Lecture 7 - Control, Fraud & ERM Flashcards
(!) Describe the importance of a code of ethics
Benefits:
- Kind of internal control
- Employee values differ: Eg. Culture
- Promote ethical behavior
- Help decide right & wrong
- Eg. AICPA, ISACA, IIA, IMA
International Ethics Standards Board for Accountants / IESBA:
- Integrity
- Objectivity
- Prof. competence & due care
- Confidentiality
- Professional Behavior
Describe Eurosox
General
- Control regulatory parameters in firm
Key revisions:
- Board members collectively responsible for financial statements & key non-financial info
- Make transactions w. parties more transparent
- Full info on off-balance-sheet arrangements
- Issue annual corporate governance statement
Synopsis of responsibilities & requirements of directives:
1. Assure effective corporate governance, internal controls & risk management
2. Measures safeguarding shareholders’ investments
3. Increased financial disclosure req.
4. Establish audit committees
5. Improved corporate governance standards & codex
(!) Describe corporate governance, what it promotes & its principles
General:
- Processes & policies to manage firm ethically
- In- & external control to safeguard stakeholders interests
- Comply or explain approach: Soft law
Promotes:
- Accountability
- Fairness
- Transparency
Principles:
1. Interact w. shareholders, investors & other stakeholders
2. Duties & responsibilities of board of directors
3. Composition, organization & evaluation of board of directors
4. Remuneration of management
5. Risk management
(!) Describe internal control & the internal control shield
General:
- Process of ongoing tasks & activities: Means to end
- Affected by people: All lvls
- Reasonable > Absolute assurance
- Seek one or more objectives: Separate yet categories overlap
- Adapt to entity structure
____________
Internal control shield:
General:
- Prevent, detect & correct fraud & unintentional errors
- Implement by management & board of directors
Objectives:
- Safeguard assets
- Encourage following policies
- Promote operational efficiency
- Ensure accurate, reliable records
- Comply w. legal req.
(!) Describe the three lines of defense
(!) Describe the different control concepts
General:
Preventive control:
- Before problem occur
- Stop undesirable events
- Authorization
- Ref. Encryption
- Eg. Sign document
Detective control:
- Discover problem
- When not prevented
- Eg. Monthly trial balance
Corrective control:
- Recover identified problem
- Eg. Back-up file
___________
Computerized environment:
General control:
- Firm-wide problems
- Eg. Control over accessing network
- Eg. Develop & maintain application
- Eg. Document program changes
Application controls:
- Subsystem or application specific
- Eg. Customer account nr.
Ensure transaction:
- Validity
- Completeness
- Accuracy
(!) Describe COSO in general
General
- COSO = Committee of sponsoring orgs.
- Authority on internal cont.
- Improve financial reporting
- Evaluate, report & improve internal cont.
- Address environment changes
- Address stakeholder expectations
- Widely accepted
Elements:
- Accountability
- Effective controls
- Risk management
- Corporate governance
- Fraud detection
Achievement of objectives:
- Effective & efficient operations
- Reliability of reporting
- Compliance w. laws & regulations
COSO ERM:
- Expand internal cont. framework
- Risk-based approach
- Align mission & risk appetite
- Max. firm value
Describe elements of the old COSO Internal control framework
Objectives for effective internal cont. system:
Operations:
- Effective
- Efficient
Reporting:
- In- & external reliability
Compliance:
- W. laws & regulations
_____________
Components to support achieving objectives:
Control environment:
General:
- Management philosophy
- Operating style
- Organize structure
- Methods of assigning authority & responsibility
- HR standards
Steps:
- Commitment to integrity & ethical values
- Board has independent oversight of dev. & perf. of internal cont.
- Management establish structure, authority & responsibility
- Firm demonstrate commitment to attract, dev. & retain competence
- Firm enhance accountability to objectives
__________
Risk assessment:
General:
- Likelihood & impact
- Understand extent to which poss. events affect objectives
Steps:
- Specify suitable objectives to identify risk
- Identify & analyze risk: How to manage?
- Assess fraud in risk to achieve objectives
- Identify & analyze changes w. significant impact on internal cont.
