76 Cards in this Set
Definition of Internal Control
Internal control systems include all of the policies, practices, and procedures employed by the organization to achieve four objectives:
1. to safeguard assets of the firm
2. to ensure the accuracy and reliability of accounting records and information
3. to promote efficiency of the firm's operations
4. to measure compliance with management's prescribed policies and procedures
Modifying Assumptions
>provide a guide to designers and auditors:
-management responsibility: the establishment and maintenance of internal control systems is management's responsibility
-reasonable assurance: the costs of implementing controls to achieve the four objectives should not outweigh the benefits
Exposure and Risk
>an exposure is a weakness in a control system that exposes the organization to risks of injury or loss

Preventive Controls

designed to reduce the opportunities for the commission of errors or fraud
-passive controls: they are integrated into the system in the hopes of preventing errors and fraud before they happen

Detective Controls

designed to detect errors or fraud after they have occurred
-compare what has actually happened with what was supposed to happen


Corrective Controls

measures taken to correct errors, especially material ones, once they have been detected

Trade-off between preventive, detective, corrective controls

-preventive controls stop a bad thing from happening but may restrict employee freedom and initiative
-detective controls do not take effect until the bad thing has happened but may free employees to make timely decisions

COSO Internal Control Framework

-endorsed by PCAOB and SEC
-Committee of Sponsoring Organizations
-5 components, represented in the "COSO Cube":
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities

The Control Environment

-the foundation for the other four components in the COSO framework
-sets the "tone" for the organization, and includes:
-the overall integrity and ethical values of management
-the structure of the organization
-role of the BOD - corporate governance
-management philosophy and operating style

Risk Assessment

-identifies and analyzes the risks faced by the organization and how to manage and control those risks
-risk may arise from the following issues:
~competitive pressures
~new personnel
~new IT
~rapid growth
~new products

Information and Communication

-quality of information in an AIS is critical to effective operations and decision making
-all valid transactions are properly recorded
-information is provided in a timely manner and with appropriate level of detail
-accuracy

Monitoring Activities

-involves the assessment of the quality and completeness of the internal control system
-point in time monitoring
-ongoing monitoring

Control Activities

-the policies and procedures implemented by organizations to address control risks and to ensure the four control objectives are met
-two categories: physical controls and IT controls

Physical Controls

relate to human activities in either a manual or computerized environment

IT controls

relate specifically to the computing environment
-application controls
-general controls

Physical Controls Categories

1. Transaction Authorization
2. Segregation of Duties
3. Supervision
4. Accounting Records
5. Access Control
6. Independent Verification

Transaction Authorization

-to ensure that all material transactions processed are valid

Segregation of Duties

there should be clear and logical division of responsibilities
-ensures no single employee can steal and conceal; no single employee should be allowed to handle all aspects of a single transaction
-general objectives: segregate custody, authorization, and record-keeping (CAR)

Supervision

-compensating control
-often used when there is not an adequate separation of duties and employees must double up on tasks, especially in small organizations
-especially important for computer-based systems where there is a concentration of processing

Accounting Records

all appropriate documents, accounting processing, and record keeping should be maintained from source document to the financial statements with an audit trail

Access Control

-relates to the control over physical access to the assets of the organization
-applies to the data and information assets as well
-only authorized individuals should have access

Independent Verification

-involves the after-the-fact investigation of processing and record keeping
-differs from supervision, which takes place while the activity is being carried out
-conducted by an individual who is not directly involved with the activity

IT Application Controls

-narrowly focused on a specific computerized program application; e.g. accounts payable
-three broad categories:
1. input controls
2. processing controls
3. output controls

Input Controls

procedures employed to ensure data input into the system is valid, accurate, and complete

Check Digits

-input control
-a control digit is derived from the data code and added to it
-the check digit is calculated in advance for the field and appended to the end of the data item
-checks that the data is entered without error
-ex: modulus 11 = multiply each digit by a weight equaling its position + 1 and sum the products; divide the result by 11; then 11 - remainder is the check digit

Missing Data Checks

-input control
-aka completeness checks
-control for blanks or incorrect justifications

Numeric-Alphabetic Checks

-input control
-aka mode check
-verify that characters are in correct form

Limit Checks

-input control
-identify values beyond pre-set limits (only top or bottom)

Range Checks

-input control
-identify values outside upper and lower bounds (measures top and bottom)

Reasonableness Checks

-input control
-compare one field to another to determine if the relationship is appropriate

Validity Checks

-input control
-compares values to known or standard values

Default values

-input control
-pre-populated data to speed data entry

Processing Controls

three categories:
1. batch controls
2. run-to-run controls
3. audit trail controls

