Romney C10: Controls & AIS Flashcards

1
Q

Internal controls

A

The processes & procedures implemented to provide reasonable assurance that control objectives are met

2
Q

Objectives of Internal Controls

A
  1. Safeguard assets - prevent/detect unauthorized access
  2. Maintain records in sufficient detail to report company assets accurately
  3. Provide accurate & reliable information
  4. Prepare financial reports with established criteria
  5. Promote & improve operational efficiency
  6. Comply with applicable laws & regulations
3
Q

Threat

A

Any potential adverse occurrence or unwanted event that could injure the AIS or the organization

4
Q

Exposure/Impact

A

The potential dollar loss if a particular threat becomes a reality

5
Q

Likelihood/risk

A

The probability that a threat will come to pass

6
Q

Functions of Internal Controls

A
  1. Preventive Controls
  2. Detective Controls
  3. Corrective Controls
7
Q

Preventive controls:

A

Controls that deter problems before they arise

Ex: hiring qualified employees, segregating employee duties, and controlling physical assets

8
Q

Detective Controls

A

Controls designed to discover control problems that were not prevented

Ex: Duplicate checking of calculations, bank reconciliations & monthly trial balances.

9
Q

Corrective controls

A

Controls that identify and correct problems as well as correct and recover from the resulting errors

Ex: maintaining backup copies of files, correcting data entry errors

10
Q

2 Categories of Internal Controls:

A
  1. General controls
  2. Application controls

11
Q

General Controls:

A

Make sure an organization’s control environment is stable and well managed.

Ex: security, IT infrastructure, software acquisition, maintenance controls

12
Q

Application Controls:

A

Prevent, detect and correct transaction errors and fraud in application programs.

13
Q

What Application Controls are concerned with?

A

Accuracy, completeness, validity, and authorization of data captured, entered, processed, stored, etc.

14
Q

Who espoused 4 Levers of Control?

A

Robert Simons

15
Q

4 Levers of Control (BBDI)

A
  1. A belief system
  2. A boundary system
  3. A diagnostic control system
  4. An interactive control system
16
Q

Belief system:

A

Describes how a company creates value, helps employees understand management’s vision, communicates company core values, and inspires employees to live by those values

17
Q

Boundary System:

A

Helps employees act ethically by setting boundaries on employees’ behaviour

18
Q

Diagnostic Control System

A

Measures, monitors and compares actual company progress to budgets and performance goals

19
Q

Interactive Control System:

A

Helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions

20
Q

Foreign Corrupt Practices Act

A

Was passed in 1977 to prevent companies from bribing foreign officials to obtain business.

21
Q

Sarbanes-Oxley Act (SOX)

A

Applies to publicly held companies and their auditors and was designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen IC.

22
Q

Important aspects of SOX:

A
  • Public Company Accounting Oversight Board (PCAOB) was created
  • New rules for auditors - report specific info to company’s audit committee.
  • New roles for audit committee - audit committees must be on the co’s BOD and be independent.
  • New rules for management - CEO & CFO to certify that financial statements are fairly stated and the auditors were told about all material internal control weaknesses & fraud.
  • New internal control requirements
23
Q

Control Frameworks:

A
  1. COBIT - Control Objectives for Information and Related Technology
  2. COSO - Committee of Sponsoring Organizations
  3. Control Environment
24
Q

COBIT - Control Objectives for Information and Related Technology (COBIT)

A

Control framework that allows:

