor to attest to and report on management’s assessment
it was enacted as a result of financial and accounting scandals in 2000 and 2001

Question 8

Q

Why was the Fraud Reduction and Data Analytics Act of 2015 enacted?

Answer

A

To improve federal agency financial and administrative controls and procedures to assess and mitigate fraud risks
- to improve federal agencies development, and use of data analytics for the purpose of identifying, preventing, and responding to fraud, including improper payments
- required OMB to establish guidelines for federal agencies to use GAO’s A Framework for Managing Fraud Risks in the Federal Programs to implement control, activities related to fraud management
- Requires agencies to based approach to design and implement controls to mitigate identified fraud risks

Question 9

Q

What did the CFO Act of 1990 (CFO Act) require?

Answer

A

Requires the CFO to develop and maintain an integrated agency, accounting and financial management system, including financial reporting and internal controls
Required a pilot of federal agencies produced an annual audited financial report and a report on internal control

Question 10

Q

What did the Government Management Reform Act of 1994 (GMRA) require?

Answer

A

Expanded the requirements of the CFO Act I requiring 24 CFO Act agencies to prepare audited, financial statements, and by mandating and audited annual consolidated financial statement for the executive branch of the federal government

Question 11

Q

What did the Federal Financial Management Improvement Act of 1996 (FFMIA) require?

Answer

A

Requires agencies to follow federal accounting standards, financial management system requirements for the federal government and the treasury, standard general ledger at the transaction level necessitating sound internal controls

Question 12

Q

What did the Accountability of Tax Dollars Act of 2002 require?

Answer

A

It expanded the requirement for an annual audit to virtually every federal agency

Question 13

Q

What does OMB Circular A-123 management responsibility for enterprise risk management and internal control require?

Answer

A

Financial managers must establish and achieve goals and objectives, seizing opportunities to improve efficiency and effectiveness of operations, reliable, reporting, and compliance with laws and regulations
Implementing and managing practices to identify, assess, respond, and report on risks
Requires agencies to integrate risk management and internal control functions

Question 14

Q

What does GAO’s standards for internal controls in the federal government (green book) require?

Answer

A

Required and outlines processes that management must implement in order to
Assess and improve internal controls over compliance, operations, and reporting

Question 15

Q

What compliance requirements should agencies consider when implementing OMB circular A-123?

Answer

A

Management is responsible for governance structure effectively implement, direct oversee the implementation of circular A 123 and all the provisions of a robust internal control and risk assessment process
Agency should leverage existing offices for the monitor risk and the effectiveness of internal control
should develop a maturity approach to the adoption of an ERM framework. And continually update approaches to identify new and emerging risks
Manage must use Greene book to assess internal control

Question 16

Q

What did OMB Circular A 123 Appendix A do?

Answer

A

Strengthened management’s risk assessment processes for data quality
Align appendix A with other policies

Question 17

Q

What did OMB Circular A 123 Appendix B do?

Answer

A

Addresses improving management Government charge cards

Question 18

Q

What did OMB Circular A 123 Appendix C do?

Answer

A

Covers requirements for effective measurement and remediation of improper payments

Question 19

Q

What did OMB Circular A 123 Appendix D do?

Answer

A

Guides guidance for determining compliance with the CFO act and FFMIA

Question 20

Q

What does OMB circular a 130 — management of federal information resources require?

Answer

A

Established minimum set of controls in federal automated information Security programs and linked these to agency internal control systems (A123)

Question 21

Q

What does GAO’s standards of internal control for federal government provide?

Answer

A

Provides the overall framework for establishing and maintaining internal control

Question 22

Q

What should internal controls help managers do?

Answer

A

achieve program objectives and organizational goals
operate efficiently and effectively (acquire personnel and resources by reducing waste fraud and abuse)
prepare reliable performance and financial reports (maintaining performance measures, transaction data, and the organization properly processes, records transactions, so reports can be prepared easily)
comply with laws and regulations
Safeguard assets

Question 23

Q

What are agencies accountable for?

Answer

A

achieving program objectives
using resources efficiently
comply with legal requirements
Provide accurate, reliable and relevant data on performance and financial operations
Safeguarding assets

Question 24

Q

What type of assurance do internal controls provide?

