Lecture 7 - Control, Fraud & ERM Flashcards
(!) Describe the importance of a code of ethics
Benefits:
- Kind of internal control
- Employee values differ: Eg. Culture
- Promote ethical behavior
- Help decide right & wrong
- Eg. AICPA, ISACA, IIA, IMA
International Ethics Standards Board for Accountants / IESBA:
- Integrity
- Objectivity
- Prof. competence & due care
- Confidentiality
- Professional Behavior
Describe Eurosox
General
- Control regulatory parameters in firm
Key revisions:
- Board members collectively responsible for financial statements & key non-financial info
- Make transactions w. parties more transparent
- Full info on off-balance-sheet arrangements
- Issue annual corporate governance statement
Synopsis of responsibilities & requirements of directives:
1. Assure effective corporate governance, internal controls & risk management
2. Measures safeguarding shareholders’ investments
3. Increased financial disclosure req.
4. Establish audit committees
5. Improved corporate governance standards & codex
(!) Describe corporate governance, what it promotes & its principles
General:
- Processes & policies to manage firm ethically
- In- & external control to safeguard stakeholders interests
- Comply & explain approach: Soft law
Promotes:
- Accountability
- Fairness
- Transparency
Principles:
1. Interact w. shareholders, investors & other stakeholders
2. Duties & responsibilities of board of directors
3. Composition, organization & evaluation of board of directors
4. Remuneration of management
5. Risk management
(!) Describe internal control & the internal control shield
General:
- Process of ongoing tasks & activities: Means to end
- Affected by people: All lvls
- Reasonable > Absolute assurance
- Seek one or more objectives: Separate yet categories overlap
- Adapt to entity structure
____________
Internal control shield:
General:
- Prevent, detect & correct fraud & unintentional errors
- Implement by management & board of directors
Objectives:
- Safeguard assets
- Encourage following policies
- Promote operational efficiency
- Ensure accurate, reliable records
- Comply w. legal req.
(!) Describe the three lines of defense
.
(!) Describe the different control concepts
General:
Preventive control:
- Before problem occur
- Stop undesirable events
- Authorization
- Ref. Encryption
- Eg. Sign document
Detective control:
- Discover problem
- When not prevented
- Eg. Monthly trial balance
Corrective control:
- Recover identified problem
- Eg. Back-up file
___________
Computerized environment:
General control:
- Firm-wide problems
- Eg. Control over accessing network
- Eg. Develop & maintain application
- Eg. Document program changes
Application controls:
- Subsystem or application specific
- Eg. Customer account nr.
Ensure transaction:
- Validity
- Completeness
- Accuracy
(!) Describe COSO in general
General
- COSO = Committee of sponsoring orgs.
- Authority on internal cont.
- Improve financial reporting
- Evaluate, report & improve internal cont.
- Address environment changes
- Address stakeholder expectations
- Widely accepted
Elements:
- Accountability
- Effective controls
- Risk management
- Corporate governance
- Fraud detection
Achievement of objectives:
- Effective & efficient operations
- Reliability of reporting
- Compliance w. laws & regulations
COSO ERM:
- Expand internal cont. framework
- Risk-based approach
- Align mission & risk appetite
- Max. firm value
Describe elements of the old COSO Internal control framework
Objectives for effective internal cont. system:
Operations:
- Effective
- Efficient
Reporting:
- In- & external reliability
Compliance:
- W. laws & regulations
_____________
Components to support achieving objectives:
Control environment:
General:
- Management philosophy
- Operating style
- Organize structure
- Methods of assigning authority & responsibility
- HR standards
Steps:
- Commitment to integrity & ethical values
- Board has independent oversight of dev. & perf. of internal cont.
- Management establish structure, authority & responsibility
- Firm demonstrate commitment to attract, dev. & retain competence
- Firm enhance accountability to objectives
__________
Risk assessment:
General:
- Likelihood & impact
- Understand extent poss. event affects objectives
Steps:
- Specify suitable objectives to identify risk
- Identify & analyze risk: How to manage?
- Assess fraud in risk to achieve objectives
- Identify & analyze changes w. significant impact on internal cont.
___________
Control activities:
General:
- Ensure objectives achieved & risk mitigation strategies carried out
- In all levels & functions
Steps:
- Firm select & dev. cont. activities: Mitigate risk
- Select & dev. general cont. over tech
- Deploy cont. activities by policies: By procedures
___________
Info & communication:
General:
- Support other functions
- Ensure info flow: Up, down & across firm
Steps:
- Use quality info
- Comm. internally: Objectives & responsibility
- Comm. externally: Customers, suppliers, regulators & shareholders
Monitoring activities:
General:
- By management
- Ongoing basis
- Evaluate findings
- Deficiencies must be communicated timely
- Needed modifications should be made: Improve processes & internal cont. system
Steps:
- Ongoing evaluation that internal cont. is present & functioning
- Evaluate & communicate what misses
(!) Describe the new COSO ERM framework
General:
- Enterprise risk management
- Approach to objectives: Risk > Control
- Broader view on risk management
- Process affected by board, management & other personnel
- Try max. firm value
- Identify affecting event
- Act within risk appetite
- Reasonably ensure objectives are achieved
___________
New to this model:
- Strategic
- Objective setting
___________
Categories:
Strategic:
- High lvl goals
- Align to & support mission & vision
Operations:
- Also in old
- Effective
- Efficient
Reporting:
- Also in old
- In- & external reliability
Compliance:
- Also in old
- W. Laws & regulations
___________
Components:
Internal environment:
- Tone in firm
- Risk consciousness
- Risk view
- Risk handling
- Risk appetite
- HR policies
- Competence commitment
- Training
- Responsibility
Objective setting:
- Set at strategic lvl.