___________
Control activities:
General:
- Ensure objectives achieved & risk mitigation strategies carried out
- In all levels & functions
Steps:
- Firm select & dev. cont. activities: Mitigate risk
- Select & dev. general cont. over tech
- Deploy cont. activities by policies: By procedures
___________
Info & communication:
General:
- Support other functions
- Ensure info flow: Up, down & across firm
Steps:
- Use quality info
- Comm. internally: Objectives & responsibility
- Comm. externally: Customers, suppliers, regulators & shareholders
Monitoring activities:
General:
- By management
- Ongoing basis
- Evaluate findings
- Deficiencies must be communicated timely
- Needed modifications should be made: Improve processes & internal cont. system
Steps:
- Ongoing evaluation that internal cont. are present & functioning
- Evaluate & communicate what is missing
(!) Describe the new COSO ERM framework
General:
- Enterprise risk management
- Approach to objectives: Risk > Control
- Broader view on risk management
- Process affected by board, management & other personnel
- Try max. firm value
- Identify affecting event
- Act within risk appetite
- Reasonable assurance of achieving objectives
___________
New to this model:
- Strategic
- Objective setting
___________
Categories:
Strategic:
- High lvl goals
- Align to & support mission & vision
Operations:
- Also in old
- Effective
- Efficient
Reporting:
- Also in old
- In- & external reliability
Compliance:
- Also in old
- W. Laws & regulations
___________
Components:
Internal environment:
- Tone in firm
- Risk consciousness
- Risk view
- Risk handling
- Risk appetite
- HR policies
- Competence commitment
- Training
- Responsibility
Objective setting:
- Set at strategic lvl.
- Basis for operations, reporting & compliance
- Support & align w. mission
- Should align w. risk appetite
Event identification:
- In-& external threats & opportunities
Risk assessment:
- See other card
Risk response:
- Actions align w. risk appetite & tolerance
- 1. Reducing
- 2. Sharing
- 3. Avoiding
- 4. Accepting
Control activities:
- See other card
Info & communication:
- See other card
Monitoring:
- Evaluate quality of internal cont.
- Lacks reported to TM
(!) Describe risk appetite
- Accepted amount of risk in pursuit of mission & vision
- Boundary for strategy to achieve goals
- Multiple risk appetite statements
- Eg. Green, yellow & red
(!) Describe event identification & key management questions
General:
- In- or external events poss. affect achieving obj.
- Distinguish btw. risk & opportunity
- Opportunity = Strategy & obj.
- Risk = Future
Key management questions:
- What could go wrong?
- How can it go wrong?
- What is the potential harm?
- What can be done about it?
(!) Describe risk assessment & risk types
General:
- Systematically identify & analyze risk
- Determine risk response & cont. activities
- Understand effect on objectives
____________
Types of risk:
Inherent risk:
- From firm activity
- Exist before plan to address it
- Eg. Competitors
Control risk:
- Errors not prevented, detected or corrected by internal cont. system
Residual risk:
- Inherent * Control risk
- Remaining risk
- Handled last
(!) Describe risk response & cost benefit analysis
General:
- Must align w. risk tolerance: Risk appetite & cost vs. benefit
Reduce risk:
- Design effective process
- Internal cont. system
Share risk:
- Outsource process
- Buy insurance
- Enter hedge transaction
Avoid risk:
- Don't do risky activity
Accept risk:
- Allow likelihood & impact
___________
Process:
- 1. Identify risk
- 2. Estimate likelihood
- 3. Estimate impact: Eg. Lost kr.
- 4. Controls to lower risk
- 5. Estimate cost & benefits
- 6. Cost & benefit analysis
- 7. Choose risk response
__________
Cost-benefit analysis:
- Help determine whether to implement internal cont.
- Cost = Quantitative
- Benefit = Often qualitative
- Internal cont. benefit > Implementation cost
- CALC: Benefit = Estimated risk impact * Decrease in likelihood from implementing cont.