Answer

A

Reasonable, not absolute, assurance

They are intended to provide a satisfactory level of confidence that an organization will achieve its programmatic goals, and minimize fraud, waste, and abuse

Question 25

Q

What are some factors outside of the control of management that can affect an entities ability to achieve all of its goals?

Answer

A

human error
judgment error
Collusion to circumvent control

Question 26

Q

What must management consider with regard to the cost and extent of control?

Answer

A

consider the cost (dollars and intangibles ) an extent of the control for the given program
Cost cannot exceed its benefit
Internal controls should be designed and implemented related to their cost and benefit
can you develop an alternative control with slightly less benefit, but cost a lot less
prevention controls cost more than detection controls

Question 27

Q

What are some examples of costs of controls?

Answer

A

documented an action is inexpensive
supervisory approval is inexpensive when the dollar amount is high
supervisor approval is expensive when the dollar low
Developing reports can be expensive but necessary

Question 28

Q

What are some non-financial factors that management should consider with regard to internal controls?

Answer

A

A control can be costly and not save that much money. However, some financial factors such as losing private data can lead to privacy concerns, litigation, loss of reputation, etc.

Question 29

Q

What did the Committee of Sponsoring Organizations (COSO) of the Treadway Commission do?

Answer

A

Developed the internal control framework

Question 30

Q

When was the Treadway Commission developed and why?

Answer

A

1980s
created as a result of instances of fraudulent, financial reporting and audit failures, particularly in the private sector

Question 31

Q

What standards use the COSO framework?

Answer

A

Generally Accepted Auditing Standards, developed by the AICPA
International standards for the professional practice of internal auditing, developed by the IIA
Government auditing standards issued by GAO

Question 32

Q

What did the May 2013 COSO update do?

Answer

A

It did not change the basic structure of the framework, but it did enhance and clarify it
17 principles were added (to align with the five components)
87 points of focus were added (GAO calls these attributes)

Question 33

Q

What did GAO’s 2014 update of the standards of internal control for the federal government (green book ) do?

Answer

A

Mirrors, the COSO framework, but eliminates the reference to the private sector board Directors ([GAO calls them an oversight body)

Question 34

Q

What does COSO state are the three objectives that agencies must meet with their internal controls?

Answer

A

Operations. — the efficiency and effectiveness of agency operations.
Reporting. — internal and external, financial, and non-financial.
Compliance.

Question 35

Q

What’s the first internal control component there should be considered?

Answer

A

Control environment

Question 36

Q

What is control environment and what does it provide?

Answer

A

It’s the foundation for an internal control system
Discipline and structure which affect the overall quality of internal control
It’s the piece upon which other four components of internal controls rest
People within and out that the organization is trustworthy and reports can be relied on

Question 37

Q

How many COSO principles are there for control environment and what are they?

Answer

A

Oversight body and management to demonstrate a commitment to integrity and ethical values.
Overlay body should oversee the entities internal control system.
Management to establish organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
Management to demonstrate commitment to recruit, develop, and routine, competent individuals
Management performance and hold individual accountable for internal control responsibilities.

Question 38

Q

What should be considered with regard to integrity and ethical values?

Answer

A

what is the tone at the top?
does Top management believe in ethics and demonstrate belief
do the organizations incentives emphasize short-term results and expense of long-term results?
How does management communicate its moral values?

Question 39

Q

What does tone at the top refer to?

Answer

A

management’s reputation for integrity, for dealing fairly with employees and customers, and for not tolerating unethical behavior

Question 40

Q

What are some indicators of management’s commitment to integrity and ethical values?

Answer

A

having a code of ethics (post around premises, ensure all new employees know it, periodic training, taking action in code is violated)
top management communicating it’s moral guidance in both in organized format and by its actions
Informing employees how to report behavior, and they must believe management will take action when notified (sexual harassment)
Doesn’t routinely override controls
Emphasis on long-term goals and not just short term goals (emphasizing short term can lead people into distorting accounting or performance records, or taking inappropriate actions to accelerate short-term accomplishments)
Actively discourages, unethical behavior when dealing with employees, customers, vendors, and creditors

Question 41

Q

What are some indicators of management’s commitment to competence?

