acc systems exam 2
estimate account balance
(audited value of sample/recorded balance of sample) x recorded balance of pop
Basic Steps in Sampling
-planning -performing -evaluating
Steps in Sampling: Performing
4. Determine sample size 5. select sample items 6. measure sample items
cobit 5 2 main components
5 geit principles and 7 enablers both of these are fundamentally different than the approach used in 4.1 for ex, 4.1 did not have enablers
• Subschema
A description of a portion of a schema
erm
A process, effected by an entity's board of directors, management, and other personnel, applied in strategy settings and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Database Management Systems (DBMS)
A set of integrated programs designed to simplify the tasks of creating, accessing, and managing a centralized database • Integrates a collection of files that are independent of application programs and are available to satisfy a number of different processing needs • Contains data related to: - All the organizations applications, - Supports normal data processing needs, and - Enhances management activities by providing data useful to managers • Enterprise databases are a subset of DBMS
intelligent agent
A software program that may be integrated into a DSS or other software tool (such as word processing, spreadsheet, or database packages) that provides automated assistance, advice, and/or information for decision making.
Third Normal Form (3NF)
A table is in third normal form (3NF) if it is in 2NF and has no transitive dependencies • Transitive dependency - Exists when a non-key attribute is functionally dependent on another non-key attribute - Cust_Name is functionally dependent on Cust_Code, which is a non-key attribute
control matrix
A tool designed to assist in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans.
control redundancy
Are too many goals directed at the same goal?
steps to precision and reliability
Based on sampling procedure, form sample estimate Based on precision and reliability, form precision interval
Monetary Unit Sampling (MUS)
Basics of MUS Determining Sample Size Selecting and Measuring Sample Items Evaluating Sample Results
Two primary functions of a DBMS
Creation and maintenance of master data 2. Recording of business event data
• Entity-relationship modeling
Designer identifies the important things (entities) about which information will be stored and how the things are related to each other (relationships)
• Data mining
Exploration, aggregation, and analysis of data in data warehouses using analytical tools and exploratory techniques
• 3 steps in analysis of E-R diagram
Identify entities 2. Identify relationships and learn about the characteristics of the relationships 3. Uses info to create database tables and connections among tables
key verification
Input documents are keyed by one individual and then rekeyed by a second individual to detect keying errors. occasionally applied to input of low volume, high value batches of events
3. Define the population
Item(s) about which question is asked (e.g., health club members?) Need to ensure population is carefully and completely define pop= all sales invoices sample unit= 1 sales invoice
Selection and Hiring Control Plans
Job candidates should be carefully screened, selected and hired. companies choose which plans to employ based on the salary level and job duties for the position for which the candidate is applying
reliability (confidence)
Likelihood of achieving a given level of precision
nonsampling risk
Likelihood that an incorrect conclusion is drawn for reasons unrelated to the sample Most common cause is mistakes in evaluating sample items usually errors in judgment or execution of the test (test performed incorrectly or test not created correctly, not bc ur using sampling).
risk response
Management selects risk responses - avoiding, accepting, reducing, or sharing risk - developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
review tickler file
Manual file of documents, or a computer file, that contains business event data that is pending further action. should be reviewed on a regular basis
DSS (decision support system)
Models information to support managers and business professionals during the decision-making process
Population size
Not applicable unless relatively small once pop reaches 500 it has a much reduced effect on sample size so we dont typically consider it too important
Normalization in Relational Databases Bottom-Up Approach
One of two approaches - Other is top-down, which will be covered later • Designer identifies the attributes of interest and organizes those attributes into tables • Common practice to gather all paper documents currently used and design the computer system so that they can be completed electronically • Limitation is that one tends to automate current practices without leveraging computer technology capabilities • The need for computer-oriented controls may be ignored even though prior manual controls may not be effective
forms
Onscreen presentations that allow users to view data in tables or collected by queries from one or more tables and input new data
Nonstatistical Sampling
Permissible under GAAS Does not allow auditors to control exposure to sampling risk Major differences in: Determining sample size (may judgmentally determine sample size and do not need to quantify expected deviation rate or CI in that case) Selecting sample items (may use nonrandom methods like block or haphazard selection) Evaluating sample results (may judgmentally evaluate sample results based on a sample rate of dev compared to a tol rate and basically ask urself is there enough cushion to allow for sampling risk. based on auditor judgment which is not as precise so be careful with it)
Anomalies or errors
Results when you fail to follow the rules of normal forms - That might occur when adding, changing, or deleting data stored in the database
sample size examples: parameters
Risk of overreliance = 5% Tolerable rate of deviation = 6% Expected population deviation rate = 2%
Risk of Incorrect Rejection occurs when
Sample indicates account is misstated Account is not misstated
Risk of Incorrect Acceptance occurs when
Sample indicates account is not misstated Account is misstated
risk of overreliance occurs when
Sample indicates controls are functioning effectively Controls are not functioning effectively
• Normal forms
Structure of tables must comply with several rules - Include specifications that must be met by relational database tables
hash totals
Sum of any numeric data existing for all batch documents, such as a total of customer numbers or purchase order numbers. Can determine if inputs have been altered (accuracy) , added (validity), or deleted (completeness).
PCAOB Inspection Results
The Firm failed to sufficiently test an important control over the loan grading process that it selected, as the sample size the Firm used in its testing was too small to obtain the necessary level of assurance that the control was operating effectively to prevent or detect material misstatements. For these compensating controls [over revenue and accounts receivable transactions], the sample used by the Firm to test the compensating controls was inadequate because the Firm underestimated the number of times the control operated when computing the necessary sample size.
risk appetite
The amount and type of risk that an organization is willing to take in order to meet their strategic objectives (from Institute of Risk Management)
coding
The creation of substitute values, or codes, to represent classification categories long labels
Cannot afford to prevent all losses
Too expensive to eliminate all risk (if possible)
queries
Tools that allow users to access the data stored in various tables and to transform data into information
applications approach to business event processing
Under this approach, each application collects and manages its own data, generally in dedicated, separate, physically distinguishable files for each application. concentrates on process being performed eACH applicaiton collects and amnages its own data, gernerally in dedicated, separate, physically distinguishable files for each app.
Logical Versus Physical Database Models
Underlying concept of centralized database approach - Decouple data from applications • Data independence - Data is decoupled from the system applications to make it independent of the application or other users • Three-tier architecture - Systems that are decoupled are referred to as having 1. User or presentation tier 2. Application or business logic tier - Middleware 3. Database tier
Variables Sampling
Used to estimate the amount (or value) of some characteristic of a population Used in the auditor's substantive procedures
data redundancy
When the same data is stored in multiple locations and files • For example, customer information Can cause inconsistencies among the same data in different files. Increases storage and labor costs and data may not be shareable
automated data entry
a strategy for the capture and entry of event-related data using technology such as OCR, bar codes, RFID, and EDI. these methods use fewer human resources and capture more data in a period of time than is possible w manual entry. by eliminating the keying errors that can occur in manual data entry, these methods improve the accuracy of the entered data. finally, in some cases, the input method can validate the authenticity of the input. for ex, when the rfid chip on a box is read, we know that the box exists. completeness
continuous data protection (CDP)
all data changes are date stamped and saved to secondary systems as the changes are happening. u can have server here and one in another location and a keystroke is made here and almost simultaneously itll be on the server at another location. ex: invoice here, computer dies, go to starbs and invoice is there. ensures security of resources/ securing ur assets/computer files. this process is not the periodic backup of files mentioned previously but is a process for continuous and immediate replication of any data changes for many organizations, it is not cost-effective to maintain duplicate computer facilities, although they still need cdp. these orgs might contract w third parties for electronic vaulting
risks
are those events that would have a neg impact on an orgs objectives require assessment and response, whereas opportunities are channeled back to the strategy-setting process. ex: a new mkt op might have opened up that mgmt could decide to pursue.
Approving a customer credit purchase would be an example of which basic events processing function?
authorizing events
the best way to mitigate password risk is to put in additional authentications, such as a
biometric identification (i.e., something they are) or a smartcard (i.e., something they have) that users must use along w their passwords
As described in COSO, elements of a control environment might include the following:
commitment to the importance of control reward systems tone at the top of the org
incorrect acceptance is the same as
confidence level
COSO's 5 Elements of Internal Control
control environment, risk assessment, control activities, information and communication, monitoring
to overcome the roadblocks to quality decision making, managers use
decision support systems (DSSs), exec info sys (EISs), group support sys (GSSs), expert sys (ESs), neural networks (NNs), and intelligent agents
One-for-one checking
detailed comparison of the individual elements of two or more data sources to determine that they agree differences indicate errors in input or update expensive, reserved for low volume high value events
control efficiency
do individual control plans address multiple goals?
tolerable misstatements vs tolerable rate of deviation
dollar values that we are willing to tolerate as misstatements vs how many times can this control not function b4 we can consider it to be broken
impact
effect of an event's occurrence
timeliness
effectiveness
a mechanism by which a company is reimbursed for any loss that occurs when an employee commits fraud is called a
fidelity bond
GSSs facilitate
group interaciton and group consensus building
as summation of customer account numbers taken from a batch of sales invoices would be classified as
hash total
coso places integrity and ethical values at the
heart of what is called the control environment (captured in erm as internal environment)
personnel security control plans
help prevent the organization's own personnel from committing acts of fraud or theft of assets
object-relational databases
incldues a relational dbms framework w the capability to store complex data types. companies like either rn.
fidelity bond
indemnifies a company in case it suffers losses from defalcations committed by its employees employees who have access to cash and other negotiable assets are usually bonded
DSSs structure the available data to provide
info ab alternative courses of action w/o offering a solution. DSSs work well w unstructured or semistructured problems that have a quantifiable dimension.
knowledge
information that has been formatted and distributed in accordance w an orgs standards
supervision control plans
involve the processes of approving, monitoring, and observing the work of others
forced vacations
is a policy that requires an employee to take leave from the job and substitutes another employee in his or her place irregularity of skipping vacays will be detected by this (detective control) if these are in place, they should act as a deterrent to the irregularity ever occuring in the first place (preventive)
sampling
is the process of making a statement about a population of interest by examining only a subset (or sample) of that population
• Chief advantage of a DBMS is
it contains a query language
cobit 4.1 supports it governance by providing a framework to ensure that
it is aligned w the bus it enables the bus and maximizes benefits it resources are used responsibly it risks are managed appropriately
matrix
key tool in the assessment of a sys of ic that is used to determine whether a sys of ic is designed well and can help an org achieve objectives and respond to risks
use control matrix to
match bus process controls to the goals will allow us to access the effectiveness of design of the system of ic by examining, easily, which goals are being addressed and which goals are not. use it only to assess bus process controls
Classical Variables Sampling Approaches
mean per unit difference estimation ratio estimation
EISs use
menus, graphics, and color to provide a friendly interface to DSSs for execs who want to minimize their interaction w the sys
controls that ensure input accuracy and completeness do not
necessarily ensure update accuracy and completeness if the events ir trans are processed using an online real time (olrt) processing system, the input and update will occur nearly simultaneously. this will minimize the possibility that the update will occur nearly simultaneously.
DSS and EIS similarities
neither tells the decision maker what to do. both primarily provide views for interpreting the info. users generally use a dss to arrive at estimated or "recommended" solutions to problems being considered. statistical methods rarely used for eis. eis mainly ab collecting and presenting info desired by an exec and less ab doing additional processing calculations. eis's are more liekly to have the ability to drill down (from summarized into to the primary docs) than DSSs. no matter the type of decision aid being used, the knowledge and experience required to analyze the info, to make the judgements, and to take the actions required reside w the decision maker.
ensure input validity
no false transactions are put into the system ex: order entry clerk requested processing of 50 customer orders. 2 of the 50 orders are ficticious.
another useful and common way to classify controls is in relation to the timing of their
occurrence
Before a completed input screen is recorded the data entry clerk is asked if the data should be accepted. This is which control plan?
online prompting
erm is a process for
org governance. orgs create value for their stakeholders by establishing objectives and identifying and managing risks that might result in failure to achieve objectives.
MUS: Measuring Sample Items
perform appropriate substantive testing procedure for each misstatement, calculate tainting percentage as: (recorded bal - audited val)/recorded balance gives u the % it is tainted/misstated
personnel management control plans
personnel planning control plans job description control plans supervision control plans personnel security control plans
second level of protection
pervasive control plans
Control Activities
policies and procedures are established and implemented to help ensure the risk responses are effectively carried out includes approvals, authorizations, verifications, reconciliations, reviews of operating performance, security procedures, supervision, audit trails, and segregation of duties
likelihood
possibility that an event will occur
In a control matrix the coding P-1 means:
present control plan
best control
preventive controls bc in the lr they're less expensive and less disruptive to ops to prevent, rather than to detect or correct, problems. however, bc no control can be made to be 100% effective, we need to implement a combination of preventive, detective, and corrective controls. detective can help prevent or deter fraudulent or careless acts. if someone knows that plans exist to detect or uncover fraud and carelessness, such knowledge can serve as one additional preventive measure
The goal of normalization is to
produce a database model that contains relations that are in third normal form (3NF)
personnel planning control plans
project future managerial and technical skills of the staff, anticipate turnover, and develop a strategy for filling necessary positions
ESs apply expertise extracted froma human expert to
provide specific recs on problems or decisions
systems documentation
provides an overall description of the application, including the systems purpose; an overview of sys procedures; and sample source docs, outputs, and reports
Agree run-to-run totals
reconcile totals prepared before a computer process has begun to totals prepared at the completion of the computer process reconciled manually or by the computer
specific attention must be paid to
recruitment promotion personnel qualifications training backup performance evaluation job change termination honesty is key to implement other control plans
which of the following database types has dominance in orgs
relational
a policy that requires employees to alternate jobs periodically is called
rotation of duties
sequential sampling process
select initial sample options -conclude control is operating effectively -conclude control is not operating effectively -sample is inconclusive; examine additional items
process
series of actions or operations leading to a particular and usually desirable result. results could be risk mgmt as described by erm, effective ic as proposed by coso, or a specified output of an ops process for a particular mkt or customer
process
set of procedures and practices also thought of as controls
domain
set of processes
Principle 1: Meeting Stakeholder Needs.
