Module 3 Flashcards
What is covered by SOX?
- create PCAOB
- Auditor independence
- Corporate governance and responsibility
- Disclosure requirements
- Federal crimes for the destruction of or tampering with documents, securities fraud, and actions against whistleblowers
- new reporting requirements
What is Section 302 of SOX and what does it require?
Financial statements should include certifications that the signing officers:
* are responsible for establishing and maintaining internal controls (over disclosures and financial reporting)
* have designed such controls
* have evaluated the effectiveness of these controls and reported their conclusion about internal controls effectiveness
* have reported any change in internal controls over financial reporting
* have disclosed to their auditors and audit committee:
- a list of internal controls weaknesses
- any fraud involving management or employees
What is Section 404 of SOX and what does it require?
Financial statements should include Management’s Assessment of Internal Controls, covering:
* an assessment of the effectiveness of the internal controls
* the framework used in the assessment of internal controls (COSO is endorsed, which SAS 78 is based on)
The organization’s external auditor should issue an attestation report on the company’s internal controls
What are the internal controls per COSO?
Internal controls are processes designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
* effectiveness and efficiency of operations
* reliability of financial reporting
* compliance with laws and regulations
What are the 5 components of the SAS78/COSO Internal Control Framework?
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring Activities
What is the control environment?
This sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Factors include:
* Integrity and ethical values
* Commitment to competence
* Role of the board of directors and the audit committee
* management’s philosophy and operating style
* organizational structure
* assignment of authority and responsibility
* human resource policies and procedures
What do organizations do when they perform a risk assessment?
- identify objectives
- identify events
- risk assessment
- risk response
What are the two ways that organizations can monitor the effectiveness of their internal controls?
- ongoing monitoring
- separate evaluations
What is monitoring?
A component that oversees the effectiveness of the other components of internal control
What is ongoing monitoring?
Routine activities that are performed continually, typically by management and employees who are part of the control system
What are separate evaluations?
Performed periodically to test the design and effectiveness of implemented controls, typically performed by internal and external auditors
What are control activities?
The policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives
What are the two broad categories of control activities?
- manual controls
- IT controls
What are manual controls?
Controls related to transaction processing activities
What are IT controls?
Controls related to the computer environment
* general computer controls
* application controls