Governance, Risk, and Compliance Flashcards
Describe SOX Section 201
Prohibits the registered public accounting firm that audits a company from providing specified non-audit services to that same audit client.
Describe SOX Section 203
The lead (and concurring) audit partner must be rotated off the engagement every 5 years.
Describe SOX Section 204
The audit firm must report its findings and recommendations (critical accounting policies, alternative treatments discussed with management, material written communications) to the audit committee in a timely manner.
Describe SOX Section 302
Corporate responsibility for financial reports: the principal executive and financial officers must personally certify the accuracy of the periodic reports and the effectiveness of disclosure controls.
Describe SOX Section 404
Annual reports must contain management's assessment of the effectiveness of internal control over financial reporting, together with a statement of management's responsibility for establishing and maintaining those controls.
Describe SOX Section 407
The company must disclose whether at least one member of the audit committee is a financial expert (and if not, why not).
Identify the 5 major components of COSO
CRIME:
Control Activities
Risk Assessment
Information & Communication
Monitoring
Control Environment
Describe Control Environment
Sets the tone of an organization. It is the foundation for all other components of internal control, providing discipline & structure.
Describe Risk Assessment
Identification & analysis of relevant risks to the achievement of objectives, forming a basis for determining how the risks should be managed.
Describe Control activities
The policies & procedures that help ensure that management directives are carried out.
Describe Information & communication
Identification, capture, & exchange of information in a form & time frame that enables people to carry out their responsibilities.
Describe Monitoring
A process that assesses the quality of internal control performance over time, through ongoing activities, separate evaluations, or both.
Describe the types & limits of internal controls
Preventive: Keep errors & irregularities from happening in the first place.
Detective: Attempt to find errors & irregularities after they have occurred.
Corrective: Controls put in place to correct errors after they are detected.
Directive: Steer activity toward a desired result (e.g. policies, procedures, training).
Compensating: Mitigate lapses & shortcomings elsewhere in the control framework (e.g. independent review or multiple reviewers where segregation of duties is not possible).
Limits: No set of controls gives absolute assurance; they are subject to human error, collusion, management override, and cost-benefit trade-offs.
Define business continuity planning
Creating a strategy for continuing business operations in the event of a major disruption.
Define the objective of a disaster recovery plan & identify the components.
The steps that should be taken to restore systems and operations in the event of a major disruption. Components:
Assess risk, identify critical components, determine the method of recovery, test the recovery.
Identify & describe system application controls
Input controls: Support complete & accurate input of data by authorized users only, and identify rejected & duplicate items.
Processing controls: Preserve the integrity of the inputs while they are being processed (e.g. record counts, control totals).
Output controls: Address the final validity of the information produced, plus its dissemination to the right recipients.
Identify & Describe Audit risks
Inherent Risk: The likelihood of a material misstatement before considering the effectiveness of internal controls.
Control Risk: The likelihood that a material misstatement will not be prevented or detected on a timely basis by internal controls.
Detection Risk: The likelihood that errors not prevented or detected by the control structure will also be missed by the auditor's procedures.