since enterprises exist to create value for their stakeholders, it makes sense that the key objective of governance and mgmt should be value creation. in turn, value creation has 3 objectives or components: benefits realization, risk optimization, and resource optimization
intelligent agents can be embedded in
software to perform tasks for u or help u more effectively complete certain tasks
Approaches to sampling
statistical sampling nonstatistical sampling Both statistical sampling and nonstatistical sampling are appropriate under GAAS
preventive control plans
stop problems from occurring ex: programmed edits, such as validation of the customer name and address
relational database model
stores information in the form of logically related two-dimensional tables more flexible model each individual fact or type of into (i.e. entity) is stored in its own table allows users to query the tables to obtain info from 1 or more tables in a very flexible way
Elements of Relational Databases
tables queries forms reports
monitoring
the entirety of erm is monitored, and modifications are made as necessary. monitoring is accomplished through ongoing mgmt activities, separate evaluations, or both. should not be considered a final activity
variables sampling decisions
ul on misstatements <= tolerable misstatements = acct bal is not misstated ul on misstatements > tolerable misstatement = acct bal is misstated
turnaround documents
used to capture and input a subsequent event picking ticket, inventory count sheets, remittance advice stubs, etc
A data model depicts the requirements for data as specified by the:
user
applying the framework
• Let's walk through the controls on matrix and flowchart • P-1: Document design - Source document designed to make it easier to prepare the document and to input data from the document into a computer or other input device. • P-2 Written approvals - Signature or initials to indicate someone authorized the event. Ensures data input arises from a valid business event and appropriate authorizations have been obtained. - Electronic approvals • Route events using a computer system's workflow facility to persons authorized to approve. • P-3: Preformatted screens - Defines acceptable format of each data field. Includes drop-down data lists, automatic cursor move to the next field, mandatory inputs and auto population of certain fields. - System may automatically populate fields with data (current date, sales tax, etc.) • P-4: Online prompting - Requests user input or asks questions user must answer. Includes context-sensitive help. - In a sense, advising you to check your work. • P-5: Populate input screens with master data - Clerk enters identification code for an entity and system retrieves data about that entity from the master data. - Reduces number of key strokes. • P-6: Compare input data with master data - Performed manually or by the computer to determine the accuracy and validity of input data. - Three comparisons made: • Input/master data match. - Test that correct ID code has been manually entered. • Input/master data dependency check. - Test logical relationship. • Input/master data validity and accuracy check. - Test whether master data supports the validity and accuracy of the input. • P-7: Procedures for rejected inputs - Ensures that erroneous data are corrected and resubmitted for processing. - Suspense file of rejected inputs. • P-8: Programmed edit checks: - Automatically performed by data entry programs upon entry of data to highlight actual or potential input errors and allow them to be corrected quickly and efficiently. - Erroneous data highlighted for corrective action - Most common are: • Limit checks - Test whether the contents of the data entered fall within predetermined limits. • Reasonableness checks - Compares entered data with a calculated amount to discover inputs that may be incorrect. - Does the customer really want to order this amount. • P-8: Programmed edit checks: - Most common are (continued): • Document/record hash totals: - Summarization of any numeric data field within the input document or record. Calculated before and then again after entry of the document or record, total is used to determine that the applicable fields were entered accurately. - Total usually serves no function than control. • Mathematical accuracy checks: - Compare calculations performed manually to those performed by the computer to determine whether a document has been entered correctly. - If they don't agree, something was likely entered erroneously • P-10: Automated data entry: - Capture and entry of event-related data using items like OCR, bar codes, RFID, and EDI. - May also confirm validity of input (i.e., RFID) • P-11: Enter data close to the originating source: - Strategy for the capture and entry of event-related data close to the place and time that an event occurs. - Databases more current, no lag. - Lowers the risk of error in data entry. • P-12: Digital signatures: - Validates sender identity and electronic message integrity. - Uses data encryption and public key cryptography. • PCAOB AU 5 asserts that auditors must consider the impact of entity-level controls (i.e., control environment, pervasive, general, and IT controls) have on business process controls and application controls
Implications of Computer Fraud and Abuse
• Computer crime - Includes crime in which the computer is the target of the crime or the means used to commit the crime. • Two basic categories of computer crime - Tool - Target • Malware - Short for malicious software - Software designed specifically to damage or disrupt a computer system • Computer virus - A program code that can attach itself to other programs thereby "infecting" those programs and macros. • Real issue with computer fraud and abuse - It characterizes a s poorly controlled process
The COBIT 4.1 Framework
• Control Objectives for Information and Related Technology (COBIT) • Widely adopted framework for IT governance and control • Provides guidance on the best practices for the management of information technology • Supports IT governance by providing a framework that ensures: - IT is aligned with the business - IT enables the business and maximize benefits - IT resources are used responsibly - IT risk are managed appropriately
Steps in Sampling: Evaluating
7. Evaluate sample results • In statistical sampling, evaluating sample results controls exposure to sampling risk • Parameters -Sample estimate -Precision -Reliability
Programming Errors
-Softwares error resulting from bad code in some program involved in producing the erroneous result -There are two types: logic and syntax errors (-Logic errors-where conditions or variables are not correctly described -Syntax errors-where a variable is misspelled or a function is used incorrectly) for instnace, instead of reducing inventory for each order, the inventory balances were increased
doc design
-effectiveness goal a, efficient employment of resources: a well designed doc can be completed more quickly (effectiveness goal A) and can be prepared and entered into the computer w less effort (efficiency) -input accuracy: we tend to fill in a well designed doc completely and legibly. if a doc is legible, data entry errors will occur less frequently
Compare input data with master data
-effectiveness goal a, efficient employment of resources: events can be processed on a timelier basis and at a lower cost if errors are detected and prevented from entering the sys in the 1st place. making sure 2 match -input validity: the edits identify erroneous or suspect data and reduce the possibility of the input of invalid events -input accuracy: the edits identify erroneous or suspect data and reduce input errors. completeness by control matrix.
risk of underreliance
(Risk of Assessing Control Risk too High) Also referred to as Type I error, false rejection
ERM Framework
1. Internal Environment 2. Objective Setting 3. Event Identification 4. Risk Assessment 5. Risk Response 6. Control Activities 7. Information and Communication 8. Monitoring
cobit groups it control processes into 4 broad domains
1. plan and organize 2. acquire and implement 3. deliver and support 4. monitor and evaluate (provides feedback to other 3 domains)
Schema
A complete description of the configuration of a record types, data items, and the relationship between them
• Sequential (serial) coding
Assigns numbers to objects in chronological sequence - Provides limited flexibility and tells nothing about the object's attributes - Limitations with adding and deleting exist
suprina control matrix
Note: Four elements of the control matrix (a) control goals (b) recommend control plans (c) cell entries (d) explanation of cell entries
residual risk
The risk that remains after a risk response is chosen - Avoid, reduce, share, accept
sample control plan for data input
This discussion describes generic controls • Knowing these controls will help you identify present and missing controls • Data entry step - Usually inefficient and susceptible to errors • As we discuss these controls, keep in mind that the following improvements can help address inefficiencies and errors - Data entry automated - Purchasing initiated by the buying organization and transmitted to the selling organization via the Internet or electronic data interchange (EDI) - In an ERP system, multiple steps may be integrated
organizational governance
a process by which organizations select objectives, establish processes to achieve objectives, and monitor performance
cobit 5's domains and governance process
cobit 5 is diff from 4.1 in how they specify their domains and processes cobit 4.1 has 4 sets of domains and 34 high level processes. 5 has 5 domains and 37 high level processes. 4.1's domains are plan and organize, acquire and implement, deliver and support, and monitor and evaluate. 5's domains are evaluate, deliver, and monitor, align, plan, and organize, build, acquire, and implement, deliver, service, and support, and monitor, evaluate, and assess
isaca is in the process of releasing a new cobit framework
cobit 5, at the publication time of this edition. not merely an update of cobit 4.1 but instead takes us in a radicallly new direction, according to isaca. siwtch to cobit 5 or merge 4.1 and 5
it steering committee
coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan guides the it org in establishing and meeting user info requirements and in ensuring the effective and efficient use of its resources. this and the cio are the main authorizing bodies within the it dept. come up with plan for it sys. tell ppl in comp what task they need done. rank as most important. look at budget. choose projects to do. important bc its putting a priority intact
alternative names for contingency planning include
disaster recovery planning business interruption planning business continuity planning
ESs can automate portions of the decision making act
hey can func independently and actually make the decision, or they can assist the decision maker and recommend a course of action. the goal of Ess is not to replace ppl. these sys make it possible for valuable expertise to be avail in multiple locations
Acquire and Implement Domain
• Processes designed to identify, develop or acquire, and implement IT solutions • Failure to successfully implement these processes can lead to significant risks throughout the organization • Systems development life cycle (SDLC) - Covers the progression of information systems through the systems development process, from birth, through implementation, to ongoing use and modification
If attribute A determines a single value for attribute B at any time, we say that attribute B is ____.
functionally dependent on attribute A
monitoring
in an internal control system means assessment by management to determine whether the control plans in place are continuing to function appropriately over time further involves making sure that any control weaknesses are communicated to responsible parties on a timely basis and that responsible parties take appropriate action typicallly underused by orgs. ineffective monitoring can result in a failure of the control sys itself or, less severely, in a failure to implement control plans to correct identified problems
updating master data
info processing activity whose function is to incorporate new data into existing master data 2 types of updates that can be made to master data: info processing (analogous to the posting step in a manual bookeeeping cycle) and data maintenancce our analysis of the ics related to data updates is restricted to data updates from info processing
organizational design
involves the creation of roles, processes, and formal reporting relationships in an org. one aspect of org design includes establishing departmental relationships, including the degree of centralization in the org. another aspect involves personnel reporting structures such as chain of command and approval levels. ex: upper mgmt of a comp reporting to the bod. ex: separation of op units (sales and production) from accting units. org design is a key component of a companys ic structure
cobit 5
is a new departure in the corporate governance of info tech. the most sig change is restructuring and reorganizing the framework from being an it process model into an it governance model w a set of governance practices for it, a mgmt sys for the continuous improvement of it acts, and a process model w baseline practices. thus, cobit 5 is, for one thing, more inclusive than 4.1 cobit 5 moved from it governannce as its overall objective to governance of enterprise it (geit) shifting the center of attention from it to governance. more strategic or big pic oriented than 4.1 holistic approach. this is a complete, comprehensive approach that an enterprise tailors to its own specific needs, putting ic control w the larger context of tnerprise wide governance and mmgmt. more flexible and adaptable more principles based and less procedures based
internal control
is a process -- effected by an entity's board of directors, mgmt, and other personnel -- designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness (degree to which and objective is accomplished) and efficiency (the ability to accomplish an objective w minimal waste of resources) of ops reliability of fin reporting compliance w applicable laws and regulations
Business Continuity Planning
is a process by which a business identifies its critical processes, or those areas of its business that must occur without failure lest the business will also fail. Such planning defines specific lengths of time for acceptable outages, responsible parties, contact information, and partners that have assumed the risk of supporting emergency continuity services. also called disaster recovery planning, contingency planning, and business interruption planning
Variables sampling
is used to estimate the amount (or value) of a population find diff between true value and recorded value and determine if its material or not substantive procedures (used for substantive test of details): Estimate account balance or misstatement Compare estimated account balance or misstatement to recorded balance or tolerable misstatement approaches (use 1 of 2): Monetary unit sampling (MUS) (use a variation of attribute sample principles applied to a monetary pop. using a theoretical statistical framework very similar to our previous module but applying it to a monetary pop) Classical variables sampling (use more traditional types of statistical techniques to calculate an estimate of the pop)
orgs that must ensure continuous ops may
maintain and operate two or more sites that separately contain identical equipment and identical copies of all programs, data, and documentation. should the primary facility become unavail, one of the secondary sites takes over, sometimes automatically and without noticeable delay. in these situations, data must be replicated in real time on both systems. this data replication strategy is called continuous data protection (cdp)
Establishing a viable internal control system is primarily the responsibility of:
management
control plans
reflect information-processing policies and procedures that assist in accomplishing control goals • Starts with the control environment • Pervasive control plans - They relate to a multitude of goals and processes, They are broad in scope and apply equally to all business processes. • General controls (also known as IT general controls) - Are applied to all IT service activities. doc control plans: 2 flavors. doc code and new code. reading proc book
pervasive control plans
relate to a multitude of goals and processes. Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate. they are broad in scope and apply equally to all business processes; hence, they pervade all systems
completeness
reliability of reporting
controls implemented to respond to risks must be
reviewed to determine that the activities have been performed and to determine whether additional actions must be taken to respond to the risk
residual risk
risk that remains after one of these responses is chosen.