(!) Describe control activities
General:
- Based on risk assessment & response
- Actions to address risk
___________
Physical Controls:
General:
- Mainly manual: Could incl. physical computing tech
Examples:
- Authorize if valid transaction & activity
- Segregate duties to prevent fraud & mistakes
- Supervise to compensate imperfect duty segregation
- Accounting docs. & records to maintain audit trails
- Project dev. & acquisition controls
- Change management controls
- Design & use of documents & records
- Safeguard assets, records & data
- Independent performance checks
___________
IT controls:
___________
General:
- Assure info
- Help lower tech use risk
___________
IT general controls / ITGC:
General:
- Enterprise-lvl cont. over IT
IT control environment:
- Tone at top
- Form IT culture
Access controls:
- Restrict IT, programs & data access
- Authorize & segregate duty
Change management cont.:
- Authorized & document changes in programs
- Test beforehand so system availability & reliability are not affected
Project dev. & acquisition cont.:
- Ref. SDLC: System dev. LC
- Analysis, design, test, implement, evaluate project
- Formal method established
Computer operations controls:
- Antivirus
- Back-up
- Recovery
- Less downtime
_____________
IT application controls:
General:
- Specific for subsystem
Input controls:
- Authorize & verify data
- Eg. Control matrix specifying user access
- Eg. Field checks: Size, range, validity, completeness, reasonableness, digit verifications & closed-loop verifications
Processing controls:
- Ensure accurate process of transactions
- 1. Pre-numbered docs generated internally: No duplicates or missing
- 2. Sequence checks
- 3. Batch totals
- Cross-footing balance tests
- Concurrent update controls
Output controls:
- Eg. Only required number of copies printed
Describe the COSO updated ERM framework from 2017
(!) Describe the COBIT framework
General:
- COBIT = Control Obj. for Info & related tech
- Governance & management of firm IT
- Bridge gap btw. tech issues, cont. req. & firm risk
- Align IT & business
- Increase firm value
- Reduce firm risk
- Ensure resources used responsibly
- Define scope & ownership of IT process & control
- Provide common language
- Meet requirements
- Ensure objectives are met
- Align w. good practices & accepted standards
- Popular for IT governance & management
(??) Principles:
- 1. Meet stakeholder needs
- 2. Cover firm end-2-end
- 3. Apply single integrated framework
- 4. Enable holistic approach
- 5. Separate governance from management
__________
Business requirements:
Effectiveness:
- Relevant & timely info
Efficiency:
- Prod. economically
Confidentiality:
- Protect sensitive info
Integrity:
- Valid, accurate & complete info
Availability:
- Info when needed
Compliance:
- Comply w. laws & regulations
Reliability:
- Reliable for daily DM
? Describe the governance system
Describe performance management by COBIT 2019
(!) Describe information technology infrastructure library / ITIL
General:
- Concepts & practices for IT service management
- IT services that understand business objectives
- Provide details to COBIT
- Lifecycle approach to IT services
- Standard in Europe
- Best practice
- Understand priorities
Categories:
Service Strategy / SS:
- Here we start
- Align IT-service & firm strategy
- Strategic planning of IT service management cap.
- Identify user & expectation
Service Design / SD:
- Design & dev. IT services & service management processes
- New & changed IT services
- Meet expectations cost-effectively
Service Transition / ST:
- Ensure desired value
- Build, test & operate
- Realize req. of strategy design
- Maintain cap. for ongoing delivery of service
- Manage changes
Service Operation / SO:
- Effective & efficient delivery & support of services
- Benchmark: Event, incident, requests, problems & access
- Ongoing basis: Manage disruption fast
- Detect trends & problems
Continual Service Impr. / CSI:
- Ongoing impr. of service
- Measure process performance req. for service
- Efficiency & effectiveness
(!) Describe the ISO 27000 series
General:
- Series of popular standards
- Address info security issues
- Model to establish, implement, operate, monitor, maintain & improve Info Security Management System (ISMS)
- Process approach
Major areas:
- Info security policies
- Organization of info security
- HR security
- Asset management
- Access control
- Cryptography
- Physical & environmental security
- Operations security
- Communications security
- System acquisition & maintenance
- Supplier relationships
- Security incident management
- Business continuity management
- Compliance
Steps to establish ISMS following ISO 27001/27002:
- See insert picture
Compare ISO 27001 to ITIL
ISO 27001:
- International standard
- Requirements to establish, implement, maintain & continually improve ISMS
- Applies to any type or size of firm
- Implementation & certification are optional
ITIL:
- Best practice IT framework
- Practices for IT service management that guide quality IT services & the processes & functions needed to support them
- Applies to all IT environments
- Implementation doesn't need certification
(!) Give an overview of the control frameworks
COSO Internal control framework:
- More strategic than COBIT
- To evaluate, report & improve internal cont.
