25 Cards in this Set

  • Front
  • Back
8 related risk and control components
–Internal Environment
–Objective Setting
–Event Identification
–Risk Assessment
–Risk Response
–Control Activities
–Information & Communication
–Monitoring
internal environment
Includes the organization's integrity and ethical values that define the organization (tone at the top).

The most important component of the model, as it is the foundation for all 7 others.

consists of:
–Management’s philosophy, operating style, and risk appetite
–Board of directors
–Commitment to integrity, ethical values, and competence
–Organizational structure
–Methods of assigning authority and responsibility
–Human resource standards
–External influences
objective setting
Process to formulate strategic, operations, reporting, and compliance objectives to support the company’s mission and risk tolerance.

–Begins with why the company exists & what it hopes to achieve (vision/mission)
–Objectives need to be understandable, measurable, prioritized, and aligned with company risk appetite.
–Corporate objectives must be linked to/integrated with sub-unit objectives
----Operating Objectives – are based on management preferences
----Compliance & Reporting Objectives – are based on external entities (SEC, IRS, EPA, etc.)
event identification
consideration of events that may affect the company’s ability to implement its strategy and achieve its objectives.

External Factors:
–Economic
–Natural Environment
–Political
–Social
–Technological

Internal Factors:
–Infrastructure
–Personnel
–Process
–Technology
risk assessment
use of quantitative or qualitative methods to evaluate the likelihood and potential impact of risks.

Companies should:
•Assess inherent risk
•Develop a response
•Then assess residual risk
risk response
management's decision to avoid, reduce, share, or accept identified risk based on risk tolerance level.
control activities
–Policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out.
–Management is responsible for developing a secure and adequately controlled system.
–Management must establish a set of procedures to ensure control compliance and enforcement.
information and communication
includes the collection and communication of data to employees to meet responsibilities.
monitoring
ongoing evaluation and modification of processes to manage risk and help ensure achievement of organizational goals and objectives.
ERM model's 4 ways to respond to risk
•Reduce it – reduce likelihood or impact (which controls?)
•Accept it – do not act to prevent or mitigate
•Share it – transfer some risk to others (e.g. insurance)
•Avoid it – don’t engage in the activity (e.g. exit market)
risk assessment and response flowchart
Identify the events or threats that confront the company -->
Estimate the likelihood or probability of each event occurring -->
Estimate the impact of potential loss from each threat -->
Identify set of controls to guard against threat -->
Estimate costs and benefits from instituting controls -->
Cost/Benefit?
No --> avoid, share or accept risk (loop to top)
Yes --> reduce risk by implementing set of controls to guard against threat (loop to top)
control activity categories
1. Proper authorization of transactions and activities
2. Segregation of duties (Authorization, Recording, Custody)
3. Project development and acquisition controls
4. Change management controls
5. Design and use of documents
6. Safeguard assets, records, and data
7. Independent checks on performance
•Reconciliations
•Analytical review
segregation of accounting duties
achieved when following functions are separated:

authorization
recording
custody
authorization
Approving transactions and decisions.
recording
Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
custody
Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization’s bank account.
AIS authority and responsibility must be clearly divided among these functions
–Systems administration - ensure different parts of IS operate
–Network management – ensure devices are properly linked and the network is continuously operating
–Change management – manage changes of/modifications to IS
–Computer operations – ensure proper processing of data
–Programming – responsible for writing design into programs
–Systems analysts – help identify IS needs and design the IS to meet them
–Users – input/record transactions and use system output
–Security management – ensures IS is adequately protected
–Information systems library – maintains custody of databases & programs
–Data control – monitor collection, approval, flow of work, and reconcile input & output to identify errors
principles of control that should be applied to systems development

(project development and acquisition controls)
–Strategic master plan
–Project controls
–Data processing schedule
–Steering committee
–System performance measurements
–Post-implementation review
change management controls
–Organizations constantly modify their AIS to reflect new business practices and take advantage of IT advances.
–Change management is the process of making sure that changes do not negatively affect:
•Systems reliability
•Security
•Confidentiality
•Integrity
•Availability
design and use of documents and records
–Proper design and use of documents helps ensure accurate and complete recording of all relevant transaction data.
–Form and content should be kept simple to:
•Promote efficient record keeping
•Minimize recording errors
•Facilitate review and verification
–Documents that initiate a transaction should contain a space for authorization.
–Those used to transfer assets should have a space for the receiving party’s signature.
why documents should be sequentially pre-numbered
–To reduce likelihood that they would be used fraudulently.
–To help ensure that all valid transactions are recorded.
a good audit trail facilitates:
–Tracing individual transactions through the system.
–Correcting errors.
–Verifying system output (vouching).
5 primary objectives of an AIS according to the AICPA
(information and communication)
•Identify and record all valid transactions.
•Properly classify transactions.
•Record transactions at their proper monetary value.
•Record transactions in the proper accounting period.
•Properly present transactions and related disclosures in the financial statements.
key methods of monitoring performance
–Perform ERM evaluation
–Implement effective supervision
–Use responsibility accounting
–Monitor system activities
–Track purchased software
–Conduct periodic audits
–Employ a computer security officer or Chief Compliance Officer
–Engage forensic specialists
–Install fraud detection software (neural networks)
–Implement a fraud hotline
internal audit
–Internal audit function should be organizationally independent
•The CAE should report to the audit committee
–Internal audits can detect events including:
•Excess overtime
•Under-used assets
•Obsolete inventory
•Padded expense reimbursements
•Excessively loose budgets and quotas
•Poorly justified capital expenditures
•Production bottlenecks