Events that could have a negative impact on organizational objectives:
risks
seg of duties
separating: authorizing events executing events recording events safeguarding resources resulting from consummating events no employee in a position both to perpetrate and to conceal frauds, errors, or other kinds of system failures. applies not only to classic accting trans, such as a cash disbursement or credit sale, but also to other events and activities, such as planning a company dinner or implementing a new general ledger system.
four categories of management objectives
strategic: high level goals aligned with and supporting its mission operations: effective and efficient use of its resources reporting: reliability of reporting compliance: compliance w applicable laws and regs
program change controls take on an even higher level of significance w enterprise systems
the challenges are the result of the interdependence of the bus processes and the complexity of these processes and their connections. should unauthorized or untested changes be made to such systems, the results could be disastrous. ex: assume that a change is made to the inventory module of an erp sys w/o testing to see the impact that change will have on the sales module used to enter customer orders. bc these 2 modules work together, and orders from customers for inventory cannot be processed w/o the inventory module, changes to either module must be carefully planned and executed
Populate input screens with master data
the clerk enters the identification code for an entity, such as a customer, and the system retrieves data about that entity from the master data ex: entering a customer order. user might be prompted to enter customer id code. then, by accessing the customer master data, the sys automatically provides data such as cust name and address, salespersons name, and the sales terms. this reduces the number of key strokes required, making data entry quicker and more efficient. fewer keystrokes=fewer mistakes. to enable this control, numeric, alphabetic, and other designators are usually assigned to entities such as customers, vendors, and employees
data mining
the exploration, aggregation, and analysis of large quantities of varied data from across the org used to bettter understnd an orgs bus processes, trends within these processes, and potential opps to imprve effectiveness and efficiencyof org. requires training and expertise large amts of this so u could identifty relationships between factors that appear relevent but in fact are not (spurious correlations)
COBIT 4.1 (Control Objectives for Information and Related Technology)
the framework that has been widely adopted for it governance and it controls developed by the it governance institute to provide guidance to managers, suers, and auditors on the best practices for the mgmt of info tech it resources must be managed by it control processes to ensure that an organization has the information it needs to achieve its objectives organizes control processes
some auditors differentiate between
the point in a system where a control is "established" and the later point where it is "exercised"
data warehousing
the use of information systems facilities to focus on the collection, organization, integration, and long-term storage of entity wide data purp is to provide users w easy access to large quantities of varied data from across the org for the sole purp of improving dec making capabilities copying data periodically from 1 db to another analyze to gain insight
Principle 3: Applying a Single, Integrated Framework
there are numerous it standards, best practices, and guidance procedures available to enterprises. sobit 5 can align with any of these at a high level and thereby provide an enterprise w a single, integrated, overarching framework for it governance and mgmt. this overall framework is context and principles based, allowing for flexibility and dealing w open ended situations
bc control is an ongoing process,
there are periodic iterations of the steps. could be fraud! so periodic reviews are conducted to determine the effectiveness of fraud prevention programs.
of the following options, a database that is in _____ form has the best design
third normal (3NF)
purp of ic
to provide reasonable assurance that objectives are achieved and that risk responses are carried out
dss and eis managers
typiccally work alone and make decisisns
attributes sampling decision
ulrd <= trd = rely on controls as planned ulrd > trd = reduce planned reliance on controls
attributes sampling decisions
ulrd<=trd = rely on controls as planned ulrd>trd = reduce planned reliance on controls
what goals are aimed at minimizing processing errors
update completeness and accuracy
no sepate goal for
update validity. there would be invalid updates only if the inut completeness or update completeness control goals are not met (i.e. inputs or updates are to be processed once and only once)
in a manual based system, the goals of ensure update completeness and ensure update accuracy relate to
updating varius ledgers (ex: accts receivable subsidiary ledger) for data items entered into the books of original entry ( sales and cash receipts journals)
if u want to assess the design of a sys of ic
use the matrix to ask the Q " can these processes/controls provide reasonable assurance that the objectives are achieved?" an org should have at lease 1 process for each objective. otherwise, the org may achieve its objectives, but the odds are not v good. assessment concludes w recommendations for changes to the processes and controls that might be necessary. make changes carefully and take into acct cost benefits.
important data elements
usually all fin data elements, such as numbers that enter into a calculation. ex: amt ordered, selling price, discount, and net sales amt are crucial reference numbers, such as those for inventory items, customer numbers, and general ledger cording. accurate reference numbers are crucial to the proper classification of items in the fin stmts dates so we can determine that events are recorded in the proper time period
monitoring control plans differ from normal control plans in that they
verify the operation of the normal control plans. a normal control plan only serves to deetect and correct errors. monitoring control plans lead to the identification of the root cause of the error and ideally the implementation of normal control plans to prevent future errors. ex of monitoring: creating a periodic exception report listing all employees who have not taken vacations within a specified time frame and ensuring that report was reviewed and acted upon by mgmt. ex: writing and distributing the code of conduct outlining appropriate employee behavior is a normal control plan; a monitoring control plan would involve periodically collecting and reviewing letters signed by the employees that they have read, understand, and will follow the code of conduct
computer agreement of batch totals
works in the following manner: 1. First, one or more of the batch totals are established manually. 2. The manually prepared total is entered into the computer and written to the computer batch control totals data. 3. As individual source documents are entered, computer program accumulates independent batch totals and compares totals to the ones prepared manually and entered at start of the processing. 4. Computer prepares report, which usually contains details of each batch, together with an indication of whether totals agreed or disagreed. - Batched that do not balance are rejected, and discrepancies are manually investigated.
Fraud and Its Relationship to Control
• Accounting Profession Proactive in Dealing with Fraud • SAS No. 99 (Consideration of Fraud in a Financial Statement Audit) - Emphasizes brainstorming fraud risks, increasing professional skepticism, using unpredictable audit test patterns and detecting management override of internal controls. • SEC - "Management's evaluation of risk of misstatement should include consideration of the vulnerability of the entity to fraudulent activity..." • PCAOB AS5 (An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements) - An auditor's assessment of internal control should take into account the fraud risk assessment
University Housing Controls
• App State Safety & Security Policies: - Residents are issued an Appalachian State University ID card used to gain access to their residence hall. - Residents should not allow non-residents to follow them through the open door when entering/leaving the building. - This practice of "tailgating" compromises the safety of all residents. - Non-residents should contact a resident of the building to escort them while in the residence hall. - Residence hall staff are on duty from 8:00pm - 3:30am to monitor activity in each building. • Break Into Groups and Discuss the Following: - How well do these policies work? - In the context of this chapter, what improvements could be made?
Applying the Control Framework for Data Entry with Batches
• Batch control plans: - Regulate processing by calculating control totals at various points in a processing run and subsequently comparing these totals. - To be effective, batch control plans must ensure that: • All documents are included in the batch. • All batches are submitted for processing. • All differences are investigated and corrected on a timely basis. • All batches are accepted by the computer.
Caveat about the COBIT 4.1 Framework
• COBIT 5 framework has been adopted by ISACA • There are firms that are, and will continue, to utilize the COBIT 4.1 framework • PCAOB suggest finding a suitable framework to comply with SOX Section 404 - No specific framework is required • You may see this or another suitable framework in practice - Unlike accounting standards that do require adherence to changes in standards • I.e., PCAOB AU's and FASB's GAAP
Ethical Considerations and the Control Environment
• Control environment - Reflects the organization's general awareness of and commitment to the importance of control throughout the organization - Primarily the board of directors' and management's awareness • COSO places integrity and ethical values at the heart of the of control environment and states that ethical behavior and management integrity are products of the "corporate culture." - Corporate culture determines what actually happens and which rules are obeyed, bent, or ignored • Rewards system can pressure employees to bend the rules to attain unrealistic performance targets • Code of conduct
the control framework
• Control matrix - A tool designed to assist in analyzing the effectiveness of controls in a particular business process by matching control goals with their associated control plan • PCAOB Auditing Standard Number 5 calls this "Effectiveness of Control Design" - Compliance with SOX Section 404 • Provides a means to explain and analyze the controls that have been annotated on a systems flowchart • Caveat for this chapter: - Not learning a specific control plan - Overview of control matrix elements and how they relate to each other • Let's get real why we're learning about evaluating controls
A framework for Assessing the Design of an Internal Control System
• Control matrix - A tool designed to assist in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans - Analyze objectives and related risk - Establish processes and controls to provide reasonable assurance that objectives will be met • Control goals - Business process objectives that an internal control system is designed to achieve • Control plans - Reflect information-processing policies and procedures that assist in accomplishing control goals
Pervasive Control Plans
• Control plans that relate to a multitude of goals and processes • Provide a climate or set of surrounding conditions in which the various business processes operate - Similar to the control environment • Influence the effectiveness of control plans at lower levels in the control hierarchy • PCAOB AS5 includes them under "entity-level" controls • 4 pervasive controls we'll disuses - Organizational design (focus on segregation of duties) - Corporate policies (focus on personnel policies) - Monitoring controls - IT general controls
PWC 2011 Global Economic Crime Survey
• Cybercrimes - Crimes involving computers and the Internet - Now rank as one of the top four economic crimes worldwide. • Frauds reported within the previous 12 months occurred in 34% of companies in 2011, up from 30% in 2009. • For the first time in 12 years, computerized internal controls was the most effective method for detecting fraud. • Internal audit was the second most effective fraud detection method at 14%, down from 17% in 2009. • Suspicious transactions monitoring led to 18% of fraud detections in 2011, up from 5% in 2009. • Cybercrime represented 23% of all economic crime. • Strong correlation exists between fraud risk management activities and higher chances of fraud detection. • Accounting fraud decreased 37% from 2009 to 2011 but was still the second most reported fraudulent activity at 24%. • Most reported fraud was asset misappropriation at 72%
Control and Audit Implications of Data Warehouses
• DBs are normalized and emphasize data integrity • Data warehouses are primarily meant for decision support, which requires speed to perform data analysis - Data integrity relaxed as a tradeoff for speed • Relevance vs. Reliability • DB approached differently than a data warehouse • Auditor must be attentive to the possibility that bad data is present as a result of weak data integrity • GIGO
control plans for manual and automated entry
• Data entry program presents the clerk with a preformatted screen that prompts entry of certain data • In the following slide, the left-hand side presents manual entry and the right-hand is automated entry • The flowchart stops without depicting the update of master data - In this example we're focusing on input controls
Acquire and Implement Domain: IT Process 4 Develop and Acquire IT Solutions
• Develop and acquire or develop application software and technology infrastructure • Application software: - General term used for the software that is used to facilitate the execution of a given business process • Service level requirements: - Include such items as availability, reliability, performance, capacity for growth, disaster recovery, security, minimal system functionality, and service charges • Develop service level requirements and application documentation which typically includes the following: - Systems and program documentation - Operations run manual and user manual - Training materials
The Segregation of Duties Control Plan A Couple of Questions
• Do you agree with the following comment? - No matter how sophisticated the internal controls, success ultimately requires that a company place trust in a small number of trusted employees • Do you think it is possible for a small company to adequately implement segregation of duties? • Compensatory controls - Alternative controls - Placing greater reliance on management supervision, ownership involvement in the day-to-day operations of the business, and personnel control plans that focus on hiring honest employees
COBIT 5's Seven Enablers
• Enablers - Means to achieve governance objectives • Seven categories of enablers 1. Processes 2. Principles, policies and frameworks 3. Organizational structures 4. People, skills, and competencies 5. Culture, ethics, and behavior 6. Services, infrastructure, and applications 7. Information
Acquire and Implement Domain: IT Process 6 Manage Changes to Existing IT Systems
• Ensures integrity between versions of the systems • Ensures consistency of results • Changes to IT infrastructure must be managed via change request, impact assessment, documentation, authorization, release and distribution policies, and procedures • Improper changes can allow a programmer to make changes that are improper - Create opportunity for fraud • Program change controls - Provide assurance that all modifications to programs are authorized, and that changes are completed, tested, and properly implemented • These controls take a higher level of importance with an enterprise system
Monitor and Evaluate Domain: IT Process 10 Monitor and Evaluate the Processes
• Establish a system for defining performance indicators (service levels). • Gather data about processes and generate performance reports. • Measure progress toward identified goals. • Obtain outside confirmation based on independent review. • AICPA and Canadian Institute of Chartered Accountants have developed professional assurance and advisory services based on a common set of Trust Principles
Acquire and Implement Domain: IT Process 9 Provide Support Services
• Identify training needs of all personnel - internal and external - who use the organization's IT services. • Conduct timely training sessions. • Help desks - Provide advice and assistance to users with problems encountered in using IT resources so that they can effectively use those resources.
Organizational Governance Objective Setting
• Includes defining mission, vision, purpose and strategies to establish relationships
Plan and Organize Domain: IT Process 1 Establish Strategic Vision for Information Technology
• Information service (IS) management should establish a process for developing a strategic plan and converting it into short-term goals • IS strategic planning effort must ensure the strategic plan is supported and that IT is optimally deployed • Plan must ensure the organization is prepared to anticipate competitors' actions and take advantage of emerging technology
Common Ground on Working Definition of Internal Control
• Internal control is a process - Process is a series of actions or operations leading to a particular and usually desirable result • It is management's responsibility to establish and maintain internal control system • Strength of internal control system largely dependent on people who operate it • Internal control cannot provide absolute assurance - But can provide reasonable assurance
Organizational Design Control Plans
• Involves the creation of roles, processes, and formal reporting relationships in an organization • Is a key component of a firm's internal control • Without proper structure, greater likelihood of fraud
Using a Matrix to Evaluate Internal Controls
• Key tool for evaluating internal controls • Check marks show which process address which objective • At least one process for each objective • Concludes with recommendations for changes to processes and controls - Shown as "-n " process
Acquire and Implement Domain: IT Process 8 Ensure Security and Continuous Service
• Mirror site - Site that maintains copies of the primary site's programs and data. • Electronic vaulting - Service whereby data changes are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party. • Hot site - Fully equipped data center that can accommodate many businesses and made available to subscriber companies for a monthly fee. • Cold site - Facility usually with air-conditioned space, a raised floor, telephone connections, and computer ports into which a subscriber can move equipment. • Denial-of-service attack - A Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities. • Distributed denial-of-service attack - Uses many computers (called zombies) that unwittingly cooperate in a denial-of-service attack by sending messages to the target Web sites.
Monitoring Control Plans
• Monitoring - An internal control system - Means management assessment to determine whether control plans are functioning appropriately • Consist of two parts 1. Putting controls in place and periodically following up on the operations of the controls • Set a baseline to compare or test the control 2. Ensuring that proper communications take place • Verifies operation of control plan • Identifies root causes of errors and implementation of control plans that mitigate future errors
IT General Controls and the COBIT 4.1 Framework
• Organizational governance - The processes employed by organizations to select objectives, establish processes to achieve objectives, and monitor performance • IT governance - A process that ensures the enterprise's IT sustains and extends the organization's strategies and objectives
2012 ACFE RttN's - Employees
• Over 75% of the frauds were committed by employees. • Most fraudsters were first-time offenders whose record was previously clean • Top 6 behavioral red flags same since the RttN's tracked (2008) - Living Beyond Means (45.80%) - Financial Difficulties (30.00%) - Unusually Close Association with Vendor/Customer (20.10%) - Wheeler-Dealer Attitude (15.30%) - Control Issues, Unwillingness to Share Duties (15.30%) - Instability in Life Circumstances (13.40%) • Small businesses disproportionally victimized by fraud
pcaob stuff
• PCAOB Inspection Reports critical of performance of audit firms • PCAOB wants to ensure compliance with auditing standards • Critical nature indicates how serious PCAOB is • The statistics bear this out - In 15% of 2009 engagements inspected, firms failed to gather sufficient audit evidence to support their internal control audit opinions due to one or more deficiencies. - Of those engagements, 10% had two or more deficiencies. - In 13% of the engagements, there was not sufficient evidence to support the financial statement audit opinion. - In 2011, the percent of engagements in which firms failed to gather sufficient evidence to support their internal control audit opinion climbed to 22%.
