38 Cards in this Set
Primary Objective of AIS (Ch. 4 Intro)
Control a Business Organization
Role of Accountants (2 fold)
1. Taking a proactive approach to reducing system threats
2. Detecting, Correcting, & Recovering from threats when they occur
(Accountants should be members of the teams that develop, evaluate, or modify IS)
What is Internal Control
Process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the company's control objectives are achieved
Why only reasonable Assurance provided by Internal Control?
Because complete assurance is difficult or impossible to achieve and is prohibitively expensive
Internal Control Objectives (7)
1. Safeguard Assets (including data)
2. Maintain records in sufficient detail to reflect company assets accurately
3. Provide accurate and reliable information
4. Prepare financial reports in accordance with established criteria (GAAP, tax code)
5. Promote and improve operational efficiency
6. Encourage adherence to prescribed managerial policies
7. Comply with applicable laws and regulations
Limitations to Internal Control Systems
1. Susceptible to simple errors and mistakes
2. Overridden by management
3. Circumvented by collusion of two or more employees
- Objectives are sometimes in conflict with each other (safeguarding assets can decrease operational efficiency)
Types of Controls (3)
1. Preventive: deter problems before they arise
2. Detective: discover problems quickly when they do arise
3. Corrective: Remedy problems that have occurred (ID, Correct errors, Modify)
Categories of Controls (2)
1. General Controls - ensure organization's control environment is stable and well managed
2. Application Controls - make sure transactions are processed correctly, concerned with accuracy, completeness, validity, and authorization of the data captured --> reporting of data
1977 Foreign Corrupt Practices Act
Requires corporations to maintain good systems of internal accounting control
1992: COSO's IC framework
-Establishes a common definition of internal control and describes its 5 components
-Provides guidance for evaluating and enhancing internal control systems
COSO's IC framework Components (5)
1. Control Environment
2. Control Activities
3. Risk assessment
4. Information and communication
5. Monitoring
1996: COBIT framework - known as?
Known as: Control OBjectives for Information and related Technology framework
- Generally applicable information systems security and control practices for IT control
The COBIT framework allows:
- Management to benchmark security and control practices
- Users to be assured that adequate security and control exists
- Auditors to substantiate their opinions on internal control and advise on IT security and control matters
2002: Sarbanes-Oxley Act Objectives (5)
1. Prevent financial statement fraud
2. Make financial reports more transparent
3. Protect investors
4. Strengthen internal controls
5. Punish executives who perpetrate fraud
SOX Audit Committee Requirements
- Mandatory for Public Companies
- All audit committee members must be on the BoD AND be independent of the company (no compensation)
- At least one member must be a financial expert
SOX Section 404 Requires:
- Management is responsible for establishing and maintaining adequate internal controls
- The report contains management's assessment of the company's internal controls (this drove the rise in COSO's popularity)
- An attestation to the accuracy of the internal controls, including disclosure of significant defects or material noncompliance found during the tests
SOX Auditor Requirements
-Attest to, and report on, management's internal control assessment
-Auditors must report specific information to the audit committee
-Auditors must not perform certain non-audit services
-Audit partners (not firms) must be rotated periodically
2004: COSO's ERM framework did what:
- Enhanced Corporate Governance Document
- Expands on elements of COSO's 1992 framework
- Provides a focus on the broader subject of enterprise risk management
- Framework consists of 4 objectives across different levels of the organization and includes 8 interrelated components
COSO IC vs ERM Framework (4)
- IC framework has too narrow a focus
- IC systems often have controls that protect against items that are no longer risks
- Risk should be evaluated first, before controls
- There are responses to risk other than controls
ERM Framework Types of Company Objectives (4)
1. Strategic Objectives: high-level goals that are aligned with and support the company's mission
2. Operations Objectives: deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets
3. Reporting Objectives: help ensure the accuracy, completeness, and reliability of internal and external company reports, both financial and non-financial in nature; improve decision-making and allow company activities and performance to be monitored more efficiently
4. Compliance Objectives: Help the company comply with applicable laws and regulations
ERM Component: 1/8 Internal Environment
-Establishes the tone or culture of the company
-Influences the control awareness of the company's employees
-Top management support of strong internal control environment is critical
-A weak or deficient internal environment often results in control breakdowns
FACTORS: management's philosophy, attention and direction of the BoD, commitment to integrity, organizational structure and methods, HR standards
ERM Component: 2/8 Objective Setting
Ensures that management implements a process to formulate strategic, operations, reporting, and compliance objectives that support the company's mission and are consistent with the company's tolerance for risk
-Provide guidance to companies as they ID risk-creating events and assess and respond to those risks
ERM Component: 3/8 Event Identification
-Management should develop a list of external and internal events that may affect the company's ability to implement its strategy and achieve its objectives
- MUST DETERMINE if RISKS (neg. impact) or OPPORTUNITIES (pos. impact) exist
- how do you gather information on this?
ERM Component: 4/8 Risk Assessment
-Risks are assessed to determine how to manage them and their potential impact (using qualitative and quantitative methods)
- Likelihood (probability) and Impact ($ loss)
- Risk: 1. Inherent (exists before management takes any steps) 2. Residual (risk that remains after)
ERM Component: 5/8 Risk Response (4)
1. Reduce: implement an effective system of internal, cost-effective, controls
2. Avoid: do not engage in risk producing activity
3. Share: buy insurance or outsource the activity
4. Accept: do nothing to prevent or mitigate the risk
ERM Component: 6/8 Control Activities!!!
Established throughout the various levels and functions of the organization:
- Proper authorization of transactions and activities
- Segregation of Duties: 1. Authorization (approving transactions and decisions), 2. Recording (preparing, maintaining), 3. Custody (handling cash, tools, inventory, assets, receiving/writing checks) *Giving one person more than one of these responsibilities, or collusion, overrides segregation of duties
EX: Systems analysts should never make changes to or have access to live systems
EX: End users should never access code
EX: Project development and acquisition controls
ERM Component: 7/8 Information and Communication
- Providing company's personnel with understanding of roles and responsibilities pertaining to internal control
- Effective communication should FLOW DOWN, ACROSS, and UP the company
ERM Component: 8/8 Monitoring
- The process that assesses the quality of internal control performance over time
- Involves evaluating the design and operation of controls on a timely basis and initiating corrective action when they are not functioning correctly