  1. Management to benchmark the security and control practices of IT environments
  2. Users of IT services to be assured that adequate security & control exist
  3. Auditors to substantiate their internal control opinions and advise on IT security & control matters.
25
COBIT is
described as best practices for the effective governance and management of IT
26
5 Keys of COBIT IT Governance and Management
  1. Meeting stakeholder needs
  2. Covering the enterprise end-to-end
  3. Applying a single, integrated framework
  4. Enabling a holistic approach
  5. Separating governance from management
27
Objective of Governance
To create value by optimizing the use of organizational resources to produce desired benefits in a manner that effectively addresses risk & reward
28
1. Meeting stakeholder needs:
Helps users customize business processes & procedures to create an information system that adds value to its stakeholders - allows the company to create a proper balance between risk & rewards
29
Covering the enterprise end-to-end:
Integrates all IT functions and processes into companywide functions and processes
30
Applying a single, integrated framework
Can be aligned at a high level with other standards & frameworks so that an overarching framework for IT governance & management is created
31
Enabling a holistic approach
Results in effective governance and management of all IT functions in the company
32
Separating governance from management
Distinguishes between governance and management
33
Governance & Management Objectives:
Governance:
  1. EDM (evaluate, direct & monitor)
Management:
  1. APO (align, plan, organize)
  2. BAI (build, acquire, implement)
  3. DSS (deliver, service, support)
  4. MEA (monitor, evaluate, assess)
34
Governance Obj: EDM
Evaluate strategic options, direct the chosen options, and monitor strategy achievement
35
Management Obj: APO
Organization, strategy & supporting activities for I&T
36
BAI
Definition, acquisition, and implementation of I&T solutions
37
DSS
Operational delivery & support of I&T services
38
MEA - Monitor, evaluate, assess
Performance & conformance monitoring of I&T
39
Committee of Sponsoring Organizations
A private sector group consisting of the American Accounting Association, AICPA, Institute of Internal Auditors, the Institute of Management Accountants & the Financial Executives Institute
40
Internal Control - Integrated Framework (IC)
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing ICS
41
5 Components & 17 Principles of IC Framework
Components:
  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Information & communication
  5. Monitoring
42
Control Environment:
Company's culture that is the foundation for all other internal control components, as it influences how organizations establish strategies & objectives, structure business activities, and identify, assess and respond to risk
43
Control environment consists of:
  1. Management's philosophy, operating style & risk appetite
  2. Commitment to integrity, ethical values & competence
  3. Internal control oversight by the BOD
  4. Organizational structure
  5. Methods of assigning authority & responsibility
  6. HR standards that attract, develop and retain competent individuals
  7. External influences
44
Management's philosophy, operating style & risk appetite
Philosophy, or shared beliefs and attitudes, about risk that affects policies, procedures, oral and written communications, and decisions
45
Risk appetite
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
46
COMMITMENT TO INTEGRITY, ETHICAL VALUES, AND COMPETENCE
Companies endorse integrity by:
  - Developing a written code of conduct that explicitly describes honest and dishonest behaviors
  - Putting processes in place to use the company’s code of conduct to evaluate individual and team performance
  - Actively teaching and requiring the code of conduct
  - Avoiding unrealistic expectations that motivate dishonest/illegal acts
47
IC oversight by BOD
An involved board of directors represents shareholders and provides an independent review of management that acts as a check and balance on its actions
48
Audit Committee
The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors
49
Organizational Structure
Company's organizational structure provides a framework for planning, executing, controlling & monitoring operations
50
important aspects of organizational structure
  - De/centralization of authority
  - A direct or matrix reporting relationship
  - Organization by industry, product line, location
  - How allocation of responsibility affects information requirements
  - Size and nature of company activities
51
Methods of assigning authority and responsibility
Authority and responsibility are assigned and communicated using formal job descriptions, employee training, operating schedules, budgets, a code of conduct, and written policies and procedures.
52
policy and procedures manual
A document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties
53
HR standards that attract, develop & retain competent individuals
HR policies should convey the required level of expertise, competence, ethical behavior, and integrity. Ex: planning & preparing for succession, hiring, compensating, training, discharging, vacations & job rotations
54
COSO IC Framework: Risk Assessment & Response
Management is responsible for identifying & assessing the threats the company faces.
Inherent risk: susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
Residual risk: risk that remains after management implements IC/responds to risk.
55
4 ways to respond to risk
  1. Reduce
  2. Accept
  3. Share
  4. Avoid
56
Reduce:
reduce the likelihood & impact of risk by implementing an effective system of IC
57
Accept:
accept the likelihood and impact of risk
58
Share
Share risk/transfer it to someone else by buying insurance, outsourcing, or entering into hedging transactions
59
Avoid:
Avoid risk by not engaging in the activity that produces the risk
60
Expected loss:
The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood).
Expected loss = impact x likelihood
61
Control Activities
policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out
62
Categories of control procedures:
  1. Proper authorization of transactions and activities
  2. Segregation of duties
  3. Project development and acquisition controls
  4. Change management controls
  5. Design and use of documents and records
  6. Safeguarding assets, records, and data
  7. Independent checks on performance
63
Authorization
Establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initialing, or entering an authorization code on a document or record
64
digital signature
A means of electronically signing a document with data that cannot be forged
65
Specific authorization
special approval an employee needs in order to be allowed to handle a transaction
66
General authorization
The authorization given to employees to handle routine transactions without special approval
67
Segregation of duties:
Separating the accounting functions of authorization, custody and recording to minimize an employee's ability to commit fraud.
68
Separation of duties functions
  1. Authorization: approving transactions and decisions
  2. Recording: preparing source documents, entering data into the computer, maintaining journals, ledgers, files or databases
  3. Custody: handling cash, tools, inventory, FA, writing checks, etc.
69
segregation of system duties:
Implementing control procedures to clearly divide authority and responsibility within the information system function
70
data entry
Responsible for entering or capturing the data for all business transactions
71
users
People who record transactions, authorize data processing, and use system output
72
Personnel Management
  1. Systems admin: ensure all information system components operate smoothly
  2. Network managers: ensure that devices are linked to the org's internal & external networks and that those networks work properly
  3. Security mgmt: ensure systems are secure & protected from internal & external threats
  4. Change mgmt: ensure changes are made smoothly and do not negatively impact the system
  5. Data control: ensure data sources have been properly controlled; monitors the flow of data
  6. Database admin: responsible for coordinating, controlling & managing the database
73
Information & Communication
Systems should capture and exchange the information needed to conduct, manage, and control the organization’s operations
74
Primary purpose of AIS
To gather, record, process, store, summarize and communicate information about an organization
75
Audit trail
Allows transactions to be tracked back and forth between their origination and the FS
76
3 principles Information & communication
  1. Obtain/generate relevant, high-quality information to support internal control
  2. Internally communicate the information necessary to support the other components
  3. Communicate relevant internal control matters to external parties
77
Monitoring
The internal control system that is selected or developed must be continuously monitored, evaluated, and modified as needed
78
Monitoring
  - Perform internal control evaluations
  - Implement effective supervision
  - Use responsibility accounting systems
  - Monitor system activities
  - Conduct periodic audits
  - Employ a computer security officer
  - Install fraud detection software