Topic 4 - Control and AIS

Question 0

What is exposure/impact?

Answer 0

The potential dollar loss should a particular threat become a reality.

Question 1

What is a threat/event?

Answer 1

Any potential adverse occurrence or unwanted event that could injure the AIS or the organization.

Question 2

What is likelihood?

Answer 2

The probability that a threat will come to pass.

Question 3

What are the internal controls?

Answer 3

The processes and procedures implemented to provide reasonable assurance that control objectives are met.

Question 4

What are the control objectives?

Answer 4

1. Safeguard assets - prevent or detect their unauthorized acquisition, use, or disposition.
2. Maintain records in sufficient detail to report company assets accurately and fairly.
3. Provide accurate and reliable information.
4. Prepare financial reports in accordance with established criteria.
5. Promote and improve operational efficiency.
6. Encourage adherence to prescribed managerial policies.
7. Comply with applicable laws and regulations.

Question 5

What are preventive controls?

Answer 5

Controls that deter problems before they arise. (i.e. hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information)

Question 6

What are detective controls?

Answer 6

Controls designed to discover control problems that were not prevented (i.e. duplicate checking of calculations and preparing bank reconciliations and monthly trial balances)

Question 7

What are corrective controls?

Answer 7

Controls that identify and correct problems as well as correct and recover from the resulting errors (i.e. maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing)

Question 8

What are general controls?

Answer 8

Controls designed to make sure an organization’s information system and control environment is stable and well managed (i.e. security, IT infrastructure, and software acquisition, development, and maintenance controls)

Question 9

What are application controls?

Answer 9

Controls that prevent, detect, and correct transaction errors and fraud in application programs.

Question 10

What is a belief system?

Answer 10

System that describes how a company creates value, helps employees understand management’s vision, communicates company core values, and inspires employees to live by those values.

Question 11

What is a boundary system?

Answer 11

System that helps employees act ethically by setting boundaries on employee behavior.

Question 12

What is the diagnostic control system?

Answer 12

System that measures, monitors, and compares actual company progress to budgets and performance goals.

Question 13

What is the interactive control system?

Answer 13

System that helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions.

Question 14

What is the Foreign Corrupt Practices ACT (FCPA)?

Answer 14

Legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations maintain a system of internal accounting controls.

Question 15

What is the Sarbanes-Oxley Act (SOX)?

Answer 15

Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud.

Question 16

What is the Public Company Accounting Oversight Board (PCAOB)?

Answer 16

A board created by SOX that regulates the auditing profession; created as a part of SOX. It consists of 5 people who are appointed by the Securities and Exchange Commission (SEC).

Question 17

What is Control Objectives for Information and Related Technology (COBIT)?

Answer 17

A security and control framework that allows:

1. management to benchmark the security and control practices of IT environments
2. users of IT services to be assured that adequate security and control exist
3. auditors to substantiate their internal control opinions and advise on IT security and control matters

Question 18

What is the Committee of Sponsoring Organizations (COSO)?

Answer 18

A private sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.

Question 19

What is the Internal Control - Integrated Framework (IC)?

Answer 19

A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.

Question 20

What is Enterprise Risk Management - Integrated Framework (ERM)?

Answer 20

A COSO framework that improves risk management process by expanding (adds three additional elements) COSO’s Internal Control - Integrated.

Question 21

What are the basic principles behind ERM?

Answer 21

• Companies are formed to create value for their owners.
• Management must decide how much uncertainty it will accept as it creates value.
• Uncertainty results in risk, which is the possibility that something negatively affects the company’s ability to create or preserve value.
• Uncertainty results in opportunity, which is the possibility that something positively affects the company’s ability to create or preserve value
• The ERM framework can manage uncertainty as well as create and preserve value

Question 22

What is the internal environment?

Answer 22

The company culture that is the foundation for all other ERM components as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.

Question 23

An internal environment consists of the following:

Answer 23

1. Management’s philosophy, operating style, and risk appetite
2. Commitment to integrity, ethical values, and competence
3. Internal control oversight by the board of directors
4. Organizational structure
5. Methods of assigning authority and responsibility
6. Human resource standards that attract, develop, and retain competent individuals
7. External influences

Question 24

What is risk appetite?

Answer 24

The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.

Question 25

What is an audit committee?

Answer 25

The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors.

Question 26

What is a policy and procedures manual?

Answer 26

A document that explains proper business practices, describes needed knowledge and experience, explain document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties.

Question 27

What is a background check?

Answer 27

An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.

Question 28

What are strategic objectives?

Answer 28

High-level goals that are aligned with and support the company’s mission and create shareholder value.

Question 29

What are operations objectives?

Answer 29

Objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources.

Question 30

What are reporting objectives?

Answer 30

Objectives that help to ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.

Question 31

What are compliance objectives?

Answer 31

Objectives to help the company comply with all applicable laaws and regulations.

Question 32

What is an event?

Answer 32

A positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives.

Question 33

What is inherent risk?

Answer 33

The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.

Question 34

What is residual risk?

Answer 34

The risk that remains after management implements internal controls or some other response to risk.

Question 35

What are the four ways management can respond to risk?

Answer 35

1. Reduce: Implement effective internal control
2. Accept: Do nothing, accept likelihood and impact of risk
3. Share: Buy insurance, outsource, or hedge
4. Avoid: Do not engage in the activity

Question 36

What is expected loss?

Answer 36

The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood).
- Expected loss = Impact x Likelihood

Question 37

What are control activities?

Answer 37

Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.

Question 38

What is authorization?

Answer 38

Establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initializing, or entering an authorization code on a document or record.

Question 39

What is a digital signature?

Answer 39

A means of electronically signing a document with data that cannot be forged.

Question 40

What is specific authorization?

Answer 40

Special approval an employee needs in order to be allowed to handle a transaction.

Question 41

What is a general authorization?

Answer 41

The authorization given employees to handle routine transactions without special approval.

Question 42

What are the five key principles of the COBIT5 framework?

Answer 42

1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management

Question 43

What are the components of the COSO framework?

Answer 43

1. Control (internal) environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring

Question 44

What are the components of the COSO-ERM framework?

Answer 44

1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring