UGA ACCT 5310 Midterm
COBIT audience
-Management: to help them balance risk and control investment in an IT environment -Auditors: to provide a framework to assist them to come to an opinion on the level of assurance on the particular subject matter being audited
Online/real-time processing
-as it occurs -data is more timely -provides competitive advantages
batch processing
-periodic updates -cheaper and more efficient -lack of timely/updated data -typically used for processes not needing timely data (ex: payroll)
data is captured about
-the event/activity that occurred -the resources affected by the event/activity -the people who participated
important SOX aspects
1) PCAOB 2) Rules for auditors 3) Roles for audit committees 4) Rules for management 5) Internal control requirements
Two fundamentals of Security
1) Security is a management issue, not just an IT issue 2) Defense in depth: Employing multiple layers of controls in order to avoid having a single point of failure
Input controls
1) data entry controls 2) batch processing data entry controls 3) online data entry controls
3 principles of information and communications systems
1) obtain or generate relevant, high quality information to support internal control 2) internally communicate information, such as objectives and responsibilities, to support other components of internal control 3) communicate internal control matters externally
Internal Controls Primary Functions
1) preventive controls 2) detective controls 3) corrective controls
COSO Control Activities
1) proper authorization of transactions and activities 2) segregation of duties 3) design and use of documents and records 4) safeguarding of assets, records, and data 5) independent check on performance 6) project development and acquisition controls 7) change management controls
expenditure cycle journals
1) purchase journal 2) cash disbursements journal
revenue cycle journals
1) sales journal 2) cash receipts journal
4 general guidelines for adequate segregation of duties
1) separate custody of assets from accounting 2) separate authorization from custody of related assets 3) separate operational responsibilities from record-keeping 4) separate IT duties from user departments
6 components of an AIS
1) the people who use the system 2) the procedures and instructions used to collect, process, and store data 3) the data about the organization and its business activities 4) the software used to process the data 5) the information technology infrastructure, including the computers, peripheral devices, and network communications devices used in the AIS 6) the internal controls and security measures that safeguard AIS data
HRM (HCM)/Payroll Cycle
1) update payroll master database 2) validate time and attendance 3) prepare payroll 4) disburse payroll 5) disburse payroll taxes and deductions
internal control objectives
1. Safeguard assets 2. Ensure accuracy and reliability of accounting records (data) and information 3. Promote efficiency in the firm's operations 4. Measure compliance with management's prescribed policies and procedures and/or laws and regulations
Online Data Entry Controls
1. prompting 2. closed-loop verification 3. transaction log
revenue Cycle
1. Sales Order Entry 2. Shipping 3. Billing 4. Cash Collection 5. Sales Return (if applicable)
COBIT 5
describes best practices for effective governance and management of IT. Main point is to separate governance from management.
primary key
A field (or group of fields) that uniquely identifies a given entity in a table
Database
A set of interrelated, centrally coordinated data files (stored without redundancy)
file
A set of logically related records, such as the sales orders of all customers
accounting information system
A system that collects, records, stores, and processes data to produce information for decision makers.
record
All the fields containing data about one occurrence within the entity (e.g., one student)
rules for audit management
CEO and CFO certifications on financial statements and system of internal controls
data processing
CRUD -creating new data records (ex: new employee is hired) -reading, retrieving or viewing existing data (reviewing month end balances) -updating previously stored data (updating credit limits for a customer) -deleting data (purging vendor records from the vendor master file - no activity for X time period)
data input (collection)
Capturing transaction data, usually triggered by a business activity
Blanket Purchase Order
Commitment to purchase specified items at designated prices from a particular supplier for a set time period, e.g. one year.
COSO
Committee of Sponsoring Organizations
turnaround document
Company data sent to an external party and then returned to the system as input
CIRT
Computer Incident Response Team. A group of experts that respond to security incidents. Also known as CERT, SIRT, or IRT.
COBIT
Control Objectives for Information and Related Technology •IT auditors and managers have embraced COBIT as a framework for designing and implementing control over their IT. •COBIT is increasingly adopted as a control framework for compliance purposes for three reasons: •Suggests a comprehensive set of risks and controls for IT processes •Control objectives have been mapped to COSO •Has been mapped to popular ERP systems such as SAP, Oracle, and PeopleSoft
ETL Process
Extract, Transform, Load
Redundancy Issues
For example: if customer pays 5 times on 1 bill, customer information must be re-entered 5 times. This increases file maintenance.
Change management controls
Formal process used to ensure that changes to hardware, software or processes do not reduce systems reliability.
fields
Information about the attributes of an entity (e.g., 810 number and birth date)
Proper authorization of transactions & activities
Only certain people are authorized (or allowed) to perform activities.
