Module 3: Internal Controls Flashcards
Process affected by the Board, Management, and Personnel to provide reasonable assurance on the achievement of business objectives
Internal Control
Internal Control: Who affects the internal control
BoD, Management, Personnel
Internal Control: What are the 3 categories of interest?
- Reliability of Financial Statements/Reports
- To provide reasonable assurance that operations achieve business Objectives
- Comply with regulations
Internal Controls: What are the limitations of internal controls?
- It only provides reasonable, not absolute, assurance
- It is subject to human judgement in decision making
- It can be circumvented through collusion and overriding of controls
Internal Controls: What are the things that auditors consider when looking at controls?
- Internal Controls can be assessed in groups or individually
- Controls can encompass different business objectives
- Not all controls are relevant to an audit
- Having an understanding of controls is not enough to test its operational effectiveness
Internal Controls: When can an understanding of a control be sufficient to test its operational effectiveness?
When there is automation that ensures the consistent application of controls
What are the components of the enterprise risk management cube?
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
Set of standards, procedures, and processes that is the basis for internal controls across the organization
Control Environment
Cube - Control Environment: Who sets the tone at the top?
The BoD and the management
Cube - Control Environment: Auditors must check if the Management has created what?
A culture of honesty and ethical behavior
Cube - Control Environment: What must be considered when auditing the control environment?
- Controls may mitigate fraud but not entirely deter the existence of fraud
- Weak controls do not necessarily imply the existence of fraud
- The control environment cannot mitigate material misstatements
Cube - Control Environment: Enumerate the relevant elements to be assessed by the auditor.
- Communication and enforcement of integrity and ethical behavior
- Commitment to competence
- Participation of those in charge of governance
- Organizational Structure
- Management philosophy and operating style
- Assignment of authority and responsibility
- Human resource practices and policies
Cube - Risk Assessment: What are the two aspects in which management sees risk?
Likelihood and Impact
Dynamic and iterative process for identifying and assessing risks to the achievement of business objectives
Risk Assessment
The process by which management strives to achieve its business objectives
Control Activities
Cube - Control Activities: What are given to ensure that risk responses are properly carried out?
Policies and procedures
Acts as support for the other functions
Information and communication
Cube - Information and communication: Information only comes from internal sources as it is more reliable (T or F)
False. Must consider both internal and external
To monitor the performance of controls over time
Monitoring Activities
Cube - Monitoring Activities: Evaluated using either ongoing evaluations or separate evaluations (T or F)
False. Monitoring activities can be both ongoing and separate evaluations
Cube - Monitoring Activities: May consider external sources (T or F)
True
Cube - Monitoring Activities: What must the auditor know with regards to monitoring of controls?
- The source of the information
- The basis of management to know which controls are effective and reliable
Objectives of a department or role that pursue the achievement of a company's strategic goals
Control objectives
Cube - Control Objectives: Implicitly related to the strategy of the company (T or F)
False. It must be EXPLICITLY related.
Cube - Control Objectives: Statements of the desired result or purpose to be achieved by implementing control activities
Procedures
Cube - Control Objectives: Control objectives are applicable to which type of control?
All. Manual, Automated or Combination
Cube - Control Objectives: An activity contributing to the fulfillment of a control objective
Control Measure
What should management decide with regard to controls?
- What controls should be implemented
- How to implement them (frequency, span, automation)
Specific Information Systems Control Objectives: What are the specific objectives?
- Safeguarding Assets
- Established SDLC processes
- Ensure the integrity of OS environments
- Ensure the integrity of Sensitive and critical application system environment
- Ensure appropriate identification and authentication of the users of IS resources
- Ensure the efficiency and effectiveness of operations
- Ensure the compliance towards user requirements, policies, and regulations
- Ensure the availability of IT services through proper DRP and BCP.
- Enhance the protection of data through an incident response plan
- Ensure the integrity and reliability of systems through proper change management procedures
- Ensure that outsourced IS processes have detailed service-level agreements and contracts to ensure the safety of assets.
Specific Information Systems Control Objectives: Information on automated systems must be?
up to date
Specific Information Systems Control Objectives: Ensuring integrity of general OS environments, including?
Network management and operations
Specific Information Systems Control Objectives: Ensuring the integrity of sensitive and critical application system environments, including?
- Accounting information
- Managerial information
- Customer Data
Specific Information Systems Control Objectives: Ensuring availability of IT services by developing efficient business continuity plans and disaster recovery plans that include?
Backup and recovery
Compensating Control: Can back up or duplicate multiple controls but cannot operate across multiple processes and risks (T or F)
False. It can also operate across multiple processes and risks
Type of Controls: What is the effect on the risks depending on the type of control?
1. Preventive
2. Detective
3. Directive
4. Corrective
- Preventive - Reduce likelihood of risk
- Detective - Reduce likelihood of risk
- Directive - Reduce likelihood of risk and impact
- Corrective - Reduce likelihood of impact
Determine which type of control (Manual or Automated) each advantage describes.
1. Enhance segregation of duties
2. Enhance timeliness, availability and accuracy of information
3. Monitoring the effectiveness of automated controls
4. Outside the scope of existing IT controls
5. Minimize circumvention of controls
- Automated
- Automated
- Manual
- Manual
- Automated
Determine which type of control (Manual or Automated) each disadvantage describes.
1. Heavy reliance on defective systems
2. High volume and recurring transactions
3. Failure to effect necessary changes
- Automated
- Manual
- Automated
T or F: Manual Controls can be replaced by automated controls if adequately designed
True
General Controls: Controls that are primarily directed at accounting operations—controls that concern the safeguarding of assets and reliability of financial records
Internal Accounting Controls
General Controls: Controls that concern day-to-day operations, functions and activities, and ensure that the operation is meeting the business objectives
Operational Controls
General Controls: Controls that concern operational efficiency in a functional area and adherence to management policies
Administrative Controls
General Controls: What are the general controls that must be followed?
- Policies and procedures for proper usage of assets
- Policies for audit trails
- Procedures for safeguarding the access and use of assets
- Physical and logical security policies for all facilities, data centers and IT resources
T or F: Each general control can be traced to an IS-specific control
False. General controls are translated into IS specific controls