COBIT 4.1's Four Broad IT Control Process Domains
• Plan and organize • Acquire and implement • Deliver and support • Monitor and evaluate
Personnel Policy Control Plan
• Policy - A plan or process put in place to guide actions and achieve goals • Selection and hiring control plans - Job candidates should be carefully screened, selected and hired • Retention control plans - Companies should provide create and challenging work opportunities as well as channels for advancement whenever possible • Personnel development control plans - Training must occur regularly and be a top priority - Performance reviews should assess strengths and weaknesses and identify opportunities for promotion, training and personal growth • Personnel management control plans - Personal planning control plans • Project future staff skills, anticipate turnover and develop strategies for filling positions. - Job description control plans • Lay out position responsibilities and identify necessary resources for performing such responsibilities. - Personnel security control plans • Help prevents employee acts of fraud and theft of assets. • Rotation of duties • Forced vacations • Fidelity bond • Personnel termination control plans - Procedures when an employee leaves an organization - Voluntary and involuntary fidelity bond (insurance ur buying). used on any1 that handles cash. required to prosecute employee.
Acquire and Implement Domain: IT Process 8 Restricting Logical Access to Stored Programs, Data, and Documentation
• Preventing unauthorized disclosure and loss of data has become almost impossible. Employees and others can use iPods, flash drives, cameras, and PDAs, such as iPhones and iPads, to download data and remove it from a company's premises. • Access control software ensures; 1. Only authorized users gain access to a system through identification and authentication, 2. Restricts authorized users to specific data they require and sets action privileges for data, and 3. Monitors access attempts and violations. • The best way to mitigate password risk is additional authentications such as a biometric identification system (something they are) or a smartcard that must be used along with passwords and user ID's. • Intrusion-detection systems (IDS) - Log and monitor who is on or trying to access a network. • Intrusion-prevention systems (IPS) - Actively block unauthorized traffic using rules specified by an organization. • Library controls - Restrict access to data, programs, and documentation through a combination of people, procedures and computer software • Data encryption - Is a process that employs mathematical algorithms and encryption keys to encode data so that it is unintelligible in its encrypted form. • Public-key cryptography - Employs a pair of matched keys for each system user, one private (i.e., known only to the party who possesses it) and one public. The public key corresponds to but is not the same as the user's private key • Computer hacking and cracking - Is the intentional, unauthorized access to an organization's computer system, accomplished by bypassing the system's access security controls. • Hacker - Is someone who gets a kick out of breaking into a computer system but does not hold malicious intentions to destroy or steal. • Cracker - Is a term used when a hacker's motive is crime, theft, or destruction.
Acquire and Implement Domain: IT Process 3 Identify Automated Solutions
• SDLC must include procedures to: - define information requirements - formulate alternative courses of action - perform feasibility studies and assess risks • Solutions should be consistent with the strategic IT plan and may be developed in house or by third parties.
Types of Malware
• Salami slicing - Instructions inserted in programs to steal very small amounts of money. • Back door - Special code that allows a programmer to bypass its security features and can be used to attack the program. • Trojan horse - Module of unauthorized code that performs a damaging, unauthorized act. Often used in phishing emails. • Logic bomb - Code secretly inserted in a program that is designed to execute or explode at a specific date or event. ACC 3570 Chapter 7: Controlling Info Systems: Intro to ERM & IC Malware • Worm - Computer virus that replicates itself on disks, in memory and across networks • Zombie - Program that secretly takes over another Internet-attached computer and uses that computer to launch untraceable attacks
Highlights from Sarbanes-Oxley
• Section 101 - Created PCAOB • Section 201 - Prohibits audit firms from providing a wide array of nonaudit services to audit clients - Prohibits consulting engagements involving the design and implementation of financial information systems • Section 302 - CEO and CFO must certify quarterly and annual financial statements • Section 404 - Mandates the annual filing of an internal control report with the SEC - Section 404 and PCAOB AU 5 requires that management: • Evaluate company controls to determine if they adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner • Gather and evaluate evidence about the operation of its controls • Present a written assessment of internal control effectiveness • Company's independent auditor must test and report of the effectiveness of the system of internal controls (using narratives, DFD diagrams, and systems flowcharts) • Section 802 - Makes it a felony to knowingly destroy, alter, or create records or documents with the intent to impede, obstruct, or influence an ongoing or completed federal investigation • Section 906 - Up to 20 year sentence and up to $5 million penalty for CEO and/or CFO who knowingly and willingly falsely certifies annual or quarterly reports • Section 1102 - Provides for fines and imprisonment of up to 20 years for anyone who knowingly destroy, alter, or create records or documents with the intent impede, obstruct, or influence an ongoing or completed federal investigation • Pros and cons of SOX
The Segregation of Duties Control Plan
• Segregation of duties - Separates the four basic functions of event processing • Authorizing events • Executing events • Recording events, and • Safeguarding resources resulting from consummating events • Ideally, different departments carry out each of these • Collusion necessary between departments for fraud to occur • No single employee should be in a position to perpetrate and conceal fraud, errors or other system failures. • Not just for classic segregation of duties - For example, company event open house
batch control totals
• Several types of batch control totals can be calculated • Some are better than others at addressing the information control goals of input validity, input completeness, and input accuracy
Intelligent Agents
• Software program that may be integrated into DSS or other software tools (such as word processing, spreadsheet, or database packages) • Once set in motion, intelligent agents (sometimes called "bots," short for "robots") continue to perform their tasks without further direction from the user. • Used in EIS for collecting specific information from the Internet
Monitor and Evaluate Domain: IT Process 10 Main Concerns with Cloud Computing
• Support and control of the cloud computing services are largely in the hands of third-party cloud service providers. • There is typically no 24/7 support, one hour response time common. • Much cloud communication occurs over the Internet which has security risks unless a secure network connection or encrypted line is used. • Cloud users commonly use browsers with known security vulnerabilities. • Cloud service providers' employees might have loosely controlled access to sensitive data stored on their servers. • Cloud services have been known to go down for up to an hour and some start-up cloud vendors have failed
Control Plans for Data Entry with Batches
• System Description and Flowchart - In this example, the clerk assembles the picking tickets into groups of 25 and calculates batch totals - Periodically, the shipment data are sent to the computer for processing by the shipping program - Distinguishing control-related features are that it processes event data in batches, uses batch totals as a major control, and produces an exception and summary report. - Exception and summary report • A report that reflects the events - either in detail, summary, or both - that were accepted or rejected by the system - Some data could still be rejected at the update stage where the computer compares the input data with the master data.
Hypothetical Computer System
• The challenge is to protect the system from inside and the outside threats - Intentional or unintentional misuse • Supports organizational objectives • Provide environment where business processes control plans can be effective
Plan and Organize Domain: IT Process 2 Develop Tactics to Plan, Communicate, and Manage Realization of the Strategic Vision
• The entire IT organization acts as in a service capacity to the entire organization • Ensures adequate funding for IT • Project management framework - Undertaken in order of importance • Must not overlook IT hiring practices, even when labor is scarce - A disgruntled or incompetent employee can do a lot of damage in a short period of time - Midwest nonprofit IT manager • IT departments must employ organizational design principles including reporting and segregation of duties.
COSO Report on Fraudulent Financial Reporting from 1998 to 2007
• There were 347 cases of public company fraudulent financial reporting investigated by the SEC from 1998 to 2007 as compared to 294 cases from 1987 to 1997 • A total of $120 billion was misstated or misappropriated across 300 cases. - The mean was almost $400 million per case versus $25 million in COSO's earlier study • Median assets and revenues were almost $100 million compared to under $16 million in the 1999 report • Stock prices of an accused company declined an average of 16.7% within the first two days of the news release. • Subsequent news of an investigation resulted in an average 7.3% stock price decline. • Companies engaged in fraudulent activities frequently went bankrupt, were delisted from the stock exchange or required to sell their assets. • Of the fraud companies, 26% switched auditors between the last pre-fraudulent financial statements and the fraudulent financial statements. Only 12% of non-fraud companies changed auditors during that same time • Most common fraud schemes were improper revenue recognition, followed by overstatement of assets or capitalization of expenses. • CEO's and CFO's were involved in 89% of the cases, up from 83% in 1987 - 1997. Over 60% of those indicted were convicted.
Deliver and Support Domain: IT Process 7 Deliver Required IT Services
• This process includes activities related to the delivery of the IT services that were planned in the Plan and Organize domain and developed and implemented in the Acquire and Implement domain
ERM Framework
(4 Categories of Management Objectives) 1. Strategic • High-level goals aligned with and supporting its mission 2. Operations • Effective and efficient use of its resources 3. Reporting • Reliability of reporting 4. Compliance • Compliance with applicable laws and regulations
Nonstatistical Sampling: Determining Sample Size
(recorded bal of pop/tolerable misstatement) x confidence factor
Three Fraud Studies
- 2012 ACFE Report to the Nations - COSO Report on Fraudulent Financial Reporting from 1998 to 2007 - PwC 2011 Global Economic Crime Survey • All three studies indicate that fraud controls are necessary but must be backed by a strong ethical culture, a broad risk management program, the right "tone at the top" and zero tolerance for any fraud, regardless of the perpetrator
fraud
- A deliberate act or untruth intended to obtain unfair or unlawful gain - Always entails manipulating information for criminal purposes Laws imply that management has a legal responsibility to prevent fraud - Example: Foreign Corrupt Practices Act
• Entity-relationship model
- A diagram of the relational model
tables
- A place to store data - The most important step in creating a useful database is proper table design. - Each table stores data about one specific thing or entity. - Database table columns each store one specific attribute of the type of things stores in the table. - Primary key • Each row in a database must be unique and include a unique identifier that serves as an address for the row - Composite primary key • A primary key formed by combining two or more columns in a table
Control goals of information processes
- Ensure input validity, completeness, and accuracy - Ensure update completeness and accuracy
Users access data in tables by:
- Formulating a query, - Preparing a report or - Including a request for data within an application program
• Four types of DBMS we'll discuss
- Hierarchical - Network - Relational - Object-Oriented
Control plans for physical protection of IT assets
- Organization must install and regularly review suitable environmental and physical controls. - With newer hardware, malfunctions are rare - Regular preventative maintenance (periodic cleaning, testing and adjusting of computer equipment) should be done to ensure the equipment's continued efficient and correct operation.
• E-R diagram (entity-relationship diagram)
- Reflects the system's key entities and the relationships among those entities. - The E-R diagram represents the data model • Rectangles = entities • Connecting lines = relationships • Diamonds = characteristics of relationships
points of general agreement of internal control
- ic is a process for accomplishing objectives - establishing and maintaining a viable ic sys is mgmts responsibility - ultimate ownership of the sys should rest w the ceo. only if the primary responsibility for the sys resides at the top can control effectively permeate the entire org - the strength of any ic sys is largely a function of the ppl who operate it. no matter how sound the control processess may be, they will fail unless the personnel who apply them are competent and honest. bc ic is so people-dependent, we explore ethics. ethics must be a central concern when designing an effective ic sys. - partly bc it depends on ppl to op it and partly bc it comes only at some cost to the org, ic cannot be expected to provide absolute, 100% assurance that the org will reach its objectives. rather, the operative phrase is that it should provide reasonable assurance to that effect
populate input screens w master data
-effectiveness goal a, efficient employment fo resources: automatic population of inputs from the master data results in fewer keystrokes, which should improve the speed and productivity of the data entry personnel -input validity: the code entered by the user calls up data form existing records (a customer record, a sales order record), and those data establish authorization for the input event. for ex, w/o a customer record, a customer order cannot be entered. -input accuracy: fewer keystrokes and the use of data called up from existing records reduce the possibility of input errors efficiency and input completeness and accuracy. address syncing on QB for top customers
turnaround docs
-effectiveness goal a, efficient employment of resources: by scanning the picking ticket, we reduce the amt of data that must be input to record the shipment and improve the speed (effectiveness) and productivity of the data entry personnel (efficiency) -input validity: the turnaround docs were printed in a diff func area. this separates event auth (as reflected by picking ticket) from execution of the shipment (as represented by the packing slips). -input accuracy: using a prerecorded bar code to trigger the event reduces the possibility of input errors
preformatted screens
-effectiveness goal a, efficient employment of resources: by structuring the data entry process, automatically populating fields, and prventing errors, preformatted screens simplify data input and save time (effectiveness goal A), allowing a user to input more data over a period of time (efficiency) -input accuracy: as each field is completed on a preformatted screen, the curser moves ot the next field on the screen, thus preventing the user from omitting any required data. the data for fields that are automatically populated need not be manually entered, thus reducing input errors. incorrectly formatted fields are rejected like doc design but for screens. lets u be efficient doing ur order entries
Manually reconcile batch totals
0input validity, input completeness, input accuracy: agreement of the batch totals at this point ensures that only valid source docs comprising the original batch have been input (input validity), that all the source docs were input once and only once (input completeness), and that data elements appearing on the source docs have been input correctly (input accuracy).
COSO's Five Interrelated Components of Internal Control
1. Control environment - Sets the tone at the top. influences the control consciousness of its ppl. its the foundation for all other components of internal control, providing discipline and structure 2. Risk assessment - Identification and analysis of risks. 3. Control activities - Policies and procedures to ensure directives are carried out. 4. Information & communication - Processing information in a form and time frame to enable people to do their jobs. 5. Monitoring - Process that assesses the quality of internal control over time.
Top IT Security Concerns
1. Data breaches 2. Cybercrimes, including cyber attacks 3. Workforce mobility 4. Outsourcing 5. Cloud computing 6. Mobility devices, including laptops and cell phones 7. P2P (person-to-person) file sharing 8. Web 2.0, for example, blogs and social networking sites.
Steps in Sampling: Planning
1. Determine the objective of sampling 2. Define the characteristic of interest 3. Define the population
Steps in Preparing a Control Matrix Step 1. Specify Control Goals
1. Identify operations process control goals: a. Effectiveness goals • Developed during risk management • Describe measures of success for the operations process • Provide timely acknowledgement of customer orders • Provide assurance of customer creditworthiness b. Efficiency goals • Relate to ensuring resources used in the business process are being employed in the most productive manner. • People and computers c. Security goals • Relate to protecting entity resources from loss, destruction, disclosure, copying, sale or other misuse. Cash, inventory and information (customer data) must be secured. • Security over hard assets handles through pervasive, general, and IT controls 2. Identify information process control goals: a. Input goals • Relate to ensuring input validity (IV), completeness (IC) and accuracy (IA) with respect to all business process data entering the system. a. Update goals • Ensure update completeness (UC) and accuracy (UA) when there is a periodic process - a delay between input and update.