Answer

A

clear understanding of knowledge/skills/abilities needed to perform a job and is considered successful performance
job descriptions are clear, realistic, current
employee are periodically evaluated and counseled
Organized training development programs
Supervision is properly matched organization needs
promotions are consistent with evaluation results

Question 42

Q

What are some good management and operating style philosophies?

Answer

A

not overly aggressive (focuses on long-term over short term)
Measures risk and assesses its consequences
Not taking excessive risks
Not making things seem better than they are
not seeking glory or agenda conflict with organizations core values
respect for accounting and internal controls
Supporting internal and external audit functions and cooperating with them
Self-discipline in accomplishing its objectives and comply with budgetary constraints

Question 43

Q

What are indicators of a good control environment regarding HR policies and procedures?

Answer

A

Policies and procedures that emphasize commitment to goals
Maintaining a competent staff
insuring ethical behaviors of staff
run background checks on new employees
appraise employee performance and counsel those not meeting performance requirements
Promote based on high-performance and encourage ethical behavior
conduct ethical training
take action when ethics or policies violated

Question 44

Q

How many risk assessment principles are there and what are they?

Answer

A

objectives should be clearly defined to identify risks and define risk tolerances
Identify, analyze, respond to risks related to objectives
consider fraud when identifying, analyzing, and responding to risks
Identify, analyze, and respond to significant changes that may impact internal control systems.

Question 45

Q

What are risk assessments and what do they provide?

Answer

A

what could prevent us from achieving our objectives?
Provide management with information on weaknesses in internal control

Question 46

Q

After identifying risks, what risk assessments consider?

Answer

A

The likeliness the risk will occur
The impact if it does occur

Question 47

Q

Which is more important: the likelihood of risk or the impact?

Answer

A

The impact. However, both likelihood and impact should be considered.

Question 48

Q

What are some steps that can be performed in a risk assessment process?

Answer

A

List all the risk that an organization believes can impact accompany it from achieving it’s objective.
Assess the likelihood of the risk occurring. (based on the quality of the internal controls in place.)
Assess the impact if it were to occur
assign a high, medium or low rating (or point value.) for both the likelihood and impact.
Assign an overall risk two event
6.

Question 49

Q

When is an overall low rating issued, and when is an overall high rating issued?

Answer

A

A low rating = low likelihood of occurring and low impact
A high rating = both likelihood and impact are high

Question 50

Q

What is a vulnerable item? What are some examples?

Answer

A

Items susceptible of being stolen or misused

Examples:
- cash
- Personal data
- electronics
- Bond bears
- other property that others are willing to risk a lot to obtain it (prescription drugs)

Question 51

Q

When are companies most vulnerable to risk?

Answer

A

When it doesn’t install controls for inherent risk

Question 52

Q

What type of risks are more difficult to mitigate?

Answer

A

External risks

Internal risks are easier to mitigate

Question 53

Q

What are the biggest risks for banks?

Answer

A

The value of collateral received for large loans

Question 54

Q

What are the biggest risk for not for profit organizations that provide grants to the federal government?

Answer

A

Providing services to the wrong recipient and the federal agency, considering all costs unallowable

Question 55

Q

What type of risk is greater: programmatic or financial?

Answer

A

Programmatic because it can cause financial and reputational damage

Question 56

Q

What type of risk is always present?

Answer

A

Fraud

Management should determine which activities are susceptible to fraud risk, and take steps to mitigate that risk
Management cannot do his job, unless there are steps to perfect and detect fraud

Question 57

Q

What does OMB Circular A-123 state needs decided after risk is assessed?

Answer

A

if the risk is accepted, and nothing will be done (low risk, or the cost is more than a benefit)
stop doing activity because the risk is too high
Except risk and put an internal control system in place to reduce it

Question 58

Q

What does OMB A-123 require with regard to risk?

Answer

A

Agencies must establish an ERM governance structure
The risk assessment process must be led by a high-ranking official (COO or equivalent)
May establish a chief risk officer, but not required
Should include a process for determining risk appetite and risk tolerance
Integrate ERM with management evaluation of internal control

Question 59

Q

What are control activities?

Answer

A

Actual procedures that organizations establish to help ensure they call the schools and avoid what they want to avoid

Question 60

Q

How many principles are there for control activities and what are they?

