mod 3

General controls

(ITGC) are controls that apply to all systems, components, processes, and data for a given organization or information technology (IT) environment.

The goal of flowcharting is to create a document that is

concise and understandable

Foreign Corrupt Practices Act (FCPA)

1977 mandate preventing companies from bribing foreign officials to obtain business; requires companies to maintain accounting records and system of internal controls

Sarbanes Oxley Act (SOX)

2002; designed to prevent financial statement fraud, enhances transparency of reports for investors, punish executives who are frauds

Which capability level is used for a process that achieves its purpose, is well designed, and its performance is quantitatively measured?

4

SAS 94 requires auditors to document their understanding of the system of internal control. Which organization issued SAS 94?

AICPA

Which of the following is not a component of a governance system?

AIS

Which profession certification exam is most likely to test your knowledge of COBIT?

CISA- certified info systems auditor

Compliance Objectives

Compliance officers within the compliance department have a duty to their employer to work with management and staff to identify and manage regulatory risk. Their objective is to ensure that an organization has internal controls that adequately measure and manage the risks it faces.

Policies & procedures are part of which component of internal control?

Control activities

Which of the following best describe the interrelated components of internal control?

Control environment; risk assessment process; control activities; the information system, including related business processes; and monitoring of controls.

The COSO Board commissioned and published in 2004 Enterprise Risk Management—Integrated Framework. What is the name of the updated Document?

ERM- integrating with strategy and performance

Which organization created COBIT?

ISACA; used to stand for something but now just letters

Operations Objectives

In business, also known as tactical objectives are short-term goals whose achievement brings an organization closer to its long-term goals.

parallelogram

It indicates the process of inputting and outputting data, as in entering data and displaying results.

off-page connector

It is a labeled connector for use when the target is on another page.

inverted triangle

It is used for manual filing such as a filing cabinet.

terminator symbol

It is used to start or end a process.

on-page connector

It replaces long or confusing lines with a pair of labeled connectors on the same page.

electronic file

It represents a data file or database.

process symbol

It represents a set of operations that changes value, form, or location of data

decision diamond

It shows a conditional operation that determines which one of two paths the program will take. The operation is commonly a yes/no question or a true/false test.

predefined process

It shows named process which is defined elsewhere.

Who is the author of coso erm updated document?

Pricewaterhouse coopers or PwC

What is the PCAOB?

Public Company Accounting Oversight Board

When Congress passed the Sarbanes-Oxley Act of 2002, it imposed greater regulation on public companies and their auditors and required increased accountability. Which of the following is not a provision of the act?

a. Auditors may not provide specific nonaudit services for their audit clients. b. Executives must certify the appropriateness of the financial statements. (c.) Audit firms must be rotated on a periodic basis. THE PARTNER FROM THE FIRM NOT THE WHOLE FIRM NEEDS TO BE ROTATED d. The act provides criminal penalties for fraud.

Expected loss

all possible losses multiplied of the loss occurring; impact * likelihood

Threat or Event

any potential adverse occurrence or unwanted event that could injure the AIS of organization

Application controls

are a form of security that is designed to improve the quality of the data that is input into a database. An example is the validity check, which reviews the data entered into a data entry screen to ensure that it meets a set of predetermined range criteria.

Directive controls

are actions taken to cause or encourage a desirable event to occur. They are broad in nature and apply to all situations. Preventive Controls deter undesirable events. Detective Controls detect undesirable events so corrective actions can be taken.

Internal controls

are the mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability and prevent fraud.

Preventative controls

are used to keep a loss or an error from occurring. Examples are segregated duties and the physical protection of assets. These controls are typically integrated into a process, so that they are applied on a continual basis

flowchart symbols

as defined by American National Standards Institute (ANSI)

Which of the following is the correct listing of accounting-related functions that must be segregated?

authorization, custody, and recording

Reporting Objectives

be useful to investors and lenders, be helpful in determining a company's cash flows, and report the company's assets, liabilities, and owner's equity and the changes in them.

Monitoring

conduct ongoing and separate evaluations and communicates deficiencies

COSO Internal Control - Integrated Framework (IC)

control environment, control activities, risk assessment, info & communication, and monitoring are their duties

What is COBIT?

control objectives for information and related technologies; It is a framework for the governance and management of information and technology, applied to the whole organization.

