49 Cards in this Set
any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization is referred to as a
threat or event
the potential dollar loss of a threat is referred to as
exposure or impact
the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved
safeguarding assets, maintaining records, providing accurate and reliable information, providing reasonable assurance that financial reporting is prepared in accordance with GAAP, promoting and improving operational efficiency, encouraging adherence to managerial policies, and complying with laws and regulations
preventative controls would include
hiring qualified accounting personnel, appropriately segregating employee duties, effectively controlling physical access to assets, facilities and information
examples of detective controls
duplicate checking of calculations, bank reconciliations and trial balances
corrective controls include
maintaining backup of transaction and master files and adhering to procedures for correcting data entry errors
internal controls are often segregated into two categories
general controls and application controls
some of the more important general controls are
information systems management controls, security management controls, and IT infrastructure controls
application controls perform what function
prevent, detect, and correct transaction errors and fraud; they are concerned with the accuracy, completeness, validity, and authorization of data captured
new rules under SOX are
auditors must report specific information to the audit committee; audit partners must be rotated periodically; auditors must not perform certain nonaudit services such as bookkeeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services; CEO and CFO must certify that financial statements are fairly presented and not misleading
the four levels of control are
belief system, boundary system, diagnostic control system, interactive control system
this communicates company core values to employees and inspires the employees to live this way
belief system
this helps employees act ethically by setting limits beyond which an employee must not pass
boundary system
this measures company progress by comparing actual performance to planned performance
diagnostic control system
this helps top-level managers with high-level activities that demand frequent and regular attention, such as developing strategy, etc
interactive control system
Control Objectives for Information and Related Technology
COBIT is a framework of generally applicable information systems security and control practices that allows
management to benchmark the security and control practices of the IT environments, users of the IT services to be assured that adequate security and control exist, and auditors to substantiate their opinions on internal control and to advise on IT security and control matters
COBIT framework addresses the issue of control from three dimensions
Business objectives, IT resources and IT processes
What are the seven categories that map into the COSO objectives?
effectiveness, efficiency, confidentiality, integrity, availability, compliance with legal requirements, and reliability
the five interrelated components of COSO's internal control model
control environment, control activities, risk assessment, information and communication, monitoring
The intent of ERM is to achieve all the goals of the control framework and help the organization to
provide reasonable assurance that company objectives and goals are achieved, achieve its financial and performance targets, assess risks continuously and identify steps to take, and avoid adverse publicity and damage
the four types of objectives that management must meet to achieve company goals
strategic objectives, operations objectives, reporting objectives, compliance objectives
high-level goals that are aligned with and support the company's mission
strategic objectives
goals that deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets
operations objectives
help ensure the accuracy, completeness, and reliability of internal and external company reports
reporting objectives
help the company comply with all applicable laws and regulations
compliance objectives
the tone or culture of a company that helps determine how risk conscious employees are is called the
internal environment
ERM ensures that company management puts into place a process to formulate ____,____, ___, and ____
strategic, operations, reporting and compliance objectives that support the company's mission and that are consistent with the company's tolerance for risk
Eight interrelated risks and control components of COSO
Internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, and monitoring
the problem with focusing on controls first is that
it has an inherent bias toward past problems and concerns
COSO is ____ based
risk, not control
the amount of risk a company is willing to accept in order to achieve its goals and objectives.
risk appetite
section 301 of SOX requires that
all public companies have an audit committee composed entirely of outside independent directors
an independent director is
one who does not receive any fees other than board of director fees from the company and is not affiliated with the company or any subsidiary thereof
important aspects of organizational structure include
centralization or decentralization of authority; assignment of responsibility for specific tasks; whether there is a direct reporting relationship or more of a matrix structure; organization by industry, product line, geographical location, or by a particular distribution or marketing network; the way responsibility allocation affects management's information requirements; the organization of the accounting and information system functions; the size and the nature of company activities
some threats that would challenge EDI implementation would be
choosing inappropriate technology; unauthorized system access; tapping into data transmissions; loss of data integrity; incomplete transactions; system failures; incompatible systems
External Event Categories
economic, natural environment, political, social, technological
internal event categories
infrastructure, personnel, process, technology
common techniques companies use to identify events
comprehensive lists of potential events, perform an internal analysis, monitor leading events and trigger points, conduct workshops and interviews, perform data mining and analysis, analyze business processes
the risk that exists before management takes any steps to control the likelihood or impact of a risk is called
inherent risk
residual risk
four ways to respond to risk
reduce, accept, share and avoid
control procedures fall into one of these categories
proper authorization of transactions, segregation of duties, project development and acquisition controls, change management controls, design and use of documents and records, safeguarding assets, records and data, independent checks on performance
an effective segregation of accounting duties is achieved when the following functions are separated
authorization, recording, and custody
authorization is
approving transactions and decisions
recording is
preparing source documents, entering data into online systems, maintaining journals, ledgers, files or databases, preparing reconciliations, and preparing performance reports
custody is
handling cash, tools, inventory, fixed assets, receiving incoming checks, and writing checks
authority and responsibility are divided within the information system into
systems administration, network management, security management, change management, users, systems analysis, programming, computer operations, information system library, and data control
AIS has five primary objectives
identify valid transactions, properly classify transactions, record transactions, record transactions in proper accounting period, present transactions and related disclosures in the financial statements