Answer

A

Management design control activities to achieve objectives and respond to risks
Management should define the entity, information system and related control activities to achieve objectives and respond to risk.
Management should implement control activities through policies.

Question 61

Q

What is a control activity?

Answer

A

Any process put into operation to ensure that the organization succeeds
can be a provision in a law, regulation, procedure, report, requirement to segregate duties, operating strategy, cash register, inspection process, documentation, training program

Example: lock on front door; reconciling bank statement; reviewing kids report card

Question 62

Q

What are some examples of control activities?

Answer

A

Assessing annual program performance targets
conducting top level reviews of performance
Managing human capital
Controls over information processing
Physical control over vulnerable assets
Accurately recording transactions
Separating duties
Establishing and reviewing performance measures and indicators

Question 63

Q

If there is a conflict between effectiveness and efficiency, which prevails?

Answer

A

Effectiveness virtually, always prevails over efficiency

It doesn’t make a difference how cheaply you can do something if it doesn’t achieve your goals

Controls must be efficient, effective, and cost-effective

Question 64

Q

What are the four ways that control activities can be classified?

Answer

A

Efficient and effective program operations
Validity and reliability data.
Compliance with laws and regulations.
Safeguarding of resources.

Answer 65

A

Written definition of an organization policy and procedures.
It’s record of actual events.

Policy statements and procedure handbook, as well as accounting and personnel records

Answer 66

A

Quality information to achieve the entities objectives should be used.
Internally communicate the necessary quality information to achieve the entities objectives
Should externally communicate the necessary quality information to achieve the entities objectives.

Answer 67

A

Policy and procedures that management has implemented to reasonably ensure resources are predicted against fraud, waste, loss and misuse

Answer 68

A

Cash.— access to cash should be restricted in cash should be periodically counted in compared with recorded accountability.
Inventory.— procedures should be in place to only order those types and amounts of materials and supplies needed and to ensure proper receipt, storage, and use of the item. Also access to inventory should be restricted, and withdrawals made only one authorized.
Equipment.— procedures should exist to tag equipment periodically count items.

Answer 69

A

Separation of duties (cornerstone)
Restricting access to resources and records.
Periodic reconciliation.

Answer 70

A

Techniques that organizations use to ensure they continue to operate effectively and efficiently
Involves both day-to-day reviews and separate evaluations

Answer 71

A

Establish and monitoring activities to monitor the internal control system and evaluate the results
Remediate identified internal control deficiencies on a timely basis.

Answer 72

A

Supervision

Can be a regular ongoing formal process (quarterly review of the budget or annual performance evaluation) or it can be informal (frequently comparing budget, cost with actual or regular feedback to employees regarding their performance)

Answer 73

A

Requires department and agency heads to evaluate and provide annual assurance statements to the president and Congress on their internal controls

Answer 74

A

Referred to the person responsible for the operation, and at least one level of management above that person

Serious matters should go to higher levels of management

Answer 75

A

Management must promptly addressed incorrect deficiencies

Organizations should have systems in place to evaluate any findings

Answer 76

A

Management

Answer 77

A

General controls (applies to all IT systems)
Application controls (designed to cover the processing of data within application software)

Answer 78

A

Information system, general controls (at the entity, wide, system, and application levels) are the policies and procedures that apply to all or large segment of an entities information systems.

Facility the proper operation of information systems by creating the environment for proper operation of application controls

Answer 79

A

security management
Logical and physical access
Configuration management
Segregation of duties
Contingency planning

Answer 80

A

Back up in recovery procedures
contingency and disaster planning
Job set up and scheduling procedures and controls over operator activities

Answer 81

A

Control over the acquisition, implementation, and maintenance of all system software, including the operating system, database management systems, telecommunications, security, software, and utility programs

Answer 82

A

restrictions on system users that restrict access to only system functions they need
Software and hardware firewalls to restrict access to assets, computers, and networks by external persons
Frequent changes of passwords and deactivation of former employees passwords

Answer 83

A

provide structure for safely developing new systems and modifying existing systems

Includes:
- Documented requirements
- Authorizations for undertaking projects
- Reviews, testing, and approvals of development and modification activities before placing systems into operation