• Four levels of expertise can be applied to decisions
1. Manager make decisions without assistance • Based on their expertise 2. Decision assisted by problem-solving aids such as checklist and manuals 3. Checklist or manuals automated 4. System itself replaces the decision maker • Expert systems
COBIT 5's Five GEIT Principles
1. Meeting Stakeholder Needs 2. Covering the Enterprise End-to-End 3. Applying a Single, Integrated Framework 4. Enabling a Holistic Approach - 7 enablers on next slide 5. Separating Governance from Management
Three classifications of control plans
1. Preventive control plans • Stop problems from occurring 2. Detective control plans • Discover that problems have occurred. 3. Corrective control plans • Rectify problems that have occurred.
2 parts of monitoring
1. putting controls into place to periodically follow up on the operation of control plans. the proceses include determining a baseline to know when a control is operating effectively, to identify if there is a change in a process or a control plan itself, and to periodically test tht a control is operating. 2. ensuring that appropriate communications are taking place. a control weakness should be reported to the person responsible for the controls operation and at least 1 person at a higher level.no monitoring was in place to make sure that personnel higher than the direct supervisor were aware of the violation of the forced vacation control plan
continuity between cobit 4.1 and 5's frameworks
5 is an integration of 4.1 w two other widely used isaca it frameworks: val IT and risk IT. val it deals w how businesses can create value from their it investments risk it addresses the risks involved in it use. isaca is stressing that cobit 5 is not just evolution but also revolution.
Identify Entities
A "thing" is an that is an important element in a business process can be modeled as an entity - Only one instance of a "thing" it is not modeled as an entity • REA (Resources-Events-Agents) approach - Popular data modeling approach. - Entities and relationships are determined through systems analysis. - Common accounting entities include: • Resources - Assets the company owns. • Events - Occurrences related to resources. • Agents - People or organizations that participate in events.
document design
A control plan in which a source document is designed to make it easier to prepare the document initially and later to input data from the document into a computer or other input device. output for orders in logical order for data entry. tab through order invoice goes to efficient employment of assets on control matrix ex: org has properly designed this doc to facilitate the data preparation and entry processes
• Primary key
A value that uniquely identifies a specific row in a table. - Typically stored in the tables first column. - A candidate attribute (a column or collection of columns) is that table's primary key if: • All attributes in the table are functionally dependent on the candidate attribute • No collection of other columns in the table, taken together, has the first property
goal of input completeness is concerned w the
ACTUAL NUMBER of events or objects to be processed
• Executive information systems (EIS)
Also called executive support systems (ESS) - Combine information from the organization and the environment, organize and analyze the information, and present the information to the manager in a form that assists in decision making - Most have highly interactive graphical user interfaces (GUIs) - Mainly about collecting and presenting information to executives and less about doing processing and calculations
• Group support systems (GSS)
Also known as Group Decision Support Systems (GDSS) - Computer-based systems that support collaborative intellectual work such as: idea generation, elaboration, analysis, synthesis, information sharing, and decision making - Supports brainstorming • A method for freely and creatively generating as many ideas as possible without undue regard for their practicality or realism - Creates virtual meeting for a group - Member contribute as necessary to achieve group objectives
Off-Site Storage
Alternate facility, other than the primary production site, where duplicated vital records and documentation may be stored for use during disaster recovery. not necessarily comp storage. storage somewhere else just in case something happens to originals.
sequence checks
Applied to sequentially numbered and prenumbered documents to determine that all documents have been processed (completeness) and that no extra documents have been processed (completeness, validity). two kinds: batch sequence check and cumulative sequence check
business process control plans
Are applied to a particular business process, such as billing or cash receipts
application controls
Are automated business process controls contained within IT application systems (i.e., computer programs).
• Significant digit coding
Assigns meanings to specific digits
Ratio estimation:
Assumes a constant percentage misstatement in population Estimates recorded balance by multiplying recorded balance by ratio of audited value to recorded balance to come up w estimate for pops
Risk of Incorrect Rejection result
Auditors conclude that account is misstated Auditors perform additional procedures Efficiency loss (perform more effective substantive procedures than necessary)
Risk of Incorrect Acceptance result
Auditors conclude that account is not misstated Effectiveness loss (issue incorrect opinion on misstated F/S)
result of risk of overreliance
Auditors conclude that controls are functioning effectively Effectiveness loss (do not reduce audit risk to sufficient level)
1. determine the objective of sampling
Auditors identify key controls upon which they intended to rely objective is typically related to the assertion being tested in the controlled pop.
In downsizing / retirement environments, ES can be used to:
Capture and retain the expertise of the departing employee - Distribute the expertise to remaining employees - Distribute expertise to employees who do not timely access to the expert - Train new employees - Create an electronic colleague • Guide human experts by suggesting trends, asking questions, highlighting exceptions, etc.
retention control plans
Companies should provide create and challenging work opportunities as well as channels for advancement whenever possible.
Additional Considerations in Classical Variables Sampling
Consider the following additional factors in determining sample size: Risk of incorrect rejection Population variability To reduce population variability, auditors may choose to stratify the population
- Difference between DSS and EIS
DSS is created to suit the user, EIS is preformatted in advance (i.e., dashboard containing specific company performance information)
Database Essentials Relational Database Model
Data are logically organized into two-dimensional tables (i.e., "relations") • Allows users to query the tables to obtain information from one or more table in a very flexible way • Able to handle complex queries • Requires more computer resources than hierarchical or network DB models - I.e., more memory and processing time • Allows only text and numerical data to be stored - Does not allow the inclusion of complex object types such as graphics, audio, video, or geographic information
network database model
Data is organized in tree's according to relationships (many to many). for more complex data structures. a child record an have more than one parent record.
data redundancy
Data stored in multiple locations within a system. occurs among various files consequence of apps approach
business is becoming more and more "it centric"
Database Management Systems (DBMS) at the heart of this evolution
• Noteworthy aspects of centralized database approach
Database is now shared by multiple system applications that support related business processes - Data can be accessed through report generation and ad hoc user inquiries (queries) which allows users to ask questions using query language software - Two layers of software needed 1. Logical view (how users see) 2. Physical view (how data is stored on computer hardware)
Expert Systems (ES)
Decision support systems for complex decisions, where consistency is desirable and the decision maker wants to minimize time and maximize quality • Emulates the problem solving techniques of human experts • Appropriate when: - Decisions are extremely complex - Consistency in decision-making is desirable - Desire to minimize time spent on decision and maximize the quality of the decision - Experts are utilized and such knowledge can be captured and modeled via software • Utilized in downsizing and retirements
• Block coding
Dedicates groups of numbers to particular object characteristics - Numbers within each block are generally assigned sequentially - This leads to some of the same adding and deleting limitations as sequential coding
Monetary Unit Sampling (MUS)
Defines the sampling unit as an individual dollar (or other monetary unit) in an account balance Auditor will select individual dollars (or monetary units) for examination Auditor will verify the entire "logical unit" containing the selected dollar (or monetary unit) -Accounts receivable: Customer account -Inventory: Inventory item (that contains the $ we collected)
MUS: Evaluating Sample Results
Determine the upper limit on misstatements, which has a (1 - Risk of incorrect acceptance) of equaling or exceeding the true amount of misstatement Components: Projected misstatement Incremental allowance for sampling risk Basic allowance for sampling risk
• Application Approach to Business Event Processing
Each application collects and manages its own data, generally in dedicated, separate, physically distinguishable files for each application
Acquire and Implement Domain: IT Process 5 Integrate IT Solutions Into Operational Processes
Ensures that the new or significantly revised system is suitable - Must provide for a planned, tested, controlled, and approved conversion to the new system • After installation review to determine that the new system has met users' needs in a costeffective manner
Tolerable rate of deviation
Establish based on desired level of control risk Lower control risk = lower tolerable rate of deviation
Expected population deviation rate
Estimate based on past audits or pilot sample if this is greater than the tolerable amt theres no reason to test this control bc we already think its broken so we typiclly would expect the expected pop deviation rate to be lower than the tol rate of deviation if we gonna test a control
Variables Sampling process
Estimate the amount of misstatement (upper limit on misstatements) Compare upper limit rate on misstatements to an allowable level (tolerable misstatement)
risk
Events that would have a negative impact on organization objectives
opportunities
Events that would have a positive impact on organization objectives
Disadvantages of the centralized approach
Expensive to implement and maintain - If the DBMS fails, all the organization's information processing halts - Large magnitude of damage from unauthorized access - Increased potential for damage should unauthorized access to the database occur - Database recovery and contingency planning are more important than in the applications approach - Concurrent access causes contention or concurrency problems - Territorial disputes over how owns the data and who is responsible for data maintenance • Most companies that have adopted this approach have created a database administrator function to cope with the administrative and technical issues related to the DBMS
• Centralized Database Approach to Business Event Processing
Facts about events are stored in relational database tables instead of separate files, which solves many of the problems caused by data redundancy
Steps in Preparing a Control Matrix Step 2. Identify Recommend Control Plans
Focuses on the nature and extent of control plans that should be in place to reach objectives and lower residual risk • Most difficult part, identifying controls that should be in place and controls that are not in place 1. Identify "present" control plans and annotate them on the systems flowchart: - General rule, each process symbol on flowchart should be associated with at least one control - 2 categories of controls, (1) generic and (2) specific business processes a. Place P-1, P-2 through P-n beside all present controls, starting at the upper-left column. 2. Evaluate "present" control plans: - Common for a control plan to address more than one control goal - Important to write description of control goal a. Place the number and name of the plan on the control matrix, enter the control plan number in the matrix cells, and explain how each control addresses each control goal. 3. Identify and evaluate "missing" control plans: a. Examine the control matrix to see if there are any control goals not being addressed with the present plan. If so, develop a control plan and explain the nature and extent of the missing plan. b. Analyze the systems flowchart for further risk exposures for which you would recommend adding additional or strengthening existing controls. • It takes training, and teamwork, to become proficient at spotting risk and control weaknesses.
Characteristics of Relationships
In the E-R diagram previously show, read - ORDERS are received from CUSTOMERS • Cardinality - The degree to which each entity participates in the relationship. Can have a value of "one" ("1) or "many" ("N" or "M") • 1:N, one-to-many • M:N, many-to-many • 1:1, one-to-one • Maximum cardinality - Measure of the highest level of participation that one entity can have in another entity - Shown as number or N/M
there are problems with 1NF
Include functional dependencies which cause several problems called update anomalies, including: 1. Updates may require changes to multiple rows 2. Data may be inconsistent 3. Additions and deletions are problematic - Problems arise because an attribute is dependent on a portion of the primary key - a partial dependencies - In the example table, the attribute Item_Name is dependent on a portion of the primary key, Item_Number, not the entire key
Event Identification
Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes. must be monitored to determine that evolving events have been identified and evaluated. as an org and its environment change, controls often become less effective
documentation
Involves all seven steps of sampling process Important judgments include: • Factors affecting sample size and rationale for those factors • Method of selecting sample and summary of items selected • Method of measuring sample items and summary of measurements • Evaluation of sample results and overall conclusion
COSO Definition of Internal Control
Is a process—effected by an entity's board of directors, management, and other personnel— designed to provide reasonable assurance regarding the achievement of objectives in the following categories: - Effectiveness & efficiency of operations - Reliability of financial reporting - Compliance with applicable laws & regulations
Review tickler file (file of pending shipments)
Manual file of documents, or a computer file, that contains business event data that is pending further action. such files must be reviewed on a regular basis for the purp of taking action to clear items form that file. if ticker file docs remain in the file for an extended period of time, the person or computer monitoring the file determines the nature and extent of the delay. ex: after packing slips are received, hte picking tickets are compared to their associated packing slipts and removed from the pending shipments file. we are classifying this as a present control bc we are assuming that the shipping clerk periodically reviews the file looking for picking tickets that have been pending for too lonh
Selecting Sample Items
Methods -Unrestricted random selection: Select items based on random numbers matched to items in population -Systematic random selection: Bypass a fixed number of items in population, selecting every nth item. select a random starting point. n is number of item in population divided by the sample size. -Block selection: Select contiguous/adjacent units. not used very much for random selection -Haphazard selection: Select items in a nonsystematic manner. unstructured w/o intentional bias. could not be replicated when defined carefully (other 3 methods can) and still coould have bias so not rly random sample. Can only use unrestricted random selection or systematic random selection with statistical sampling
COBIT 5
Newer framework that has been adopted • COBIT 5 is a new departure in the corporate governance of information technology. • Restructuring and reorganizing of the framework from being an IT process model into an IT governance model. • More inclusive, "strategic" and "big picture" oriented than COBIT 4 .1. • Uses a "holistic" approach that is more flexible, more principles-based and less proceduresbased than COBIT 4.1. - An enterprise tailors to its own needs - Putting internal controls within the larger context of enterprise-wide governance and management • GEIT - Governance of Enterprise IT
Database Essentials Object-Oriented Database Model
Object-relational databases - Include a relational DBMS framework with the capability to store complex data types • Includes abstract data types that allow users to define characteristics of the data to be stored when developing an application • Overcomes the limitations of relational databases
objective setting
Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite. strategic objectives are established as well as related objectives for ops, reporting, and compliance. risk appetite guides strategy setting to balance, for ex, growth, risk, and return. risk appetite drives risk tolerances -- acceptable levels of variation in achieving objectives.
