Study Unit 4 Flashcards

Question 1

Q

Which control framework is widely accepted as the standard for the design and operation of internal control systems and where was it created?

Answer

A

Internal Control - Integrated Framework (COSO)

- US

Question 2

Q

Where was the Guidance on Control (aka CoCo Model) published?

Question 3

Q

Where was the Internal Control: Revised Guide for Directors on the Combined Code (aka the Turnbull Report) created?

Question 4

Q

Which control framework recommended for sound governance as requiring the CEO and chairperson to be separate individuals?

Answer

A

-Internal Control: Revised Guide for Directors on the Combined Code (Turnbull Report)(UK)

Question 5

Q

What is the best-known framework specifically for IT controls and what is the most recent version?

Answer

A

Control Objectives for Information and Related Technology (COBIT)
COBIT 5

Question 6

Q

What is the name of the alternative control model for IT created by the IIA-Research Foundation?

Answer

A

-Electronic Systems Assurance and Control (eSAC)

Question 7

Q

What is the COSO definition of internal control?

Answer

A

-It is a process, effected by an entity’s board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Question 8

Q

What are the three classes of objectives of the COSO framework (hint: “ORC”)?

Answer

A

Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with Laws and Regulations

Question 9

Q

Which of the three classes of objectives of the COSO framework is a system of internal control more likely to provide “reasonable assurance” over and why?

Answer

A

Reporting and Compliance
Because Reporting and Compliance objectives are responses to standards established by external parties. Thus achieving these objectives depends on actions almost entirely w/n the entity’s control.
Whereas operational effectiveness may not be within the entity’s control b/c it is affected by human judgment and many external factors.

Question 10

Q

What are the five components of internal control under COSO (Controls stop “CRIME”)?

Answer

A

Control Environment
Risk Assessment
Information and Communication
Monitoring
Control Activities

Question 11

Q

What makes up the control environment (COSO)?

Answer

A

-It is a set of standards, processes, and structures that pervasively affects the system of internal control.

Question 12

Q

What are the five principles that make up the control environment (COSO)?

Answer

A

Org. demonstrates a commitment to integrity and ethical values.
Board demonstrates independence from mgmt. and exercises oversight for internal control.
Mgmt. establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities.
Org. demonstrates a commitment to attract, develop, and retain competent individuals.
Org. holds individuals accountable.

Question 13

Q

Risk Assessment (COSO)

Answer

A

-This process encompasses an assessment of the risks themselves and the need to manage organizational change. It is a basis for determining how the risk should be managed.

Question 14

Q

What are the four principles that relate to Risk Assessment?

Answer

A

Org. specifies objectives w/ sufficient clarity to enable the identification and assessment of risks relating to (a) operations, (b) external financial/nonfinancial reporting, (c) internal reporting, and (d) compliance.
Org. identifies risks to the achievement of its objectives across the entity and analyzes risks to determine how the risks should be managed.
Org. considers the potential for fraud in assessing fraud risks. The org. must consider various types of fraud and assess incentives and pressures, opportunities, and assess attitudes and rationalizations.
Org. identifies and assesses changes that could significantly affect the system of internal control.

Question 15

Q

Control Activities (COSO)

Answer

A

-Policies and procedures help ensure that management directives are carried out. Whether automated or manual they are applied at various levels of the org and stages of processes. They may be preventative or detective, and segregation of duties is usually present.

Question 16

Q

What are the three principles that relate to Control Activities?

Answer

A

Org. selects and develops control activities that contribute to the mitigation of risks and the achievement of objectives to acceptable levels.
Org. selects and develops general control activities over technology to support the achievement of its objectives.
Org. deploys control activities through policies that establish what is expected and procedures that put the policies into action.

Question 17

Q

Information and Communication (COSO)

Answer

A

-Enables the org. to obtain, generate, use, and communicate info to (1) maintain accountability and (2) measure and review performance.

Question 18

Q

What are three principles that relate to Information and Communication?