- Widely accepted
- Provide method
COSO Enterprise Risk Management Framework:
- Expands COSO IC framework taking risk-based approach
COBIT:
- More operational than COSO
- More strategic than ITIL
- Focus: Governance & IT
- As COSO but for IT perspective
- Control objectives for info & related technology
- For governance & management of enterprise IT
ITIL:
- Provide details to COBIT
- More operational than COBIT
- Focus: Service man. & delivery
- Information technology infrastructure library
- For IT service management
ISO:
- Focus: Info security
- Ref. ISMS
- Don’t provide method
(!) Describe information security management & the terms confidentiality, integrity, availability & algorithm
Information security management:
- Top tech issue for CPAs
- Integrated, systematic approach
- Coordinate people, policies, standards, processes & controls
- Safeguard critical systems & info from in- & external threats
- Critical to maintain system integrity: No manipulation or degradation while in use
__________
Terms:
Confidentiality:
- Info only for authorized individuals & processes
Integrity:
- Accurate & complete info
- Content remain constant: No manipulation
Availability of data:
- Info & system access on demand
Algorithm:
- Series of steps
(!) Describe encryption
General:
- Preventive control
- For confidential & private data
- Both transmission & storage
- Key to decrypt message
- More bits if sensitive data
- Key management: Strong policy required
- Encourage sharing
(!) Compare the symmetric & asymmetric key encryption methods
Symmetric key encryption:
- Fast
- Suit large data sets
- Distribution difficult in secure way
- One key: Cost ineffective & problematic
__________
Asymmetric key encryption:
- Slow
- Don’t suit large data sets
- More secure
- Two keys: Less problematic
- Public key: Wide use + Decryption
- Private key: Secret + Encryption
- Transmit conf. info
- Process must be repeated in reverse
(!) Describe authentication
General:
- Establish origin of info
- Identify user, process or device
- Prevent rejections online
- Critical in e-business
(?) Describe how secure shell works (SSH)
Describe the key factors of encrypting with asymmetric keys
Certificate authority (CA):
- Trusted entity
- Issue & recall digital certificate
Digital certificate:
- Digital document issued
- Digitally signed by private key of CA: Bind subscriber name to public key
- Subscriber sole control & access to private key
Public key infrastructure (PKI):
- Policies, processes, server platforms, software & workstations used to administer certificates & public-private key pairs to issue, maintain & revoke public key certificates
(!) Describe hashing process, message digest & digital signature
Message digest / MD:
- Short code
- Generated through hashing
Hashing process:
- Original docs pass through algorithm
- Generate MD
- Irreversible: Differ from encryption
Digital signatures:
- MD of doc/data encrypt w. creator’s private key
- Need both hashing & encryption process to create
- Ensure data integrity & prevent repudiation of transactions
- Creator's own private key needed to encrypt MD, so the digital signature also authenticates the document creator
- Ensure one held responsible
(?) Describe the process to ensure data integrity in digital signatures
General:
- Sender: A
- Receiver: B
- Asymmetric-key encryption method to authenticate each other
- A copies doc & uses SHA-256 to hash copy & get MD
- A encrypts MD with A's private key to get A's digital signature
- A uses B’s public key to encrypt original doc & A’s digital signature: For confidentiality
- A send encrypted package to B
__________
- B receives package & decrypts it using B's private key. B now has the original doc & A's digital signature
- B decrypts A's DS with A's public key to get A's original MD. B also authenticates that A is creator: Assures nonrepudiation
- B makes copy of received doc & uses SHA-256 to hash copy & get a calc. MD: Must be same algorithm used by sender
- If original MD same as the calc. MD, B ensures data integrity: No changes in original doc
Describe the criteria for cybersecurity risk management framework / AICPA
General:
- Reporting framework
- Important for risk management
Criteria:
Describe firms cybersecurity risk management system:
- Nature of business & operations
- Nature of info at risk
- Cybersecurity objectives
- Factors significantly affecting inherent cybersecurity risks
- Cybersecurity risk governance structure
- Cybersecurity risk assessment process
- Cybersecurity communications & quality of cybersecurity info
- Monitoring cybersecurity risk management program
- Cybersecurity control processes
Evaluate firms cybersecurity controls:
- Trust services criteria
- Principles for security, availability, processing integrity, confidentiality & privacy
(!) Describe fraud & the fraud triangle
General:
- Intended illegal act
- Deceit, conceal or violate trust
- To obtain money, property, service, avoid payment or secure own firm
- Acts not dependent upon threat of violence or physical force
- Risk employees sell confidential info
Fraud triangle:
Incentive:
- Reason for fraud
Opportunity:
- Absence or ineffective cont.
- Poss. to override cont.