Batch Controls

-reconcile system output with the input originally entered into the system (detective and corrective)
-provide assurance that: all records in the batch have been processed, no records in the batch were processed more than once
-based on different types of batch totals:
~record counts: total number of records
~financial totals: total dollar value
~hash totals: sum of non-financial numbers

Audit Trail Controls

numerous logs used so that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements

Output Controls

-exist to minimize the possibility that system output is lost, misdirected, or there is a loss of confidentiality

Exposures to Output Controls

1. errors in the output reports themselves
2. unauthorized individuals may review, steal, copy or misdirect the output

SOX Section 302

-for quarterly and annual financial statements, management must, among other things: certify the internal controls over financial reporting, and provide reasonable assurance as to the reliability of the financial reporting process

SOX Section 404

-in the annual report on internal controls effectiveness, management must, among other things:
~describe the flow of transactions
~assess the design and effectiveness of IC
~assess the potential for fraud
~provide explicit conclusions on the effectiveness of general and financial reporting IC
~identify the framework management used to conduct their IC assessment

Application Controls

apply to specific applications and programs and ensure data validity, completeness and accuracy

General Controls

apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

Audit Implications of SOX Sections 302 and 404

>SOX radically expanded the scope of audit:
-issue new audit opinion on management's IC assessment
-required auditors to test IC
-collect documentation of management's IC tests

External Financial Audit

-external auditors attest to whether a firm's financial statements fairly represent the application of GAAP to the company's economic resources and transactions

Definition of Auditing

a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users

Notable points in the Definition of Auditing

1. auditing is systematic and requires a step-by-step approach to gathering evidence
2. focuses on management's assertion about the financial health of the entity: financial statements
3. relative to criteria: GAAP
4. communicating a result: issue an audit report

The IT Audit

1. audit planning
2. test of controls
3. substantive testing

Audit Planning

-first step in IT audit
-the auditor first gains an understanding of the organization's business and risks

Test of Controls

-second step in IT audit
-determine whether adequate internal controls are in place and are functioning properly; evidence-gathering techniques are employed
-at the end of the test of controls phase, the auditor assesses the quality of the controls in place and the degree of reliance to be placed on these controls

Substantive Testing

-third step in IT audit
-involves detailed investigation of specific account balances and transactions
-the name comes from the idea of "substantiating" the account balances and transactions

IT Governance Controls

-IT governance relates to the organization and the delegation of decision making rights and accountability
-goal: to ensure desirable behavior related to IT

IT governance issues addressed by SOX

1. Organization structure of the IT function
2. Computer center security controls
3. Disaster recovery planning

Organization Structure Controls

-important to separate the following activities within an organization: systems development, computer operations, database administration, systems maintenance, and operational activities (users)

Separating Systems Development from Computer Operations

systems development: analyzing, designing, and programming new applications
data processing: operating the hardware; loading and running software programs for transaction processing; generating system output
>reason to separate these two functions: those with knowledge of programs and access to these programs and hardware could make unauthorized changes to a program and then run the unauthorized program

Separating all IS functions from users

In general, IS operations should not: initiate or authorize user transactions, initiate or authorize updates to master records, initiate or authorize new systems or improvements, or correct errors without user department approval

Separating the Database Administrator from Other Functions

-from the users: the administrator determines security, user access, database usage monitoring, and system planning
-from the system developers: the programmers could manipulate access privileges

Separating New Systems Development (new app) from Maintenance

two problems:
1. inadequate documentation, because programmers find documentation boring and the lack of documentation is a type of job security
2. program fraud, which can occur when programmers make unauthorized changes

Audit Objectives related to organizational structure

-to determine that all incompatible tasks are formally segregated in accordance with the level of potential risk

Tests of controls to achieve audit objectives and procedures relating to organizational structure

-review computer security policy and policy knowledge of responsible employees
-review organizational chart and job descriptions to determine if there is a lack of segregation of duties
-review programmer's user rights and privileges to verify consistency with job descriptions

Computer Center Security Controls

-general controls involve consideration of the following: physical location, construction, access & security, air conditioning, fire suppression system, fault tolerance controls, uninterruptible power supplies

Audit objectives and procedures relating to computer center security

audit objectives: to verify that physical security controls, insurance coverage, operator documentation, and access are adequate

Tests of controls to achieve objectives relating to computer center security

-verify that proper physical construction of fire-proof materials and adequate water drainage has occurred
-verify that fire detection and suppression systems operate correctly and are regularly tested
-verify that the computer center is restricted to authorized personnel by reviewing visitor logs for purposes, duration and frequency of visits

