Romney C10: Controls & AIS

Question 1

Internal controls

Answer 1

The processes & procedures implemented to provide reasonable assurance that control objectives are met

Question 2

Objectives of Internal Controls

Answer 2

1. Safeguard assets - prevent/detect unauthorized access
2. Maintain records is sufficient detail to report company assets accurately
3. Provide accurate & reliable information
4. Prepare financial reports with established criteria
5. Promote & improve operational efficiency
6. Comply with applicable laws & regulations

Question 3

Threat

Answer 3

Any potential adverse occurrence or unwanted event that could injure the AIS or the organization

Question 4

Exposure/Impact

Answer 4

The potential dollar loss if a particular threat becomes a reality

Question 5

Likelihood/risk

Answer 5

The probability that a threat will come to pass

Question 6

Functions of Internal Controls

Answer 6

1. Preventive Controls
2. Detective Controls
3. Corrective Controls

Question 7

Preventive controls:

Answer 7

Controls that deter problems before they arise

Ex: hiring qualified employee, segregating employee duties, and controlling physical assets

Question 8

Detective Controls

Answer 8

Controls designed to discover control problems that were not prevented

Ex: Duplicate checking of calculations, bank reconciliations & monthly trial balances.

Question 9

Corrective controls

Answer 9

Controls that identify and correct problems as well as correct and recover from the resulting errors

Ex: maintaining back up copies of files, correcting data entry errors

Question 10

2 Categories of Internal Controls:

Answer 10

1. General controls

2. Application controls

Question 11

General Controls:

Answer 11

Make sure an organization’s control environment is stable and well manage.

Ex: security, IT infrastructure, software acquisition, maintenance controls

Question 12

Application Controls:

Answer 12

Prevent, detect and correct transactions errors and fraud in application programed.

Question 13

What Application Controls are concerned with?

Answer 13

Accuracy, completeness, validity, and authorization of data captured, entered, processed stored etc
.

Question 14

Who espoused 4 Levers of Control?

Answer 14

Robert Simons

Question 15

4 Levers of Control (BBDI)

Answer 15

1. A belief system
2. A boundary system
3. A diagnostic control system
4. An interactive control system

Question 16

Belief system:

Answer 16

Describes how a company creates value, help employees understand management’s vision, communicates company core values, and inspires employees to live by those values

Question 17

Boundary System:

Answer 17

Helps employee act ethically by setting boundaries on employees behaviour

Question 18

Diagnostic Control System

Answer 18

Measures, monitors and compares actual company progress to budgets and performance goals

Question 19

Interactive Control System:

Answer 19

Helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions

Question 20

Foreign Corrupt Practices Act

Answer 20

Was passed in 1977 to prevent companies from bribing foreign officials to obtain business.

Question 21

Sarbanes-Oxley Act (SOX)

Answer 21

Applies to publicly held companies and their auditors and was designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen IC.

Question 22

Important aspects of SOX:

Answer 22

• Public Company Accounting Oversight Board (PCAOB) was created
• New rules for auditors - report specific info to company’s audit committee.
• New roles for audit committee - audit committees must be on the co’s BOD and be independent.
• New rules for management - CEO & CFO to certify that financial statements are fairly stated and the auditors were told about all material internal control weaknesses & fraud.
• New internal control requirements

Question 23

Control Frameworks:

Answer 23

1. COBIT - Control & Objectives for Information and Related Technology
2. COSO - Committee of Sponsoring Organization
3. Control Environment

Question 24

COBIT - Controls Objectives for Information and Related Technology (COBIT)

Answer 24

Control framework that allows:

1. Management to to benchmark the security and control practices of IT environments
2. Users of IT services to be assured that adequate security & Control exist
   3: Auditors to substantiate their internal control opinions and advise on IT security & control matters.

Question 25

COBIT is

Answer 25

describe as best practices for the effective governance and management of IT

Question 26

5 Keys of COBIT IT Governance and Management

Answer 26

1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management.

