acc systems exam 2


estimate account balance

(audited value of sample / recorded balance of sample) × recorded balance of population

Basic Steps in Sampling

-planning -performing -evaluating

Steps in Sampling: Performing

4. Determine sample size; 5. Select sample items; 6. Measure sample items

COBIT 5: 2 main components

5 GEIT principles and 7 enablers. Both of these are fundamentally different from the approach used in COBIT 4.1; for example, 4.1 did not have enablers.

Subschema

A description of a portion of a schema

ERM

A process, effected by an entity's board of directors, management, and other personnel, applied in strategy settings and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Database Management Systems (DBMS)

A set of integrated programs designed to simplify the tasks of creating, accessing, and managing a centralized database. Integrates a collection of files that are independent of application programs and are available to satisfy a number of different processing needs. Contains data related to all the organization's applications, supports normal data processing needs, and enhances management activities by providing data useful to managers. Enterprise databases are a subset of DBMS.

intelligent agent

A software program that may be integrated into a DSS or other software tool (such as word processing, spreadsheet, or database packages) that provides automated assistance, advice, and/or information for decision making.

Third Normal Form (3NF)

A table is in third normal form (3NF) if it is in 2NF and has no transitive dependencies. A transitive dependency exists when a non-key attribute is functionally dependent on another non-key attribute; for example, Cust_Name is functionally dependent on Cust_Code, which is a non-key attribute.

control matrix

A tool designed to assist in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans.

control redundancy

Are too many control plans directed at the same goal?

steps to precision and reliability

Based on the sampling procedure, form the sample estimate. Based on precision and reliability, form the precision interval.

Monetary Unit Sampling (MUS)

Basics of MUS; determining sample size; selecting and measuring sample items; evaluating sample results

Two primary functions of a DBMS

1. Creation and maintenance of master data 2. Recording of business event data

Entity-relationship modeling

Designer identifies the important things (entities) about which information will be stored and how the things are related to each other (relationships)

Data mining

Exploration, aggregation, and analysis of data in data warehouses using analytical tools and exploratory techniques

3 steps in analysis of E-R diagram

1. Identify entities 2. Identify relationships and learn about the characteristics of the relationships 3. Use this information to create database tables and connections among tables

key verification

Input documents are keyed by one individual and then rekeyed by a second individual to detect keying errors. Occasionally applied to input of low-volume, high-value batches of events.

3. Define the population

Item(s) about which the question is asked (e.g., health club members?). Need to ensure the population is carefully and completely defined. Example: population = all sales invoices; sampling unit = 1 sales invoice.

Selection and Hiring Control Plans

Job candidates should be carefully screened, selected, and hired. Companies choose which plans to employ based on the salary level and job duties of the position for which the candidate is applying.

reliability (confidence)

Likelihood of achieving a given level of precision

nonsampling risk

Likelihood that an incorrect conclusion is drawn for reasons unrelated to the sample. The most common cause is mistakes in evaluating sample items, usually errors in judgment or execution of the test (test performed incorrectly or test not designed correctly), not because you are using sampling.

risk response

Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

review tickler file

Manual file of documents, or a computer file, that contains business event data that is pending further action. Should be reviewed on a regular basis.

DSS (decision support system)

Models information to support managers and business professionals during the decision-making process

Population size

Not applicable unless the population is relatively small. Once the population reaches 500, it has a much reduced effect on sample size, so we do not typically consider it too important.

Normalization in Relational Databases Bottom-Up Approach

One of two approaches (the other is top-down, which will be covered later). The designer identifies the attributes of interest and organizes those attributes into tables. Common practice is to gather all paper documents currently used and design the computer system so that they can be completed electronically. A limitation is that one tends to automate current practices without leveraging computer technology capabilities. The need for computer-oriented controls may be ignored even though prior manual controls may not be effective.

forms

Onscreen presentations that allow users to view data in tables or collected by queries from one or more tables, and to input new data

Nonstatistical Sampling

Permissible under GAAS. Does not allow auditors to control exposure to sampling risk. Major differences in: determining sample size (auditors may judgmentally determine sample size and do not need to quantify the expected deviation rate or confidence interval in that case); selecting sample items (may use nonrandom methods like block or haphazard selection); evaluating sample results (may judgmentally evaluate sample results based on the sample rate of deviation compared to the tolerable rate, basically asking whether there is enough cushion to allow for sampling risk; this is based on auditor judgment, which is not as precise, so be careful with it).

Anomalies or errors

Results when you fail to follow the rules of normal forms; these might occur when adding, changing, or deleting data stored in the database.

sample size examples: parameters

Risk of overreliance = 5%; tolerable rate of deviation = 6%; expected population deviation rate = 2%

Risk of Incorrect Rejection occurs when

The sample indicates the account is misstated, but the account is not misstated

Risk of Incorrect Acceptance occurs when

The sample indicates the account is not misstated, but the account is misstated

risk of overreliance occurs when

The sample indicates controls are functioning effectively, but the controls are not functioning effectively

Normal forms

Structure of tables must comply with several rules; these include specifications that must be met by relational database tables.

hash totals

Sum of any numeric data existing for all batch documents, such as a total of customer numbers or purchase order numbers. Can determine if inputs have been altered (accuracy), added (validity), or deleted (completeness).

PCAOB Inspection Results

The Firm failed to sufficiently test an important control over the loan grading process that it selected, as the sample size the Firm used in its testing was too small to obtain the necessary level of assurance that the control was operating effectively to prevent or detect material misstatements. For these compensating controls [over revenue and accounts receivable transactions], the sample used by the Firm to test the compensating controls was inadequate because the Firm underestimated the number of times the control operated when computing the necessary sample size.

risk appetite

The amount and type of risk that an organization is willing to take in order to meet their strategic objectives (from Institute of Risk Management)

coding

The creation of substitute values, or codes, to represent classification categories or long labels

Cannot afford to prevent all losses

Too expensive to eliminate all risk (if possible)

queries

Tools that allow users to access the data stored in various tables and to transform data into information

applications approach to business event processing

Under this approach, each application collects and manages its own data, generally in dedicated, separate, physically distinguishable files for each application. Concentrates on the process being performed.

Logical Versus Physical Database Models

Underlying concept of the centralized database approach: decouple data from applications. Data independence: data is decoupled from the system applications to make it independent of the application or other users. Three-tier architecture: systems that are decoupled are referred to as having 1. a user or presentation tier, 2. an application or business logic tier (middleware), and 3. a database tier.

Variables Sampling

Used to estimate the amount (or value) of some characteristic of a population. Used in the auditor's substantive procedures.

data redundancy

When the same data is stored in multiple locations and files (for example, customer information). Can cause inconsistencies among the same data in different files. Increases storage and labor costs, and data may not be shareable.

automated data entry

A strategy for the capture and entry of event-related data using technology such as OCR, bar codes, RFID, and EDI. These methods use fewer human resources and capture more data in a period of time than is possible with manual entry. By eliminating the keying errors that can occur in manual data entry, these methods improve the accuracy of the entered data. Finally, in some cases, the input method can validate the authenticity of the input; for example, when the RFID chip on a box is read, we know that the box exists. Control goal: completeness.

continuous data protection (CDP)

All data changes are date-stamped and saved to secondary systems as the changes are happening. You can have a server here and one in another location; a keystroke is made here and almost simultaneously it will be on the server at the other location. Example: you create an invoice here, your computer dies, you go to Starbucks and the invoice is there. Ensures security of resources, i.e., securing your assets and computer files. This process is not the periodic backup of files mentioned previously but is a process for continuous and immediate replication of any data changes. For many organizations, it is not cost-effective to maintain duplicate computer facilities, although they still need CDP; these organizations might contract with third parties for electronic vaulting.

risks

Are those events that would have a negative impact on an organization's objectives; they require assessment and response, whereas opportunities are channeled back to the strategy-setting process. Example: a new market opportunity might have opened up that management could decide to pursue.

Approving a customer credit purchase would be an example of which basic events processing function?

authorizing events

the best way to mitigate password risk is to put in additional authentications, such as a

Biometric identification (i.e., something they are) or a smartcard (i.e., something they have) that users must use along with their passwords

As described in COSO, elements of a control environment might include the following:

Commitment to the importance of control; reward systems; tone at the top of the organization

incorrect acceptance is the same as

confidence level

COSO's 5 Elements of Internal Control

control environment, risk assessment, control activities, information and communication, monitoring

to overcome the roadblocks to quality decision making, managers use

Decision support systems (DSSs), executive information systems (EISs), group support systems (GSSs), expert systems (ESs), neural networks (NNs), and intelligent agents

One-for-one checking

Detailed comparison of the individual elements of two or more data sources to determine that they agree; differences indicate errors in input or update. Expensive, so reserved for low-volume, high-value events.

control efficiency

do individual control plans address multiple goals?

tolerable misstatements vs tolerable rate of deviation

Dollar values that we are willing to tolerate as misstatements vs. how many times this control can fail to function before we consider it to be broken

impact

effect of an event's occurrence

timeliness

effectiveness

a mechanism by which a company is reimbursed for any loss that occurs when an employee commits fraud is called a

fidelity bond

GSSs facilitate

Group interaction and group consensus building

A summation of customer account numbers taken from a batch of sales invoices would be classified as

hash total

COSO places integrity and ethical values at the

Heart of what is called the control environment (captured in ERM as the internal environment)

personnel security control plans

help prevent the organization's own personnel from committing acts of fraud or theft of assets

object-relational databases

Includes a relational DBMS framework with the capability to store complex data types. Companies like either right now.

fidelity bond

Indemnifies a company in case it suffers losses from defalcations committed by its employees. Employees who have access to cash and other negotiable assets are usually bonded.

DSSs structure the available data to provide

Information about alternative courses of action without offering a solution. DSSs work well with unstructured or semistructured problems that have a quantifiable dimension.

knowledge

Information that has been formatted and distributed in accordance with an organization's standards

supervision control plans

involve the processes of approving, monitoring, and observing the work of others

forced vacations

A policy that requires an employee to take leave from the job and substitutes another employee in his or her place. An irregularity concealed by skipping vacations will be detected by this (detective control); if these policies are in place, they should act as a deterrent to the irregularity ever occurring in the first place (preventive).

sampling

is the process of making a statement about a population of interest by examining only a subset (or sample) of that population

Chief advantage of a DBMS is

it contains a query language

COBIT 4.1 supports IT governance by providing a framework to ensure that

IT is aligned with the business; IT enables the business and maximizes benefits; IT resources are used responsibly; IT risks are managed appropriately

matrix

Key tool in the assessment of a system of internal control that is used to determine whether a system of internal control is designed well and can help an organization achieve objectives and respond to risks

use control matrix to

Match business process controls to the goals. This allows us to assess the effectiveness of the design of the system of internal control by examining, easily, which goals are being addressed and which goals are not. Use it only to assess business process controls.

Classical Variables Sampling Approaches

Mean-per-unit estimation; difference estimation; ratio estimation

EISs use

Menus, graphics, and color to provide a friendly interface to DSSs for executives who want to minimize their interaction with the system

controls that ensure input accuracy and completeness do not

Necessarily ensure update accuracy and completeness. If the events or transactions are processed using an online real-time (OLRT) processing system, the input and update will occur nearly simultaneously. This minimizes the possibility that the update will be inaccurate or incomplete.

DSS and EIS similarities

Neither tells the decision maker what to do. Both primarily provide views for interpreting the information. Users generally use a DSS to arrive at estimated or "recommended" solutions to problems being considered. Statistical methods are rarely used for an EIS; an EIS is mainly about collecting and presenting information desired by an executive and less about doing additional processing calculations. EISs are more likely to have the ability to drill down (from summarized information to the primary documents) than DSSs. No matter the type of decision aid being used, the knowledge and experience required to analyze the information, to make the judgments, and to take the actions required reside with the decision maker.

ensure input validity

No false transactions are put into the system. Example: an order entry clerk requested processing of 50 customer orders; 2 of the 50 orders are fictitious.

another useful and common way to classify controls is in relation to the timing of their

occurrence

Before a completed input screen is recorded the data entry clerk is asked if the data should be accepted. This is which control plan?

online prompting

ERM is a process for

Organizational governance. Organizations create value for their stakeholders by establishing objectives and identifying and managing risks that might result in failure to achieve objectives.

MUS: Measuring Sample Items

Perform the appropriate substantive testing procedure; for each misstatement, calculate the tainting percentage as (recorded balance - audited value) / recorded balance, which gives you the percentage by which the item is tainted (misstated).

personnel management control plans

Personnel planning control plans; job description control plans; supervision control plans; personnel security control plans

second level of protection

pervasive control plans

Control Activities

Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. Includes approvals, authorizations, verifications, reconciliations, reviews of operating performance, security procedures, supervision, audit trails, and segregation of duties.

likelihood

possibility that an event will occur

In a control matrix the coding P-1 means:

present control plan

best control

Preventive controls, because in the long run they're less expensive and less disruptive to operations: it is better to prevent, rather than to detect or correct, problems. However, because no control can be made 100% effective, we need to implement a combination of preventive, detective, and corrective controls. Detective controls can help prevent or deter fraudulent or careless acts: if someone knows that plans exist to detect or uncover fraud and carelessness, such knowledge can serve as one additional preventive measure.

The goal of normalization is to

produce a database model that contains relations that are in third normal form (3NF)

personnel planning control plans

project future managerial and technical skills of the staff, anticipate turnover, and develop a strategy for filling necessary positions

ESs apply expertise extracted from a human expert to

Provide specific recommendations on problems or decisions

systems documentation

Provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports

Agree run-to-run totals

Reconcile totals prepared before a computer process has begun to totals prepared at the completion of the computer process. Reconciled manually or by the computer.

specific attention must be paid to

Recruitment; promotion; personnel qualifications; training; backup; performance evaluation; job change; termination. Honesty is key to implementing other control plans.

Which of the following database types has dominance in organizations?

relational

a policy that requires employees to alternate jobs periodically is called

rotation of duties

sequential sampling process

Select an initial sample. Options: conclude the control is operating effectively; conclude the control is not operating effectively; the sample is inconclusive, so examine additional items.

process

Series of actions or operations leading to a particular and usually desirable result. Results could be risk management as described by ERM, effective internal control as proposed by COSO, or a specified output of an operations process for a particular market or customer.

process

set of procedures and practices also thought of as controls

domain

set of processes

Principle 1: Meeting Stakeholder Needs.

Since enterprises exist to create value for their stakeholders, it makes sense that the key objective of governance and management should be value creation. In turn, value creation has 3 objectives or components: benefits realization, risk optimization, and resource optimization.

intelligent agents can be embedded in

Software to perform tasks for you or help you more effectively complete certain tasks

Approaches to sampling

Statistical sampling and nonstatistical sampling. Both statistical sampling and nonstatistical sampling are appropriate under GAAS.

preventive control plans

Stop problems from occurring. Example: programmed edits, such as validation of the customer name and address.

relational database model

Stores information in the form of logically related two-dimensional tables. A more flexible model: each individual fact or type of information (i.e., entity) is stored in its own table, allowing users to query the tables to obtain information from one or more tables in a very flexible way.

Elements of Relational Databases

Tables, queries, forms, reports

monitoring

The entirety of ERM is monitored, and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. Should not be considered a final activity.

variables sampling decisions

Upper limit on misstatements <= tolerable misstatement: account balance is not misstated. Upper limit on misstatements > tolerable misstatement: account balance is misstated.

turnaround documents

Used to capture and input a subsequent event: picking tickets, inventory count sheets, remittance advice stubs, etc.

A data model depicts the requirements for data as specified by the:

user

applying the framework

• Let's walk through the controls on the matrix and flowchart
• P-1: Document design
  - Source document designed to make it easier to prepare the document and to input data from the document into a computer or other input device.
• P-2: Written approvals
  - Signature or initials to indicate someone authorized the event. Ensures data input arises from a valid business event and appropriate authorizations have been obtained.
  - Electronic approvals: route events using a computer system's workflow facility to persons authorized to approve.
• P-3: Preformatted screens
  - Defines the acceptable format of each data field. Includes drop-down data lists, automatic cursor move to the next field, mandatory inputs, and auto-population of certain fields.
  - System may automatically populate fields with data (current date, sales tax, etc.).
• P-4: Online prompting
  - Requests user input or asks questions the user must answer. Includes context-sensitive help.
  - In a sense, advising you to check your work.
• P-5: Populate input screens with master data
  - Clerk enters the identification code for an entity and the system retrieves data about that entity from the master data.
  - Reduces the number of keystrokes.
• P-6: Compare input data with master data
  - Performed manually or by the computer to determine the accuracy and validity of input data.
  - Three comparisons made:
    • Input/master data match: test that the correct ID code has been manually entered.
    • Input/master data dependency check: test a logical relationship.
    • Input/master data validity and accuracy check: test whether master data supports the validity and accuracy of the input.
• P-7: Procedures for rejected inputs
  - Ensures that erroneous data are corrected and resubmitted for processing.
  - Suspense file of rejected inputs.
• P-8: Programmed edit checks
  - Automatically performed by data entry programs upon entry of data to highlight actual or potential input errors and allow them to be corrected quickly and efficiently.
  - Erroneous data highlighted for corrective action.
  - Most common are:
    • Limit checks: test whether the contents of the data entered fall within predetermined limits.
    • Reasonableness checks: compare entered data with a calculated amount to discover inputs that may be incorrect. Does the customer really want to order this amount?
    • Document/record hash totals: summarization of any numeric data field within the input document or record. Calculated before and then again after entry of the document or record; the total is used to determine that the applicable fields were entered accurately. The total usually serves no function other than control.
    • Mathematical accuracy checks: compare calculations performed manually to those performed by the computer to determine whether a document has been entered correctly. If they don't agree, something was likely entered erroneously.
• P-10: Automated data entry
  - Capture and entry of event-related data using items like OCR, bar codes, RFID, and EDI.
  - May also confirm validity of input (i.e., RFID).
• P-11: Enter data close to the originating source
  - Strategy for the capture and entry of event-related data close to the place and time that an event occurs.
  - Databases more current, no lag.
  - Lowers the risk of error in data entry.
• P-12: Digital signatures
  - Validates sender identity and electronic message integrity.
  - Uses data encryption and public key cryptography.
• PCAOB AU 5 asserts that auditors must consider the impact that entity-level controls (i.e., control environment, pervasive, general, and IT controls) have on business process controls and application controls.

Implications of Computer Fraud and Abuse

• Computer crime: includes crime in which the computer is the target of the crime or the means used to commit the crime.
• Two basic categories of computer crime: tool and target.
• Malware: short for malicious software; software designed specifically to damage or disrupt a computer system.
• Computer virus: program code that can attach itself to other programs, thereby "infecting" those programs and macros.
• Real issue with computer fraud and abuse: it characterizes a poorly controlled process.

The COBIT 4.1 Framework

• Control Objectives for Information and Related Technology (COBIT)
• Widely adopted framework for IT governance and control
• Provides guidance on the best practices for the management of information technology
• Supports IT governance by providing a framework that ensures:
  - IT is aligned with the business
  - IT enables the business and maximizes benefits
  - IT resources are used responsibly
  - IT risks are managed appropriately

Steps in Sampling: Evaluating

7. Evaluate sample results. In statistical sampling, evaluating sample results controls exposure to sampling risk. Parameters: sample estimate, precision, reliability.

Programming Errors

Software errors resulting from bad code in some program involved in producing the erroneous result. There are two types: logic errors (where conditions or variables are not correctly described) and syntax errors (where a variable is misspelled or a function is used incorrectly). For instance, instead of reducing inventory for each order, the inventory balances were increased.

doc design

Effectiveness goal A and efficient employment of resources: a well-designed document can be completed more quickly (effectiveness goal A) and can be prepared and entered into the computer with less effort (efficiency). Input accuracy: we tend to fill in a well-designed document completely and legibly; if a document is legible, data entry errors will occur less frequently.

Compare input data with master data

Effectiveness goal A and efficient employment of resources: events can be processed on a timelier basis and at a lower cost if errors are detected and prevented from entering the system in the first place (making sure the two match). Input validity: the edits identify erroneous or suspect data and reduce the possibility of the input of invalid events. Input accuracy: the edits identify erroneous or suspect data and reduce input errors. Completeness: per the control matrix.

risk of underreliance

(Risk of assessing control risk too high.) Also referred to as Type I error, or false rejection.

ERM Framework

1. Internal Environment 2. Objective Setting 3. Event Identification 4. Risk Assessment 5. Risk Response 6. Control Activities 7. Information and Communication 8. Monitoring

COBIT groups IT control processes into 4 broad domains

1. Plan and Organize 2. Acquire and Implement 3. Deliver and Support 4. Monitor and Evaluate (provides feedback to the other 3 domains)

Schema

A complete description of the configuration of record types, data items, and the relationships between them

Sequential (serial) coding

Assigns numbers to objects in chronological sequence. Provides limited flexibility and tells nothing about the object's attributes. Limitations with adding and deleting exist.

Suprina control matrix

Note: four elements of the control matrix: (a) control goals, (b) recommended control plans, (c) cell entries, (d) explanation of cell entries

residual risk

The risk that remains after a risk response (avoid, reduce, share, accept) is chosen

sample control plan for data input

This discussion describes generic controls. Knowing these controls will help you identify present and missing controls. The data entry step is usually inefficient and susceptible to errors. As we discuss these controls, keep in mind that the following improvements can help address inefficiencies and errors: data entry automated; purchasing initiated by the buying organization and transmitted to the selling organization via the Internet or electronic data interchange (EDI); in an ERP system, multiple steps may be integrated.

organizational governance

a process by which organizations select objectives, establish processes to achieve objectives, and monitor performance

COBIT 5's domains and governance processes

COBIT 5 differs from 4.1 in how they specify their domains and processes. COBIT 4.1 has 4 domains and 34 high-level processes; COBIT 5 has 5 domains and 37 high-level processes. 4.1's domains are Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate. 5's domains are Evaluate, Deliver, and Monitor; Align, Plan, and Organize; Build, Acquire, and Implement; Deliver, Service, and Support; and Monitor, Evaluate, and Assess.

ISACA is in the process of releasing a new COBIT framework

COBIT 5, at the publication time of this edition. It is not merely an update of COBIT 4.1 but instead takes us in a radically new direction, according to ISACA. Switch to COBIT 5 or merge 4.1 and 5.

IT steering committee

Coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan. Guides the IT organization in establishing and meeting user information requirements and in ensuring the effective and efficient use of its resources. This committee and the CIO are the main authorizing bodies within the IT department. It comes up with the plan for IT systems, tells people in the company what tasks need to be done, ranks them by importance, looks at the budget, and chooses which projects to do. Important because it puts priorities in place.

alternative names for contingency planning include

Disaster recovery planning; business interruption planning; business continuity planning

ESs can automate portions of the decision making act

They can function independently and actually make the decision, or they can assist the decision maker and recommend a course of action. The goal of ESs is not to replace people. These systems make it possible for valuable expertise to be available in multiple locations.

Acquire and Implement Domain

Processes designed to identify, develop or acquire, and implement IT solutions. Failure to successfully implement these processes can lead to significant risks throughout the organization. Systems development life cycle (SDLC): covers the progression of information systems through the systems development process, from birth, through implementation, to ongoing use and modification.

If attribute A determines a single value for attribute B at any time, we say that attribute B is ____.

functionally dependent on attribute A

monitoring

In an internal control system, means assessment by management to determine whether the control plans in place are continuing to function appropriately over time. Further involves making sure that any control weaknesses are communicated to responsible parties on a timely basis and that responsible parties take appropriate action. Typically underused by organizations. Ineffective monitoring can result in a failure of the control system itself or, less severely, in a failure to implement control plans to correct identified problems.

updating master data

Information processing activity whose function is to incorporate new data into existing master data. Two types of updates can be made to master data: information processing (analogous to the posting step in a manual bookkeeping cycle) and data maintenance. Our analysis of the internal controls related to data updates is restricted to data updates from information processing.

organizational design

Involves the creation of roles, processes, and formal reporting relationships in an organization. One aspect of organizational design includes establishing departmental relationships, including the degree of centralization in the organization. Another aspect involves personnel reporting structures such as chain of command and approval levels. Examples: upper management of a company reporting to the board of directors; separation of operating units (sales and production) from accounting units. Organizational design is a key component of a company's internal control structure.

cobit 5

Is a new departure in the corporate governance of information technology. The most significant change is restructuring and reorganizing the framework from an IT process model into an IT governance model with a set of governance practices for IT, a management system for the continuous improvement of IT activities, and a process model with baseline practices. Thus, COBIT 5 is, for one thing, more inclusive than 4.1. COBIT 5 moved from IT governance as its overall objective to governance of enterprise IT (GEIT), shifting the center of attention from IT to governance. More strategic or big-picture oriented than 4.1; holistic approach. This is a complete, comprehensive approach that an enterprise tailors to its own specific needs, putting IT control within the larger context of enterprise-wide governance and management. More flexible and adaptable; more principles-based and less procedures-based.

internal control

Is a process -- effected by an entity's board of directors, management, and other personnel -- designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness (degree to which an objective is accomplished) and efficiency (the ability to accomplish an objective with minimal waste of resources) of operations; reliability of financial reporting; compliance with applicable laws and regulations.

Business Continuity Planning

Is a process by which a business identifies its critical processes, or those areas of its business that must occur without failure lest the business also fail. Such planning defines specific lengths of time for acceptable outages, responsible parties, contact information, and partners that have assumed the risk of supporting emergency continuity services. Also called disaster recovery planning, contingency planning, and business interruption planning.

Variables sampling

Is used to estimate the amount (or value) of a population: find the difference between the true value and the recorded value and determine whether it is material. Substantive procedures (used for substantive tests of details): estimate the account balance or misstatement; compare the estimated account balance or misstatement to the recorded balance or tolerable misstatement. Approaches (use one of two): Monetary unit sampling (MUS) (uses a variation of attribute sampling principles applied to a monetary population, using a theoretical statistical framework very similar to our previous module but applying it to a monetary population); Classical variables sampling (uses more traditional statistical techniques to calculate an estimate of the population).

orgs that must ensure continuous ops may

Maintain and operate two or more sites that separately contain identical equipment and identical copies of all programs, data, and documentation. Should the primary facility become unavailable, one of the secondary sites takes over, sometimes automatically and without noticeable delay. In these situations, data must be replicated in real time on both systems. This data replication strategy is called continuous data protection (CDP).

Establishing a viable internal control system is primarily the responsibility of:

management

control plans

Reflect information-processing policies and procedures that assist in accomplishing control goals • Starts with the control environment • Pervasive control plans - They relate to a multitude of goals and processes; they are broad in scope and apply equally to all business processes. • General controls (also known as IT general controls) - Are applied to all IT service activities. Doc control plans: two flavors, doc code and new code; reading the proc book.

pervasive control plans

relate to a multitude of goals and processes. Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate. they are broad in scope and apply equally to all business processes; hence, they pervade all systems

completeness

reliability of reporting

controls implemented to respond to risks must be

reviewed to determine that the activities have been performed and to determine whether additional actions must be taken to respond to the risk

residual risk

risk that remains after one of these responses is chosen.

Events that could have a negative impact on organizational objectives:

risks

seg of duties

Separating: authorizing events, executing events, recording events, and safeguarding resources resulting from consummating events. No employee is in a position both to perpetrate and to conceal frauds, errors, or other kinds of system failures. Applies not only to classic accounting transactions, such as a cash disbursement or credit sale, but also to other events and activities, such as planning a company dinner or implementing a new general ledger system.

four categories of management objectives

Strategic: high-level goals aligned with and supporting its mission; Operations: effective and efficient use of its resources; Reporting: reliability of reporting; Compliance: compliance with applicable laws and regulations.

program change controls take on an even higher level of significance with enterprise systems

The challenges are the result of the interdependence of the business processes and the complexity of these processes and their connections. Should unauthorized or untested changes be made to such systems, the results could be disastrous. Example: assume that a change is made to the inventory module of an ERP system without testing to see the impact that change will have on the sales module used to enter customer orders. Because these two modules work together, and orders from customers for inventory cannot be processed without the inventory module, changes to either module must be carefully planned and executed.

Populate input screens with master data

The clerk enters the identification code for an entity, such as a customer, and the system retrieves data about that entity from the master data. Example: entering a customer order. The user might be prompted to enter a customer ID code; then, by accessing the customer master data, the system automatically provides data such as the customer name and address, the salesperson's name, and the sales terms. This reduces the number of keystrokes required, making data entry quicker and more efficient. Fewer keystrokes = fewer mistakes. To enable this control, numeric, alphabetic, and other designators are usually assigned to entities such as customers, vendors, and employees.

data mining

The exploration, aggregation, and analysis of large quantities of varied data from across the organization, used to better understand an organization's business processes, trends within these processes, and potential opportunities to improve the effectiveness and efficiency of the organization. Requires training and expertise: with large amounts of data, you could identify relationships between factors that appear relevant but in fact are not (spurious correlations).

COBIT 4.1 (Control Objectives for Information and Related Technology)

The framework that has been widely adopted for IT governance and IT controls. Developed by the IT Governance Institute to provide guidance to managers, users, and auditors on the best practices for the management of information technology. IT resources must be managed by IT control processes to ensure that an organization has the information it needs to achieve its objectives. Organizes control processes.

some auditors differentiate between

the point in a system where a control is "established" and the later point where it is "exercised"

data warehousing

The use of information systems facilities to focus on the collection, organization, integration, and long-term storage of entity-wide data. Purpose is to provide users with easy access to large quantities of varied data from across the organization for the sole purpose of improving decision-making capabilities. Copying data periodically from one database to another and analyzing it to gain insight.

Principle 3: Applying a Single, Integrated Framework

There are numerous IT standards, best practices, and guidance procedures available to enterprises. COBIT 5 can align with any of these at a high level and thereby provide an enterprise with a single, integrated, overarching framework for IT governance and management. This overall framework is context- and principles-based, allowing for flexibility and dealing with open-ended situations.

because control is an ongoing process,

there are periodic iterations of the steps. There could be fraud, so periodic reviews are conducted to determine the effectiveness of fraud prevention programs.

of the following options, a database that is in _____ form has the best design

third normal (3NF)

purpose of IC

to provide reasonable assurance that objectives are achieved and that risk responses are carried out

DSS and EIS managers

Typically work alone and make decisions.

attributes sampling decision

ULRD <= TRD: rely on controls as planned; ULRD > TRD: reduce planned reliance on controls.

what goals are aimed at minimizing processing errors

update completeness and accuracy

no separate goal for

update validity. There would be invalid updates only if the input completeness or update completeness control goals are not met (i.e., inputs or updates are to be processed once and only once).

in a manual-based system, the goals of ensure update completeness and ensure update accuracy relate to

updating various ledgers (e.g., the accounts receivable subsidiary ledger) for data items entered into the books of original entry (sales and cash receipts journals)

if you want to assess the design of a system of IC

Use the matrix to ask the question "Can these processes/controls provide reasonable assurance that the objectives are achieved?" An organization should have at least one process for each objective; otherwise, the organization may achieve its objectives, but the odds are not very good. The assessment concludes with recommendations for changes to the processes and controls that might be necessary. Make changes carefully and take into account costs and benefits.

important data elements

Usually all financial data elements, such as numbers that enter into a calculation (e.g., amount ordered, selling price, discount, and net sales amount); crucial reference numbers, such as those for inventory items, customer numbers, and general ledger coding (accurate reference numbers are crucial to the proper classification of items in the financial statements); and dates, so we can determine that events are recorded in the proper time period.

monitoring control plans differ from normal control plans in that they

Verify the operation of the normal control plans. A normal control plan only serves to detect and correct errors; monitoring control plans lead to the identification of the root cause of the error and ideally the implementation of normal control plans to prevent future errors. Example of monitoring: creating a periodic exception report listing all employees who have not taken vacations within a specified time frame and ensuring that the report was reviewed and acted upon by management. Example: writing and distributing the code of conduct outlining appropriate employee behavior is a normal control plan; a monitoring control plan would involve periodically collecting and reviewing letters signed by the employees that they have read, understand, and will follow the code of conduct.

computer agreement of batch totals

works in the following manner: 1. First, one or more of the batch totals are established manually. 2. The manually prepared total is entered into the computer and written to the computer batch control totals data. 3. As individual source documents are entered, the computer program accumulates independent batch totals and compares them to the ones prepared manually and entered at the start of processing. 4. The computer prepares a report, which usually contains details of each batch, together with an indication of whether the totals agreed or disagreed. - Batches that do not balance are rejected, and discrepancies are manually investigated.

Fraud and Its Relationship to Control

• Accounting Profession Proactive in Dealing with Fraud • SAS No. 99 (Consideration of Fraud in a Financial Statement Audit) - Emphasizes brainstorming fraud risks, increasing professional skepticism, using unpredictable audit test patterns and detecting management override of internal controls. • SEC - "Management's evaluation of risk of misstatement should include consideration of the vulnerability of the entity to fraudulent activity..." • PCAOB AS5 (An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements) - An auditor's assessment of internal control should take into account the fraud risk assessment

University Housing Controls

• App State Safety & Security Policies: - Residents are issued an Appalachian State University ID card used to gain access to their residence hall. - Residents should not allow non-residents to follow them through the open door when entering/leaving the building. - This practice of "tailgating" compromises the safety of all residents. - Non-residents should contact a resident of the building to escort them while in the residence hall. - Residence hall staff are on duty from 8:00pm - 3:30am to monitor activity in each building. • Break Into Groups and Discuss the Following: - How well do these policies work? - In the context of this chapter, what improvements could be made?

Applying the Control Framework for Data Entry with Batches

• Batch control plans: - Regulate processing by calculating control totals at various points in a processing run and subsequently comparing these totals. - To be effective, batch control plans must ensure that: • All documents are included in the batch. • All batches are submitted for processing. • All differences are investigated and corrected on a timely basis. • All batches are accepted by the computer.

Caveat about the COBIT 4.1 Framework

• COBIT 5 framework has been adopted by ISACA • There are firms that are, and will continue, utilizing the COBIT 4.1 framework • PCAOB suggests finding a suitable framework to comply with SOX Section 404 - No specific framework is required • You may see this or another suitable framework in practice - Unlike accounting standards that do require adherence to changes in standards • I.e., PCAOB AU's and FASB's GAAP

Ethical Considerations and the Control Environment

• Control environment - Reflects the organization's general awareness of and commitment to the importance of control throughout the organization - Primarily the board of directors' and management's awareness • COSO places integrity and ethical values at the heart of the control environment and states that ethical behavior and management integrity are products of the "corporate culture." - Corporate culture determines what actually happens and which rules are obeyed, bent, or ignored • Reward systems can pressure employees to bend the rules to attain unrealistic performance targets • Code of conduct

the control framework

• Control matrix - A tool designed to assist in analyzing the effectiveness of controls in a particular business process by matching control goals with their associated control plans • PCAOB Auditing Standard Number 5 calls this "Effectiveness of Control Design" - Compliance with SOX Section 404 • Provides a means to explain and analyze the controls that have been annotated on a systems flowchart • Caveat for this chapter: - Not learning a specific control plan - Overview of control matrix elements and how they relate to each other • Let's get real about why we're learning about evaluating controls

A framework for Assessing the Design of an Internal Control System

• Control matrix - A tool designed to assist in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans - Analyze objectives and related risk - Establish processes and controls to provide reasonable assurance that objectives will be met • Control goals - Business process objectives that an internal control system is designed to achieve • Control plans - Reflect information-processing policies and procedures that assist in accomplishing control goals

Pervasive Control Plans

• Control plans that relate to a multitude of goals and processes • Provide a climate or set of surrounding conditions in which the various business processes operate - Similar to the control environment • Influence the effectiveness of control plans at lower levels in the control hierarchy • PCAOB AS5 includes them under "entity-level" controls • 4 pervasive controls we'll discuss - Organizational design (focus on segregation of duties) - Corporate policies (focus on personnel policies) - Monitoring controls - IT general controls

PWC 2011 Global Economic Crime Survey

• Cybercrimes - Crimes involving computers and the Internet - Now rank as one of the top four economic crimes worldwide. • Frauds reported within the previous 12 months occurred in 34% of companies in 2011, up from 30% in 2009. • For the first time in 12 years, computerized internal controls were the most effective method for detecting fraud. • Internal audit was the second most effective fraud detection method at 14%, down from 17% in 2009. • Suspicious transaction monitoring led to 18% of fraud detections in 2011, up from 5% in 2009. • Cybercrime represented 23% of all economic crime. • A strong correlation exists between fraud risk management activities and higher chances of fraud detection. • Accounting fraud decreased 37% from 2009 to 2011 but was still the second most reported fraudulent activity at 24%. • Most reported fraud was asset misappropriation at 72%

Control and Audit Implications of Data Warehouses

• DBs are normalized and emphasize data integrity • Data warehouses are primarily meant for decision support, which requires speed to perform data analysis - Data integrity relaxed as a tradeoff for speed • Relevance vs. Reliability • DB approached differently than a data warehouse • Auditor must be attentive to the possibility that bad data is present as a result of weak data integrity • GIGO

control plans for manual and automated entry

• Data entry program presents the clerk with a preformatted screen that prompts entry of certain data • In the following slide, the left-hand side presents manual entry and the right-hand is automated entry • The flowchart stops without depicting the update of master data - In this example we're focusing on input controls

Acquire and Implement Domain: IT Process 4 Develop and Acquire IT Solutions

• Develop or acquire application software and technology infrastructure • Application software: - General term used for the software that is used to facilitate the execution of a given business process • Service level requirements: - Include such items as availability, reliability, performance, capacity for growth, disaster recovery, security, minimal system functionality, and service charges • Develop service level requirements and application documentation, which typically includes the following: - Systems and program documentation - Operations run manual and user manual - Training materials

The Segregation of Duties Control Plan A Couple of Questions

• Do you agree with the following comment? - No matter how sophisticated the internal controls, success ultimately requires that a company place trust in a small number of trusted employees • Do you think it is possible for a small company to adequately implement segregation of duties? • Compensatory controls - Alternative controls - Placing greater reliance on management supervision, ownership involvement in the day-to-day operations of the business, and personnel control plans that focus on hiring honest employees

COBIT 5's Seven Enablers

• Enablers - Means to achieve governance objectives • Seven categories of enablers 1. Processes 2. Principles, policies and frameworks 3. Organizational structures 4. People, skills, and competencies 5. Culture, ethics, and behavior 6. Services, infrastructure, and applications 7. Information

Acquire and Implement Domain: IT Process 6 Manage Changes to Existing IT Systems

• Ensures integrity between versions of the systems • Ensures consistency of results • Changes to IT infrastructure must be managed via change request, impact assessment, documentation, authorization, release and distribution policies, and procedures • Weak change controls can allow a programmer to make changes that are improper - Create opportunity for fraud • Program change controls - Provide assurance that all modifications to programs are authorized, and that changes are completed, tested, and properly implemented • These controls take on a higher level of importance with an enterprise system

Monitor and Evaluate Domain: IT Process 10 Monitor and Evaluate the Processes

• Establish a system for defining performance indicators (service levels). • Gather data about processes and generate performance reports. • Measure progress toward identified goals. • Obtain outside confirmation based on independent review. • AICPA and Canadian Institute of Chartered Accountants have developed professional assurance and advisory services based on a common set of Trust Principles

Acquire and Implement Domain: IT Process 9 Provide Support Services

• Identify training needs of all personnel - internal and external - who use the organization's IT services. • Conduct timely training sessions. • Help desks - Provide advice and assistance to users with problems encountered in using IT resources so that they can effectively use those resources.

Organizational Governance Objective Setting

• Includes defining mission, vision, purpose and strategies to establish relationships

Plan and Organize Domain: IT Process 1 Establish Strategic Vision for Information Technology

• Information service (IS) management should establish a process for developing a strategic plan and converting it into short-term goals • IS strategic planning effort must ensure the strategic plan is supported and that IT is optimally deployed • Plan must ensure the organization is prepared to anticipate competitors' actions and take advantage of emerging technology

Common Ground on Working Definition of Internal Control

• Internal control is a process - Process is a series of actions or operations leading to a particular and usually desirable result • It is management's responsibility to establish and maintain internal control system • Strength of internal control system largely dependent on people who operate it • Internal control cannot provide absolute assurance - But can provide reasonable assurance

Organizational Design Control Plans

• Involves the creation of roles, processes, and formal reporting relationships in an organization • Is a key component of a firm's internal control • Without proper structure, greater likelihood of fraud

Using a Matrix to Evaluate Internal Controls

• Key tool for evaluating internal controls • Check marks show which process addresses which objective • At least one process for each objective • Concludes with recommendations for changes to processes and controls - Shown as "-n " process

Acquire and Implement Domain: IT Process 8 Ensure Security and Continuous Service

• Mirror site - Site that maintains copies of the primary site's programs and data. • Electronic vaulting - Service whereby data changes are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party. • Hot site - Fully equipped data center that can accommodate many businesses and made available to subscriber companies for a monthly fee. • Cold site - Facility usually with air-conditioned space, a raised floor, telephone connections, and computer ports into which a subscriber can move equipment. • Denial-of-service attack - A Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities. • Distributed denial-of-service attack - Uses many computers (called zombies) that unwittingly cooperate in a denial-of-service attack by sending messages to the target Web sites.

Monitoring Control Plans

• Monitoring (in an internal control system) - Means management assessment to determine whether control plans are functioning appropriately • Consists of two parts 1. Putting controls in place and periodically following up on the operation of the controls • Set a baseline to compare or test the control 2. Ensuring that proper communications take place • Verifies operation of control plans • Identifies root causes of errors and leads to implementation of control plans that mitigate future errors

IT General Controls and the COBIT 4.1 Framework

• Organizational governance - The processes employed by organizations to select objectives, establish processes to achieve objectives, and monitor performance • IT governance - A process that ensures the enterprise's IT sustains and extends the organization's strategies and objectives

2012 ACFE RttN's - Employees

• Over 75% of the frauds were committed by employees. • Most fraudsters were first-time offenders whose record was previously clean • Top 6 behavioral red flags have been the same since the RttN began tracking them (2008) - Living Beyond Means (45.80%) - Financial Difficulties (30.00%) - Unusually Close Association with Vendor/Customer (20.10%) - Wheeler-Dealer Attitude (15.30%) - Control Issues, Unwillingness to Share Duties (15.30%) - Instability in Life Circumstances (13.40%) • Small businesses disproportionately victimized by fraud

pcaob stuff

• PCAOB Inspection Reports critical of performance of audit firms • PCAOB wants to ensure compliance with auditing standards • Critical nature indicates how serious PCAOB is • The statistics bear this out - In 15% of 2009 engagements inspected, firms failed to gather sufficient audit evidence to support their internal control audit opinions due to one or more deficiencies. - Of those engagements, 10% had two or more deficiencies. - In 13% of the engagements, there was not sufficient evidence to support the financial statement audit opinion. - In 2011, the percent of engagements in which firms failed to gather sufficient evidence to support their internal control audit opinion climbed to 22%.

COBIT 4.1's Four Broad IT Control Process Domains

• Plan and organize • Acquire and implement • Deliver and support • Monitor and evaluate

Personnel Policy Control Plan

• Policy - A plan or process put in place to guide actions and achieve goals • Selection and hiring control plans - Job candidates should be carefully screened, selected and hired • Retention control plans - Companies should provide creative and challenging work opportunities as well as channels for advancement whenever possible • Personnel development control plans - Training must occur regularly and be a top priority - Performance reviews should assess strengths and weaknesses and identify opportunities for promotion, training and personal growth • Personnel management control plans - Personnel planning control plans • Project future staff skills, anticipate turnover and develop strategies for filling positions. - Job description control plans • Lay out position responsibilities and identify necessary resources for performing such responsibilities. - Personnel security control plans • Help prevent employee acts of fraud and theft of assets. • Rotation of duties • Forced vacations • Fidelity bond • Personnel termination control plans - Procedures when an employee leaves an organization - Voluntary and involuntary. Fidelity bond: insurance you are buying; used for anyone who handles cash; required to prosecute the employee.

Acquire and Implement Domain: IT Process 8 Restricting Logical Access to Stored Programs, Data, and Documentation

• Preventing unauthorized disclosure and loss of data has become almost impossible. Employees and others can use iPods, flash drives, cameras, and PDAs, such as iPhones and iPads, to download data and remove it from a company's premises. • Access control software ensures that: 1. Only authorized users gain access to a system, through identification and authentication, 2. Authorized users are restricted to the specific data they require, with action privileges set for that data, and 3. Access attempts and violations are monitored. • The best way to mitigate password risk is additional authentication, such as a biometric identification system (something they are) or a smartcard that must be used along with passwords and user IDs. • Intrusion-detection systems (IDS) - Log and monitor who is on or trying to access a network. • Intrusion-prevention systems (IPS) - Actively block unauthorized traffic using rules specified by an organization. • Library controls - Restrict access to data, programs, and documentation through a combination of people, procedures and computer software • Data encryption - Is a process that employs mathematical algorithms and encryption keys to encode data so that it is unintelligible in its encrypted form. • Public-key cryptography - Employs a pair of matched keys for each system user, one private (i.e., known only to the party who possesses it) and one public. The public key corresponds to but is not the same as the user's private key • Computer hacking and cracking - Is the intentional, unauthorized access to an organization's computer system, accomplished by bypassing the system's access security controls. • Hacker - Is someone who gets a kick out of breaking into a computer system but does not hold malicious intentions to destroy or steal. • Cracker - Is a term used when a hacker's motive is crime, theft, or destruction.

Acquire and Implement Domain: IT Process 3 Identify Automated Solutions

• SDLC must include procedures to: - define information requirements - formulate alternative courses of action - perform feasibility studies and assess risks • Solutions should be consistent with the strategic IT plan and may be developed in house or by third parties.

Types of Malware

• Salami slicing - Instructions inserted in programs to steal very small amounts of money. • Back door - Special code that allows a programmer to bypass a program's security features and can be used to attack the program. • Trojan horse - Module of unauthorized code that performs a damaging, unauthorized act. Often used in phishing emails. • Logic bomb - Code secretly inserted in a program that is designed to execute or explode at a specific date or event. • Worm - Computer virus that replicates itself on disks, in memory and across networks • Zombie - Program that secretly takes over another Internet-attached computer and uses that computer to launch untraceable attacks (ACC 3570 Chapter 7: Controlling Info Systems: Intro to ERM & IC, Malware)

Highlights from Sarbanes-Oxley

• Section 101 - Created PCAOB • Section 201 - Prohibits audit firms from providing a wide array of nonaudit services to audit clients - Prohibits consulting engagements involving the design and implementation of financial information systems • Section 302 - CEO and CFO must certify quarterly and annual financial statements • Section 404 - Mandates the annual filing of an internal control report with the SEC - Section 404 and PCAOB AU 5 require that management: • Evaluate company controls to determine if they adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner • Gather and evaluate evidence about the operation of its controls • Present a written assessment of internal control effectiveness • Company's independent auditor must test and report on the effectiveness of the system of internal controls (using narratives, DFD diagrams, and systems flowcharts) • Section 802 - Makes it a felony to knowingly destroy, alter, or create records or documents with the intent to impede, obstruct, or influence an ongoing or completed federal investigation • Section 906 - Up to 20 year sentence and up to $5 million penalty for a CEO and/or CFO who knowingly and willingly falsely certifies annual or quarterly reports • Section 1102 - Provides for fines and imprisonment of up to 20 years for anyone who knowingly destroys, alters, or creates records or documents with the intent to impede, obstruct, or influence an ongoing or completed federal investigation • Pros and cons of SOX

The Segregation of Duties Control Plan

• Segregation of duties - Separates the four basic functions of event processing: authorizing events, executing events, recording events, and safeguarding the resources resulting from consummating events • Ideally, a different department carries out each of these • Fraud then requires collusion between departments • No single employee should be in a position to both perpetrate and conceal fraud, errors, or other system failures • Applies beyond the classic accounting cycles - for example, to a company event such as an open house
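One way to turn the four-function rule into a check that can be run over an access listing, as an added example that is not part of the original notes. The roles, users, and process names below are constructed; a real review would pull them from the IAM system's role and user export.

```python
"""Segregation-of-duties conflict check over a role-based access assignment.
Added example, not from the original notes; the roles, users and process
names are constructed to illustrate the four incompatible functions."""

# The four basic functions of event processing that should be separated.
AUTHORIZE, EXECUTE, RECORD, CUSTODY = "authorize", "execute", "record", "custody"
INCOMPATIBLE = {AUTHORIZE, EXECUTE, RECORD, CUSTODY}

# Constructed role definitions: role -> set of (process, function) duties.
ROLES = {
    "credit_manager":   {("sales", AUTHORIZE)},
    "shipping_clerk":   {("sales", EXECUTE)},
    "warehouse_clerk":  {("sales", CUSTODY)},
    "billing_clerk":    {("sales", RECORD)},
    "purchasing_agent": {("purchasing", AUTHORIZE), ("purchasing", EXECUTE)},
    "ap_clerk":         {("purchasing", RECORD)},
    "cashier":          {("cash_disbursements", CUSTODY)},
}

# Constructed user assignments, as an IAM export would list them.
USERS = {
    "alice": {"credit_manager"},
    "bob":   {"shipping_clerk", "billing_clerk"},   # executes and records sales
    "carol": {"ap_clerk", "cashier"},               # different processes: no conflict here
    "dave":  {"purchasing_agent", "ap_clerk"},      # authorizes, executes and records purchases
}


def effective_duties(user, users=USERS, roles=ROLES):
    """Flatten a user's roles into the (process, function) pairs they hold."""
    duties = set()
    for role in users[user]:
        duties |= roles[role]
    return duties


def functions_by_process(duties):
    """Group a set of (process, function) pairs by process."""
    grouped = {}
    for process, function in duties:
        grouped.setdefault(process, set()).add(function)
    return grouped


def roles_with_builtin_conflicts(roles=ROLES):
    """A single role that bundles two or more incompatible functions in one
    process is a conflict no user assignment can fix; the role itself must change."""
    return sorted(
        role for role, duties in roles.items()
        if any(len(f & INCOMPATIBLE) >= 2 for f in functions_by_process(duties).values())
    )


def sod_conflicts(users=USERS, roles=ROLES):
    """Return {user: {process: sorted functions}} for every user who holds two
    or more of the four incompatible functions within the same process."""
    findings = {}
    for user in users:
        grouped = functions_by_process(effective_duties(user, users, roles))
        conflicts = {p: sorted(f) for p, f in grouped.items() if len(f & INCOMPATIBLE) >= 2}
        if conflicts:
            findings[user] = conflicts
    return findings


if __name__ == "__main__":
    print("roles that conflict by themselves:", roles_with_builtin_conflicts())
    for user, conflicts in sod_conflicts().items():
        for process, functions in conflicts.items():
            print(f"{user}: {process} -> {', '.join(functions)}")
```

The check is per process on purpose: holding custody of cash and recording purchases (carol) is not one of the four-function conflicts, while executing and recording sales (bob) is, which matches the point that no single employee should both perpetrate and conceal.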

batch control totals

• Several types of batch control totals can be calculated (record counts, financial or quantity totals, and hash totals) • Some are better than others at addressing the information control goals of input validity, input completeness, and input accuracy

Intelligent Agents

• Software program that may be integrated into DSS or other software tools (such as word processing, spreadsheet, or database packages) • Once set in motion, intelligent agents (sometimes called "bots," short for "robots") continue to perform their tasks without further direction from the user. • Used in EIS for collecting specific information from the Internet

Monitor and Evaluate Domain: IT Process 10 Main Concerns with Cloud Computing

• Support and control of cloud computing services are largely in the hands of third-party cloud service providers. • There is typically no 24/7 support; a one-hour response time is common. • Much cloud communication occurs over the Internet, which carries security risks unless a secure network connection or encrypted link is used. • Cloud users commonly use browsers with known security vulnerabilities. • Cloud service providers' employees might have loosely controlled access to sensitive data stored on their servers. • Cloud services have been known to go down for up to an hour, and some start-up cloud vendors have failed.

Control Plans for Data Entry with Batches

• System description and flowchart - In this example, the clerk assembles the picking tickets into groups of 25 and calculates batch totals - Periodically, the shipment data are sent to the computer for processing by the shipping program - Distinguishing control-related features: it processes event data in batches, uses batch totals as a major control, and produces an exception and summary report - Exception and summary report • A report that reflects the events, in detail, in summary, or both, that were accepted or rejected by the system - Some data could still be rejected at the update stage, where the computer compares the input data with the master data.

Hypothetical Computer System

• The challenge is to protect the system from inside and outside threats - intentional or unintentional misuse • The system must support organizational objectives • It must provide an environment in which business process control plans can be effective

Plan and Organize Domain: IT Process 2 Develop Tactics to Plan, Communicate, and Manage Realization of the Strategic Vision

• The entire IT organization acts in a service capacity to the rest of the organization • Ensures adequate funding for IT • Project management framework - Projects are undertaken in order of importance • Must not overlook IT hiring practices, even when labor is scarce - A disgruntled or incompetent employee can do a lot of damage in a short period of time (the Midwest nonprofit IT manager case) • IT departments must employ organizational design principles, including reporting lines and segregation of duties.

COSO Report on Fraudulent Financial Reporting from 1998 to 2007

• There were 347 cases of public company fraudulent financial reporting investigated by the SEC from 1998 to 2007, compared with 294 cases from 1987 to 1997 • A total of $120 billion was misstated or misappropriated across 300 cases. - The mean was almost $400 million per case versus $25 million in COSO's earlier study • Median assets and revenues were almost $100 million, compared with under $16 million in the 1999 report • Stock prices of an accused company declined an average of 16.7% within the first two days of the news release. • Subsequent news of an investigation resulted in an average 7.3% stock price decline. • Companies engaged in fraudulent activities frequently went bankrupt, were delisted from the stock exchange, or were required to sell their assets. • Of the fraud companies, 26% switched auditors between the last pre-fraud financial statements and the fraudulent financial statements; only 12% of non-fraud companies changed auditors during that same time • The most common fraud schemes were improper revenue recognition, followed by overstatement of assets or capitalization of expenses. • CEOs and CFOs were involved in 89% of the cases, up from 83% in 1987-1997. Over 60% of those indicted were convicted.

Deliver and Support Domain: IT Process 7 Deliver Required IT Services

• This process includes activities related to the delivery of the IT services that were planned in the Plan and Organize domain and developed and implemented in the Acquire and Implement domain

ERM Framework

(4 Categories of Management Objectives) 1. Strategic • High-level goals aligned with and supporting its mission 2. Operations • Effective and efficient use of its resources 3. Reporting • Reliability of reporting 4. Compliance • Compliance with applicable laws and regulations

Nonstatistical Sampling: Determining Sample Size

(recorded bal of pop/tolerable misstatement) x confidence factor

Three Fraud Studies

- 2012 ACFE Report to the Nations - COSO Report on Fraudulent Financial Reporting from 1998 to 2007 - PwC 2011 Global Economic Crime Survey • All three studies indicate that fraud controls are necessary but must be backed by a strong ethical culture, a broad risk management program, the right "tone at the top" and zero tolerance for any fraud, regardless of the perpetrator

fraud

- A deliberate act or untruth intended to obtain unfair or unlawful gain - Always entails manipulating information for criminal purposes - Laws imply that management has a legal responsibility to prevent fraud (example: the Foreign Corrupt Practices Act)

• Entity-relationship model

- A diagram of the relational model

tables

- A place to store data - The most important step in creating a useful database is proper table design. - Each table stores data about one specific thing or entity. - Each table column stores one specific attribute of the type of thing stored in the table. - Primary key • Each row in a table must be unique and include a unique identifier that serves as an address for the row - Composite primary key • A primary key formed by combining two or more columns in a table

Control goals of information processes

- Ensure input validity, completeness, and accuracy - Ensure update completeness and accuracy

Users access data in tables by:

- Formulating a query, - Preparing a report or - Including a request for data within an application program

• Four types of DBMS we'll discuss

- Hierarchical - Network - Relational - Object-Oriented

Control plans for physical protection of IT assets

- Organization must install and regularly review suitable environmental and physical controls. - With newer hardware, malfunctions are rare - Regular preventative maintenance (periodic cleaning, testing and adjusting of computer equipment) should be done to ensure the equipment's continued efficient and correct operation.

• E-R diagram (entity-relationship diagram)

- Reflects the system's key entities and the relationships among those entities. - The E-R diagram represents the data model • Rectangles = entities • Connecting lines = relationships • Diamonds = characteristics of relationships

points of general agreement of internal control

- Internal control is a process for accomplishing objectives - Establishing and maintaining a viable internal control system is management's responsibility - Ultimate ownership of the system should rest with the CEO; only if the primary responsibility for the system resides at the top can control effectively permeate the entire organization - The strength of any internal control system is largely a function of the people who operate it. No matter how sound the control processes may be, they will fail unless the personnel who apply them are competent and honest. Because internal control is so people-dependent, we explore ethics; ethics must be a central concern when designing an effective internal control system. - Partly because it depends on people to operate it, and partly because it comes only at some cost to the organization, internal control cannot be expected to provide absolute, 100% assurance that the organization will reach its objectives. Rather, the operative phrase is that it should provide reasonable assurance to that effect.

populate input screens w master data

- Effectiveness goal A, efficient employment of resources: automatic population of inputs from the master data results in fewer keystrokes, which should improve the speed and productivity of the data entry personnel - Input validity: the code entered by the user calls up data from existing records (a customer record, a sales order record), and those data establish authorization for the input event. For example, without a customer record, a customer order cannot be entered. - Input accuracy: fewer keystrokes and the use of data called up from existing records reduce the possibility of input errors - Also supports efficiency and input completeness and accuracy. Compare address syncing in QuickBooks for top customers.

turnaround docs

- Effectiveness goal A, efficient employment of resources: by scanning the picking ticket, we reduce the amount of data that must be input to record the shipment and improve the speed (effectiveness) and productivity of the data entry personnel (efficiency) - Input validity: the turnaround documents were printed in a different functional area. This separates event authorization (as reflected by the picking ticket) from execution of the shipment (as represented by the packing slip). - Input accuracy: using a prerecorded bar code to trigger the event reduces the possibility of input errors

preformatted screens

- Effectiveness goal A, efficient employment of resources: by structuring the data entry process, automatically populating fields, and preventing errors, preformatted screens simplify data input and save time (effectiveness goal A), allowing a user to input more data over a period of time (efficiency) - Input accuracy: as each field is completed on a preformatted screen, the cursor moves to the next field on the screen, thus preventing the user from omitting any required data. The data for fields that are automatically populated need not be manually entered, thus reducing input errors. Incorrectly formatted fields are rejected. - Like document design, but for screens: lets you be efficient doing order entries.

Manually reconcile batch totals

Input validity, input completeness, input accuracy: agreement of the batch totals at this point ensures that only valid source documents comprising the original batch have been input (input validity), that all the source documents were input once and only once (input completeness), and that the data elements appearing on the source documents have been input correctly (input accuracy).

COSO's Five Interrelated Components of Internal Control

1. Control environment - Sets the tone at the top and influences the control consciousness of the organization's people. It is the foundation for all other components of internal control, providing discipline and structure 2. Risk assessment - Identification and analysis of risks. 3. Control activities - Policies and procedures to ensure directives are carried out. 4. Information & communication - Processing information in a form and time frame that enable people to do their jobs. 5. Monitoring - Process that assesses the quality of internal control over time.

Top IT Security Concerns

1. Data breaches 2. Cybercrimes, including cyber attacks 3. Workforce mobility 4. Outsourcing 5. Cloud computing 6. Mobile devices, including laptops and cell phones 7. P2P (peer-to-peer) file sharing 8. Web 2.0, for example, blogs and social networking sites.

Steps in Sampling: Planning

1. Determine the objective of sampling 2. Define the characteristic of interest 3. Define the population

Steps in Preparing a Control Matrix Step 1. Specify Control Goals

1. Identify operations process control goals: a. Effectiveness goals • Developed during risk management • Describe measures of success for the operations process • Examples: provide timely acknowledgement of customer orders; provide assurance of customer creditworthiness b. Efficiency goals • Relate to ensuring that resources used in the business process (people and computers) are employed in the most productive manner c. Security goals • Relate to protecting entity resources from loss, destruction, disclosure, copying, sale, or other misuse. Cash, inventory, and information (customer data) must be secured. • Security over hard assets is handled through pervasive, general, and IT controls 2. Identify information process control goals: a. Input goals • Relate to ensuring input validity (IV), completeness (IC), and accuracy (IA) with respect to all business process data entering the system b. Update goals • Ensure update completeness (UC) and accuracy (UA) when there is a periodic process, i.e., a delay between input and update.

• Four levels of expertise can be applied to decisions

1. Managers make decisions without assistance, based on their expertise 2. Decisions are assisted by problem-solving aids such as checklists and manuals 3. The checklists or manuals are automated 4. The system itself replaces the decision maker (expert systems)

COBIT 5's Five GEIT Principles

1. Meeting Stakeholder Needs 2. Covering the Enterprise End-to-End 3. Applying a Single, Integrated Framework 4. Enabling a Holistic Approach - 7 enablers on next slide 5. Separating Governance from Management

Three classifications of control plans

1. Preventive control plans • Stop problems from occurring 2. Detective control plans • Discover that problems have occurred. 3. Corrective control plans • Rectify problems that have occurred.

2 parts of monitoring

1. Putting controls in place to periodically follow up on the operation of control plans. The processes include determining a baseline to know when a control is operating effectively, identifying whether there is a change in a process or in a control plan itself, and periodically testing that a control is operating. 2. Ensuring that appropriate communications are taking place. A control weakness should be reported to the person responsible for the control's operation and to at least one person at a higher level. (In the case discussed, no monitoring was in place to make sure that personnel above the direct supervisor were aware of the violation of the forced-vacation control plan.)

continuity between cobit 4.1 and 5's frameworks

COBIT 5 is an integration of COBIT 4.1 with two other widely used ISACA IT frameworks: Val IT and Risk IT. Val IT deals with how businesses can create value from their IT investments; Risk IT addresses the risks involved in IT use. ISACA stresses that COBIT 5 is not just evolution but also revolution.

Identify Entities

A "thing" that is an important element in a business process can be modeled as an entity - If there is only one instance of a "thing", it is not modeled as an entity • REA (Resources-Events-Agents) approach - Popular data modeling approach. - Entities and relationships are determined through systems analysis. - Common accounting entities include: • Resources - Assets the company owns. • Events - Occurrences related to resources. • Agents - People or organizations that participate in events.

document design

A control plan in which a source document is designed to make it easier to prepare the document initially and later to input data from the document into a computer or other input device. Fields for orders appear in the logical order for data entry (e.g., tabbing through an order invoice). On the control matrix this goes to efficient employment of resources. Example: the organization has properly designed this document to facilitate the data preparation and entry processes.

• Primary key

A value that uniquely identifies a specific row in a table. - Typically stored in the table's first column. - A candidate attribute (a column or collection of columns) is the table's primary key if: • All attributes in the table are functionally dependent on the candidate attribute • No proper subset of the candidate attribute's columns, taken together, has the first property (the key is minimal)

goal of input completeness is concerned w the

ACTUAL NUMBER of events or objects to be processed

• Executive information systems (EIS)

Also called executive support systems (ESS) - Combine information from the organization and the environment, organize and analyze the information, and present the information to the manager in a form that assists in decision making - Most have highly interactive graphical user interfaces (GUIs) - Mainly about collecting and presenting information to executives and less about doing processing and calculations

• Group support systems (GSS)

Also known as Group Decision Support Systems (GDSS) - Computer-based systems that support collaborative intellectual work such as idea generation, elaboration, analysis, synthesis, information sharing, and decision making - Supports brainstorming • A method for freely and creatively generating as many ideas as possible without undue regard for their practicality or realism - Creates a virtual meeting for a group - Members contribute as necessary to achieve group objectives

Off-Site Storage

Alternate facility, other than the primary production site, where duplicated vital records and documentation may be stored for use during disaster recovery. Not necessarily computer storage: storage somewhere else in case something happens to the originals.

sequence checks

Applied to sequentially numbered and prenumbered documents to determine that all documents have been processed (completeness) and that no extra documents have been processed (completeness, validity). Two kinds: the batch sequence check (checks the numbers within one batch against the batch's range) and the cumulative sequence check (tracks the numbers processed across batches over time).
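The batch control totals and the two sequence checks described above, as one added example that is not from the original notes. It computes a record count, a hash total over the customer number, and a quantity total for a constructed batch of picking tickets, reconciles them against the clerk's totals, and then runs a batch sequence check and a cumulative sequence check over the document numbers. The ticket data, field names, and keying errors are constructed; the goal each total maps to follows the notes.

```python
"""Batch control totals and sequence checks over a constructed batch of
picking tickets. Added example; the ticket data, field names and the
clerk's totals below are all made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PickingTicket:
    doc_no: int        # prenumbered document number
    customer_no: int   # key field used for the hash total
    qty_shipped: int   # quantity field used for the quantity total


def batch_totals(tickets):
    """Compute the three common batch control totals for a batch."""
    return {
        "record_count": len(tickets),
        "hash_total": sum(t.customer_no for t in tickets),
        "qty_total": sum(t.qty_shipped for t in tickets),
    }


# Which information-process control goal each total mainly addresses.
GOAL_FOR_TOTAL = {
    "record_count": "input completeness (all documents entered once and only once)",
    "hash_total": "input validity/accuracy (right documents, key fields keyed correctly)",
    "qty_total": "input accuracy (amount fields keyed correctly)",
}


def reconcile_batch(clerk_totals, entered_tickets):
    """Compare the clerk's precomputed totals with totals recomputed from the
    data actually entered. Returns a list of (total_name, expected, actual,
    goal) tuples for every total that does not agree; empty list = batch OK."""
    actual = batch_totals(entered_tickets)
    return [
        (name, clerk_totals[name], actual[name], GOAL_FOR_TOTAL[name])
        for name in ("record_count", "hash_total", "qty_total")
        if clerk_totals[name] != actual[name]
    ]


def batch_sequence_check(entered_tickets, first_no, last_no):
    """Batch sequence check: within the batch's numeric range, report numbers
    never entered (missing), entered more than once (duplicates), and
    numbers outside the range (extra documents)."""
    seen = [t.doc_no for t in entered_tickets]
    expected = set(range(first_no, last_no + 1))
    missing = sorted(expected - set(seen))
    duplicates = sorted({n for n in seen if seen.count(n) > 1})
    extras = sorted(set(seen) - expected)
    return {"missing": missing, "duplicates": duplicates, "extras": extras}


def cumulative_sequence_check(batches, last_processed_no):
    """Cumulative sequence check across batches: track the highest document
    number processed so far and report the gaps between consecutive batches."""
    gaps = []
    high = last_processed_no
    for batch in batches:
        nums = sorted(t.doc_no for t in batch)
        if nums[0] != high + 1:
            gaps.append(list(range(high + 1, nums[0])))
        high = max(high, nums[-1])
    return {"gaps": gaps, "last_processed_no": high}


# Constructed source documents: the clerk's batch of five tickets.
SOURCE_BATCH = [
    PickingTicket(1001, 4410, 10),
    PickingTicket(1002, 4425, 5),
    PickingTicket(1003, 4410, 8),
    PickingTicket(1004, 4490, 12),
    PickingTicket(1005, 4433, 3),
]
CLERK_TOTALS = batch_totals(SOURCE_BATCH)  # computed before data entry

# Constructed keyed data: ticket 1003 was skipped and 1004's quantity was
# transposed (12 keyed as 21), the two input errors the totals should catch.
ENTERED_BATCH = [
    PickingTicket(1001, 4410, 10),
    PickingTicket(1002, 4425, 5),
    PickingTicket(1004, 4490, 21),
    PickingTicket(1005, 4433, 3),
]

if __name__ == "__main__":
    for name, expected, actual, goal in reconcile_batch(CLERK_TOTALS, ENTERED_BATCH):
        print(f"{name}: clerk {expected}, entered {actual} -> {goal}")
    print(batch_sequence_check(ENTERED_BATCH, 1001, 1005))
```

Note what each total can and cannot see: the record count alone would not catch the transposed quantity, and the quantity total alone would not tell you which document was dropped; the sequence check is what names the missing ticket.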

business process control plans

Are applied to a particular business process, such as billing or cash receipts

application controls

Are automated business process controls contained within IT application systems (i.e., computer programs).

• Significant digit coding

Assigns meanings to specific digits

Ratio estimation:

Assumes a constant percentage misstatement across the population. Estimates the audited value of the population by multiplying the recorded balance of the population by the ratio of the sample's audited value to the sample's recorded balance.

Risk of Incorrect Rejection result

Auditors conclude that account is misstated Auditors perform additional procedures Efficiency loss (perform more effective substantive procedures than necessary)

Risk of Incorrect Acceptance result

Auditors conclude that account is not misstated Effectiveness loss (issue incorrect opinion on misstated F/S)

result of risk of overreliance

Auditors conclude that controls are functioning effectively Effectiveness loss (do not reduce audit risk to sufficient level)

1. determine the objective of sampling

Auditors identify the key controls upon which they intend to rely; the objective is typically related to the assertion being tested for the population under consideration.

In downsizing / retirement environments, ES can be used to:

Capture and retain the expertise of the departing employee - Distribute the expertise to remaining employees - Distribute expertise to employees who do not have timely access to the expert - Train new employees - Create an electronic colleague • Guide human experts by suggesting trends, asking questions, highlighting exceptions, etc.

retention control plans

Companies should provide creative and challenging work opportunities as well as channels for advancement whenever possible.

Additional Considerations in Classical Variables Sampling

Consider the following additional factors in determining sample size: Risk of incorrect rejection Population variability To reduce population variability, auditors may choose to stratify the population

- Difference between DSS and EIS

DSS is created to suit the user, EIS is preformatted in advance (i.e., dashboard containing specific company performance information)

Database Essentials Relational Database Model

Data are logically organized into two-dimensional tables (i.e., "relations") • Allows users to query the tables to obtain information from one or more tables in a very flexible way • Able to handle complex queries • Requires more computer resources than the hierarchical or network DB models - i.e., more memory and processing time • Traditionally allows only text and numerical data to be stored - Does not natively support complex object types such as graphics, audio, video, or geographic information (the limitation the object-relational model addresses)

network database model

Data are organized as a set of linked records that generalizes the hierarchical tree: a child record can have more than one parent record, so many-to-many relationships can be represented. Used for more complex data structures.

data redundancy

Data stored in multiple locations within a system. Occurs among the various files of the applications approach, as a consequence of each application keeping its own data.

business is becoming more and more "it centric"

Database Management Systems (DBMS) at the heart of this evolution

• Noteworthy aspects of centralized database approach

Database is now shared by multiple system applications that support related business processes - Data can be accessed through report generation and ad hoc user inquiries (queries) which allows users to ask questions using query language software - Two layers of software needed 1. Logical view (how users see) 2. Physical view (how data is stored on computer hardware)

Expert Systems (ES)

Decision support systems for complex decisions, where consistency is desirable and the decision maker wants to minimize time and maximize quality • Emulates the problem solving techniques of human experts • Appropriate when: - Decisions are extremely complex - Consistency in decision-making is desirable - Desire to minimize time spent on decision and maximize the quality of the decision - Experts are utilized and such knowledge can be captured and modeled via software • Utilized in downsizing and retirements

• Block coding

Dedicates groups of numbers to particular object characteristics - Numbers within each block are generally assigned sequentially - This leads to some of the same adding and deleting limitations as sequential coding

Monetary Unit Sampling (MUS)

Defines the sampling unit as an individual dollar (or other monetary unit) in an account balance. The auditor selects individual dollars (or monetary units) for examination and verifies the entire "logical unit" containing the selected dollar - Accounts receivable: the customer account - Inventory: the inventory item that contains the selected dollar

MUS: Evaluating Sample Results

Determine the upper limit on misstatements, which has a probability of (1 - risk of incorrect acceptance) of equaling or exceeding the true amount of misstatement. Components: projected misstatement, incremental allowance for sampling risk, and basic allowance for sampling risk

• Application Approach to Business Event Processing

Each application collects and manages its own data, generally in dedicated, separate, physically distinguishable files for each application

Acquire and Implement Domain: IT Process 5 Integrate IT Solutions Into Operational Processes

Ensures that the new or significantly revised system is suitable - Must provide for a planned, tested, controlled, and approved conversion to the new system • After-installation review to determine that the new system has met users' needs in a cost-effective manner

Tolerable rate of deviation

Establish based on desired level of control risk Lower control risk = lower tolerable rate of deviation

Expected population deviation rate

Estimate based on past audits or a pilot sample. If this is greater than the tolerable rate there is no reason to test the control, because we already believe it is ineffective; so we would normally expect the expected population deviation rate to be lower than the tolerable rate of deviation if we are going to test a control.

Variables Sampling process

Estimate the amount of misstatement (the upper limit on misstatements). Compare the upper limit on misstatements to an allowable level (tolerable misstatement).

risk

Events that would have a negative impact on organization objectives

opportunities

Events that would have a positive impact on organization objectives

Disadvantages of the centralized approach

Expensive to implement and maintain - If the DBMS fails, all the organization's information processing halts - Large magnitude of damage from unauthorized access - Increased potential for damage should unauthorized access to the database occur - Database recovery and contingency planning are more important than in the applications approach - Concurrent access causes contention or concurrency problems - Territorial disputes over who owns the data and who is responsible for data maintenance • Most companies that have adopted this approach have created a database administrator function to cope with the administrative and technical issues related to the DBMS

• Centralized Database Approach to Business Event Processing

Facts about events are stored in relational database tables instead of separate files, which solves many of the problems caused by data redundancy

Steps in Preparing a Control Matrix Step 2. Identify Recommended Control Plans

Focuses on the nature and extent of control plans that should be in place to reach objectives and lower residual risk • The most difficult part: identifying controls that should be in place and controls that are not in place 1. Identify "present" control plans and annotate them on the systems flowchart: - General rule: each process symbol on the flowchart should be associated with at least one control - Two categories of controls: (1) generic and (2) specific to the business process a. Place P-1, P-2 through P-n beside all present controls, starting at the upper-left column. 2. Evaluate "present" control plans: - It is common for a control plan to address more than one control goal - It is important to write a description of the control goal a. Place the number and name of the plan on the control matrix, enter the control plan number in the matrix cells, and explain how each control addresses each control goal. 3. Identify and evaluate "missing" control plans: a. Examine the control matrix to see if there are any control goals not being addressed by the present plans. If so, develop a control plan and explain the nature and extent of the missing plan. b. Analyze the systems flowchart for further risk exposures for which you would recommend adding controls or strengthening existing ones. • It takes training and teamwork to become proficient at spotting risk and control weaknesses.

Characteristics of Relationships

In the E-R diagram previously shown, read: ORDERS are received from CUSTOMERS • Cardinality - The degree to which each entity participates in the relationship. Can have a value of "one" ("1") or "many" ("N" or "M") • 1:N, one-to-many • M:N, many-to-many • 1:1, one-to-one • Maximum cardinality - Measure of the highest level of participation that one entity can have in another entity - Shown as a number or as N/M

there are problems with 1NF

Include functional dependencies that cause several problems called update anomalies, including: 1. Updates may require changes to multiple rows 2. Data may become inconsistent 3. Additions and deletions are problematic - Problems arise because an attribute is dependent on only a portion of the primary key - a partial dependency - In the example table, the attribute Item_Name is dependent on a portion of the primary key, Item_Number, not on the entire key
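The partial dependency and its update anomaly made concrete, as an added example that is not from the original notes. It uses SQLite from the Python standard library. The column names Item_Number and Item_Name follow the notes' example; the other half of the composite key is assumed to be an order number, the table names are assumed, and the rows are constructed.

```python
"""Partial dependency in a 1NF table and its removal by decomposition,
shown with SQLite (standard library). Added example; the column names
item_number/item_name follow the notes, order_no and the table names are
assumed, and the row data is constructed."""
import sqlite3


def build_1nf(conn):
    """order_line_1nf is in 1NF only: the key is (order_no, item_number) but
    item_name depends on item_number alone, a partial dependency."""
    conn.executescript("""
        CREATE TABLE order_line_1nf (
            order_no    INTEGER NOT NULL,
            item_number INTEGER NOT NULL,
            item_name   TEXT    NOT NULL,
            qty         INTEGER NOT NULL,
            PRIMARY KEY (order_no, item_number)
        );
        INSERT INTO order_line_1nf VALUES
            (1, 100, 'Widget', 5),
            (2, 100, 'Widget', 2),
            (2, 200, 'Gadget', 1),
            (3, 100, 'Widget', 7);
    """)


def rename_item_1nf(conn, item_number, new_name):
    """Update anomaly: one fact (the item's name) must be changed in every
    order line that carries it. Returns the number of rows touched."""
    cur = conn.execute("UPDATE order_line_1nf SET item_name = ? WHERE item_number = ?",
                       (new_name, item_number))
    return cur.rowcount


def build_2nf(conn):
    """Decompose: item holds the attribute that depends only on item_number;
    order_line keeps only what depends on the whole key."""
    conn.executescript("""
        PRAGMA foreign_keys = ON;
        CREATE TABLE item (
            item_number INTEGER PRIMARY KEY,
            item_name   TEXT NOT NULL
        );
        CREATE TABLE order_line (
            order_no    INTEGER NOT NULL,
            item_number INTEGER NOT NULL REFERENCES item(item_number),
            qty         INTEGER NOT NULL,
            PRIMARY KEY (order_no, item_number)
        );
        INSERT INTO item VALUES (100, 'Widget'), (200, 'Gadget');
        INSERT INTO order_line VALUES (1, 100, 5), (2, 100, 2), (2, 200, 1), (3, 100, 7);
    """)


def rename_item_2nf(conn, item_number, new_name):
    """The same change after decomposition touches exactly one row."""
    cur = conn.execute("UPDATE item SET item_name = ? WHERE item_number = ?",
                       (new_name, item_number))
    return cur.rowcount


def distinct_names_for_item(conn, table, item_number):
    """How many different names the database holds for one item number
    (more than one means the data has become inconsistent)."""
    if table == "order_line_1nf":
        sql = "SELECT COUNT(DISTINCT item_name) FROM order_line_1nf WHERE item_number = ?"
    else:
        sql = ("SELECT COUNT(DISTINCT i.item_name) FROM order_line ol "
               "JOIN item i USING (item_number) WHERE ol.item_number = ?")
    return conn.execute(sql, (item_number,)).fetchone()[0]


def demo():
    """Run both designs side by side and return the observable differences."""
    conn = sqlite3.connect(":memory:")
    build_1nf(conn)
    build_2nf(conn)
    rows_1nf = rename_item_1nf(conn, 100, "Widget Pro")
    rows_2nf = rename_item_2nf(conn, 100, "Widget Pro")
    # Simulate a partial update in the 1NF table (one row missed by a later
    # edit): the same item now carries two names.
    conn.execute("UPDATE order_line_1nf SET item_name = 'Widget' WHERE order_no = 3")
    names_1nf = distinct_names_for_item(conn, "order_line_1nf", 100)
    names_2nf = distinct_names_for_item(conn, "order_line", 100)
    # Insertion anomaly: in 1NF a new item cannot exist without an order row;
    # after decomposition it is a single insert into item.
    conn.execute("INSERT INTO item VALUES (300, 'Gizmo')")
    items = conn.execute("SELECT COUNT(*) FROM item").fetchone()[0]
    conn.close()
    return {"rows_1nf": rows_1nf, "rows_2nf": rows_2nf,
            "names_1nf": names_1nf, "names_2nf": names_2nf, "items": items}


if __name__ == "__main__":
    print(demo())
```

Renaming item 100 touches three rows in the 1NF design and one row after decomposition, and only the 1NF design can end up holding two different names for the same item number.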

Event Identification

Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes. Event identification must be ongoing, to determine that evolving events have been identified and evaluated: as an organization and its environment change, existing controls often become less effective.

documentation

Involves all seven steps of sampling process Important judgments include: • Factors affecting sample size and rationale for those factors • Method of selecting sample and summary of items selected • Method of measuring sample items and summary of measurements • Evaluation of sample results and overall conclusion

COSO Definition of Internal Control

Is a process—effected by an entity's board of directors, management, and other personnel— designed to provide reasonable assurance regarding the achievement of objectives in the following categories: - Effectiveness & efficiency of operations - Reliability of financial reporting - Compliance with applicable laws & regulations

Review tickler file (file of pending shipments)

Manual file of documents, or a computer file, that contains business event data that is pending further action. Such files must be reviewed on a regular basis for the purpose of taking action to clear items from the file. If tickler file documents remain in the file for an extended period of time, the person or computer monitoring the file determines the nature and extent of the delay. Example: after packing slips are received, the picking tickets are compared to their associated packing slips and removed from the pending shipments file. We classify this as a present control because we assume that the shipping clerk periodically reviews the file looking for picking tickets that have been pending for too long.

Selecting Sample Items

Methods - Unrestricted random selection: select items based on random numbers matched to items in the population - Systematic random selection: select a random starting point, then bypass a fixed number of items in the population, selecting every nth item; n is the number of items in the population divided by the sample size - Block selection: select contiguous/adjacent units; not used much for random selection - Haphazard selection: select items in a nonsystematic manner, unstructured and without intentional bias. It cannot be replicated (the other three methods can be) and could still contain bias, so it is not a truly random sample. Only unrestricted random selection or systematic random selection can be used with statistical sampling.

COBIT 5

Newer framework that has been adopted • COBIT 5 is a new departure in the corporate governance of information technology. • Restructures and reorganizes the framework from an IT process model into an IT governance model. • More inclusive, "strategic" and "big picture" oriented than COBIT 4.1. • Uses a "holistic" approach that is more flexible, more principles-based and less procedures-based than COBIT 4.1. - An enterprise tailors it to its own needs - Puts internal controls within the larger context of enterprise-wide governance and management • GEIT - Governance of Enterprise IT

Database Essentials Object-Oriented Database Model

Object-relational databases - Include a relational DBMS framework with the capability to store complex data types • Includes abstract data types that allow users to define characteristics of the data to be stored when developing an application • Overcomes the limitations of relational databases

objective setting

Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite. Strategic objectives are established as well as related objectives for operations, reporting, and compliance. Risk appetite guides strategy setting to balance, for example, growth, risk, and return. Risk appetite drives risk tolerances, the acceptable levels of variation in achieving objectives.

• Costs / Benefits Dilemma

Organizations want to have enough controls to ensure objectives are achieved without paying more for the controls than can be derived from their implementation

Example

Parameters Population size = $12,563,336 (recorded balance) Risk of incorrect acceptance = 10 percent Expected misstatement = $188,450 (1.5 percent of recorded balance) Tolerable misstatement = $628,167 (5 percent of recorded balance) Calculations Ratio of expected to tolerable misstatement: $188,450 ÷ $628,167 = 0.30 Tolerable misstatement as a percentage of population: $628,167 ÷ $12,563,336 = 5%

Nonstatistical Sampling

Permissible under GAAS
Does not permit auditors to control exposure to sampling risk
Major differences in:
- Determining sample size
- Selecting sample items
- Evaluating sample results

Losses due to accidental, nonmalicious acts far exceed those caused by intentional acts - This is why the system of controls must be capable of:

- Preventing crimes
- Minimizing simple, innocent errors

COBIT 5's five GEIT principles

Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

reports

Printed lists and summaries of data stored in tables or collected by queries from one or more tables

program change controls

Provide assurance that all modifications to programs are authorized and that the changes are completed, tested and properly implemented. Changes in documentation should mirror the changes made to the related programs. Improper change controls could allow a programmer to change, for example, the payroll program so that salaries for all programmers are increased each pay period. Separate organizational entities are responsible for each stage in the change process; this is a formal way of making sure programmers are doing what they should be doing (e.g., a librarian controls the program versions, and the supervisor has a list of the changes).

Basic Allowance for Sampling Risk

Provides a measure of the misstatement that might exist in sampling intervals in which a misstatement was not detected
Calculated as: Sampling interval x Confidence factor

2. Define the characteristic of interest

Question of interest to person conducting sampling plan (e.g., resting heart rate)

Incremental Allowance for Sampling Risk procedure

1. Rank all projected misstatements in descending order by tainting factor
2. Determine incremental confidence factor for each misstatement
3. Multiply projected misstatement by (incremental confidence factor - 1)

If ULRD > Tolerable Rate of Deviation

- Reduce reliance on controls, increase control risk, and reduce detection risk (perform more effective substantive procedures)
- Expand sample to examine additional items and potentially reduce ULRD if we think our sample is not representative of the population

• Knowledge

Refers to information that has been formatted and distributed in accordance with an organization's routines, processes, practices and norms

Sarbanes-Oxley Act of 2002

Resulted from actions of failed publicly traded companies such as Enron, WorldCom, and Tyco
• Government forced to interject its will into governance
• Created the Public Company Accounting Oversight Board (PCAOB)
• Strengthened auditor independence rules
• Increased accountability of company officers and directors
• Mandated upper management to take responsibility for the company's internal control structure
• Enhanced the quality of financial reporting
• Increased white collar crime penalties

Advantages of MUS

- Results in more efficient (smaller) sample sizes, because the statistics used in MUS yield smaller sample sizes than classical variables sampling.
- Selects transactions or components reflecting larger dollar amounts more often than smaller amounts, because the sampling unit is a single dollar and larger balances contain more dollars. This is probability-proportional-to-size sampling: the probability of being selected is greater when the balance is larger and smaller when the balance is smaller.
- Effective in identifying overstatement errors (items that are overstated are larger, so they are more likely to be selected). Use it to focus on asset and revenue accounts.
- Generally simpler to use than classical variables sampling, because it does not require as many statistical estimates (such as variance) or the assumption of a normal population; monetary unit sampling is much simpler to apply than classical variables sampling.

effectiveness losses

Risk of overreliance (assessing control risk too low)
Risk of incorrect acceptance
We are most concerned with these, because they lead to issuing an unqualified opinion when we should not have.

efficiency losses

Risk of underreliance (assessing control risk too high)
Risk of incorrect rejection
We are less concerned with these than with effectiveness losses, but they are still important.

inherent risk

Risk that exists in the absence of any actions management might take to reduce the likelihood or impact of the risk

How to Determine ULRD

Sample Evaluation Tables in Appendix F.B
Process:
1. Select AICPA Sample Evaluation table corresponding to desired risk of overreliance
2. Identify row related to the appropriate sample size
3. Identify column related to the appropriate number of deviations
4. Determine ULRD at junction of row and column

risk of underreliance occurs when

The sample indicates controls are not functioning effectively, when the controls actually are functioning effectively

Using MUS Tables

See Exhibit G.2 for excerpted Sample Size Table (full tables in Appendix G.A)
Inputs:
- Risk of incorrect acceptance
- Expected misstatement
- Tolerable misstatement
- Population size

electronic vaulting

Service whereby data changes are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party. When needed, the backed-up data can be retrieved from the electronic vault to recover from a data loss at the primary computing facility or to resume interrupted operations at an alternative facility.

3. define the population

Should include all potential applications of the control during the period examined. Example: all invoices generated between the first day of the period and the last day of the period (this includes the entire population of potential transactions, each of which should have supporting shipping documents).

document/record counts

Simple counts of the number of documents entered (e.g., 25 documents in a batch). This procedure represents the minimum level required to control input completeness (each input document entered once). It is not sufficient if there are multiple parts to an event. For example, consider a sales document that can include one or more items: a document/record count would not reflect the number of individual items sold, but only the one document, so this total would not be enough to ensure input accuracy. Also, because one document could be intentionally replaced with another, this control is not effective for ensuring input validity and input completeness (the insertion of a duplicate document is a completeness violation; the insertion of a bogus document is a validity violation).

Plan and Organize Domain: IT Process 1 Establish Strategic Vision for Information Technology

Strategic planning and corresponding activities include:
1. A summary of the organization's strategic goals and plans and how they are related to IT.
2. IT goals and strategies and a statement of how each will support organizational goals and strategies.
3. An information architecture model encompassing the corporate data model and the associated information systems.
4. An inventory of current IT capabilities.
5. Acquisition and development schedules for hardware, software, applications, personnel and finances.
6. IT-related requirements to comply with industry, regulatory, legal and contractual obligations including safety, privacy, transborder data flows, e-business, and insurance contracts.
7. IT risks and risk action plans.
8. Process for modifying the plan to accommodate changes to the organization's strategic plans and IT conditions.

dollar totals

Sum of dollar value of batch items. Reduces possibility that documents could be duplicated, added to or lost from a batch or that amounts were incorrectly input and improves input validity, completeness, and accuracy.

Ensure effectiveness of operations

The control plan "compare vendors for favorable prices, terms, quality, and product availability" is directed primarily at which of the following control goals?
a. ensure effectiveness of operations
b. input validity
c. input accuracy
d. input completeness
Other examples of effectiveness goals: timely acknowledgement and customer creditworthiness. Effectiveness goals are created by people and are subjective; no uniform set of operations process goals exists.

• Classifying

The process of grouping or categorizing data according to common attributes

Risk of Incorrect Rejection

The risk that the sample supports the conclusion that the control is not operating effectively when it actually is or that the recorded account balance is materially misstated when it is not materially misstated. Type I error, false rejection

Risk of Incorrect Acceptance

The risk that the sample supports the conclusion that the control is operating effectively when it is not, or that the recorded account balance is not materially misstated when it is materially misstated. Type II error, false acceptance. This is the embodiment of audit risk: the audit is ineffective.

Personnel Development Control Plans

Training must occur regularly and be a top priority. Performance reviews should assess strengths and weaknesses and identify opportunities for promotion, training and personal growth.

4. determine sample size (upfront)

Under statistical sampling, sample size considers the desired exposure to sampling risk. 5% sampling risk = 95% confidence interval: we are willing to take a 5% chance that the sample does not represent the population. What affects sample size: population size (for small populations), expected deviation rate, tolerable deviation rate, sampling risk, and confidence interval.

• Data warehousing

Use of information systems facilities to focus on the collection, organization, integration, and long-term storage of entity-wide data
- Purpose is to provide users with easy access to large quantities of varied data from across the organization to improve decision-making capabilities
- Firms copy data from transactional / organizational DBs to the data warehouse
- Additional nonorganizational / external data is added
• Such as governmental or industry statistics

MUS: Selecting Sample Items

Use systematic random sampling
Calculate sampling interval as: Population size ÷ Sample size
Process:
1. Identify random start
2. Skip number of items equal to sampling interval
3. Select item (dollar in account) and examine entire logical unit containing that item (customer account)
May select same logical unit multiple times
Any logical unit with a dollar value greater than the sampling interval will have a 100% chance of being selected: high-dollar items are always selected.

attributes sampling

Used to estimate the extent to which a characteristic exists within a population Used in the auditor's study of internal control

Both DSSs and ESs can assist a user in problem solving, but in different ways

A DSS is a passive tool. It depends on the human user's knowledge and ability to provide the right data to the system's decision model. An ES is an active teacher or partner that can guide the user in deciding what data to enter and in providing hints about further actions that are indicated by the analysis to date.

rotation of duties

A policy that requires an employee to alternate jobs periodically

Enterprise Risk Management (ERM)

A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, that is designed to identify potential events that may affect the entity and to manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Helps management identify, assess, and manage risk.

IT governance

A process that ensures that the enterprise's IT sustains and extends the organization's strategies and objectives

changes

Can include changes to process acts (purchasing raw materials) or changes to process controls (approving purchase orders). If changes in the process do not reduce the variance from objectives, changes to process objectives (increase production by only 5%) might also be considered.

Ensure efficient employment of resources

Can only be evaluated in a relative sense

to achieve the goal of input accuracy, we must

Capture and enter into a system all important data elements. All important data elements must be identified for each economic event or object that we want to include in a system's database.

data input includes

Capturing data (completing a source document such as a customer order) and, if necessary, converting the data to machine-readable form. Event data are the target of the input control goals. Only actual authorized events have validity.

to ensure update accuracy relates to

Correctly recording customer orders (correct customer, correct items and quantities) in the sales order and inventory master data

ensure input accuracy

Correctness of data put into the system; relates to the various data items that usually constitute a record of an event, such as a source document. To achieve this goal, we must minimize discrepancies between data items entered into a system and the economic events or objects they represent. Mathematical mistakes and inaccurate transcription of data from one document or medium to another may cause accuracy errors. Example: an order for 200 is placed by customer 159, but the sales rep mistakenly enters the customer number as 195, resulting in another customer's name. Missing data fields on a source document or computer screen represent another type of accuracy error. Absence of a customer number on an order would result in a lost sale (an order that cannot be shipped to a particular customer). This is an accuracy error rather than a completeness error, because the mere presence of the source document suggests that the event itself has been captured and that the input data are complete.

detective control plans

Discover that problems have occurred. Example: review and compare. The comparison is done to ensure that no discrepancies exist between the customer orders displayed by the customer and the totals that accompany those orders.

the purpose of ______ control goals is to ensure that all resources used throughout the business process are being employed in the most productive manner

efficiency

Principle 4: Enabling a Holistic Approach

Enablers, as the word suggests, are the means to achieving COBIT 5's governance objectives for the enterprise. Specifically, enablers support the implementation in an enterprise of an all-inclusive governance and management structure for IT. The COBIT 5 framework specifies 7 categories of enablers:
- Processes
- Principles, policies, and frameworks
- Organizational structures
- People, skills, and competencies
- Culture, ethics, and behavior
- Services, infrastructure, and applications
- Information

internal environment

Encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate

Achieving which control goal requires that all valid objects or events are captured and entered into a system's database once and only once?

ensure input completeness

A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives, is:

enterprise risk management

NNs supplement ESs in areas where

Expertise has not yet been captured. By examining data, NNs can identify and replicate the patterns that exist.

centralized database approach to business event processing

Facts about events are stored in relational database tables instead of separate files; this solves many of the problems caused by data redundancy.

1. Determine the objective of sampling

Drawing conclusion about some population of interest (e.g., does aerobics program lead to a reduction in resting heart rate?) (e.g., does brand of golf ball provide increased distance?)

planning (attributes)

1. Determine the objective of sampling
2. Define the deviation condition
3. Define the population

Upper Limit Rate of Deviation

(1 - risk of overreliance): probability that the true rate of deviation is less than or equal to the ULRD
(Risk of overreliance): probability that the true rate of deviation exceeds the ULRD
Consists of:
- Sample rate of deviation
- Allowance for sampling risk
It is the most conservative estimate.

Risk of Overreliance

(Risk of Assessing Control Risk too Low) referred to as type II error, false acceptance

automated data entry

- Effectiveness goal A, efficient employment of resources: inputs are entered more quickly and with fewer personnel resources than are inputs entered manually
- Input accuracy: by eliminating manual keying and using scanning and other technology, input accuracy is improved

review tickler file (file of pending shipments)

- Effectiveness goal A, input completeness, update completeness: a file of picking tickets is retained in shipping awaiting packing slips. If the packing slips are received in a timely manner, and the corresponding picking tickets are removed from the pending shipments file, we can ensure that goods will be shipped in a timely manner and that the picking tickets were indeed input and the master data updated. If picking tickets do not receive packing slips within a reasonable period of time, then an inquiry procedure is initiated to determine the nature and extent of the delay in the warehouse. The tickler file holds all open orders that have not been fulfilled. It addresses security, update completeness and update accuracy. The sales manager reviews the tickler file and open orders and works with the warehouse manager to create a plan; there should be a document, stating the plan for the open invoices, that the sales manager reviews and signs.

attributes sampling

- Planning
- Determining Sample Size
- Selecting and Measuring Sample Items
- Evaluating Sample Results

InformationWeek Top-10 CIO Concerns

1. Business analytics
2. 80/20 IT operations vs. investment gap
3. Mobile devices
4. Digitize the enterprise
5. Social media
6. Customer engagement
7. Data center / cloud computing
8. CIO as Chief Acceleration Officer
9. Importance of Being Global
10. Optimizing systems

Create the E-R Diagram in 5 Steps

1. Create a relational table for each entity - CUSTOMERS, INVENTORY, ORDERS, and SALES
2. Determine primary keys for each entity table
3. Determine attributes for each entity - Sometimes called a field and represented as a column in a table
4. Implement relationships among the entities (primary keys exist as attributes in other tables)
- Ensure that the primary key of one table exists as an attribute in every table (entry) for which there is a relationship
- For many-to-many relationships, create relationship (junction) tables
5. Determine attributes for each relationship table

8 components of ERM

1. Internal Environment
- Tone of an organization
- Sets the basis for how risk is viewed and addressed by an entity's people
- Risk management philosophy and risk appetite
- Integrity and ethical values
- The environment in which they operate
2. Objective Setting
- Objectives must exist before management can identify potential events affecting their achievement
- ERM ensures management has a process in place to set objectives and that the objectives support and align with the entity's mission and are consistent with its risk appetite
3. Event Identification
- Events affecting achievement of objectives must be identified, distinguishing between risks and opportunities.
- Opportunities are channeled back to management's strategy or objective-setting processes.
4. Risk Assessment
- Risks are analyzed
- Evaluated considering likelihood and impact of risk as a basis for determining how they should be managed
- Core of effective compliance with SOX Section 404
5. Risk Response
- Management selects risk responses • Avoiding, accepting, reducing, or sharing risk
- Develop a set of actions to align risks with the entity's risk tolerances and appetite
6. Control Activities
- Establish and implement policies and procedures to help ensure the risk responses are effectively carried out
7. Information and Communication
- Relevant information is identified, captured, and communicated to enable people to carry out their responsibilities
- Effective communication flows down, across and up the organization
- Narratives, systems flowcharts, written policies and procedures
8. Monitoring
- ERM is monitored and modifications are made as necessary.
- Monitoring is accomplished through ongoing management activities and separate evaluations.
- Assesses the quality of internal control performance over time
- Key element in the long-term success of a system of internal control
- Includes organizational governance, management's compliance with SOX Section 404, the activities of internal and external auditors, and certain control activities
• Audit risk model (AR = IR x CR x DR)

Ensure security of resources

A control goal of an operations process. Example: protect assets from damage, fraud, or misappropriation. Example: Suprina's customer data represent an important resource for this company, because they tell it a lot about its customers. Must protect both tangible and intangible resources.

Residual expected risk

A function of initial expected gross risk, reduced risk exposure due to controls and the cost of controls

object-oriented database model

A model that allows the storage of both simple and complex objects (including items such as video, audio, and pictures). Characteristics also include inheritance and encapsulation. Other types of data, such as video clips or pictures, can be stored in an object-oriented database. Includes abstract data types that allow users to define characteristics of the data to be stored when developing an application. This overcomes the limitations of relational databases, which limit the types of data that can be stored in table columns. Instead of tables, an object-oriented DBMS stores data in objects.

Acquire and Implement Domain: IT Process 8 Ensure Security and Continuous Service

A number of business continuity planning models are available
• We'll look at one developed by the Business Continuity Institute
• Six elements
1. BCM policy and program management provides the framework around which the BCM is designed and built (hub of wheel)
2. Understand the organization
3. Determine business continuity strategies
4. Develop and implement a BCM response
5. Exercise (rehearse), maintain and review
6. Embed BCM in the organization's culture

hash totals

A summation of any numeric data existing for all documents in the batch, such as a total of customer numbers or invoice numbers in the case of remittance advices; used for control purposes only. Can be a powerful batch control, because they can determine whether inputs have been altered (accuracy), added (validity), duplicated (completeness), or deleted (completeness). These batch hash totals operate for a batch in a manner similar to the operation of document/record hash totals (a type of programmed edit check for individual inputs).

Second Normal Form (2NF)

A table is in second normal form (2NF) if it is in 1NF and has no partial dependencies
- I.e., no non-key attributes that are dependent on only a portion of the primary key
• Non-key attribute:
- An attribute that is not part of the primary key
• This resolves update anomaly problems
• Two steps to get from 1NF to 2NF
1. Create a new table for each subset of the table that is partially dependent on a part of the composite primary key
2. Place each of the non-key attributes that are dependent on a part of the composite primary key into the table that now has a primary key that is the field on which the non-key attribute is partially dependent.

Decisions under MUS

Account balance is not misstated:
- Suggest correction of identified misstatements
- Investigate cause of misstatements
Account balance is misstated:
- Increase sample size to attempt to reduce upper limit on misstatements
- Recommend adjustment to reduce misstatement below tolerable misstatement

Incremental Allowance for Sampling Risk

Adjusts the projected misstatement to control exposure to risk of incorrect acceptance
Allows for the possibility that the remainder of the sampling interval might be misstated by a higher percentage than the logical unit

• Functional dependence

An attribute (column in a table) is functionally dependent on a second attribute (or a collection of other attributes), if a value for the first attribute determines a single value for the second attribute at any time - When functional dependence exists, the first attribute determines the second attribute

Mean-per-unit:

Assumes each item in population (component of account) has a similar balance
Estimates recorded balance by multiplying number of components by average audited value
Use when amounts are similar in size

Difference estimation:

Assumes each item in population (component of account) has a similar difference between recorded and audited value
Estimates the amount of misstatement by multiplying number of components by average misstatement
Estimates recorded balance using estimated misstatement

Projected Misstatement

Assumes entire sampling interval contains same percentage of misstatement as the logical unit examined by auditors
Calculated for each misstatement as: Sampling interval x Tainting %
Do not project misstatements if the logical unit > sampling interval

risk of underreliance result

Auditors conclude that controls are not functioning effectively
Auditors assess control risk at higher than necessary levels
Efficiency loss (perform more effective substantive procedures than necessary)

When a business purchases a DBMS, it becomes an audit problem

Auditors need to expand their knowledge of DBMS

sampling risk cause

Caused by selecting a nonrepresentative sample

• Other coding schemes

Check digit: a code that includes an extra digit that can be used to check the accuracy of the code

Database Essentials Network Database Model

Child records can have more than one parent record
- Solved joint account problem
• Significant improvement over the early hierarchical designs
• Eclipsed by relational databases, which are vastly more flexible

Expert Systems

Computerized advisory programs that imitate the reasoning processes of experts in solving difficult problems. ESs are appropriate in situations with these characteristics: decisions are extremely complex, consistency of decision making is desirable, the decision maker wants to minimize time spent making the decision while maximizing the quality of the decision, experts familiar with the knowledge and content of the decision are involved, and their knowledge can be captured and modeled via computer software. Sometimes used as part of a downsizing strategy.

Sequential Sampling

Conducting a pilot study to estimate the population parameters so that another, larger sample of the appropriate sample size may be drawn. Also known as stop-or-go sampling: stop after examining a relatively small sample and evaluate your results. If your results are clearly acceptable or unacceptable, you would stop. If the results are inconclusive, you would examine more items. Mostly used to determine quickly that results are clearly not acceptable; we are less likely to use stop-or-go to determine that something is acceptable with a very small sample size. The advantage is that the sample may be more efficient than a fixed sample plan.

item or line counts

Counts of number of items or lines entered. Improves input validity, completeness, and accuracy by reducing possibility that line items or entire documents could be added to the batch or not be input.

attributes sampling process

Estimate the rate at which the client's internal control is failing to function effectively (upper limit rate of deviation)
Compare upper limit rate of deviation to an allowable level (tolerable rate of deviation)

Using Databases and Intelligent Systems to Aid Decision Makers

Decision aids
- Information tools that can help decision makers
- Computerized tools used to assist, and in some cases replace, the decision maker
- Decision aids include:
• Decision support systems
• Executive information systems
• Group support systems
• Expert systems
• Intelligent agents
Many decisions are unstructured
- Especially at higher levels of an organization

Personnel termination control plans

Defines procedures when an employee leaves an organization. More important when the employee is fired for cause, because the employee is likely to be upset or angry and may damage the organization. Includes collecting any items displaying the company's identification (letterhead), reclaiming office and building keys, and removing password access to data.

• Data model

Depicts user requirements for data stored in a database

sampling risk can be controlled by

- Determining an appropriate sample size (the higher the percentage of items sampled in the population, the lower the sampling risk, because a representative sample is more likely)
- Ensuring that all items have an equal likelihood of selection (more random, less risk)
- Evaluating sample results to control risk (if you evaluate using statistical methods, you can control the level of sampling risk, which makes your results more meaningful)

Precision (allowance for sampling risk)

Distance from the estimated population value within which the true (but unknown) population value may lie with a given probability; a +/- range (precision interval). 5% sampling risk = 95% reliability level. Compare the upper end of the precision interval to the tolerable amount to decide whether the population is materially misstated or not.

• Advantages of the centralized approach

- Eliminating data redundancy
- Ease of maintenance
- Reduced labor and storage costs
- Data integrity
- Data independence
- Privacy

knowledge management system

Employees can access the database and contribute or extract knowledge from anywhere in the world
• DBs provide orderly storage and retrieval of captured knowledge

• Control goals of operations processes

- Ensure effectiveness of operations
- Ensure efficient employment of resources
- Ensure security of resources

5. select sample items

Ensure that all items are available for selection

Sampling risk (Risk of overreliance)

Establish based on desired level of control risk Lower control risk = lower risk of overreliance (less substantive testing)

Batch sequence check:

Event data within a batch are checked as follows:
1. The range of serial numbers constituting the documents in the batch is entered.
2. Each individual serially prenumbered document is entered.
3. A computer program sorts input documents into numerical order; checks documents against the sequence number range; and reports missing, duplicate, and out-of-range data.

Centralized Database Approach To Business Event Processing

Facts about events are stored in relational database tables instead of separate files
• Solves the problems caused by data redundancies
• Improves efficiency, eliminates data redundancies, and improves data integrity
• Enables integrated business information systems that include data about all of a company's operations
- In one massive relational table
• Multiple users from throughout the organization can view and aggregate event data in a manner most conducive to their needs
• Management increasingly views information systems as a decision-support activity first and reporting second (CRM and ERP)

example

If Sample estimate = 17.5 bpm
Precision = 2 bpm
Reliability = 90 percent
There is a 90 percent likelihood (reliability) that the true population value is between 15.5 bpm (17.5 - 2) and 19.5 bpm (17.5 + 2)

Qualitative Considerations

In addition to the number of deviations (quantitative), consider the qualitative nature of the deviations. Examples:
- Pervasive vs. isolated deviations? (A few deviations that affect a lot of things, such as a special circumstance under which invoices are done incorrectly, should be followed up on.)
- Unintentional vs. intentional deviations? (Intentional deviations are of greater concern; there may be fraud going on.)
- Misunderstanding vs. carelessness? (Misunderstanding is of less concern, since training can fix it; carelessness means people do not care, which is not good.)
These all have implications for the audit, and for publicly traded companies we may consider them to indicate significant deficiencies or material weaknesses.

access control software

In an online environment, it ensures that (1) only authorized users gain access to a system through a process of identification (e.g., a unique account number for each user) and authentication (e.g., a password to verify that users are who they say they are), (2) restricts authorized users to specific data they require and sets the action privileges for that data (e.g., read, copy, write data), and (3) monitors access attempts and violations.

• Mnemonic coding

Includes letters as some or all of the code, which is done to help humans remember the codes.

• Decision support systems (DSS)

Information systems that assist managers with unstructured decisions by retrieving and analyzing data and generating information - Possesses interactive capabilities - Can answer ad hoc inquiries - Provides data modeling facilities such as spreadsheets - Artificial intelligence • Can imitate human decision making, i.e., when confronting complex and ambiguous situations

sampling risk

Likelihood that the decision based on the sample differs from the decision that would have been made if the entire population were examined

• Hierarchical coding

Orders items in descending order where each successive rank order is a subset of the rank above it. Specific meaning is attached to particular positions

ULRD Example

Parameters: Risk of overreliance = 5% Sample size = 127 (use row for n = 125) Number of deviations = 2 Sample rate of deviation = 2 ÷ 127 = 1.6%

6. measure sample items

Perform procedure and make appropriate evaluation/measurement Determine sample estimate Nonsampling risk can occur if incorrect procedures are performed or mistakes in evaluation or measurement are made

Acquire and Implement Domain: IT Process 8 Ensure Security and Continuous Service

Plan for contingencies for processes, not resources • Two elements required 1. Programs, data, and documentation 2. Alternative computer facility • Backup - Making a copy of data • Recovery - Use the backup to restore lost data and resume operations. • Continuous Data Protection (CDP) - All data changes are date stamped and saved to secondary systems as the changes are happening.

Disadvantages of MUS

Provides a conservative (higher) estimate of misstatement than classical variables sampling, so you are more likely to determine that the balance is materially misstated than if you use CVS. Not effective for understatement or omission errors, which are more important for liabilities and expenses: smaller amounts, understatements, or items left out are less likely to be selected, and you have a zero chance of selecting an item with a zero balance (which would be our omission errors) using MUS. Expanding the sample is difficult if the initial conclusion is to reject the account balance, because of the way we select our sample using a systematic sampling technique; it becomes much more difficult to expand the sample than in other methods. Requires special consideration for accounts with zero or negative balances, since these accounts would have a zero chance of being selected in this method; you would need to alter your selection process to somehow include these balances if you are going to use MUS in areas like liabilities and expenses.

cumulative sequence check

Provides input control when the serial numbers are assigned within the organization (e.g., sales order numbers issued by the sales order department) but later are not entered in perfect serial number sequence (i.e., picking tickets do not necessarily arrive at the shipping department in sequence). Periodically, reports of missing numbers are produced for manual follow-up. Example: reconciling a checkbook.

cumulative sequence check

Provides input control when the serial numbers are assigned within the organization (e.g., sales order numbers issued by the sales order department) but later are not entered in perfect serial number sequence (i.e., picking tickets do not necessarily arrive at the shipping department in sequence). In this case, the matching of individual event data (picking ticket) numbers is made to a file that contains all document numbers (all sales order numbers). Periodically, reports of missing numbers are produced for manual follow-up. A check register assists in reconciling a checkbook by showing the complete sequence of checks.

hierarchical database model

Records are organized in a pyramid structure; the records at or near the top of the structure contain the records below them. Works well for simple situations. Example: a bank that wants to record information about its customers and their accounts could use this model. Top-level records may hold information about customers. The next level down could include records with information about accounts; a customer might have a savings account, a checking account, and a loan account, and all of a customer's accounts would be below that customer record in the hierarchy. The next level down may include records that store information about transactions in each account.

Database Essentials Hierarchical Database Model

Records are organized in a pyramid structure • Child records - Records that are included in a record one level above them (a parent record) • Parent records - Include the lower-level child records • Each parent can have many child records, but each child record can only have one parent • Example - Customer master record and child accounts for the customer • Works well for simple data structures only - Problem for joint accounts (i.e., child having two parents)

big data

Refers to the massive amount of data collected from human- and machine-generated sources

Information and Communication

Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

If ULRD ≤ Tolerable Rate of Deviation

Rely on controls as planned Maintain planned level of control risk and detection risk

online prompting

Requests user input or asks questions the user must answer. Includes context-sensitive help. Example: after entering all the input data for a particular customer order, you might be presented with three options: accept the completed screen, edit the completed screen, or reject the completed screen. By forcing you to stop and accept the data, online prompting is advising you to check your data entries before moving on. In addition, many systems provide context-sensitive help, whereby the user is automatically provided with, or can ask for, descriptions of the data to be entered into each input field.

how to determine sample size

Sample size tables in Appendix F.A Process: Select AICPA Sample Size table corresponding to desired risk of overreliance Identify row related to the appropriate expected population deviation rate Identify column related to the appropriate tolerable rate of deviation Determine sample size at junction of row and column

MUS: Evaluating Sample Results (Basic Allowance for Sampling Risk)

Sampling Interval x Confidence Factor $147,804 x 2.31 = $341,427

written approvals

Signature or initials to indicate someone authorized the event. Ensures data input arises from a valid business event and appropriate authorizations have been obtained. Another control aspect of approving an input document is that such an approval segregates authorizing events from recording events. Electronic approvals might be used in some situations, whereby business events are routed, using a computer system's workflow facility, to persons authorized to approve the event. Example: purchase requisitions might be routed for approval to those with budgetary authority.

document/record counts

Simple counts of the number of documents entered (e.g., 25 documents in a batch). This procedure represents the minimum level required to control input completeness (i.e., input the document once). When putting a batch in, physically count the documents when submitting the invoices; if you enter the wrong number, the batch will not process. Supports input accuracy and completeness by making sure you are putting in the right number of documents.

2. define deviation condition

Situation in which a control is not functioning as intended. Examples: shipping documents missing, shipping documents and invoices do not match. Include all the things that indicate the control is not working, not just the most obvious ones.

• Now let's discuss using the top-down approach to database design

Sometimes called event-driven approach • Because it attempts to describe all aspects of the business events and processes under consideration • As opposed to bottom-up (or user-driven) approach • Usually results in better DB design

PCAOB Inspection Results

The Firm failed to perform sufficient substantive procedures to test the [client's] loan charge-offs and recoveries...the sample the Firm used in its testing was too small to provide the necessary level of assurance, as the risk factor the Firm used to calculate its sample size was inconsistent with its own risk assessment. The Firm failed to perform sufficient procedures to test revenue and accounts receivable...in performing tests of details of accounts receivable, the Firm selected a sample only from subsidiary ledgers that exceeded a certain threshold, and therefore a significant portion of accounts receivable was not subject to testing.

When is sampling used?

The need for exact information is less important The number of items comprising the population is large

COBIT 4.1 Definition for Control

The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

organizational governance

The process by which organizations select objectives, establish processes to achieve objectives, and monitor performance. • Processes to achieve the objectives including essential internal controls and monitoring activities are then designed and implemented

• Knowledge management

The process of capturing, storing, retrieving, and distributing the knowledge of the individuals in an organization for use by others in the organization to improve the quality and efficiency of decision making across the firm - Next logical step after DBMS - Why?

turnaround documents

These are used to capture and input a subsequent event. Picking tickets, inventory count sheets, and remittance advice stubs attached to customer invoices are examples. For example, we have seen picking tickets that are printed by the computer, used to pick the goods, and sent to shipping, where the bar code on the picking ticket is scanned to trigger the recording of the shipment. Thus, turnaround documents can facilitate automated data entry. They can be used for the input of individual items rather than batches; in such cases, the scanning computer displays the scanned data, such as items and quantities to be shipped, to the data entry clerk or shipping clerk. If the data has been scanned correctly, the clerk need only press one key or click the mouse button to record the input. Examples: remittance advices and picking tickets.

First Normal Form (1NF)

Unnormalized table - Contains repeating attributes (fields) within each row (or record) • We call these attributes repeating groups • A table is in first normal form (1NF) if it doesn't contain repeating groups. • A primary key that is formed by the combination of two or more columns is called a composite primary key

Discovery Sampling

Used when deviations occur at a very low rate, but are critical in nature • Extremely important controls • Possible existence of fraud. We use the sample sizes from the tables that show an expected population deviation rate of 0%, because in this case the controls are very important or there might be fraud, so we are saying we expect 0 deviations. If you find even one deviation, you stop testing immediately and conclude that the control is not working. If one deviation is identified, the audit team concludes the control is not operating effectively.

Classical Variables Sampling

Uses normal distribution theory and the central limit theorem to provide an estimated range of: Recorded account balance or class of transactions Misstatement in an account balance or class of transactions Basic methodology: Determine estimated range of account balance or misstatement Evaluate using tolerable misstatement

Applications Approach To Business Event Processing

View that concentrates on the process being performed • Data plays a secondary role to the programs • Each application collects and manages its own data files • Data redundancy Same fact in multiple files violates the integrity of the data

policy

A plan or process put into place to guide actions and achieve goals. Applies to company activities in a variety of areas. Whereas law can compel behaviors and enforce penalties for noncompliance, policies merely guide behavior toward the actions that are most likely to achieve desired goals. One major policy area that significantly affects internal control in an organization is the area of personnel policies.

ensure input completeness

All true or authorized transactions are put into the system. Example: there are 48 valid orders to be processed, but the order entry clerk makes a mistake and only requests the processing of 38 orders.

General Controls

Also known as IT general controls; applied to all IT service activities. For example, preventing unauthorized access to the computer system would protect all of the specific business processes that run on the computer (such as order entry/sales, billing/accounts receivable/cash receipts, inventory, payroll, and so on).

erm process

and its components are evaluated, via ongoing management activities, separate evaluations, or both, to determine its effectiveness and to make necessary modifications. For example, business processes put into place to accomplish objectives are reviewed to determine their effectiveness.

business process control plans

applied to a particular business process, such as billing or cash receipts

control effectiveness

are all the control goals achieved

application controls

are automated business process controls contained within IT application systems (i.e., computer programs).

control goals

are business process objectives that an internal control system is designed to achieve

neural networks (NNs)

are computer hardware and software systems that mimic the human brain's ability to recognize patterns or predict outcomes using less than complete information. Used to recognize faces, voices, and handwritten characters, and to sort apples from bad to good.

audit sampling

attributes sampling variables sampling effect of factors on sample size

mus best and worst

Best used when the audit team expects to find few or no misstatements and when overstatement (the existence assertion) is of greatest concern. In contrast, when a relatively large number of misstatements is expected or when understatement (the completeness assertion) is of greater concern, MUS is less effective and we may want to go with some other method.

alternative names for contingency planning include all of the following except:

business disaster planning

Principle 5: Separating Governance From Management

COBIT 5 strongly differentiates governance and management. These two functions have different activities, organizational structures, and purposes. This distinction is critical to COBIT 5. Accordingly, we quote below COBIT 5's definition of these two terms. Governance ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. Management plans, builds, runs, and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Principle 2: Covering the Enterprise End-to-End

COBIT 5's holistic and enterprise orientations make integrating GEIT into overall enterprise governance a top priority. COBIT 5 is not "IT-focused" but instead takes an enterprise-wide view. It covers all functions and processes in the enterprise and views all IT governance and management enablers as applying to the entire enterprise, end to end.

group support systems

Computer-based systems designed to improve various aspects of group work; also called group decision support systems. Support collaborative intellectual work. Use technology to solve the time and place dimension problems associated with group work by creating a virtual meeting for a group. While attending, members of the group work toward completing their tasks and achieving the group's objectives.

which of the following control plans is designed to achieve the goal of input completeness

confirm input acceptance

preformatted screens

Control the entry of data by defining the acceptable format of each data field. Example: a screen might force users to key exactly 9 alphabetic characters in one field and exactly 5 numerals in another field. Or the system may provide drop-down lists of data that are acceptable for a given field, such as shipping methods and sales terms. To facilitate the data entry process, the cursor may require that certain fields be completed, thus preventing the user from omitting any mandatory data. Finally, the system may automatically populate certain fields with data, such as the current date, sales tax rates, and other terms of a business event. This reduces the number of keystrokes required, making data entry quicker and more efficient. Also, with fewer keystrokes and by using the default data, fewer keying mistakes are expected, which makes the data entry more accurate. To ensure that the system has not provided inappropriate defaults, the clerk must compare the data provided by the system with that of the input.

entity level controls

Controls that have a pervasive effect on the entity's system of internal control; also referred to as company-level controls. Levels 1 and 2 of the control hierarchy: control environment and general controls. The standard emphasizes the pervasive effect that entity-level controls have on the achievement of control objectives and the effectiveness of specific controls, such as business process controls. Many of these entity-level controls, including IT general controls, such as controls over computer program development, program change controls, controls over computer operations, and access to programs and data

nonstatistical sampling

Does not allow the audit team to control exposure to sampling risk. When the auditor does not use statistical methods in determining the sample size, selecting the sample, or both, the auditor cannot evaluate the results statistically. In nonstatistical sampling we determine the sample results and use auditor judgment to decide whether there is enough of a cushion between projected population misstatement and tolerable misstatement to allow for sampling risk, which in this case cannot be quantified. We are making a judgment call on whether there is a large enough gap between those two amounts to control for sampling risk, so it is a little less precise.

org gov, as implemented w a framework such as erm, begins w

establishing mission, vision, and purpose; then, strategy and objectives directed at the mission are established and risks are identified. After assessing risks and deciding how to respond to them, controls are put into place to ensure that the responses to the risks are carried out.

personnel control plans

Help to protect an organization against certain types of risks. Example: hiring incompetent employees could result in time and money being wasted on futile training programs. Alternatively, offering employment to an individual unqualified to fill a position may preclude efficient, effective operations or, if the person cannot follow instructions, may lead to inaccurate information processing. Hiring an employee with a prior record of dishonesty exposes the organization to a greater possibility of fraud.

operational errors

Human error when entering inventory or other forms of data. Today's customer orders may be processed against out-of-date (yesterday's) sales order master data, or we may fail to execute some intermediate steps in a process. This may happen if input data are used for more than one application and we fail to use the inputs for all of the intended processes (this should not be a problem with enterprise systems, where one input automatically affects all relevant applications). Some applications (such as in banking) process "memo" updates during the day to immediately reflect activity, such as cash withdrawals; the "real" updates take place overnight in a batch process. If we fail to properly execute the overnight process, the updates may be incomplete or inaccurate.

for org gov, ic are

implemented to help ensure that risk responses are effectively carried out, or the controls themselves are the responses to risks.

Knowledge Management

is the process of capturing, storing, retrieving, and distributing the knowledge of the individuals in an organization for use by others in the organization to improve the quality and efficiency of decision making across the firm. The primary enabler of KM efforts is information technology. It is the logical next step after DBMS in business information systems.

attributes sampling

is used to estimate the extent to which a characteristic (attribute) exists within a population Used during auditors' tests of controls Estimate the rate at which internal control activities are not functioning as intended (deviation conditions) Compare estimated rate to an allowable rate (tolerable rate of deviation)

job description control plans

lay out the responsibilities for each position on an organization chart and identify the resources to be used in performing those responsibilities

manual reconciliation of batch totals

operates as follows: 1. One or more batch totals are established manually. 2. As individual event descriptions are entered, the data entry program accumulates independent batch totals. 3. The computer produces reports that include the relevant control totals, which must be manually reconciled with the totals established prior to the process. 4. The person who reconciles the batch totals must determine why the totals do not agree and make the necessary corrections to ensure the integrity of the input data.

categories of pervasive control plans

Organizational design, policies, monitoring, and IT general controls. Pervasive control plans provide a second umbrella of protection, in addition to the control environment, over all AIS business processes. Pervasive control plans are particularly important because they operate across all business processes and affect a company's capability to meet a multitude of control goals.

even if a malfunction occurs, it is usually detected and corrected automatically. In addition to relying on the controls contained within the computer hardware, organizations should perform regular

preventive maintenance (periodic cleaning, testing, and adjusting of computer equipment) to ensure their equipment's continued efficient and correct operation.

program documentation

Provides a description of an application program and usually includes the program's purpose; program flowcharts; source code listings; descriptions of inputs, data, and outputs; program test data and test results; and a history of program changes and approvals of such changes.

ensure input completeness example

Recording all customer orders in the sales order and inventory master data for all customer orders recorded in the customer orders file.

corrective control plans

Rectify problems that have occurred. Example: if discrepancies are detected, Suprina should have a procedure for resolving the discrepancy. This procedure would constitute a corrective control.

document/record hash totals

Reflect a summarization of any numeric data field within the input document or record, such as item numbers or quantities on a customer order. The totaling of these numbers typically serves no purpose other than as a control. Calculated before and then again after entry of the document or record, this total can be used to determine that the applicable fields were entered accurately. You use this to check any one field across all documents of a certain type; for vendor invoices, for example, the vendor zip code. Pick something numeric and add the values up to get the hash total.

control plans (first level of overall protection)

Reflect information-processing policies and procedures that assist in accomplishing control goals. The control environment appears at the top of the hierarchy, and it comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.

The model that logically organizes data into two-dimensional tables is the:

relational database model

risk assessment

Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis. Two factors to consider: likelihood and impact. Inherent risk exists in the absence of any actions that management might take to reduce likelihood or impact. The financial services industry firms that failed in 2008 either did not identify the investment risks they were facing or did not adequately respond to those risks.

Statistical Sampling

Sampling that applies the laws of probability in selecting sample items and evaluating sample results. Allows the audit team to control exposure to sampling risk; enables the auditor to make quantitative statements about the results and to measure the sufficiency of the evidence gathered. Must follow statistical methods for determining sample size, selecting the sample, and evaluating the results (all three steps). This allows you to quantify sampling risk and make precise decisions on sample results when extrapolating to the population. Projected misstatement can be very close to but still below tolerable misstatement, and we can still determine that the population is not materially misstated, because we have statistically quantified sampling risk with this method.

Factors Affecting Sample Size

sampling risk (risk of overreliance) tolerable rate of deviation expected population deviation rate population size

Searching through rubbish for system information such as passwords is called:

scavenging

the first step, identification and authentication, involves

what is commonly known as the user ID and password. However, passwords are a notoriously weak method for authenticating user identification because, for ease of use, most people choose simple passwords. Free software already exists that can decode simple word passwords in seconds. Employees should be trained to use longer passwords and ones made up of random characters, including letters, numbers, and symbols. Employees should also be instructed not to write down or divulge their passwords.

Plan and Organize Domain: IT Process 2 Develop Tactics to Plan, Communicate, and Manage Realization of the Strategic Vision

• IT steering committee - Coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan • Security officer - Safeguards the IT organization by 1. Establishing employee passwords and access to data, 2. Ensuring the IT organization is secure from physical threats

Acquire and Implement Domain: IT Process 8 Ensure Security and Continuous Service

• Two important aspects of Process 8: - Ensure continuous service - Secure IT assets • Business continuity planning (also known as disaster recovery planning, contingency planning, and business interruption planning) - A process that identifies events that may threaten an organization and provides a framework to ensure that the organization will continue to operate when the threatened event occurs or will resume operations with a minimum of disruption

2012 ACFE Report to the Nation on Occupational Fraud and Abuse

• Typical organization lost 5% of annual revenues to fraud - $3.5 trillion worldwide • Typical fraud was underway 18 months before detection. • Frauds were more likely detected by tips than through audits or internal controls. • Median loss of the 1,388 reported cases was $140,000. • One-fifth of losses were at least $1 million.

Monitor and Evaluate Domain: IT Process 10 Trust Services Principles and Criteria

• WebTrust - Best practices and e-business solutions related to B2B and B2C electronic commerce • SysTrust - Assurance service designed to test and monitor the reliability of an entity's information systems and databases including ERP systems

measuring sample items

• perform appropriate tests of controls -look for presence or absence of control applied by entity -if item cannot be located, consider as a deviation • determine sample rate of deviation number of deviations/sample size