• Costs / Benefits Dilemma
Organizations want to have enough controls to ensure objectives are achieved without paying more for the controls than can be derived from their implementation
Example
Parameters Population size = $12,563,336 (recorded balance) Risk of incorrect acceptance = 10 percent Expected misstatement = $188,450 (1.5 percent of recorded balance) Tolerable misstatement = $628,167 (5 percent of recorded balance) Calculations Ratio of expected to tolerable misstatement: $188,450 ÷ $628,167 = 0.30 Tolerable misstatement as a percentage of population: $628,167 ÷ $ 12,563,336 = 5%
Nonstatistical Sampling
Permissible under GAAS Does not permit auditors to control exposure to sampling risk Major differences in: Determining sample size Selecting sample items Evaluating sample results
Losses due to accidental, nonmalicious acts far exceed those caused by intentional acts - This is why the system of controls must be capable of:
Preventing crimes Minimizing simple, innocent errors
COBIT 5's five GEIT principles
Principle 1: Meeting Stakeholder Needs Principle 2: Covering the Enterprise End-to-End Principle 3: Applying a Single, Integrated Framework Principle 4: Enabling a Holistic Approach Principle 5: Separating Governance From Management
reports
Printed lists and summaries of data stored in tables or collected by queries from one or more tables
program change controls
Provide assurance that all modifications to programs are authorized and that the changes are completed, tested and properly implemented. changes in documentation should mirror the changes made to the related programs. improper change controls could allow a programmer to change, for ex, the payroll program so that salaries for all programmers are increased each pay period separate org entities are responsible for each stage in the change process formal way of making sure programmers are doing what they should be doing. librarian. supervisor has list
Basic Allowance for Sampling Risk
Provides a measure of the misstatement that might exist in sampling intervals in which a misstatement was not detected Calculated as: Sampling interval x Confidence factor
2. Define the characteristic of interest
Question of interest to person conducting sampling plan (e.g., resting heart rate)
Incremental Allowance for Sampling Risk procedure
Rank all projected misstatements in descending order by tainting factor Determine incremental confidence factor for each misstatement Multiply projected misstatement by (incremental confidence factor - 1)
If ULRD > Tolerable Rate of Deviation
Reduce reliance on controls, increase control risk, and reduce detection risk (perform more effective substantive procedures) Expand sample to examine additional items and potentially reduce ULRD if we think our sample is not representative of the population
• Knowledge
Refers to information that has been formatted and distributed in accordance with an organization's routines, processes, practices and norms
Sarbanes-Oxley Act of 2002
Resulted from actions of failed publicly traded companies such as Enron, WorldCom, and Tyco • Government forced to interject its will into governance • Created public company accounting oversight board (PCAOB) • Strengthened auditor independence rules • Increased accountability of company officers and directors • Mandated upper management to take responsibility for the company's internal control structure • Enhanced the quality of financial reporting • Increased white collar crime penalties
Advantages of MUS
Results in more efficient (smaller) sample sizes bc the stats in mus have smaller sample sizes than var sampling Selects transactions or components reflecting larger dollar amounts more likely than smaller amts bc we test single dollar bc more dollars in the pool. probability proportional to size sample: probability of being selected is greater when we're larger and smaller when the bal is smaller. Effective in identifying overstatement errors (things that are overstated are larger so more likely to be selected) -use it to focus on Asset and revenue accounts Generally simpler to use than classical variables sampling bc dont have to do as many statistical estimates like variance or assuming a normal pop using monetary unit sampling its much simpler t apply than classical var sampling.
effectiveness losses
Risk of overreliance (assessing control risk too low) Risk of incorrect acceptance most concerned w these bc issue an unqual opinion when we shouldnt have
efficiency losses
Risk of underreliance (assessing control risk too high) Risk of incorrect rejection dont care as much about these but still important
inherent risk
Risk that exist in the absence of any actions management might take to reduce the likelihood or impact of the risk
How to Determine ULRD
Sample Evaluation Tables in Appendix F.B Process: Select AICPA Sample Evaluation table corresponding to desired risk of overreliance Identify row related to the appropriate sample size Identify column related to the appropriate number of deviations Determine ULRD at junction of row and column
risk of underreliance occurs when
Sample indicates controls are not functioning effectively Controls are functioning effectively
Using MUS Tables
See Exhibit G.2 for excerpted Sample Size Table (full tables in Appendix G.A) Inputs: Risk of incorrect acceptance Expected misstatement Tolerable misstatement Population size
electronic vaulting
Service whereby data changes are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party. when needed, the backed up data can be retrieved from the electronic vault to recover from a data loss at the primary comp facility or to resume interrupted ops at an alternative facility
3. define the population
Should include all potential applications of the control during the period examined ex: all invoices generated between the 1st day of the period and the last day of the period (includes all of the pop of potential transactions which should have those supporting shipping docs)
document/record counts
Simple counts of the number of documents entered (e.g., 25 documents in a batch). This procedure represents the minimum level required to control input completeness (input doc once). it is not sufficient if there are multiple parts to an event. for ex, consider a sales doc that can include 1 or more items. a doc record coutn would not reflect the # of individual items sold, but rather, only the 1 doc. this total would not be enough to ensure input accuracy. also, bc one doc could be intentionally replace w another, this control is not effective for ensuring input validity and input completeness (the insertion of a duplicate doc, a completeness violation, or the insertion of a bogus doc, a validity violation)
Plan and Organize Domain: IT Process 1 Establish Strategic Vision for Information Technology
Strategic planning and corresponding activities include: 1. A summary of the organization's strategic goals and plans and how they are related to IT. 2. IT goals and strategies and a statement of how each will support organizational goals and strategies. 3. An information architecture model encompassing the corporate data model and the associated information systems. 4. An inventory of current IT capabilities. 5. Acquisition and development schedules for hardware, software, applications, personnel and finances. 6. IT-related requirements to comply with industry, regulatory, legal and contractual obligations including safety, privacy, transborder data flows, e-business, and insurance contracts. 7. IT risks and risk action plans. 8. Process for modifying the plan to accommodate changes to the organization's strategic plans and IT conditions.
dollar totals
Sum of dollar value of batch items. Reduces possibility that documents could be duplicated, added to or lost from a batch or that amounts were incorrectly input and improves input validity, completeness, and accuracy.
Ensure effectiveness of operations
The control plan compare vendors for favorable prices, terms, quality, and product availability is directed primarily at which of the following control goals? a. ensure effectiveness of operations b. input validity c. input accuracy d. input completeness ex: timely acknowledgement and customer creditworthiness created by ppl, subjective, no uniform set of ops process goals exists.
• Classifying
The process of grouping or categorizing data according to common attributes
Risk of Incorrect Rejection
The risk that the sample supports the conclusion that the control is not operating effectively when it actually is or that the recorded account balance is materially misstated when it is not materially misstated. Type I error, false rejection
Risk of Incorrect Acceptance
The risk that the sample supports the conclusion that the control is operating effectively when it is not or that the recorded account balance is not materially misstated when it is materially misstated. Type II Error, false acceptance embodiment of audit risk audit is ineffective
Personnel Development Control Plans
Training must occur regularly and be a top priority. Performance reviews should assess strengths and weaknesses and identify opportunities for promotion, training and personal growth.
4. determine sample size (upfront)
Under statistical sampling, sample size considers desired exposure to sampling risk 5% SR = 95% CI willing to take 5% chance that sample does not represent population what affects sample size: pop size for small pops, expected deviation rate, tolerable deviation rate, sr, ci,
• Data warehousing
Use of information systems facilities to focus on the collection, organization, integration, and longterm storage of entity-wide data - Purpose is to provide users with easy access to large quantities of varied data from across the organization to improve decision-making capabilities - Firms copy data from transactional / organizational DBs to the data warehouse - Additional nonorganizational / external data is added • Such as governmental or industry statistics
MUS: Selecting Sample Items
Use systematic random sampling Calculate sampling interval as: Population size ÷ Sample size Process: Identify random start Skip number of items equal to sampling interval Select item (dollar in account) and examine entire logical unit containing that item (customer account) May select same logical unit multiple times any logical unit w a $ value greater than the sampling interval will have a 100% chance at being selected. high dollar values always selected!!
attributes sampling
Used to estimate the extent to which a characteristic exists within a population Used in the auditor's study of internal control
both dsss and ess can assist a user in prob solving but in diff ways
a dss is a passive tool. it depends on the human users knowledge and ability to provide the right data to the sys's decision model. an es is an active teacher or partner tht can guide the user in deciding what dat ato enter and in providing hints about further actions that are indicated by the analysis to date
rotation of duties
a policy that requires an employee to alternate jobs periodically
Enterprise Risk Management (ERM)
a process effected by an entity's board of directors, management, and other personnel applied in strategy setting and across the enterprise that is designed to identify potential events that may affect the entity and to manage risks to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives helps mgmt identify, assess, and manage risk.
IT governance
a process that ensures that the enterprise's IT sustains and extends the organization's strategies and objectives
changes
can include changes to process acts (purchasing raw materials) or changes to process controls (approving purch orders). if changes in the process do not reduce the variance from objectives, changes to process objectives (increase production by only 5%) might also be considered.
Ensure efficient employment of resources
can only be evaluated in the relative sense
to achieve the goal of input accuracy, we must
capture and enter into a system all important data elements. all important data elements must be identified for each economic event or object that we want to include in a systems database
data input incldues
capturing data (completing a source doc such as a customer order) (if necessary) converting the data to machine-readable form event data are the target of the input control goals. only actual authorized events have validity
to ensure update accuracy relates to
correctly recording (correct customer, correct items and quantities) customer orders in the sales order and inventory master data
ensure input accuracy
correctness of data put into the system relates to the various data items that usually constitute a record of an event, such as a source doc. to achieve this goal, we must minimize discrepancies between data items entered into a sys and the economic events or objects they represent. mathematical mistakes and inaccurate transcription of data from one doc or medium to another may cause accuracy hours. order is for 200 for customer 159, sales rep mistakenly enters the customer number as 195, resulting in another customers name. missing data fields on a source doc or computer screen represent another type of accuracy error. absence of a customer number on an order would result in a lost sale (orders that cant be shipped to a particular customer). this is an accuracy error rather than a completeness error bc the mere presence of the source doc suggests that the event itself has been captured and that the input data are complete.
detective control plans
discover that problems have occurred ex: review and compare. comparison is done to ensure that no discrepancies exist between customer orders displayed by the customer and the totals that accompany those orders.
the purpose of ______ control goals is to ensure that all resources used throughout the business process are being employed in the most productive manner
efficiency
Principle 4: Enabling a Holistic Approach
enablers, as the word suggests, are the means to achieving cobit 5's governance objectives for the enterprise. specifically, enablers support the implementation in an enterprise of an all inclusive governance and mgmt structure for it. the cobit 5 framework specifies 7 categories of enablers: -processes -principles, policies, and frameworks -org structures -ppl, skillls, and competencies -culture, ethics, and behavior -services, infrastructure, and applications -info
internal environment
encompasses the tone of an org and sets the basis for how risk is viewed and addressed by an entitys people, including risk mgmt philosophy and risk appetite, integrity AND ETHICAL VALUES, AND THE ENVIRONMENT IN WHICH THEY OPERATE
Achieving which control goal requires that all valid objects or events are captured and entered into a system's database once and only once?
ensure input completeness
a process, affected by an entity's board of directors, management, and other personnel, applied in strategy settings and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives is:
enterprise risk mgmt
NNs supplement ESs in areas where
expertise has not yet been captured. by examining data, NNS can identify and replicate the patterns that exist
centralized database approach to business event processing
facts about events are stored in relational database tables instead of separate files, solves many of the problems caused by data redundancy.
1. Determine the objective of sampling
Drawing conclusion about some population of interest (e.g., does aerobics program lead to a reduction in resting heart rate?) (e.g., does brand of golf ball provide increased distance?)
planning (attributes)
1. determine the objective of sampling 2. define deviation condition 3. define the population
Upper Limit Rate of Deviation
(1 - risk of overreliance) probability that the true rate of deviation is less than or equal to the ULRD (Risk of overreliance) probability that the true rate of deviation exceeds the ULRD Consists of: Sample rate of deviation Allowance for sampling risk its the most conservative estimate
Risk of Overreliance
(Risk of Assessing Control Risk too Low) referred to as type II error, false acceptance
automated data entry
-effectiveness goal A, efficient employee of resources: inputs are entered more quickly and w fewer personnel resources than are inputs entered manually -input accuracy: by elminating manual keying and using scanning and other tech, the input accuracy is improved
review tickler file (file of pending shipments)
-effectiveness goal a, input completeness, update completeness: a file of picking tix is retained in shippin awaiting packing slips. if the packing slips are received ina timely manner, nad the corresponding picking tiz are removed from the pending shipments file, we can ensure that goods will be shipped in a timely manner and that the picking tix were indeed input and the master data updated. if picking tix do not receive packing slips within a reasonable period of time, then an inquiry procedure is initiated to determine the nature and extend of the delay in a warehouse -- all open doors that havent been fulfilled. it addresses security and update completeness and update accuracy. saves mgr reviewing tickler file and open orders to work w warehouse mgr to create plan. have a doc that sales mgr reviews and signs and says plan of open invoices
attributes sampling
-planning -Determining Sample Size -Selecting and Measuring Sample Items -Evaluating Sample Results
InformationWeek Top-10 CIO Concerns
1. Business analytics 2. 80/20 IT operations vs. investment gap 3. Mobile devices 4. Digitize the enterprise 5. Social media 6. Customer engagement 7. Data center / cloud computing 8. CIO as Chief Acceleration Officer 9. Importance of Being Global 10. Optimizing systems
Create the E-R Diagram in 5 Steps
1. Create a relational table for each entity - CUSTOMERS, INVENTORY, ORDERS, and SALES 2. Determine primary keys for each entity table 3. Determine attributes for each entity - Sometimes called a field and represented as a column in a table 4. Implement relationships among the entities (primary keys exist as attributes in other tables) - Ensure that the primary key of one table exits as an attribute in every table (entry) for which there is a relationship - For many-to-many, relationship (junction) tables 5. Determine attributes for each relationship table
8 components of ERM
1. Internal Environment - Tone of an organization - Sets the basis for how risk is viewed and addressed by an entity's people - Risk management philosophy and risk appetite - Integrity and ethical values - The environment in which they operate 2. Objective Setting - Objectives must exist before management can identify potential events affecting their achievement - ERM ensures management has a process in place to set objectives and that the objectives support and align with the entity's mission and are consistent with its risk appetite 3. Event Identification - Events affecting achievement of objectives must be identified, distinguishing between risks and opportunities. - Opportunities are channeled back to management's strategy or objective-setting processes. 4. Risk Assessment - Risks are analyzed - Evaluated considering likelihood and impact of risk as a basis for determining how they should be managed - core of effective compliance w sox section 404 5. Risk Response - Management selects risk responses • Avoiding, accepting, reducing, or sharing risk - Develop a set of actions to align risks with the entity's risk tolerances and appetite 6. Control Activities - Establish and implement policies and procedures to help ensure the risk responses are effectively carried out 7. Information and Communication - Relevant information is identified, captured, and communicated to enable people to carry out their responsibilities - Effective communication flows down, across and up the organization - narratives, systems flowcharts, written policies and procedures 8. Monitoring - ERM is monitored and modifications are made as necessary. - Monitoring is accomplished through ongoing management activities and separate evaluations. - assesses the qual of ic performance over time - key element in the lt success of a sys of ic. - includes org gov, mgmts compliance w soz s. 404, the activities of internal and external auditors, and certain control activities • Audit risk model (AR=IR*CR*DR)
Ensure security of resources
A control goal of an operations process ex: protect assets from damage, fraud, or misappropriation ex: suprinas customer data represent an importance resource for this company bc it tells them a lot must protect both tangible and intangible resources
Residual expected risk
A function of initial expected gross risk, reduced risk exposure due to controls and the cost of controls
object-oriented database model
A model that allows the storage of both simple and complex objects (including items such as video, audio, and pictures). Characteristics also include inheritance and encapsulation. other types of data can be stored. like video clips or pics can be stored in an object oriented database. include abstract data types that allow users to define characteristics of the data to be stored when developing an application. this overcomes the limitations of relational databases. relational databases limit the types of data that can be stored in table columns. instead of tables, oo dbms stores data in objects
Acquire and Implement Domain: IT Process 8 Ensure Security and Continuous Service
A number of business continuity planning models are available • We'll look at one developed by the Business Continuity Institute • Six elements 1. BCM policy and program management provides the framework around which the BCM is designed and built (hub of wheel) 2. Understand the organization 3. Determine business continuity strategies 4. Develop and implement a BCM response 5. Exercise (rehearse), maintain and review 6. Embed BCM in the organization's culture
hash totals
A summation of any numeric data existing for all documents in the batch, such as a total of customer numbers or invoice numbers in the case of remittance advices; used for control purposes only. can be a powerful batch control bc they can determine whether inputs have been altered (accuracy), added (validity), duplicated (completeness), or deleted (completeness). these batch hash totals operate for a batch in a manner similar to the operation of doc record hash totals (a type of programmed edit check for individual inputs).