Answer 84

A

Ensure completeness, accuracy, authorization, and validity of all transactions during application processing

Answer 85

A

At an application, interfaces with other systems, to ensure that all inputs are received in our valid and outputs, are correct, and properly distributed

An example is a systems, computerized checks, built into the system to review the format, existence, and reasonableness of the data before processing

Answer 86

A

A management concept that seeks to promote efficiency and effectiveness in government operations within an organization

Different than outsourcing, where a third-party is paid to provide a service

Answer 87

A

human resource transactions
Financial management
Grants management
Contract
IT support

To reduce cost and increase efficiencies

Answer 88

A

-Sharing purchases to reduce cost
- Sharing investments in modern technology and experts
- Creating a single or reduced number of locations in federal government for certain core services

Answer 89

A

Establish context.
Identify risks.
Analyze and evaluate.
Develop alternatives.
Respond to risks.
Monitor and review.
Continuous risk identification and assessment.

Answer 90

A

ERM is an effective agency wide approach to assessing the full spectrum of the organization significant risks by understanding a combined impact a risks as an enter related portfolio, rather than addressing risks only within silos. ERM provides an enterprise wide, strategically aligned portfolio view of organizational challenges that provides better insight about how to most effectively prioritize and manage risks to mission delivery.

Answer 91

A

Aid the organization and identifying opportunities to further improve and benefit from the potential advantages of ERM over traditional risk management practices

Answer 92

A

ERM seeks to manage risk in a holistic, collaborative fashion across the entire organization
It is intended to optimize the ability of the overall organization, to deliver maximum stakeholder value by insuring, organizational strategy, is directly linked to, and informed by, the trade-off of performance objectives, resource, allocations, and resulting risks across the enterprise.
Facilitate a discussion horizontally across all elements of the organization to ensure that decisions on managing risks are aligned with top organizational strategy and stakeholder value

Answer 93

A

Meeting, lower level, organizational, functional, or programmatic needs, without consideration of how to balance those needs with resource availability, and risk appetite across the overall organization

Answer 94

A

consider internal and external environments relative to the organization, in which risks are to be managed
Defining the organizations objectives
understand overall risk appetite for achieving various objectives
Risk tolerance

Answer 95

A

external context is outside the boundaries of the specific organization in question

Factors include:
- Understanding of the influence of social, cultural, political, legal, regulatory, financial, technological, economic, and competitive environments
- Understanding, key drivers, and trend affecting the objectives of the organization
- Relationships, perceptions, values, and expectations of external stakeholders
- Contractual, relationships, and commitments

Answer 96

A

Internal context may include but not limited to:
- vision, mission and values
- governance processes, organizational structure, strategies and policies
- Capabilities, such as budget allocation, time, people, organizational culture
- Contractual, relationships, and commitments
- The organizations risk appetite, which forms the basis for evaluating acceptability of risks to the organizations objectives

Answer 97

A

Clearly defining objectives

Identification of risks to achieving objectives, cannot be achieved until the organization first establishes what those objectives are intended to be

Answer 98

A

The amount in type of risk that an organization is prepared to pursue, retain, or take

A risk appetite statement is a higher level statement that broadly considers the levels of risk that management deems appropriate

Answer 99

A

The acceptable level of variation in performance, relative to the achievement of a specific objective

Risk tolerances are initially set as part of the objective setting process

Answer 100

A

Using a structured and systematic approach to recognizing where the potential for undesired outcomes, or opportunities can arise, relative to organizational objectives

Elements at all levels of the organization should identify risks to achieving objective set for the particular part of the organization

Answer 101

A

brainstorming
Interviews
Checklist
Structured what if technique
Scenario analysis
Fault tree analysis
Bowtie analysis
Direct observations
Incident analysis
Surveys

Answer 102

A

Considering the causes, sources, probability of risk occurring, the potential positive or negative outcomes, and then prioritizing the results of the analysis

Answer 103

A

They must be analyzed in terms of their likelihood of occurrence and impact of those risks to transition into actual events

Risk, identification, and risk analysis, frequently overlap as the techniques for identifying risks, often yield insight into the likelihood and impact of the risk

Answer 104

A

Systematically, identifying and assessing arrange of risk response options, guided by risk appetite

Answer 105

A

Avoid.
Reduce.
Share or transfer.
Except.

