57 Cards in this Set
Main US Framework |
Internal Control - Integrated Framework - COSO - Committee of Sponsoring Organizations |
|
Main Canada Framework |
Guidance on Control Referred to as CoCo based on its original title Criteria of Control - Canadian Institute of Chartered Accountants |
|
5 COSO Components |
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring |
|
3 COSO Categories of Objectives |
Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with Laws and Regulations |
|
4 CoCo Components |
Purpose
Commitment
Capability
Monitoring and Learning |
|
What is COBIT |
Best-known control and governance framework addressing IT |
|
5 COBIT Principles |
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management |
|
COBIT - 3 components of value creation |
Realization of benefits
Optimization (not minimization) of risk
Optimal use of resources |
|
COBIT - 7 Categories of Enablers That Support Comprehensive IT Governance and Management |
1. Principles, policies, and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics, and behavior
5. Information
6. Services, infrastructure, and applications
7. People, skills, and competencies |
|
Why are COBIT enablers interconnected |
Each enabler needs the input of other enablers to be fully effective
Each enabler delivers output for the benefit of other enablers |
|
COBIT - Governance vs Management |
Governance - setting of overall objectives and the monitoring of progress toward those objectives
Management - carrying out of activities in pursuit of enterprise goals |
|
eSAC |
Electronic Systems Assurance and Control |
|
eSAC Inputs |
Mission
Values
Strategies
Objectives |
|
eSAC Outputs |
Results
Reputation
Learning |
|
eSAC Broad Control Objectives |
Operating Effectiveness and Efficiency
Reporting of Financial and Other Management Information
Compliance with Laws and Regulations
Safeguarding of Assets |
|
eSAC IT Business Assurance Objectives |
Availability
Capability
Functionality
Protectability
Accountability |
|
Equation to Assess Vulnerability |
V = P x S
Vulnerability (V) is the product of the probability of occurrence (P) and the significance of the occurrence (S) |
|
COSO - Three categories of interrelated organizational objectives |
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations |
|
COSO - Components of Internal Control |
The Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring |
|
COSO - Control Activities |
Policies and procedures that help ensure management directives are carried out |
|
COSO - Risk Assessment |
The identification and analysis of relevant risks to the achievement of the objectives. Forms a basis for determining how the risks should be managed |
|
COSO - Information and Communication |
Pertinent information must be identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities |
|
COSO - Monitoring |
Internal control systems need to be monitored. This process assesses the quality of the system's performance over time |
|
COSO - Control Environment |
Sets the tone of an entity and influences the control consciousness of its personnel. It is the foundation for all other components of internal control, providing discipline and structure |
|
COSO - Define ERM |
A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives |
|
COSO - Define Risk |
The possibility that an event will occur and adversely affect the achievement of objectives |
|
COSO - Inherent Risk |
The risk in the absence of a risk response |
|
COSO - Residual Risk |
The risk after a risk response |
|
COSO - Risk Appetite |
The amount of risk an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy and influences the entity's culture and operating style. Considered in evaluating strategies, setting objectives, and developing risk management methods |
|
What does the internal environment reflect? |
Risk management philosophy
Risk appetite
Integrity
Ethical values
Overall environment |
|
What does ERM ensure? |
That a process is established
Objectives align with the mission and risk appetite |
|
5 Strategies for Risk Response |
1. Risk avoidance ends the activity from which the risk arises
2. Risk retention accepts the risk of an activity. This term is synonymous with self-insurance
3. Risk reduction (mitigation) lowers the level of risk associated with an activity
4. Risk sharing transfers some loss potential to another party
5. Risk exploitation seeks risk to pursue a high return on investment |
|
Senior Management Role in ERM |
- CEO has ultimate responsibility for ERM
- Ensure that sound risk management processes are in place and functioning
- Determines the risk management philosophy |
|
Board of Directors Role in ERM |
- Oversight role. Determine that risk management processes are in place, adequate, and effective
- Directors' attitudes are a key component, and the board must possess certain qualities:
--- Majority should be outside directors
--- Should have years of experience in the industry or in corporate governance
--- Must be willing to challenge management's choices |
|
ERM - Chief Risk Officer |
Appointed to coordinate the entity's risk management activities. A member of, and reports to, the risk committee |
|
ERM - Internal Auditors |
Determine whether risk management processes are effective |
|
ERM - How Do Internal Auditors determine the effectiveness of risk management processes |
A judgment resulting from the assessment that:
a) Entity objectives support and align with the mission
b) Significant risks are identified and assessed
c) Appropriate risk responses are selected that align risks within the risk appetite
d) Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities |
|
ERM Limitations |
Limitations arise from:
1. Faulty human judgment
2. Cost-benefit considerations
3. Simple errors or mistakes
4. Collusion
5. Management override of ERM decisions |
|
Implementation Standard 2120.A1 - Internal Audit Activity must evaluate risk exposures related to governance, operations and information systems regarding the: |
- Achievement of organization's strategic objectives
- Reliability and integrity of financial and operational information
- Effectiveness and efficiency of operations and programs
- Safeguarding of assets
- Compliance with laws, regulations, policies, procedures, and contracts |
|
Implementation Standard 2120.A2 - w/r/t Fraud |
The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk |
|
Define Fraud |
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage |
|
Effects of Fraud |
Monetary losses
Time
Productivity
Reputation
Customer relationships |
|
Causative Factors of Fraud |
Pressure/incentive - a need that the perpetrator seeks to satisfy by committing the fraud
Opportunity - the ability to commit the fraud
Rationalization - the perpetrator's ability to justify the fraud in his or her own mind |
|
Principal means of preventing fraud |
Control |
|
Management's role in preventing fraud |
Establishing and maintaining control |
|
Internal Auditors' role in preventing fraud |
Examining and evaluating the adequacy and effectiveness of control |
|
Implementation Standard 1210.A2 - Fraud |
Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud |
|
Elements of a fraud prevention system |
Control Environment - code of conduct, ethics policy, fraud policy
Fraud Risk Assessment
Control Activities - authority limits and segregation of duties
Fraud-related info and communication practices - training, confirmation of training
Monitoring of antifraud controls |
|
Elements of a fraud risk assessment |
Identifying and prioritizing fraud risk factors and fraud schemes
Mapping existing controls to potential fraud schemes and identifying gaps
Testing operating effectiveness of fraud prevention and detection controls
Documenting and reporting the assessment |
|
Implementation Standard 2120.A2 - Audit Activity |
The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk |
|
Low-Level Fraud |
Most often consists of theft of property or embezzlement of cash. Incentive might be relief of economic hardship, desire for material gain, or a drug or gambling habit |
|
Executive Fraud |
Incentive is usually either maintaining or increasing stock price, receiving a large bonus, or both. Consists most often of producing false or misleading financial statements |
|
Document Symptom |
Any kind of tampering with the accounting records to conceal a fraud - i.e., keeping two sets of books |
|
Situational Pressure |
Can be personal or organizational |
|
Lifestyle Symptom |
Unexplained rise in an employee's social status or level of material consumption |
|
Rationalization |
When a person attributes actions to rational and creditable motives without analysis of the true and especially unconscious motives |
|
Behavioral Symptom |
May indicate fraud - e.g., a drastic change in an employee's behavior |