Second Normal Form (2NF)
A table is in second normal form (2NF) if it is in 1NF and has no partial dependencies - I.e., no non-key attributes that are dependent on only a portion of the primary key • Non-key attributes: - An attribute that is not part of the primary key • This resolves update anomaly problems • Two steps to get from 1NF to 2NF 1. Create a new table for each subset of the table that is partially dependent on a part of the composite primary key 2. Place each of the non-key attributes that are dependent on a part of the composite primary key into the table that now has a primary key that is the field on which the non-key attribute is partially dependent.
Decisions under MUS
Account balance is not misstated Suggest correction of identified misstatements Investigate cause of misstatements Account balance is misstated Increase sample size to attempt and reduce upper limit on misstatements Recommend adjustment to reduce misstatement below tolerable misstatement
Incremental Allowance for Sampling Risk
Adjusts the projected misstatement to control exposure to risk of incorrect acceptance Allows for the possibility that the remainder of the sampling interval might be misstated by a higher percentage than the logical unit
• Functional dependence
An attribute (column in a table) is functionally dependent on a second attribute (or a collection of other attributes), if a value for the first attribute determines a single value for the second attribute at any time - When functional dependence exists, the first attribute determines the second attribute
Mean-per-unit:
Assumes each item in population (component of account) has similar balance Estimates recorded balance by multiplying number of components by average audited value Use amts similar in size
Difference estimation:
Assumes each item in population (component of account) has similar difference between recorded and audited value Estimates the amount of misstatement by multiplying number of components by average misstatement Estimates recorded balance using estimated misstatement
Projected Misstatement
Assumes entire sampling interval contains same percentage of misstatement as the logical unit examined by auditors Calculated for each misstatement as: Sampling interval x Tainting % Do not project misstatements if the logical unit > sampling interval
risk of underreliance result
Auditors conclude that controls are not functioning effectively Auditors assess control risk at higher than necessary levels Efficiency loss (perform more effective substantive procedures than necessary)
When a business purchases a DBMS, it becomes an audit problem
Auditors need to expand their knowledge of DBMS
sampling risk cause
Caused by selecting a nonrepresentative sample
• Other coding schemes
Check digit: is a code that includes an extra digit that can be used to check the accuracy of the code
Database Essentials Network Database Model
Child records can have more than one parent record - Solved joint account problem • Significant improvement over the early hierarchical designs • Eclipsed by relational databases which are vastly more flexible
Expert Systems
Computerized advisory programs that imitate the reasoning processes of experts in solving difficult problems ESs appropriate in situations w these characteristics: decisions are extremely complex, consistency of decision making is desirable, the decision maker wants to minimize time spent making decision while maxing qual of decision, experts familiar w the knowledge and content of the decision are involved, and their knowledge can be captured and modeled via computer software sometimes used as part of a downsizing strategy.
Sequential Sampling
Conducting a pilot study to estimate the population parameters so that another, larger sample of the appropriate sample size may be drawn. also known as stop or go sampling stop after evaluating a relatively small sample and evaluate your results. if ur results are clearly acceptable or unacceptable u would stop. if the results are inconclusive u would examine more items. most used to determine quickly that results are clearly not acceptable, we're less likely to use stop and go to determine that something is acceptable w a small small sample size. advantage is that sample may be more efficient than a fixed sample plan
item or line counts
Counts of number of items or lines entered. Improves input validity, completeness, and accuracy by reducing possibility that line items or entire documents could be added to the batch or not be input.
attributes sampling process
Estimate the rate at which the client's internal control is failing to function effectively (upper limit rate of deviation) Compare upper limit rate of deviation to an allowable level (tolerable rate of deviation)
Using Databases and Intelligent Systems to Aid Decision Makers
Decision aids - Information tools that can help decision makers - Computerized tools used to assist, and in some cases replace, the decision maker - Decision aids include: • Decision support systems • Executive information systems • Group support systems • Expert systems • Intelligent agents Many decisions are unstructured - Especially, at higher levels of an organization
Personnel termination control plans
Defines procedures when an employee leaves an organization. more important when fired for cause bc the employee is likely to be upset or angry and damage the org. collecting any items displaying the companys identification (letter head), reclaiming office and building keys, and removing password access to data
• Data model
Depicts user requirements for data stored in a database
sampling risk can be controlled by
Determining an appropriate sample size (higher % of items sampled in the population, sampling risk decreases bc more likely to have a representative sample) Ensuring that all items have an equal likelihood of selection (more random, less risk) Evaluating sample results to control risk (if u evaluate using statistical methods u can control the level of sampling risk and that makes ur results more meaningful)
Precision (allowance for sampling risk)
Distance from the estimated population value in which the true (but unknown) population value may lie with a given probability +- range (precision interval). 5% SR = 95% reliability level. compare ippder end of precision interval to tolerable amt to decide if pop is materially misstated or not.
• Advantages of the centralized approach
Eliminating data redundancy - Ease of maintenance - Reduced labor and storage costs - Data integrity - Data independence - Privacy
knowledge mgmt sys
Employees can access database and contribute of extract knowledge from anywhere in the world • DBs provide orderly storage and retrieval of captured knowledge
• Control goals of operations processes
Ensure effectiveness of operations Ensure efficient employment of resources Ensure security of resources
5. select sample items
Ensure that all items are available for selection
Sampling risk (Risk of overreliance)
Establish based on desired level of control risk Lower control risk = lower risk of overreliance (less substantive testing)
Batch sequence check:
Event data within a batch are checked as follows: 1. The range of serial numbers constituting the documents in the batch is entered. 2. Each individual serially prenumbered document is entered. 3. Computer program sorts input documents into numerical order; checks documents against the sequence number range; and reports missing, duplicate, and out-of-range data.
Centralized Database Approach To Business Event Processing
Facts about events are stored in relational database tables instead of separate files • Solves the problems caused by data redundancies • Improves efficiency, eliminates data redundancies, and improves data integrity • Enables integrated business information systems that include data about all of a company's operations - In one massive relational table • Multiple users from throughout the organization can view and aggregate event data in a manner most conducive to their needs • Management increasingly views information systems as a decision-support activity first and reporting second (CRM and ERP)
example
If Sample estimate = 17.5 bpm Precision = 2 bpm Reliability = 90 percent There is a 90 percent likelihood (reliability) that the true population value is between 15.5 bpm (17.5 - 2) and 19.5 bpm (17.5 + 2)
Qualitative Considerations
In addition to number of deviations (quantitative) consider qualitative nature of deviations Examples: Pervasive (a few affect a lot of things-special circumstance for invoices done incorrectly. follow up on) vs. isolated deviations? Unintentional vs. intentional deviations (greater concern-maybe some fraud going on)? Misunderstanding (less concern-training can fix it) vs. carelessness (ppl dont care, not good)? these all have implications on the audit and for publicly traded companies we may consider these to indicate sig deficiencies or material weaknesses
access control software
In an online environment, it ensures that (1) only authorized users gain access to a system through a process of identification (e.g., a unique account number for each user) and authentication (e.g., a password to verify that users are who they say they are), (2) restricts authorized users to specific data they require and sets the action privileges for that data (e.g., read, copy, write data), and (3) monitors access attempts and violations.
• Mnemonic coding
Includes letters as some or all of the code which is done to help humans remember them
• Decision support systems (DSS)
Information systems that assist managers with unstructured decisions by retrieving and analyzing data and generating information - Possesses interactive capabilities - Can answer ad-hoc inquires - Provides data modeling facilities such as spreadsheets - Artificial intelligence • Can imitate human decision making (i.e.,) when confronting complex and ambiguous situations
sampling risk
Likelihood that the decision based on the sample differs from the decision that would have been made if the entire population were examined
• Hierarchical coding
Orders items in descending order where each successive rank order is a subset of the rank above it. Specific meaning is attached to particular positions
ULRD Example
Parameters: Risk of overreliance = 5% Sample size = 127 (use row for n = 125) Number of deviations = 2 Sample rate of deviation = 2 ÷ 127 = 1.6%
6. measure sample items
Perform procedure and make appropriate evaluation/measurement Determine sample estimate Nonsampling risk can occur if incorrect procedures are performed or mistakes in evaluation or measurement are made
Acquire and Implement Domain: IT Process 8 Ensure Security and Continuous Service
Plan for contingencies for processes, not resources • Two elements required 1. Programs, data, and documentation 2. Alternative computer facility • Backup - Making a copy of data • Recovery - Use the backup to restore lost data and resume operations. • Continuous Data Protection (CDP) - All data changes are date stamped and saved to secondary systems as the changes are happening.
Disadvantages of MUS
Provides a conservative (higher) estimate of misstatement than classical var sampling so ur more likely to determine that the bal is materially misstated than if u use cvs Not effective for understatement or omission errors which is more important for Liabilities and expenses. smaller amts/understatements or items left our are less likely to be selected and u have a 0 chance of selecting something w a 0 bal which would be our omission errors using mus. Expanding sample is difficult if initial conclusion is to reject the account balance bc of the way we select our sample using a systematic sampling technique it becomes much more difficult to expand the sample than in other methods Requires special consideration for accounts with zero or negative balances since these accts would have a 0 chance of being selected in this method u would need to alter ur selection process to somehow include these balances to be selected if u are going to use mus and areas like liabs and exps
cumulative sequence check
Provides input control when the serial numbers are assigned within the organization (e.g., sales order numbers issued by the sales order department) but later are not entered in perfect serial number sequence (i.e., picking tickets do not necessarily arrive at the shipping department in sequence). periodically, reports of missing numbers are produced for manual follow up ex: reconciling checkbook
cumulative sequence check
Provides input control when the serial numbers are assigned within the organization (e.g., sales order numbers issued by the sales order department) but later are not entered in perfect serial number sequence (i.e., picking tickets do not necessarily arrive at the shipping department in sequence). in this case, the mathcing of individual event data (picking ticket) numbers is made to a file that contains all doc numers (all sales order numbers). periodically, reports of missing numbers are produced for manual follow up. check register assists for reconciling checkboook to know complete sequenc eof checks
hierarchical database model
Records are organized in a pyramid structure the records at or near the top of the structure contain records below them. works well for simple situations ex: a bank that wants to record info ab its customers and their accts couold use this. top level records may hold info ab customers. next level down could include reocrds w info abt accts. a custoemr might have a savings acct, a checking acct, and a loan acct. all of a customers accts would be below that customer record in the hierarchy. the next level down may include records that store info ab transactions in each acct.
Database Essentials Hierarchical Database Model
Records are organized in a pyramid structure • Child records - Records that are included in a record one level above them (a parent record) • Parent records - Include the lower-level child records • Each parent can have many child records, but each child record can only have one parent • Example - Customer master record and child accounts for the customer • Works well for simple data structures only - Problem for joint accounts (i.e., child having two parents)
big data
Refers to the massive amount of data collected from human- and machine-generated sources
Information and Communication
Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
If ULRD ≤ Tolerable Rate of Deviation
Rely on controls as planned Maintain planned level of control risk and detection risk
online prompting
Requests user input or asks questions user must answer. Includes context-sensitive help. ex: after entering all the input data for a particular customer order, u might be presented w 3 options: accept the completed screen, edit the completed screen, or reject the completed screen. by forcing u to stop and accept the data, online prompting is advising u to check ur data entries b4 moving on. in addition, many systems provide context service help, whereby the user is automatically provided w, or can ask 4, descriptions of the data to be entered into each input field
how to determine sample size
Sample size tables in Appendix F.A Process: Select AICPA Sample Size table corresponding to desired risk of overreliance Identify row related to the appropriate expected population deviation rate Identify column related to the appropriate tolerable rate of deviation Determine sample size at junction of row and column
MUS: Evaluating Sample Results (Basic Allowance for Sampling Risk)
Sampling Interval x Confidence Factor $147,804 x 2.31 = $341,427
written approvals
Signature or initials to indicate someone authorized the event. Ensures data input arises from a valid business event and appropriate authorizations have been obtained. another control aspect of approving an input document is that such of an approval segregates authorizing events from recording events might use electronic approvals in some situations. whereby bus events are routed, using a computer systems workflow facility, to persons authorized to approve the event. ex: purch requisitions might be routed for approval to those w budgetary authority
document/record counts
Simple counts of the number of documents entered (e.g., 25 documents in a batch). This procedure represents the minimum level required to control input completeness (i.e., input the document once). putting batch in. physically count when submitting invoice. if u put wrong #, it wont process. input accuracy and completeness. make sure ur putting in right # of docs.
