Risk Assessment 3 Flashcards
What are examples of controls to lower “Control Risk” for assertion level risk?
- Controls over admin access to server(s) for app
- Controls to limit user access to app
- Controls over how changes are authorized, developed and deployed to app
What are the 2 levels where RMM exists/resides?
(1) FS level or
(2) Assertion level
- Because RMM exists at 2 levels, the auditor should assess RMM at both levels, separately and in aggregate
How does an auditor assess “Control Risk” at the assertion level?
- The auditor determines whether the entity has controls (policies) to limit access to all aspects of the app (db, program code and user apps)
What does “Financial Statement Level Risks” require?
- “FS level risks” require an overall response, like more supervision of the engagement team or modifying the selection of audit procedures
How are “Assertion Level Risks” addressed?
- Assertion level risks are addressed by the nature, timing, and extent of FAP, which may include substantive procedures or a combination of ToCs and substantive procedures
What is the “Risk Score” formula?
- Risk Score formula = Probability x Significance
- Higher score = higher risk
Describe the 4 response types or tests for an Assessed Level of Risk.
(List from least to most assurance/reliance on test results)
IOIR
(1) Inquiry - Low
(2) Observation - Moderate
(3) Inspection - High
(4) Re-perform/Confirm - High
What is a primary factor in prevention and deterrence?
- Increase the Perception of Detection (PoD)
What is Perception of Detection (PoD)?
- PoD is the environment that leads potential fraudsters to perceive/believe that if they commit fraud, they will get caught and go to jail
- These potential results cause some potential fraudsters to forgo fraud out of fear
What are examples of anti-fraud activities that can increase Perception of Detection (PoD)?
- Surveillance, anonymous tips and complaints system, surprise audits, mandatory vacation/rotation of duties, prosecution of a fraudster who was caught, and background checks
- Some of these are considered “detective measures”; if the entity does them effectively, they can increase PoD because a potential fraudster fears s/he will get caught by the detective activity (e.g., a surprise audit)
- Early “detection controls” might serve as a “Preventive Control” because they might increase PoD