Answer

A

Org. obtains or generates and uses relevant, quality information to support the functioning of IC.
Org. internally communicates information, including objectives and responsibilities for IC, necessary to support the function of IC.
Org. communicates w/ external parties regarding matters affecting the functioning of IC.

Question 19

Q

Monitoring Activities (COSO)

Answer

A

-Because control systems and the way controls are applied change over time, monitoring is the process that assesses the quality of IC performance over time to ensure the controls continue to meet the needs of the org.

Question 20

Q

What are the two principles related to Monitoring Activities?

Answer

A

Org. selects, develops, and performs ongoing or separate evaluations (or both) to determine whether the components of IC are present and functioning.
Org. evaluates and communicates control deficiencies in a timely manner.

Question 21

Q

Which control framework is thought to be more suited for IA purposes?

Answer

A

CoCo model (Guidance on Control)

Question 22

Q

What are the four components of the CoCo Model that 20 criteria are grouped into?

(Pneumonic: “Police Can Catch Many Lawbreakers”)

Answer

A

Purpose
Commitment
Capability
Monitoring and Learning

Question 23

Q

What are the five key principles of COBIT 5?

Answer

A

Meeting Stakeholder Needs
Covering Enterprise End-to-End
Applying a Single Integrated Framework
Enabling a Holistic Approach
Separating Governance from Management

Question 24

Q

COBIT 5 asserts that _________ _________ is the most basic stakeholder need.

Answer

A

-Value Creation

Question 25

Q

According to COBIT 5, what is the most fundamental goal of any enterprise, commercial or not?

Answer

A

-The creation of stakeholder value.

Question 26

Q

According to COBIT 5, what are the three components necessary for value creation?

Answer

A

Realization of benefits
Optimization (not minimization) of risk
Optimal use of resources

Question 27

Q

According to COBIT 5, what are stakeholder drivers?

Answer

A

-They are both internal and external factors that influence stakeholder needs.

Question 28

Q

According to COBIT 5, once stakeholder needs are identified, what needs to be established?

Answer

A

-Enterprise goals

Question 29

Q

COBIT 5 translates the # generic enterprise goals into __ related goals.

Answer

A

-17 and IT

Question 30

Q

According to COBIT 5, ________ are identified that support pursuit of the IT related goals. A _____ is broadly defined as anything that helps achieve objectives.

Answer

A

-enablers

Question 31

Q

True/False: COBIT 5 provides an overarching framework that addresses specific technical issues.

Answer

A

-False: COBIT 5 is an overarching framework that does not address specific technical issues; i.e., its principles can be applied regardless of the particular hardware and software in use.

Question 32

Q

Enabling a Holistic Approach: What are the 7 categories of enablers that support comprehensive IT governance and management?

Answer

A

Principles, policies, and frameworks;
Processes;
Org. structures
Culture, ethics, and behavior
Information*
Service, infrastructure, and applications*
People, skills, and competencies*

*-These three enablers are also resources that must be optimized.

Question 33

Q

True/False: Enablers are interconnected because they:

a) Need the input of other enablers to be fully effective and
b) Deliver output for the benefit of other enablers.

Question 34

Q

Define Governance vs. Management

Answer

A

Governance: is the setting of overall objectives and the monitoring of progress towards those objectives
- (COBIT 5 associates the Board w/ governance)
Management: is the carrying out of activities in pursuit of enterprise goals
- (COBIT 5 associates executive mgmt. under the leadership of the CEO with mgmt.)

Question 35

Q

Within the Governance practice, what are the three practice that must be addressed?

Answer

A

-Evaluate, direct, and monitor.

Question 36

Q

Within the Management practice, what are the four responsibility areas that must be addressed?

Answer

A

-Plan, build, run, and monitor.

Question 37

Q

True/False: In the eSAC model, the entity’s internal processes accepts inputs and produce outputs.

Question 38

Q

What are the four inputs of the eSAC model?