Vendor Managed Inventory (VMI)
Outsources much of the inventory control and purchasing function to suppliers who have access to sales and inventory data in order to replenish inventory.
Segregation of duties
Segregating duties reduces the opportunity for someone to commit and conceal fraud (or errors)
Independent checks on performance
Someone who did not perform the initial transaction should review to ensure it was processed accurately.
production cycle
Transforming raw materials and labor into finished products
the 5 V's of big data
Volume, Velocity, Variety, Veracity, Value
Design & use of documents and records, and data entry screens.
Well-designed forms and records help ensure transaction data is recorded completely and accurately. •Should include space for authorization •When appropriate, documents should be sequentially pre-numbered, or the system should generate the numbering.
narrative
Written, step-by-step explanation of system components and how they interact
big data
a collection of data sets that are so large or complex that it is impossible to analyze them with traditional databases and tools.
Data Flow Diagram (DFD)
a graphical description of the flow of data within an organization, including data sources/destinations, data flows, transformation processes, and data storage
trial balance
a listing of the name and balance of each account in the general ledger. It is an internal report showing which accounts have debit and credit balances and proves that the totals are equal
analytics
a means of extracting value from data
business process
a set of related, coordinated, and structured activities and tasks that are performed by a person, a computer, or a machine, and that help accomplish a specific organizational goal
System
a set of two or more interrelated components or subsystems that interact to achieve a goal or common purpose
audit trail
a traceable path of a transaction through a data processing system from point of origin to final output, or backward from final output to point of origin
foreign key
an attribute in a table that is also a primary key in another table
Event
an incident or occurrence due to an internal or external force which impacts achievement of objectives
control
any action taken to mitigate or manage risk and increase the probability that the business/process will achieve its goals and objectives. NOT A POLICY STATEMENT OR A PROCESS
update anomaly
any change must be made to every record containing customer information (or else there will be inconsistency). For example, what if the customer's address changes?
threat
any potential adverse occurrence or unwanted event that could injure the AIS or the organization
entity
anything about which the organization wishes to store data.
each column in a database
attribute •Contains information about the entity attributes, ex: name, address, customer number, etc.
how does the amount in a journal affect the balances on the trial balance?
balance in the beginning trial balance +/- total from corresponding journal = individual account balance on trial balance
why are there gaps between account numbers?
because over time organizations might need to add account numbers and this allows for future growth
block codes
blocks of numbers reserved for a purpose ex: product code
changes in subsystems
cannot be made without considering impact on other subsystems or the main system
information and communication systems
capture and exchange information needed to conduct, manage, and control operations
internal control requirements
companies must issue a report stating that management is responsible for establishing and maintaining an adequate internal control system
sequence codes
consecutive numbering ex: PO#s
general ledger
contains summary-level data for every type of account: asset, liability, equity, revenue, and expense
subsidiary ledger
contains the details related to a given general ledger account
application controls
controls that prevent, detect, and correct transaction errors and fraud in application programs
internal environment
culture of an organization ex: management's philosophy
Insert anomaly
customer information cannot be entered unless there is a related purchase. We may have a new customer we want to enter, but they have not yet made a purchase.
information
data that has been organized and processed to be useful
COSO Internal Control Integrated Framework (IC)
defines internal controls and provides guidance for evaluating and enhancing internal control systems -controls-based model; very focused on internal controls
subsystems
designed to achieve their own, lower-order goal
general controls
designed to make sure an organization's information system and control environment are stable and well managed ex: IT security, IT infrastructure, software acquisition, maintenance and development
preventive controls
deter problems before they arise
variety
different forms of data
detective controls
discover problems that haven't been prevented
Data Entry Controls
checks applied every time data is entered •Field Check •Sign Check •Limit Check •Range Check •Size Check •Completeness Check •Validity Check •Reasonableness Test •Check Digits and Check Digit Verification
data
facts about the transaction ex: activities that take place, resources affected by the activities, people who participate in the activity
Physical view of database
specifies exactly how and in what format every value is physically stored
velocity
frequency of incoming data
revenue cycle
goods and services are sold for cash or a future promise to receive cash
inherent risk
gross risk; absent any actions/controls by management
lower goals
help the organization achieve the higher-level goals
human resources / payroll cycle
hiring, training, and paying employees
The logical view of a database:
how users conceptually organize and understand the relationships between the entries in a database
Corrective Controls
identify and correct problems as well as correct and recover from the resulting errors
document flowchart
illustrates the flow of documents and data among areas of responsibility within an organization
two elements of risk
impact and likelihood
loading data
includes knowing which tool the data should be loaded into for the most efficient and effective analysis
roles for audit committees
independence from the company, financial expertise
Enterprise Resource Planning (ERP) Systems
integrate all aspects of a company's operations with a traditional AIS
data transformation (cleansing)
involves converting data from one format to another to load it into an analytics tool. •This includes making certain that only the data needed is extracted and that this data is complete and accurate. •Data cleansing needs to be performed both before and after the data loading process.