2. define deviation condition
Situation in which control is not functioning as intended ex: shipping docs missing, shipping and invoices dont match all the things that indicate the control isnt working, not just the most obvious things
• Now let's discuss using the top-down approach to database design
Sometimes called event-driven approach • Because it attempts to describe all aspects of the business events and processes under consideration • As opposed to bottom-up (or user-driven) approach • Usually results in better DB design
PCAOB Inspection Results
The Firm failed to perform sufficient substantive procedures to test the [client's] loan charge-offs and recoveries...the sample the Firm used in its testing was too small to provide the necessary level of assurance, as the risk factor the Firm used to calculate its sample size was inconsistent with its own risk assessment. The Firm failed to perform sufficient procedures to test revenue and accounts receivable...in performing tests of details of accounts receivable, the Firm selected a sample only from subsidiary ledgers that exceeded a certain threshold, and therefore a significant portion of accounts receivable was not subject to testing.
When is sampling used?
The need for exact information is less important The number of items comprising the population is large
COBIT 4.1 Definition for Control
The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
organizational goverance
The process by which organizations select objectives, establish processes to achieve objectives, and monitor performance. • Processes to achieve the objectives including essential internal controls and monitoring activities are then designed and implemented
• Knowledge management
The process of capturing, storing, retrieving, and distributing the knowledge of the individuals in an organization for use by others in the organization to improve the quality and efficiency of decision making across the firm - Next logical step after DBMS - Why?
turnaround documents
These are used to capture and input a subsequent event. picking tickets, inventory count sheets, and remittance advice stubs attached to customer invoices are examples of this. for ex, we have seen picking tix that are printed by the computer, used to pick the goods, and sent to shipping, where the bar code on the picking ticket is scanned to trigger the recording of the shipment. thus, turnaround docs can facilitate automated data entry. they can be used for the input of individual items rather than batches. in such cases, the scanning computer displays the scanned data, such as items and quantities to be shipped, to the data entry clerk or shipping clerk. if the data has been scanned correctly, the clerk need only press 1 key or click the mouse button to record the input remittance devices and picktick
First Normal Form (1NF)
Unnormalized table - Contains repeating attributes (fields) within each row (or record) • We call these attributes repeating groups • A table is in first normal form (1NF) if it doesn't contain repeating groups. • A primary key that is formed by the combination of two or more columns is called a composite primary key
Discovery Sampling
Used when deviations occur at a very low rate, but are critical in nature • Extremely important controls • Possible existence of fraud we use the sample sizes from the tables that show an expected pop dev rate of 0% bc in this case these are v important or there might be fraud so we're saying we expect 0 deviations here. if u find even 1 deviation u would stop testing immediately and conclude that the control is not working If one deviation is identified, audit team concludes control is not operating effectively
Classical Variables Sampling
Uses normal distribution theory and the central limit theorem to provide an estimated range of: Recorded account balance or class of transactions Misstatement in an account balance or class of transactions Basic methodology: Determine estimated range of account balance or misstatement Evaluate using tolerable misstatement
Applications Approach To Business Event Processing
View that concentrates on the process being performed • Data plays a secondary role to the programs • Each application collects and manages its own data files • Data redundancy Same fact in multiple files violates the integrity of the data
policy
a plan or process put into place to guide actions and achieve goals. applies to company activities in a variety of areas law can compel behaviors and enforce penalties for noncompliance, policies merely guide behavior toward the actions that are most likely to achieve desired goals. one major policy area that significantly affects internal control in an org is the area of personnel policies
ensure input completeness
all true or authorized transactions are put into the sys ex: there are 48 valid orders to be processed but the order entry clerk makes a mistake and only requests the processing of 38 orders
General Controls
also known as IT general controls are applied to all it service activities for ex, preventing unauthorized access to the computer system would protect all of the specific business processes that run on the computer (such as order entry/sales, billing/accounts receivable/cash receipts, inventory, payroll, and so on.).
erm process
and its components are evaluated -- via ongoing mgmt activites, separate evaluations, or both -- to determine its effectiveness and to make necessary modifications. for ex, bus processes put into place to accomplish objectives are reviewed to determine their effectiveness.
business process control plans
applied to a particular business process, such as billing or cash receipts
control effectiveness
are all the control goals achieved
application controls
are automated business process controls contained within IT application systems (i.e., computer programs).
control goals
are business process objectives that an internal control system is designed to achieve
neural networks (NNs)
are computer hardware and software systems that mimic the human brains ability to recognize patterns or predict outcomes using less than complete info used to recognize faces, voices, and handwrittem characters, and apples from bad to good
audit sampling
attributes sampling variables sampling effect of factors on sample size
mus best and worst
best used when audit team expects to find few or no misstatements and when overstated, the existence assertion is of greatest concern. in contrast, when a relatively large number of misstatements is expected or when understatement (the completeness assertion) is of greater concern then mus is less effective and we may want to go w some other method
alternative names for contingency planning include all of the following except:
business disaster planning
Principle 5: Separating Governance From Management
cobit 5 strongly differentiates governance and mgmt. these two functions have different acts, organizational structures, and purposes. this distinction is critical to cobit 5. accordingly, we quote below cobit 5's definition of these two terms governance ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting directions through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives
Principle 2: Covering the Enterprise End-to-End
cobit 5's holistic and enterprise orientations make integrating geit into overall enterprise governance a top priority. cobit 5 is not "it-focused" but instead takes an enterprise wide view. it covers all funcs and processes in the enterprise and views all it governance and mgmt enablers to apply to the entire enterprise--end to end
group support systems
computer-based systems designed to improve various aspects of group work also called group decision support systems support collaborative intellectual work. sue tech to solve the time and place dimension problems associated w group work creates a virtual meeting for a group. while attending, memebrs of group work toward completing their tasks and achieving the groups objectives.
which of the following control plans is designed to achieve the goal of input completeness
confirm input acceptance
preformatted screens
control the entry of data by defining the acceptable format of each data field. ex: screen might force users to key exactly 9 alphabetic characters in 1 field and exactly 5 numerals in another field. or the sys may provide drop down lists of data that are acceptable for a given field, such as shipping methods and sales terms. to facilitate the data entry process, the cursor may require that certain fields be completed, thus preventing the user from omitting any mandatory data. finally, the sys may automatically populate certain fields w data, such as the current data, sales tax rates, and other terms of a bus event. this reduces the # of keystrokes required, making data entry quicker and more efficient. also, w fewer keystrokes and by using the default data, fewer keying mistakes are expected, which makes the data entry more accurate. to ensure that the sys has not provided inappropriate defaults, the clerk must compare the data provided by the sys w that of the input
entity level controls
controls that have a pervasive effect on the entity's system of internal control; also referred to as company-level controls levels 1 and 2 of control hierarchy control environment and general controls the standard emphasizes the pervasive effect that entity level controls have on the achievement of control objectives and the effectiveness of specific controls, such as business process controls. many of these entity level controls, including it general controls, such as controls over computer program development, program change controls, controls over computer operations, and access to programs and data
nonstatistical sampling
does not allow audit team to control exposure to sampling risk when the auditor does not use statistical methods in either determining the sample size or selecting the sample or both which means the auditor cannot evaluate the results statistically in nonstatistical sampling we determine the sample results and use auditor judgment to decide if theres enough of a cushion between projected pop misstatement and tolerable misstatement to give a large enough cushion for sampling which in this case cannot be quantified so we're making a judgement call on whether theres enough of a gap between those 2 things to control for sampling risk so its a little less precise.
org gov, as implemented w a framework such as erm, begins w
establishing mission, vision and purpose; then, strategy and objectives directed at the mission are established and risks, are identified. after assessing risks and deciding how to respond to the risks, controls are put into palce to ensure that responses to the risks are carried out.
personnel control plans
help to protect an organization against certain types of risks. ex: hiring incompetent employees could result in time and money being wasted on futile training programs. alternatively, offering employment to an individual unqualified to fill a position may preclude efficient, effective ops or, if the person cannot follow instructions, may lead to inaccurate info processing. hiring an employee with a prior record or dishonesty exposes the org to a greater possibility of fraud.
operational errors
human error when entering inventory or other forms of data todays customer orders may be processed against an out of data (yesterdays) sales order master data or we may fail to execute some intermediate steps in a process. this may happen if input data are used for more than one applicatioin and we fail to use the inputs for all of the intended processes (should not be a problem w enterprise systems where one input automatically impacts all relevant applications). some appplications (such as in banking) process "memo" updates during the day to immediately reflect activity, such as cash withdrawals. the "real" updates take place overnight in a batch process. if we fail to properly execute the overnight process, the updates may be incomplete or inaccurate
for org gov, ic are
implemented to help ensure that risk responses are effectively carried out, or the controls themselves are the responses to risks. a
Knowledge Mangement
is the process of capturing, storing, retrieving, and distributing knowldeg of the individuals in an org for use by other s in the prg to improve the qual and efficiency of dec making across the firm primary enabler of km efforts is info ttech logical next step after dbms in bus info sys
attributers sampling
is used to estimate the extent to which a characteristic (attribute) exists within a population Used during auditors' tests of controls Estimate the rate at which internal control activities are not functioning as intended (deviation conditions) Compare estimated rate to an allowable rate (tolerable rate of deviation)
job description control plans
lay out the responsibilities for each position on an organization chart and identify the resources to be used in performing those responsibilities
manual reconciliation of batch totals
operates as follows: 1. One or more batch totals are established manually. 2. As individual event descriptions are entered the data entry program accumulates independent batch totals. 3. Computer produces reports that includes relevant control totals that must be manually reconciled with totals established prior to the process. 4. Person who reconciles batch total must determine why totals do not agree and make necessary corrections to ensure the integrity of the input data
categories of pervasive control plans
org design, policies, monitoring, and it general controls. pervasive control plans provide a second umbrella of protection, in addition to the control environment, over all AIS bus processes. pervasive control plans are particularly important bc they operate across all business processes and affect a company's capability to meet a multitude of control goals.
even if a malfunction occurs, it is usually detected and corrected automatically. in addition to relying on the controls contained within the computer hardware, organizations should perform regular
preventive maintenance (period cleaning, testing, and adjusting of computer equipment) to ensure their equipments continued efficient and correct operation
program documentation
provides a description of an application program and usually includes the programs purpose; program flowcharts; source code listings; descriptions of inputs, data, and outputs; program test data and test results; and a history of program changes and approvals of such changes
ensure of input completeness ex
recording all csutomer orders in the sales order and inventory master data for all customer orders recorded in the customer orders file.
corrective control plans
rectify problems that have occurred ex: if discrepancies are detected, suprina should have a procedure for resolving the discrepancy. this procedure would constitute a corrective control
document/record hash totals
reflect a summarization of any numeric data field within the input document or record, such as item numbers or quantities on a customer order. the totaling of these numbers typically serves no pup other than as a control. calculated b4 and then again after entry of the doc or record, this total can be used to determine that the applicable fields were entered accurately. you use this to look for any 1 thing in all docs on a certain type of docs. for vendor invoices, vendor zip code. something that is numeric and u add them up to get has total
control plans (first level of overall protection)
reflect information-processing policies and procedures that assist in accomplishing control goals control environment appears at the top of the hierarchy and it comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans
The model that logically organizes data into two-dimensional tables is the:
relational database model
risk assessment
risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. risks are assessed on an inherent and a residual basis two factors to consider: likelihood and impact inherent risk exists in the absence of any actions that mgmt might take to reduce likelihood or impact. the fin serv industry firms that failed in 2008 either did not identify the investment risks they were facing or did not adequately respond to those risks
Statistical Sampling
sampling applies laws of probability in selecting sample items and evaluating sample results Allows audit team to control exposure to sampling risk enables the auditor to make quantitative stmts about the results and to measure the sufficiency of the evidence gathered must follow statistical methods for determining sample size, selecting the sample, and evaluating the results (for all 3 steps). this allows u to quantify sampling risk and make precise decisions on sample results when extrapolating to the population. projective misstatements can be very close to but still below tolerabe misstatement and we can still determine that the population is not materially misstated bc we have statistically quantified sampling risk w this method.
Factors Affecting Sample Size
sampling risk (risk of overreliance) tolerable rate of deviation expected population deviation rate population size
Searching through rubbish for system information such as passwords is called:
scavenging
the first step, identification and authentication, involves
what is commonly known as the user id and password. however, passwords are a notoriously weak method for authenticating user identification bc, for ease of use, most people choose simple passwords. free software already exists that can decode simple word passwords n seconds. employees should be trained to use longer passwords and those made up of random characters, including letters, numbers, and symbols. employees should also be instructed not to write down or divulge their passwords.
Plan and Organize Domain: IT Process 2 Develop Tactics to Plan, Communicate, and Manage Realization of the Strategic Vision
• IT steering committee - Coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan • Security officer - Safeguards the IT organization by 1. Establishing employee passwords and access to data, 2. Ensuring the IT organization is secure from physical threats
Acquire and Implement Domain: IT Process 8 Ensure Security and Continuous Service
• Two important aspects of Process 8: - Ensure continuous service - Secure IT assets • Business continuity planning (also known as disaster recovery planning, contingency planning, and business interruption planning) - A process that identifies events that may threaten an organization and provides a framework to ensure that the organization will continue to operate when the threatened event occurs or will resume operations with a minimum of disruption
2012 ACFE Report to the Nation on Occupational Fraud and Abuse
• Typical organization lost 5% of annual revenues to fraud - $3.5 trillion worldwide • Typical fraud was underway 18 months before detection. • Frauds were more likely detected by tips than through audits or internal controls. • Median loss of the 1,388 reported cases was $140,000. • One-fifth of losses were at least $1 million.
Monitor and Evaluate Domain: IT Process 10 Trust Services Principles and Criteria
• WebTrust - Best practices and e-business solutions related to B2B and B2C electronic commerce • SysTrust - Assurance service designed to test and monitor the reliability of an entity's information systems and databases including ERP systems
measuring sample items
• perform appropriate tests of controls -look for presence or absence of control applied by entity -if item cannot be located, consider as a deviation • determine sample rate of deviation number of deviations/sample size