Answer

A

-Mission, values, strategies, and objectives.

Question 39

Q

What are the three outputs of the eSAC model?

Answer

A

-Results, reputation, and learning.

Question 40

Q

True/False: The eSAC model’s broad control objectives are influenced by the CoCo model.

Answer

A

-False: The eSAC model’s broad control objectives are influenced by the COSO model.

Question 41

Q

What are eSAC’s five IT business assurance objective?

Pneumonic: A Court Finds People Accountable

Answer

A

Availability
Capability
Functionality
Protectability
Accountability

Question 42

Q

What two control framework models emphasize soft controls?

Answer

A

-COSO and CoCo

Question 43

Q

True/False: Soft controls should not be distinguished from hard controls, such as compliance with specific policies and procedures imposed upon employees from above.

Answer

A

-False: Soft controls should be distinguished from hard controls.

Question 44

Q

Soft controls have become (more or less) necessary as technology advances have empowered employees.

Answer

A

-Soft controls have become more necessary.

Question 45

Q

What is a Control Self-Assessment used for?

Answer

A

-It is an approach used to audit soft controls. It is the involvement of mgmt. and staff in the assessment of internal controls within their workgroup.

Question 46

Q

Can hard and soft controls be measured? If so, how?

Answer

A

-Yes, hard and soft controls can be associated with particular risks and measured. The vulnerability addressed can be stated as the product of the probability of occurrence and the significant of the occurrence (V = P x S).

Question 47

Q

Enterprise Risk Management - Integrated Framework

Answer

A

-Describes a model that incorporates COSO control framework while extending it to the broader subject of enterprise risk management (ERM).

Question 48

Q

What is ERM based on and what is its emphasis on?

Answer

A

-Based on key concepts applicable to many types of organizations. The emphasis is on (a) the objectives of the specific entity and (b) establishing a means for evaluation the effectiveness of ERM.

Question 49

Q

How does the COSO framework define ERM?

Answer

A

-ERM is a process, effected by an entity’s board of directors, mgmt., and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity’s objectives.

Question 50

Q

Risk

Answer

A

-the probability that an event will occur and adversely affect the achievement of objectives.

Question 51

Q

Inherent Risk

Answer

A

-risk in the absence of a risk response.

Question 52

Q

Residual Risk

Answer

A

-risk after a risk response.

Question 53

Q

Risk Appetite

Answer

A

-the amount of risk an entity is willing to accept in pursuit of value. It reflects an entity’s risk mgmt. philosophy and influences the entity’s cultured operating style.

Question 54

Q

Opportunity

Answer

A

-the possibility that an event will positively affect the achievement of objectives.

Question 55

Q

What are the ERM Components

Answer

A

Internal Environment
Objective Setting (precedes event identification)
Event Identification
Risk Assessment
Risk Responses (5 Strategies)
Control Activities
Identification and Communication
Monitoring

Question 56

Q

What are the five strategies for Risk Response?

Answer

A

Risk Avoidance (ends activity)
Risk Retention (accepts risk)
Risk Reduction (Lowers risk)
Risk Sharing (shares risk)
Risk Exploitation (seeks high risk for high return on inv.)

Question 57

Q

Who had the ultimate responsibility for ERM?

Question 58

Q

_____ _____ should ensure that sound risk management processes are in place and functioning.

Answer

A

-Senior Management

Question 59

Q

Who determines the entity’s risk management philosophy?

Answer

A

-Senior Management

Question 60

Q

What is the Board of Directors responsibility regarding ERM?

Answer

A

Oversight role

- It should determine that risk management processes are in place, adequate, and effective

Question 61

Q

What qualities must the directors possess for them to be effective in ERM?

Answer

A

A majority of the board should be outside directors
Should have years of experience either in industry or in corporate governance
Must be willing to challenge mgmt. choices (complacent directors increases the chances of adverse consequences).