mnemonic codes
letters and numbers ex: item#D300W05
journal
lists a set of transactions that arise from similar business events (i.e. in the same transaction cycle) following a chronological order
residual risk
net risk; remaining risk after management's risk response
financing cycle
obtaining funds from investors and repaying them
Expenditure Cycle
ordering, receiving, approving supplier invoices, cash disbursement
Enterprise Risk Management (ERM)
organizations need a methodology to assess and measure risk so they can address it and implement controls to reduce the risk
PCAOB
oversight board for the auditing profession. sets auditing standards.
service organizations
perform outsourced services for a User Entity (customer), that the User Entity would otherwise need to perform themselves, ranging from performing a specific task under the direction of an entity to replacing an entity's entire business unit or function
Control Activities
policies, procedures, and rules that provide reasonable assurance that control objectives are met and risks are reduced to an appropriate level
Batch Processing Data Entry Controls
processes a large amount of entries periodically •Sequence Check •Batch Totals •Financial Check •Hash Total •Record Count
general journal
records infrequent or non-routine transactions ex: bad debt, prepaid insurance
specialized journal
records large numbers of repetitive transactions ex: sales, cash receipts, cash disbursements
rules for auditors
report specific information to audit committees, prevents auditors from performing certain services, rules about ex-auditors working at the company and about the audit firm doing the work
volume
scale of data
Customer relationship management systems (CRM)
software that organizes information about customers in a manner that facilitates efficient and personalized service
data is collected from
source documents
COSO ERM Framework
speaks to the process that a BOD or management uses to set strategy, identify threats and risks, manage those risks, and provide reasonable assurance that a company meets its goals -risk-based model
data storage / management
storing, retrieving, deleting data
Delete anomaly
the deletion of a record results in the loss of all the customer information. If a customer only had one sale with us, if we delete that record, we eliminate all information about the customer.
impact
the exposure or dollar loss should a threat become a reality
monitoring
the internal control system is continuously monitored, evaluated and modified
data processing cycle
the operations performed on data to generate meaningful and relevant information
likelihood
the probability that a threat will come to pass
internal controls
the processes and procedures implemented to provide reasonable assurance that control objectives are met
coding
the systematic assignment of numbers or letters to classify and organize items/data
third normal form (3NF)
the tables are free of the update, insert and delete anomalies. 1. Eliminate repeating groups •Any related attributes that might be repeated in several rows should be put in a separate table. 2. Eliminate redundant data 3. Eliminate columns not dependent on the primary key
risk
the threat that an event, action or non-action could adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully
each row in a database
tuple •Represents a unique entity or record, ex: a customer record
veracity
uncertainty of data
group codes
using two or more subgroups to define a digit position ex: position 3 = color
When the invoice is received, AP reconciles:
•(1) The invoice •(2) The P.O. •(3) The receiving report •These 3 documents make up the Voucher Package •This is a 3-way match
Database advantages
•Data Integration - one central data "pool" that many applications can access •Data Sharing - with authorized users •Minimize data redundancy and data inconsistency - "one version of the truth" •Data Independence - keeping data separate from application programs •Cross-functional Analysis - define and use relationships for management and decision-making. For example: analysis of revenues and selling costs associated with a promotional campaign.
Processing Controls
•Data matching •File labels •Recalculation of batch totals •Cross footing and zero balance tests •Write-protection mechanisms •Concurrent update controls
Safeguarding of assets, records and data.
•Establish and enforce policies & procedures •Maintain accurate records of assets •Restrict physical access to assets and systems •Protect records and documents, including restricting access to what information an individual can electronically access
Project Development and Acquisition Controls
•Executive Sponsorship •Steering Committee •Project Development Planning •Project Schedule •System Performance Measurements •Post-implementation review
Two-way match or Evaluated Receipt Settlement (ERS)
•Invoiceless approach •Match PO and receiving report •Based on this information, the system calculates the amount owed (quantity received on receiving report x purchase prices from PO) •Pay the supplier
information output (generation)
•Monitors/Devices (soft copy) •Documents (hard copy): e.g. checks, invoices, purchase orders •Reports: internal/external users (e.g. monthly sales report, financial statements). These could be hard copy or soft copy. •Query: specific requests, rapid action/decision making (e.g. highest selling item of the year in the southeast) •One-time •Repetitive (report?...)
Output Controls
•User Review •Reconciliation Procedures •External data reconciliation •Data Transmission •Checksums •Parity bits
extraction of data
•What data to ask for •How to ask for data •What format the data needs to be in