Rationalization:
- Attitude
Describe computer fraud schemes
Describe computer fraud prevention & detection
Fraud prevention program:
Risk assessment across entire firm:
- Consider critical areas
Auditor has oversight role:
- Ensure program ongoing
Auditor work w. in- & external people:
Make employees aware of fraud obligations & misconduct:
- Begin w. practical communication & training
___________
Fraud detection program:
- Internal auditor evaluate effectiveness of business processes
- Analyze transaction data: Evidence on effectiveness of internal cont. & identify indicators of fraud risk or actual fraudulent activities
- Continuous monitoring system is effective: W. detailed logs for transaction-lvl test
(!) Describe GDPR
- GDPR = General data protection regulation
- Protect EU citizens from privacy & data breaches
- Control personal data
- Fine up to 4% of turnover
(!) Describe vulnerability assessment & compare vulnerability management to risk management. Give some examples
Vulnerability:
- Characteristics of IT resources poss. exploited (Danish: udnyttet) by threat to cause harm
- Weakness or exposure in IT assets or processes poss. leading to business-, compliance- or security risks
__________
Vulnerability management & risk management:
General:
- Seek to reduce probability of harmful events occurring
Risk management:
- More complex
- Strategic
- Mostly top-down
- Risk-based approach
Vulnerability management:
- Tactical
- Short-term effort
- Often IT asset-based approach
__________
Threats & vulnerability:
Physical IT environment examples:
- Natural disaster + Outdated measures for environmental threats
- Electric black-out + Insufficient back-up power supply
Information system examples:
- Interruption of system + Poor service level agreement
- System intrusion + Open ports on main server w/o router access
Processes of IT operations examples:
- Social engineering + No training in this
- Disclosing sensitive employee info + Inappropriate data classification rule
(!) Describe the framework for vulnerability assessment & management
Prerequisites:
Determine main objectives:
- Since limited resources
- Eg. Comply w. law
Assign roles & responsibility:
- Eg. Internal audit group
(!) Describe system availability & back ups
General:
- Key component
- Ensure data available all time or when needed
- DRP & BCM the most critical corrective controls
Back-ups:
Uninterruptible power supply:
- Battery power
- System operates until backup power takes over
- Shut down properly if no power
Fault tolerance:
- Ability to still function when system part fail
- By redundant array: RAID
Virtualization or cloud computing:
- Good alternatives to backup
- Redundant servers at multiple locations
- Cost-effective
- Credibility, control & security must be considered
Describe computer fraud
Common computer fraud:
- Theft, misuse or misappropriation of assets, info or hardware
- Corruption, illegal copying, or intentional destruction of computer software
- Eg. Change computer-readable records & files
- Eg. Change logic of computer software
___________
Computer fraud risk assessment:
General:
- Systematically discover where & how fraud may occur & who may commit it
- Component of firms enterprise risk management program: ERM
- Fraud schemes & scenarios to determine whether controls exist & how controls might be circumvented
- Assist management & internal auditors
Steps:
1. Identify relevant IT fraud risk factors
2. Identify potential IT fraud schemes & prioritize them based on likelihood & impact
3. Map existing controls to potential fraud schemes & identify gaps
4. Test operating effectiveness of fraud prevention & detection controls
5. Assess likelihood & impact of control failure
(!) Describe Business continuity management / BCM & Disaster recovery planning / DRP
Business continuity management / BCM:
- Activities to keep firm running in time of interruption of normal operations
- Broader than DRP: Entire business
Disaster recovery planning / DRP:
- Part of BCM
- Identify significant events w. poss. threat
- Outline procedures to smoothly resume operations if event occurs
- Req. Regular test
- Eg. Natural disaster
(!) Describe different risk & attacks
General:
- In- or external: Employees or competitors & hackers
Virus:
- Self-replicating program
- Run & spread by modifying other programs/files
Worm:
- A self-replicating, self-propagating, self-contained program
- Spread by network mechanisms
Trojan horse:
- Non-self-replicating program
- Look useful but oth. purpose
Spam:
- Send bulk info not asked for
Botnet / Bot:
- Software robot that takes over computer to act under bot-herder's control
- Through Internet.
Denial-of-service /DoS:
- Prevent authorized resource access
- Delay time-critical operations
- Eg. Server
Spyware:
- Software secretly installed into IS
- Gather info on individuals or firm w/o their knowledge
- A type of malicious code
Spoofing
- Network packet claiming to come from a source other than its real one
Social engineering:
- Manipulate to take action not in person’s best interest
- Eg. Reveal confidential info
- Eg. Grant access to assets, networks, or info.
Describe segregation of duty
- Splitting process among more than one person
- To hinder fraud
- Min. 2 persons