49 Cards in this Set
any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization is referred to as a
|
threat or event
|
|
the potential dollar loss of a threat is referred to as
|
exposure or impact
|
|
the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved
|
safeguarding assets, maintaining records, providing accurate and reliable information, providing reasonable assurance that financial reporting is prepared in accordance with GAAP, promoting and improving operational efficiency, encouraging adherence to managerial policies, and complying with laws and regulations
|
|
preventative controls would include
|
hiring qualified accounting personnel, appropriately segregating employee duties, and effectively controlling physical access to assets, facilities and information
|
|
examples of detective controls
|
duplicate checking of calculations, bank reconciliations and trial balances
|
|
corrective controls include
|
maintaining backup of transaction and master files and adhering to procedures for correcting data entry errors
|
|
internal controls are often segregated into two categories
|
general controls and application controls
|
|
some of the more important general controls are
|
information systems management controls, security management controls, and IT infrastructure controls
|
|
application controls perform what function
|
prevent, detect and correct transaction errors and fraud; they concern themselves with the accuracy, completeness, validity and authorization of data captured
|
|
new rules under SOX are
|
auditors must report specific information to the audit committee; audit partners must be rotated periodically; auditors must not perform certain nonaudit services such as bookkeeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services; the CEO and CFO must certify that financial statements are fairly presented and not misleading
|
|
the four levels of control are
|
belief system, boundary system, diagnostic control system, interactive control system
|
|
this communicates company core values to employees and inspires the employees to live this way
|
belief system
|
|
this helps employees act ethically by setting limits beyond which an employee must not pass
|
boundary system
|
|
this measures company progress by comparing actual performance to planned performance
|
diagnostic control system
|
|
this helps top-level managers with high-level activities that demand frequent and regular attention, such as developing strategy
|
interactive control system
|
|
COBIT
|
Control Objectives for Information and Related Technology
|
|
COBIT is a framework of generally applicable information systems security and control practices that allows
|
management to benchmark the security and control practices of IT environments, users of IT services to be assured that adequate security and control exist, and auditors to substantiate their opinions on internal control and to advise on IT security and control matters
|
|
COBIT framework addresses the issue of control from three dimensions
|
Business objectives, IT resources and IT processes
|
|
the seven information criteria that map into the COSO objectives are
|
effectiveness, efficiency, confidentiality, integrity, availability, compliance with legal requirements, and reliability
|
|
the five interrelated components of COSO's internal control model
|
control environment, control activities, risk assessment, information and communication, monitoring
|
|
The intent of ERM is to achieve all the goals of the control framework and help the organization to
|
provide reasonable assurance that company objectives and goals are achieved, achieve its financial and performance targets, assess risks continuously and identify steps to take, and avoid adverse publicity and damage
|
|
the four types of objectives that management must meet to achieve company goals
|
strategic objectives, operations objectives, reporting objectives, compliance objectives
|
|
high-level goals that are aligned with and support the company's mission
|
strategic objectives
|
|
goals that deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets
|
operations objectives
|
|
help ensure the accuracy, completeness, and reliability of internal and external company reports
|
reporting objectives
|
|
help the company comply with all applicable laws and regulations
|
compliance objectives
|
|
the tone or culture of a company that helps determine how risk-conscious employees are is called the
|
internal environment
|
|
ERM ensures that company management puts into place a process to formulate ____,____, ___, and ____
|
strategic, operations, reporting and compliance objectives that support the company's mission and that are consistent with the company's tolerance for risk
|
|
Eight interrelated risks and control components of COSO
|
Internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, and monitoring
|
|
the problem with focusing on controls first is that
|
it has an inherent bias toward past problems and concerns
|
|
COSO is ____ based
|
risk, not control
|
|
the amount of risk a company is willing to accept in order to achieve its goals and objectives
|
risk appetite
|
|
section 301 of SOX requires that
|
all public companies have an audit committee composed entirely of outside independent directors
|
|
an independent director is
|
one who does not receive any fees other than board of director fees from the company and is not affiliated with the company or any subsidiary thereof
|
|
important aspects of organizational structure include
|
centralization or decentralization of authority; assignment of responsibility for specific tasks; whether there is a direct reporting relationship or more of a matrix structure; organization by industry, product line, geographical location, or by a particular distribution or marketing network; the way responsibility allocation affects management's information requirements; the organization of the accounting and information system functions; the size and the nature of company activities
|
|
some threats that would challenge EDI implementation would be
|
choosing inappropriate technology, unauthorized system access, tapping into data transmissions, loss of data integrity, incomplete transactions, system failures, and incompatible systems
|
|
External Event Categories
|
economic, natural environment, political, social, technological
|
|
internal event categories
|
infrastructure, personnel, process, technology
|
|
common techniques companies use to identify events
|
using comprehensive lists of potential events, performing an internal analysis, monitoring leading events and trigger points, conducting workshops and interviews, performing data mining and analysis, and analyzing business processes
|
|
the risk that exists before management takes any steps to control the likelihood or impact of a risk is
|
inherent risk
|
|
the risk that remains after management implements internal controls to reduce the likelihood or impact of a risk is
|
residual risk
|
|
four ways to respond to risk
|
reduce, accept, share and avoid
|
|
control procedures fall into one of these categories
|
proper authorization of transactions, segregation of duties, project development and acquisition controls, change management controls, design and use of documents and records, safeguarding assets, records and data, independent checks on performance
|
|
an effective segregation of accounting duties is achieved when the following functions are separated
|
authorization, recording, and custody
|
|
authorization is
|
approving transactions and decisions
|
|
recording is
|
preparing source documents, entering data into online systems, maintaining journals, ledgers, files or databases, preparing reconciliations, and preparing performance reports
|
|
custody is
|
handling cash, tools, inventory, fixed assets, receiving incoming checks, and writing checks
|
|
authority and responsibility within the information system are divided into
|
systems administration, network management, security management, change management, users, systems analysis, programming, computer operations, information system library, and data control
|
|
AIS has five primary objectives
|
identify valid transactions, properly classify transactions, record transactions, record transactions in the proper accounting period, and present transactions and related disclosures in the financial statements
|