Unit 6: Computer Controls and IT Auditing Flashcards
What are the four areas of business ethics?
Equity
Rights
Honesty
The Exercise of Corporate Power
In the case of ethical responsibility, define proportionality.
The benefit from a decision must outweigh the risks. There must be no alternative decision that provides the same or greater benefit with less risk.
Define computer ethics
Analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. Includes details about software as well as hardware and concerns about networks connecting computers as well as computers themselves.
What are the three levels of computer ethics?
Pop - the exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology. Society at large needs to be aware of such things as computer viruses and computer systems designed to aid handicapped persons.
Para - taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field
Theoretical - of interest to multidisciplinary researchers who apply the theories of philosophy, sociology, and psychology to computer science with the goal of bringing some new understanding to the field.
What does Section 406 of the Sarbanes-Oxley Act (SOX) (2002) require?
Section 406 of SOX requires public companies to disclose to the SEC whether they have adopted a code of ethics that applies to the organization’s chief executive officer (CEO), CFO, controller, or persons performing similar functions. If the company has not adopted such a code, it must explain why.
The SEC has ruled that compliance with Section 406 necessitates a written code of ethics that addresses what ethical issues?
Conflicts of Interest
Full and Fair Disclosures - Overly complex and misleading accounting techniques were used to camouflage questionable activities that lie at the heart of many recent financial scandals. The objective of this rule is to ensure that future disclosures are candid, open, truthful, and void of such deceptions.
Legal Compliance
Internal Reporting of Code Violations
Accountability
What are the four broad objectives of the internal control system?
1) To safeguard assets of the firm
2) To ensure the accuracy and reliability of accounting records and information
3) To promote efficiency in the firm’s operations
4) To measure compliance with management’s prescribed policies and procedures
What are the four modifying assumptions that guide designers and auditors of internal controls?
1) Management Responsibility - this concept holds that the establishment and maintenance of a system of internal control is a management responsibility
2) Reasonable Assurance - the internal control system should provide reasonable assurance that the four broad objectives of internal control are met in a cost-effective manner. This means that no system of internal control is perfect and the cost of achieving improved control should not outweigh its benefits.
3) Methods of Data Processing - Internal Controls should achieve the four broad objectives regardless of the data processing method used. The control techniques used to achieve these objectives will, however, vary with different types of technology.
4) Limitations - Every system of internal control has limitations on its effectiveness. These include:
the possibility of error - no system is perfect
circumvention - personnel may circumvent the system through collusion or other means
management override - management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so
changing conditions - conditions may change over time and render existing controls ineffective
What are the three layers of the preventive-detective-corrective control model (PDC)?
Preventive Controls:
-first line of defense
-passive techniques designed to reduce frequency of occurrence of risks
Detective Controls:
-second line of defense
-devices, techniques, and procedures designed to identify and expose risks that have eluded preventive controls
-reveal specific types of errors by comparing actual occurrences to pre-established standards
-identify anomalies and draw attention to them
Corrective Controls:
-actions taken to reverse the effects of errors detected in the previous step
What management responsibilities are codified in Sections 302 and 404 of SOX?
Section 302 requires corporate management (including the CEO) to certify financial and other information contained in the organization’s quarterly and annual reports. The rule also requires corporate management to certify internal controls on a quarterly and annual basis.
Section 404 requires the management of public companies to assess the effectiveness of the organization’s internal controls over financial reporting.
What is the Committee of Sponsoring Organizations of the Treadway Commission (COSO)?
A joint initiative of five private sector organizations that is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
Control framework endorsed by the PCAOB and the SEC
What are the five components of the COSO Internal Control Framework?
The Control Environment
Risk Assessment
Information and Communication - By gaining an understanding of the process and following a transaction through the system, an auditor can assess how the system processes information (transaction processing) and communicates the results (reporting). Testing a single transaction would not qualify as testing of the control environment, ensuring monitoring, or showing how management assesses risk. It would help in gaining an understanding of what information is in the system and how it is reported.
Monitoring
Control Activities
What is the grandfather-father-son (GFS) technique?
A back-up technique employed by systems that use sequential master files (whether tape or disk). It is an integral part of the master file update process.
The process begins when the current master file (the father) is processed against the transaction file to produce a new updated master file (the son). Note that the son is a physically different file from the father. With the next batch of transactions, the son becomes the current master file (the new father), and the original father becomes the backup file (grandfather). This procedure is continued with each new batch of transactions, creating several generations of backup files. When the desired number of backup copies is reached, the oldest backup file is erased (scratched). If the current master file is destroyed or corrupted, it is reconstructed by processing the most current backup file against the corresponding transaction file.
The COSO model identifies two broad groupings of IT controls. What are they?
Application controls - ensure the validity, completeness, and accuracy of financial transactions; application specific
General controls - not application specific, apply to all systems; include controls over IT governance, IT infrastructure, network and operating system security, database access, program changes
What is the most common access point for perpetrating computer fraud?
At the data collection stage