Question 27

Objective of Governance

Answer 27

To create value by optimizing the use of organizational resources to produce desired benefits in a manner that effectively address risk & reward

Question 28

1. Meeting stakeholder needs:

Answer 28

Helps users customize business processes & procedures to create an information system that adds value to its stakeholders

• allow company to create proper balance between risk & rewards

Question 29

Covering the enterprise end-to-end:

Answer 29

Integrates all IT functions and processes into companywide functions and processes

Question 30

Applying a single, integrated framework

Answer 30

Can be aligned at a high level with another standards & frameworks so that an overarching framework for IT governance & management is created

Question 31

Enabling a holistic approach

Answer 31

Results in effective governance and management of all IT functions in the company

Question 32

Separating governance from management

Answer 32

Distinguishes between governance and management

Question 33

Governance & Management Objectives:

Answer 33

G:
1. EDM (evaluate, direct & monitor)

M:

1. APO (align, plan, organize)
2. BAI (build acquire, implement)
3. DSS (deliver, service, support)
4. MEA (monitor, evaluate, assess)

Question 34

Governance Obj: EDM

Answer 34

Evaluate strategic options, direct the chosen options, and monitor strategy achievement

Question 35

Management Obj: APO

Answer 35

Organization, strategy & supporting activities for I&T

Question 36

BAI

Answer 36

Definition, acquisition, and implementation of I&T solutions

Question 37

DSS

Answer 37

Operational delivery & support of I&T services

Question 38

MEA - Monitor, evaluate, assess

Answer 38

Performance & conformance monitoring I&T

Question 39

Committee of Sponsoring Organizations

Answer 39

A private sector group consisting of the American Accounting Association, AICPA, Institute of Internal Auditors, the Institute of Management Accountants & the Financial Executives Institute

Question 40

Internal Control - Integrated Framework (IC)

Answer 40

A COSO frameworks that defines internal controls and provides guidance for evaluating and enhancing ICS

Question 41

5 Components & 17 Principles of IC Framework

Answer 41

Components:

1. Control environment
2. Risk assessment
3. Control activities
4. Information & Communication
5. Monitoring

Question 42

Control Environment:

Answer 42

Company’s culture that is the foundation for all other internal control components, as it influences how organizations establish strategies & objective, structure business activities, and identify, assess and respond to risk

Question 43

Control environment consists of:

Answer 43

1. management’s philosophy, operating style & risk appetite
2. Commitment to intergrity, ethical values & competence
3. Internal control oversight by the BOD
4. Organizational structure
5. Methods of assigning authority & responsibility
6. HR that attract, develop and retain competent individual
7. External influences

Question 44

Management’s philosophy, operating style & risk appetite

Answer 44

philosophy, or shared beliefs and attitudes, about risk that

affects policies, procedures, oral and written communications, and decisions

Question 45

Risk appetite

Answer 45

The amount of risk a company is willing to accept
to achieve its goals and objectives. To avoid undue risk
risk appetite must be in alignment with company strategy.

Question 46

COMMITMENT TO INTEGRITY, ETHICAL VALUES, AND COMPETENCE

Answer 46

Companies endorse integrity by:

• Developing a written code of conduct that explicitly describes honest and dishonest behaviors.
• Put processes in place to use the company’s code of conduct to evaluate individual and team performance
• Actively teaching and requiring the code of conduct
• Avoiding unrealistic expectations that motivate dishonest/illegal acts

Question 47

IC oversight by BOD

Answer 47

An involved board of directors represents shareholders and provides an independent review of management that acts as a check and balance on its actions

Question 48

Audit Committee

Answer 48

The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors

Question 49

Organizational Structure

Answer 49

Company’s organizational structure provides a framework for planning, executing, controlling & monitoring operations

Question 50

important aspects of organizational structure

Answer 50

• de/centralization of authority
• a direct or matrix reporting relationship
• organization by industry, product line, location
• how allocation of responsibility affects information requirements
• size and nature of company activities

Question 51

Methods of assigning authority and responsibility

Answer 51

Authority and responsibility are assigned and communicated using formal job descriptions, employee training, operating schedules, budgets, a code of conduct, and written policies
and procedures.

Question 52

policy and procedures manual

Answer 52

a document that explains proper business practices, describes needed knowledge and experience, explains document procedure, explains how to handle transactions and lists the resources provided to carry our specific duties

Question 53

HR standards that attract, develop & retain competent individuals

Answer 53

HR policies should convey the required level of expertise, competence, ethical behavior, and integrity required

ex: plan & prepare for succession, hiring, compensating, training, discharging, vacations & job rotations

Question 54

COSO IC Framework: Risk Assessment & Response

Answer 54

Management is responsible for identifying & assessing the threats the company faces.

Inherent risk: susceptibility of a set of accounts or transactions to significant control in the absence of internal control

Residual risk: risk that remains after management implements IC/response to risk.

Question 55

4 ways to respond to risk

Answer 55

1. reduce
2. Accept
3. Share
4. Avoid

Question 56

Reduce:

Answer 56

reduce the likelihood & impact of risk by implementing an effective system of IC

Question 57

Accept:

Answer 57

accept the likelihood and impact of risk

Question 58

Share

Answer 58

Share risk/transfer to someone else by buying insurance, outsourcing, entering into hedging transaction

Question 59

Avoid:

Answer 59

Avoid risk by not engaging in the activity that produces the risk

Question 60

Expected loss:

Answer 60

The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood ).

expected loss = impact x likelihood

Question 61

Control Activities

Answer 61

policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out

Question 62

Categories of control procedures:

Answer 62

1. Proper authorization of transactions and activities.
2. Segregation of duties.
3. Project development and acquisition controls.
4. Change management controls.
5. Design and use of documents and records.
6. Safeguarding assets, records, and data.
7. Independent checks on performance.

Question 63

Authorization

Answer 63

Establishing policies for employees to follow and then empowering them to perform certain organizational functions.

Authorization are often documented by signing, initializing, or entering an authorization code on a document or record

Question 64

digital signature

Answer 64

A means of electronically signing a document with data that cannot be forged

Question 65

Specific authorization

Answer 65

special approval an employee needs in order to be allowed to handle a transaction

Question 66

General authorization

Answer 66

the authorization given employees to handle routing transactions without special approval

Question 67

Segregation of duties:

Answer 67

separating the accounting functions of authorization, custody and recording to minimize an employee’s ability to commit fraud.

Question 68

Separation of duties functions

Answer 68

1. authorization: approving transactions and decisions
2. Recording: preparing source documents, entering data into computer, maintaining journals, ledgers, files or database
3. custody: handling cash, tools, inventory, FA writing checks etc

Question 69

segregation of system duties:

Answer 69

implementing control procedures to clearly divide authority and responsibility within the information system function

Question 70

data entry

Answer 70

responsible for entering or capturing the data for all business transactions

Question 71

users

Answer 71

people who record transactions, authorize data processing, use system output

Question 72

Personnel Management

Answer 72

1. Systems admin: ensure all info system components operate smoothly
2. Network managers: ensure that devices are linked to the org’s internal external networks works properly
3. Security mgmt: ensure systems are secure & protected from internal & external threats
4. Change mgmt: ensure changes are made smoothly and does not negatively impact system
5. data control: ensure data sources have been properly control, monitors the flow
   Database admin - responsible for coordinating controlling & managing the database

Question 73

Information & Communication

Answer 73

systems should capture and exchange the information needed

to conduct, manage, and control the organization’s operations

Question 74

Primary purpose of AIS

Answer 74

to gather, record, process, store, summarize and communicate information about an organization

Question 75

Audit trail

Answer 75

Allows transactions to be tracked back and forth between their origination and the FS

Question 76

3 principles Information & communication

Answer 76

Obtain/generate relevant, high-quality information to support internal control

Internally communicate the information, necessary to support other components

communicate relevant internal control matters to external parties

Question 77

Monitoring

Answer 77

The internal control system that is selected or developed must be continuously monitored, evaluated, and modified as needed

Question 78

Monitoring

Answer 78

• perform internal control evaluations
• Implement effective supervision
• use responsibility accounting systems
• monitor system activities
• conduct periodic audits
• employ computer security officer
• install fraud detection software