Disaster Recovery Planning

-a disaster recovery plan is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations

Essential Features of a disaster recovery plan

-providing second site backup for replacement data processing capabilities (off site):
~an empty shell aka "cold site"
~a "hot site", higher cost
~an internally operated backup system
-create a disaster recovery team
Audit Objectives relating to disaster recovery planning

to verify that a plan is in place and feasible

Test of controls to achieve objectives relating to disaster recovery planning

-evaluate adequacy of second-site backup for system compatibility and excess capacity
-verify completeness of the critical application list
-verify the existence of off-site backups of all critical applications
-verify the existence of off-site backup supplies, source documents, and documentation

Operating System

the key program that translates user commands to executable computing tasks and manages the many users and resources on the network

Controlling the Operating System: five control objectives

1. protect itself from tampering from users
2. prevent users from tampering with the programs of other users
3. safeguard users' applications from accidental corruption
4. safeguard its own programs from accidental corruption
5. protect itself from power failures and other disasters

Operating System Security

-addresses who can access the OS and related resources
-log-on procedure: first line of defense; user IDs and passwords
-access token: contains key information about the user
-access control list: defines access privileges of users
-discretionary access control: allows user to grant access to another user

Audit Objectives and Procedures relating to Access Privileges and Passwords

-security clearance checks of privileged employees
-logs of users' log-on times, resources accessed, and data changes
-passwords required for all users
-password instructions distributed to all new users
-passwords changed regularly
-password file checked for weak passwords
-encryption of password file
-password standards
-account lockout policies

Audit Objectives and Procedures relating to Viruses and Destructive Programs

-verify effectiveness of procedures to protect against programs such as: viruses, worms, back doors, logic bombs, and Trojan horses
-training of operations personnel concerning destructive programs
-testing of new software prior to being implemented
-currency of antiviral software and frequency of upgrades

Audit Objectives and Procedures relating to System Audit Trails

-this is not an accounting audit trail but a record of access and activity within a system. The focus is on preventing and detecting system abuses.
-unauthorized access detection and audit trails in place
-facilitate event reconstruction
-archived log files for key indicators such as access times and locations
-monitoring and reporting of security violations

Database Control issues

1. Access controls: similar to operating system access, those authorized to use databases are limited to the data needed to perform their duties and unauthorized individuals are denied access to data
2. Backup controls: can adequately recover lost, destroyed, or corrupted data

Access Controls

-user views (subschemas): defined by DB administration, referenced from the user's access token
-database authorization table: allows greater access authority and privileges to be specified; referenced from access token
-user-defined procedures: user creates a personal security program/routine (ex. secret questions for PW reset)
-data encryption: encoding algorithms
-biometric devices: fingerprints, retina prints, or signature characteristics

Network and Communication Control Issues

>Internal and external subversive activities (hacking)
-prevent and detect illegal internal and Internet network access
-render useless any data captured by perpetrator
-preserve the integrity and physical security of data connected to the network
>equipment failure
-ensure the integrity of electronic commerce transactions by determining that controls are in place to detect and correct message loss due to equipment failure
Controlling Subversive Threats

-firewalls: provide security by channeling all network connections through a control gateway
-network level firewalls: low cost and low security access control; do not explicitly authenticate outside users; filter junk or improperly routed messages; experienced hackers can easily penetrate the system
-application level firewalls: customizable network security, but expensive; includes sophisticated functions such as logging or user authentication
-encryption: computer program transforms a clear message into a coded text form using an algorithm
-private key encryption: the decoding key is the inverse of the coding key
-public key encryption: the decoding key is not the inverse of the coding key; this allows the receiving party to safely maintain the decoding key and to distribute the encoding key to all possible senders; when a sender encrypts the data with the public key, only the receiving party can decode the message
-digital signature: electronic authentication technique to ensure that the transmitted message originated with the authorized sender and was not tampered with after the signature was applied
-digital certificate: like an electronic identification card used with a public key encryption system; verifies the authenticity of the message sender
-message sequence numbering: numbers the transmissions so missing or duplicate messages can be detected
-call-back devices: require the dial-in user to enter a password and be identified; the system then breaks the connection and calls the user's authorized number for a connection; this control helps eliminate unauthorized intruders masquerading as legitimate users

Backup Controls

-database backup: automatic periodic copy of data
-transaction log: list of transactions which provides a system audit trail
-checkpoint features: suspends data during system reconciliation
-recovery module: restarts the system after a failure