Answer 106

A

Not accepting cash payments for goods or services

Answer 107

A

Transferring large cash at casino tables immediately and monitoring the casino through videos

Risk reduction can focus on reducing the likelihood of an event occurring or/and the impact of the event if it does occur

Answer 108

A

Risk sharing/transferring is beneficial when the likelihood of an adverse event is small, but the potential impact is beyond what we are willing to bear

An example is insurance for small risks (fire, or auto) but we prefer to pay an insurance premium, then bear the low probabilities/high impact damage of an auto accident

Answer 109

A

Making decisions about the best options among a number of alternatives, and then preparing an executing the selection response strategy

Answer 110

A

Whether or not the risk treatment will reduce the treated risk to within the organizations risk appetite
The return on investment, when considering the level of risk reduction versus the cost of achieving that reduction.

Answer 111

A

Evaluating and monitoring performance to determine whether the implemented risk management options achieved the desired level of remaining risk

Monitoring on a timely basis to ensure schedules for treating risks are met, and the proposed risk treatment is actually implemented and achieves the intended results

Answer 112

A

Iterative process, occurring throughout the year, to include surveillance of leading indicators of future risk from internal and external environments. This includes a evaluation of prior risk responses to ensure they were successful in meeting the target level of risk. If not, the risk management process would be repeated for those risks and risk responses.

Answer 113

A

New risks continually arise
The environment in which every organization operates is constantly changing so new risks constantly arise

Answer 114

A

It depends upon the nature of the organization and the environment within which they operate

Rapidly changing environments (political environment, advancing IT, financial conditions) Should be reviewed more frequently

Public sector organizations review, organizational wide risks on a quarterly or semi annual basis, but organizations operating in a rapidly changing environment or risks are tightly controlled, will conduct more frequent reviews

Answer 115

A

Better link organizational strategy, and performance, by managing risk in an integrated fashion across the organization

Answer 116

A

Linking resources across the organization and a manner that maximizes value aligned with strategic priorities

Maximizing overall return of investment by balancing delivery of products or services, available resources, and acceptable risks

Example: DOD, evaluating security, threats, and considering what defense systems and personnel most cost effectively meet the nations needs at an acceptable level of risk. Redeployment of resources from one military service branch may generate overall value for the nation despite reducing contributions of another military branch

Answer 117

A

Effective governance structure for ERM will support the integration of internal controls with broader risk management concerns, horizontally across the enterprise, and vertically from the lowest levels of the organization (where many risks originate) to the top of the organization (that must ultimately ensure management of the most critical risks)

Answer 118

A

Changing behaviors of individuals that impeded effective ERM implementation

Not developing policies, training, implementation of risk management processes, or government — these tasks are straightforward

Answer 119

A

The need for effective risk management
The value of strategically aligned portfolio approach to risk management
The need for appropriate governance processes
modification of individual performance incentives, where appropriate to motivate a willingness to identify, share, and manage risks for the benefit of the overall organization

Answer 120

A

internal control is a critical element of managing the risk associated with existing business processes and risk assessment
internal controls are applied to business processes (payroll, hiring, contracting) and considered when new processes created or existing processes modified
strategic planning can lead to building an operating new processes. Employing new controls, and planners must consider risks for which internal controls may not exist yet or risk that occur in the external environment. (government shut down)
internal control is a key element of managing the risk to current business operations within the control of the agency. However, other risks must be considered that are outside the control of the business processes (risk management) and all risks across the enterprise should be evaluated as a portfolio of risk to inform the appropriate balancing or risk across the organization (ERM)

Answer 121

A

Organizing the process.
Segmenting the agency.
Conducting risk assessments.
4., developing control plans
Conducting control reviews.
Taking corrective action.
Tracking corrections
Reporting results.