- Basis for operations, reporting & compliance
- Support & align w. mission
- Should align w. risk appetite
Event identification:
- In-& external threats & opportunities
Risk assessment:
- See other card
Risk response:
- Actions align w. risk appetite & tolerance
- 1. Reducing
- 2. Sharing
- 3. Avoiding
- 4. Accepting
Control activities:
- See other card
Info & communication:
- See other card
Monitoring:
- Evaluate quality of internal cont.
- Deficiencies reported to TM
(!) Describe risk appetite
- Accepted risk amount to pursuit mission & vision
- Boundary for strategy to achieve goals
- Multiple risk appetite statements
- Eg. Green, yellow & red
(!) Describe event identification & key management questions
General:
- In- or external events poss. affect achieving obj.
- Distinguish btw. risk & opportunity
- Opportunity = Strategy & obj.
- Risk = Future
Key management questions:
- What could go wrong?
- How can it go wrong?
- What is the potential harm?
- What can be done about it?
(!) Describe risk assessment & risk types
General:
- Systematically identify & analyze risk
- Determine risk response & cont. activities
- Understand effect on objectives
____________
Types of risk:
Inherent risk:
- From firm activity
- Exist before plan to address it
- Eg. Competitors
Control risk:
- Errors not prevented, detected or corrected by internal cont. system
Residual risk:
- Inherent * Control risk
- Remaining risk
- Handled at last
(!) Describe risk response & cost benefit analysis
General:
- Must align w. risk tolerance: Risk appetite & cost vs. benefit
Reduce risk:
- Design effective process
- Internal cont. system
Share risk:
- Outsource process
- Buy insurance
- Enter hedge transaction
Avoid risk:
- Don't do risky activity
Accept risk:
- Allow likelihood & impact
___________
Process:
- 1. Identify risk
- 2. Estimate likelihood
- 3. Estimate impact: Eg. Lost kr.
- 4. Controls to lower risk
- 5. Estimate cost & benefits
- 6. Cost & benefit analysis
- 7. Choose risk response
__________
Cost-benefit analysis:
- Help determine if implement internal cont.
- Cost = Quantitative
- Benefit = Often qualitative
- Internal cont. benefit > Implementation cost
- CALC: Benefit = Impact * Decreased likelihood
- CALC: Benefit = Estimated risk impact * Decreased likelihood from implementing cont.
(!) Describe control activities
General:
- Based on risk assessment & response
- Actions to address risk
___________
Physical Controls:
General:
- Mainly manual: Could incl. physical computing tech
Examples:
- Authorize if valid transaction & activity
- Segregate duties to prevent fraud & mistakes
- Supervise to compensate imperfect duty segregation
- Accounting docs. & records to maintain audit trails
- Project dev. & acquisition controls
- Change management controls
- Design & use of documents & records
- Safeguard assets, records & data
- Independent performance checks
___________
IT controls:
___________
General:
- Assure info
- Help lower tech use risk
___________
IT general controls / ITGC:
General:
- Enterprise-lvl cont. over IT
IT control environment:
- Tone at top
- Form IT culture
Access controls:
- Restrict IT, programs & data access
- Authorize & segregate duty
Change management cont.:
- Authorized & document changes in programs
- Test before deployment so system availability & reliability are not affected
Project dev. & acquisition cont.:
- Ref. SDLC: System dev. LC
- Analysis, design, test, implement, evaluate project
- Formal method established
Computer operations controls:
- Antivirus
- Back-up
- Recovery
- Less downtime
_____________
IT application controls:
General:
- Specific for subsystem
Input controls:
- Authorize & verify data
- Eg. control matrix specify users access
- Eg. Field checks: size, range, validity, completeness, reasonableness, digit verifications & closed-loop verifications
Processing controls:
- Ensure accurate process of transactions
- 1. Pre-numbered docs generated internally so none are duplicated or missing
- 2. Sequence checks
- 3. Batch totals
- Cross-footing balance tests
- Concurrent update controls
Output controls:
- Eg. Only required number of copies printed
Describe the COSO updated ERM framework from 2017
(!) Describe the COBIT framework
General:
- COBIT = Control Obj. for Info & related tech
- Governance & management of firm IT
- Bridge gap btw. tech issues, cont. req. & firm risk
- Align IT & business
- Increase firm value
- Reduce firm risk
- Ensure resources used responsibly
- Define scope & ownership of IT process & control
- Provide common language
- Meet requirements
- Ensure objectives are met
- Align w. good practices & accepted standards
- Popular for IT governance & management
(??) Principles:
- 1. Meet stakeholder needs
- 2. Cover firm end-to-end
- 3. Apply single integrated framework
- 4. Enable holistic approach
- 5. Separate governance from management
__________
Business requirements:
Effectiveness:
- Relevant & timely info
Efficiency:
- Prod. economically
Confidentiality:
- Protect sensitive info
Integrity:
- Valid, accurate & complete info
Availability:
- Info when needed
Compliance:
- Comply w. laws & regulations
Reliability:
- Reliable for daily DM