Question 62

Q

Larger entities may wish to establish a _____ _______ composed of _____ that also includes _____, the individuals most familiar with the process.

Answer

A

risk committee
directors
management

Question 63

Q

True/False: IA’s may be directed by the board to evaluate the effectiveness and contribute to the improvement of risk management processes?

Question 64

Q

The IAs’ determination of whether risk management processes are effective is a ______ resulting from the assessment that:

i) Appropriate \_\_\_\_\_ \_\_\_\_\_ are selected that align risks and the entity's \_\_\_\_ \_\_\_\_.    ii) Relevant risk information is captured and communicated in a timely manner across the entity.

Answer

A

judgment

- risk responses, risk appetite

Answer 59

A

faulty human judgment
cost-benefit considerations
simple errors or mistakes
collusion
management override of ERM decisions

Answer 60

A

-IA must evaluate the effectiveness and contribute to the improvement of risk management processes.

Answer 61

A

-Risk management processes are monitored through ongoing management activities, separate evaluations, or both.

Answer 62

A

IA must evaluate risk exposure relating to the org’s governance, operations, and information systems regarding the following:
- Achievement of the org’s strategic objectives;
- Reliability and integrity of financial and operational info.
- Effectiveness and Efficiency of operations and prog.
- Safeguarding of assets and
- Compliance w/ laws, regs, policies, procedures, and contracts.

-IA must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

Answer 63

A

-Establishing a risk-based audit model and participating in the organization’s risk management processes.

Answer 64

A

-senior management and the board

Answer 65

A

-The Board of Directors in their oversight role.

Answer 66

A

-The CAE must formally discuss with mgmt. and the board their obligations to understand, manage, and monitor risks within the organization and the need to satisfy themselves that there are processes operating w/n the organization, even if informal, that provide the appropriate level of visibility into the key risks and how they are being managed and monitored.

Answer 67

A

-False: It is the role of senior management and the board.

Answer 68

A

-sufficient and appropriate

Answer 69

A

-any illegal act characterized by deceit, concealment, or violation of trust.

Answer 70

A

-False: the full cost of fraud is immeasurable.

Answer 71

A

-fraud program, fraud risk

Answer 72

A

Pressures or incentive: is the need the fraudster is trying to satisfy.
Opportunity - ability to commit the fraud (org. can influence this factor the most by means of controls and procedures)
Rationalization - fraudsters justify

Answer 73

A

-Management

Answer 74

A

-IA; however, they are not responsible for designing and implementing fraud prevention controls.

Answer 75

A

-False: IA’s are only required to have “sufficient knowledge”. IA’s are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

Answer 76

A

-Due professional care

Answer 77

A

Identifying and prioritizing fraud risk factors and fraud schemes.
Mapping existing controls to potential fraud schemes and identifying gaps
Testing the operating effectiveness of fraud prevention and detection controls
Documenting and reporting the final risk assessment

Answer 78

A

-IA is not responsible for the detection of all fraud, but must always be alert to the possibility of fraud.

Answer 79

A

-evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.

Answer 80

A

-any kind of tampering with the accounting records to conceal a fraud (e.g. keeping 2 sets of books or forcing the books to reconcile)

Answer 81

A

-an unexplained rise in an employee’s social status or level of material consumption

Answer 82

A

-a drastic change in an employee’s behavior

Answer 83

A

-Analytical procedures are routinely used in many engagements. They may provide an early indication of fraud.

Answer 84

A

Lack of employee rotation
Inappropriate combination of job duties
Unclear lines of responsibility and accountability
Unrealistic sales or production goals
Employee refuses to take vacation or promotion
Established controls not applied consistently
High reported profits when competitors are suffering from an economic downturn
High turnover among supervisory positions in finance and accounting areas
Excessive or unjustifiable use of sole-source procurement
An increase in sales far out of proportion to the increase in cost of goods sold.

Brainscape's Knowledge GenomeTM

Study Unit 4 Flashcards

Brainscape's Knowledge Genome^TM