Answer 122

A

Management

Answer 123

A

establishing the control environment
Instituting controls
Maintaining controls
Reviewing controls
Improving controls

Answer 124

A

Deciding where control needed (vulnerability, or inherent residual risk)
Deciding and documenting control components
Placing control into operation
Continually monitoring and improving the effectiveness controls
Periodically testing controls
Reporting status and effectiveness of controls
Taking time and effective actions to correct deficiencies
Tracking progress on corrective actions

Answer 125

A

Inherent risk— risk an entity in the absence of management response to the risk

Residual risk— risk that remains after management’s response to inherent risk

Answer 126

A

Inherent risk— exposure arising from a specific risk before any action has been taken to manage it beyond normal operations

Residual risk— exposure, remaining from risk after action has been taken to manage it

Answer 127

A

GAO’s definition of an air risk implies there is no control in place and the OMB definition implies there is internal control in place.

GAO and OMB seem define residual risk the same way— the remaining risk after internal has been put in place

Answer 128

A

You get trapped into thinking you’re organization has identified the critical risks to the organization, and all we need to do is work on potentially improving the existing system

Answer 129

A

vulnerability assessments
-, Risk assessments
Control self assessment

Answer 130

A

A clear assignment of responsibilities
before commitment and support of the agency head who ultimately the process in setting the control environment

Answer 131

A

-. Define the manner in which the evaluation will be conducted.
- establish procedures to documents process in a way that could be readily understood by a reasonably knowledgeable reviewer
- Internal reporting procedures, with which the review team can report on its progress and evaluation as well as an early warning system to signal, if things do not go well

Answer 132

A

The leader must choose team members who consider the assignment a serious responsibility
Team members must have sufficient knowledge, skills, abilities, and experience perform the assessment
The team must receive adequate training in internal controls
The leader must ensure that each team member understands his or her responsibilities

Answer 133

A

To develop a inventory of assessable units (also referred to as accountable units)

Answer 134

A

an organizational unit (like a bureau)
Process within an organizational unit
Process that cuts across organizational units

Answer 135

A

A documented review of each assessable unit by management
it considers the likelihood and impact

Answer 136

A

All the things that will prevent an organization from achieving its mission and goals, complied with laws and regulation, producing financial or non-financial information, or safeguarding its assets

Impact is driven by
- dollars lost, stolen, wasted
- Health and safety issues
- Reputation lost

Answer 137

A

It starts with an evaluation of inherent risk and is driven by the internal control system in place

Answer 138

A

high: preclude or highly impair an entities ability to achieve one or more objective or performance measures
medium: an entities ability to achieve one or more objective or performance measures, can be seriously impaired
low: in entities ability to achieve one or more objective or performance measures not impaired

Answer 139

A

high (lack of good internal control): risk is very likely or reasonably likely to occur
Medium (controls in place but not working): more likely than not to occur
Low (appropriate controls in place): not likely to occur

Answer 140

A

Identifying functions to be assessed
Defining each functions control objectives
obtaining information before risk assessments
identifying inherent risk
Identifying other risks that may exist even if the inherit risk is low.
Identifying each functions internal controls system
Self-assessment using knowledge of controlled environment, inherent risk, and existing controls
forming conclusions, as to the extent of risk

Answer 141

A

management knowledge from daily operations
management reviews (internal control reviews, specific process, risk)
audit reports
Program evaluations
Annual performance plans

Answer 142

A

lack of management commitment to a control environment
High turnover and key management positions
inability to recruit and retain competent staff
Significant ADP/information resource problems
significant health/safety issues
significant findings and audits or special studies
many reported material weaknesses
prolonged, corrective action process for material weaknesses
changing environment
Lack of effective control activities, and or Control activities, not functioning

Answer 143

A

A written plan summarizing the agencies risk assessments, planned actions and internal control evaluations there are intended to provide reasonable assurance that controls it are in place and working effectively

Answer 144

A

The purpose of the review is to determine whether necessary controls are in place and producing intended results such as
1. All assessable units should have periodic reviews, some more than others, based on inherent risk and potential impact.
2. Reviews should identify control gaps and test effectiveness of controls.
3. Reviews provide the basis for meeting reporting requirements.

Answer 145

A

Analyze the general control environment and identify the event cycles/major functions
Document event cycles, using either a narrative statement or a flow chart.
Identify a document the objectives (what the organization wants to accomplish) and techniques (the processes to accomplish those objectives) for each event cycle
Evaluate the adequacy of the existing internal control system using observation, examination, interview, and analysis, etc..
Recommend corrections for any identified control deficiencies.

