Module 3 Flashcards
What is covered by SOX?
- creation of the PCAOB
- Auditor independence
- Corporate governance and responsibility
- Disclosure requirements
- Federal crimes for the destruction of or tampering with documents, securities fraud, and actions against whistleblowers
- new reporting requirements
What is Section 302 of SOX and what does it require?
Financial statements should include certifications that the signing officers:
* are responsible for establishing and maintaining internal controls (over disclosures and financial reporting)
* have designed such controls
* have evaluated the effectiveness of these controls and reported their conclusion about internal controls effectiveness
* have reported any change in internal controls over financial reporting
* have disclosed to their auditors and audit committee:
- a list of internal controls weaknesses
- any fraud involving management or employees
What is Section 404 of SOX and what does it require?
Financial statements should include Management’s Assessment of Internal Controls, covering:
* an assessment of the effectiveness of the internal controls
* the framework used in the assessment of internal controls (COSO is endorsed, which SAS 78 is based on)
The organization’s external auditor should issue an attestation report on the company’s internal controls
What are the internal controls per COSO?
Internal controls are processes designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
* effectiveness and efficiency of operations
* reliability of financial reporting
* compliance with laws and regulations
What are the 5 components of the SAS78/COSO Internal Control Framework?
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring Activities
What is the control environment?
This sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Factors include:
* Integrity and ethical values
* Commitment to competence
* Role of the board of directors and the audit committee
* management’s philosophy and operating style
* organizational structure
* assignment of authority and responsibility
* human resource policies and procedures
What do organizations do when they perform a risk assessment?
- identify objectives
- identify events
- risk assessment
- risk response
What are the two ways that organizations can monitor the effectiveness of their internal controls?
- ongoing monitoring
- separate evaluations
What is monitoring?
A component that oversees the effectiveness of the other components of internal control
What is ongoing monitoring?
Routine activities performed continually, typically by management and employees who are part of the control system
What are separate evaluations?
Performed periodically to test the design and effectiveness of implemented controls, typically performed by internal and external auditors
What are control activities?
The policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives
What are the two broad categories of control activities?
- manual controls
- IT controls
What are manual controls?
controls related to transaction processing activities
What are IT controls?
Controls related to the computer environment
* general computer controls
* application controls
What are the 6 categories of manual control activities?
- Authorization
- Segregation of duties
- Supervision
- Accounting records
- Access
- Independent verification
What is transaction authorization used for?
To ensure that employees are only carrying out authorized transactions
e.g. customer orders require adequate credit
e.g. invoice payments require an accurate invoice and receipt of the items
What is segregation of duties?
Separate individuals are responsible for the custody of assets and for initiating, authorizing, processing, recording and reconciling transactions
What control is a compensating control for lack of segregation of duties?
supervision
What does supervision focus on?
Overseeing that transactions are processed correctly
How does supervision differ from ongoing monitoring?
Supervision focuses on overseeing the processing of transactions rather than the effectiveness of internal controls
What two primary functions do audit trails (created by accounting records) serve?
- support day-to-day operations
- support financial statement audits
What are access controls used for?
They help to safeguard assets by restricting physical or logical access to them
What is independent verification?
Independent verification is a control activity done after the fact that verifies the accuracy of transactions being processed