29 Cards in this Set
- Front
- Back
SSA (strategic systems audit)
|
auditor learns client's strategies, processes, and business risks for a more effective audit
|
|
3 primary phases of SSA
|
1. strategic analysis-external concerns
2. process analysis-internal concerns
3. audit/residual risk analysis-links business risks to objectives of audit
|
|
PEST analysis
|
4 forces: political, economic, social, and technological
|
|
Porter's 5 competitive forces
|
threat of new entrants
bargaining power of buyers
bargaining power of suppliers
threat of substitutes
intensity of competitor rivalry
|
|
CSFs (critical success factors)
|
elements of competitive strategy, product attributes, resources, etc that most affect the ability of the entity to succeed in the marketplace
|
|
KPIs (key performance indicators)
|
Both financial and non-financial measures that an entity uses to monitor and evaluate performance of its critical business processes (typically focused on process cycle time, effectiveness/quality, and efficiency/cost)
|
|
residual risk
|
strategic or process risk that is either uncontrolled by the organization and/or is the risk remaining after considering the extent to which a risk reduction strategy reduces an inherent risk; high leads to increased RMM
|
|
COBIT
|
Control OBjectives for Information and related Technology: basically best practices for IT mgmt
|
|
Information Technology General Controls (ITGC)
|
address the overall operation and activities of the information system and user environment that are pervasive over all or most applications
|
|
Information Technology Application Controls (ITAC)
|
apply to a specific use of the system and should be evaluated separately for each audit area in which the client uses IT
|
|
5 ITGC control areas
|
1. IT management
2. System/program development
3. Data security (physical and online)
4. Program change mgmt
5. Business continuity planning and computer operations
|
|
IT management key concepts
|
IT goals aligned w/ business goals
segregation of duties (structure)
position within the organization
role of internal audit
|
|
application controls
|
computerized steps within the application software to control the processing of transactions; they provide incremental reliance on information produced by an application.
types: input, processing, output
|
|
input controls
|
provide reasonable assurance that input is properly authorized and accurately entered for processing
ex: check digits, record counts, batch totals, etc
|
|
processing controls
|
provide reasonable assurance that transactions are processed accurately and that all transactions are processed once and only once
|
|
output controls
|
provide reasonable assurance that output reflects accurate processing and only authorized people receive output/get access
|
|
auditing 'around' computer
|
for simple computer transactions, is less extensive, there are hard copy source docs, basically reconciling inputs with outputs
|
|
auditing 'through' computer
|
for more complex computer systems, is more extensive, source docs are electronic format, checks each stage in computerized process
|
|
test data
|
a set of fictitious entries, or inputs, that are processed through the client’s computer system under the control of the auditor
|
|
integrated test facility
|
test data commingled with actual data; transactions are manually processed and compared
|
|
parallel simulation
|
1. auditor creates a software program that parallels the logic used in the client's program
2. same data processed through both and compared
|
|
controlled reprocessing
|
audit copy of client's program, reprocesses actual data and results are compared
|
|
types of computer abuse/fraud controls
|
preventative: stop fraud from entering system
detective: identify fraud when it enters system
damage-limiting: reduce monetary impacts of fraud and control to specified levels
|
|
sampling risk
|
risk that the decision made based on the sample differs from the decision that would have been made by examining the population
|
|
causes and controls of sampling risk
|
cause: non-representative sample
controls: appropriate sample size, all items have equal chance of selection, evaluate sample results
|
|
sampling risk: Type I
|
risk of incorrect rejection: risk that the sample supports a conclusion that the balance is not fairly stated when it is
|
|
sampling risk: Type II
|
risk of incorrect acceptance: the risk that the sample supports a conclusion that the balance is fairly stated when it contains material misstatements
|
|
statistical sampling
|
use laws of probability to select sample items and evaluate sample results. these methods measure the auditor's exposure to sampling risk
|
|
non-statistical sampling
|
violate one of the 2 criteria for statistical sampling
|