Answer 146

A

The objective of the cycle
Risks that would prevent achievement of the objective
Controls used to offset and adequately mitigate the risks
how the controls were tested, determine whether they were effective. Test may include testing transactions, observing the operation of the control and making inquiries of responsible personnel.
Results of the tests
Whether the control is adequate, weak, excessive, or redundant
The cost of the control compared to its benefit
Any additional findings or comments related to risk

Answer 147

A

The agency should update the internal control plan to include information on the various steps that will occur for each assessable unit and the frequency of those steps

The plan should consider it’s previous priority ranking for each assessable unit, it’s current priority, ranking, the time of the previous review, and the planned year and type of official responsible for performing the internal control review

Answer 148

A

Installing new controls
Improving existing control
Eliminating excessive controls

** all proposed changes should be coordinated with with all concerned units to ensure the necessary resources will be available as well as support for the changes

Answer 149

A

Establish timetables for corrective actions, including assigning the responsible individual
Tracking progress to ensure timely and effective results
Establish follow up procedures

Answer 150

A

A week internal control environment

If an assessable unit had the same weaknesses for years and years, at the onset, their team will know that there’s a problem for which solutions must be developed and management held accountable

Answer 151

A

External reporting varies, according with the laws, regulations, and policies governing the individual organization

Answer 152

A

It requires federal agency managers to issue a statement of assurance annually.

The statement represents the agency, heads informed, judgment and assurance to the president, Congress and the public as to the overall adequacy and effectiveness of internal controls within the agency

It enables the agency to:
- Reflect the status of its internal control program
- It’s plan to correct material weaknesse
- Report progress against those plans

Answer 153

A

Requires for the statement of assurance and sets for the type of management, assertions regarding internal controls. The statement of assurance represents the agency, heads informed judgment, as to the overall adequacy and effectiveness of internal control within the agency.

Answer 154

A

The 2018 update, balanced rigorous implementation of internal controls with giving agencies, the flexibility to determine which control activities are necessary to achieve reasonable assurance over internal controls and processes that support overall data quality contained in agency reports.

It provides a methodology for agency management to assess, document, and report on internal control over reporting (ICOR) which includes financial reporting, performance, reporting, and accountability reporting.

It requires weaknesses to be identified and corrective action plan presented for each

Answer 155

A

Performance and accountability reports (PAR) or agency financial report (AFR)

Answer 156

A

reviewing and relying upon internal controls when conducting an audit
Rendering an opinion regarding the effectiveness of the design and operation of the internal controls over an operation or process

Answer 157

A

The objectives of the audit and the standards, under which it is conducted

The type of audit will dictate the scope of work and the reporting requirement for auditors

Answer 158

A

Auditors generally confine their concerns to the controls over financial reporting

Answer 159

A

GAGAS/yellow book issued by GAO, which incorporates, in their entirety, the financial audit standards issued by the AICPA

Answer 160

A

The entities activities for effectiveness and efficiency
-? Monitor the effectiveness of governance, risk and control
reviews to ensure the organization follows rules and regulations, and properly safeguards its assets

Answer 161

A

Government internal auditors, who work under the direction of the oddity entities management are considered structurally independent if the head of the audit organization meets all of the following criteria: is accountable to the head or deputy head of the government entity, or to those charged with governments; reports the engagement to the head or deputy head of the government entity, and those charged with governments; is located organizationally outside the staff or line function under audit; has access to those charge with governance; and is sufficiently removed from pressures to conduct engagements and report findings, and conclusions objectively without fear of reprisal
Certain entities employee auditors to work for entity management, and maybe subject to administered of direction from persons involved in the entity management process. They are encouraged to use the Institute of internal auditor international standards for the professional practice of internal audited in conjunction with GAGAS

Answer 162

A

Supports the overall objectives of the organization
## Provides another check and balance to the organizations processes

Answer 163

A

audit work fulfill, the general purposes and responsibilities approved by management
Resources of the audit function are efficiently and effectively employed
Audit work forms to professional standards

Answer 164

A

planning
Policies and procedures
Personnel management
Coordinating with the external audit function
Quality

Brainscape's Knowledge GenomeTM

Exam 3 - Section 3 Internal Controls Flashcards

Brainscape's Knowledge Genome^TM