The diamond shaped symbol is commonly used in flowcharting to show or represent a

decision point, conditional testing, or branching

Which of the following flowcharts illustrate the flow of information among areas of responsibility in an organization?

document flowchart

Internal control cannot be designed to provide reasonable assurance regarding the achievement of objectives concerning

elimination of all fraud

What is the COSO organization name that is represented as FEI?

financial executives international

another trapezoidish shape

for manual input.

trapezoid

for manual input.

Which legislation originally required companies to maintain a system of internal controls?

foreign corrupt practices act of 1977

According to COSO, which component of enterprise risk management (ERM) addresses an entity's operating structures and core values?

governance and culture

Risk Assessment

identify risk factors that have the potential to harm

Your current system is deemed to be 90% reliable. A major threat has been identified with an impact of $3,000,000. Two control procedures exist to deal with the threat. Implementation of control A would cost $100,000 and reduce the likelihood to 6%. Implementation of control B would cost $140,000 and reduce the likelihood to 4%. Implementation of both controls would cost $220,000 and reduce the likelihood to 2%. Given the data, and based solely on an economic analysis of costs and benefits, what should you do?

implement control B only current situation- 10% chance/ $3 mil impact control A- 6% chance/$100,000 cost .06x3mil= $180,000 100k+180k= $280,000 control B- 4% chance/ $140,000 cost .04x3mil= $120,000 120k+140k= $260,000 both A & B- 2% chance/ $220,000 cost .02x3mil= $60,000 60k+220k= $280,000

Corrective controls

include any measures taken to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity.

Detective controls

is an accounting term that refers to a type of internal control intended to find problems within a company's processes. these may be employed in accordance with many different goals, such as quality control, fraud prevention, and legal compliance.

Internal controls are designed to provide reasonable assurance that

material errors or fraud will be prevented, or detected and corrected, within a timely period by employees in the course of performing their assigned duties.

Risk Appetite

max amount of risk a company is willing to accept in pursuit of an objective

Public Company Accounting Oversight Board (PCAOB)

oversight of auditing profession, rotate partners periodically, and prohibit non-audit services

Which of the following describe management, as opposed to governance?

plans, builds, and monitors activities

Exposure or impact

potential dollar loss should a particular threat become realized

Requiring certain fields to be entered is which type of control?

preventative controls

All other things being equal, which of the following is true?

preventative controls are superior to detective controls

Likelihood or risk

probability a threat will come to pass

The COSO definition of internal control specifies that it is a

process involving many groups of people

Control Objectives for Information and Related Technology (COBIT)

provide users with measures, indicators, processes, best practices to maximize IT benefit

Which of the following controls is preventative?

requiring two people to open the mail

Which component of internal control contains the principle: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives?

risk assessment

Inherent risk

risk posed by an error or omission in a financial statement due to a factor other than a failure of internal control. In a financial audit, is most likely to occur when transactions are complex, or in situations that require a high degree of judgment in regard to financial estimates.

COSO Enterprise Risk Management - Integrated Framework (ERM)

risk vs control based models; stresses risk management activities are an inherent part of business operations and should be considered during strategy setting

Control Activities

segregation of duties, physical controls, performance reviews, authorization and info processing

Policy & Procedures manual

set of policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals

Control environment

sets tone of organization influencing the control consciousness of people

SAS 94 requires auditors to document their understanding of the system of internal control. What does SAS stand for?

statements on auditing standards

Strategic Objectives

statements that indicate what is critical or important in your organizational strategy. In other words, they're goals you're trying to achieve in a certain period of time—typically 3-5 years. Your objectives link out to your measures and initiatives.

Expected loss

sum of the values of all possible losses, each multiplied by the probability of that loss occurring.

Committee of Sponsoring Organizations (COSO)

systematic approach of integrating IT with business strategy and risk

Audit Committee

the IAA and manages the relationship with external auditor

Residual risk

the amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.

Documentation methods such as DFDs and flowcharts save both time and money, adding value to an organization.

true

Information & Communication

uses relevant info to communicate internally and externally