Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
61 Cards in this Set
- Front
- Back
|
Risk Assessment
|
The process whereby management identifies the organizations vulnerabilities.
|
|
|
Risk Management
|
the ongoing process of designing and operating internal controls that mitigate the risks identified in the organizations risk assessment.
|
|
|
Risk can be quantified as a combintation of two factors:
|
1. the severity of consequences .
2. liklihood of occurrence. |
|
|
Inherent risk
|
the susceptibility of one of the companies objectives to obstacles arising from the nature of the objectives.
Example a uranium mine is inherently riskier than a strip mall |
|
|
Control risk
|
the risk that the controls put in place will fail to prevent an obstacle from interfering with the achievement of the objective.
Example a policy requiring two approvals for expenditures over a certain dollar amount could be bypassed by collusion |
|
|
Detection risk
|
Th risk that an obstacle to an objective will not be detected before a loss has occurred.
FOr example: An embezzlement that continues for a year before detection is much costlier than one that is discovered after one month . |
|
|
Total risk
|
Inherent risk x Detection Risk x Control risk.
|
|
|
Internal Controls
|
The whole system of controls established by management to carry on the business of the enterprise in an orderly and efficient manner, to ensure adherence to management policies, safeguard the assets, and ensure as far as possible the completeness and accuracy of the records.
|
|
|
What does section 404 of SOX require companies to issue
|
a report stating that
1. Management takes responsibility for establishing and maintaining the firms system of internal controls. 2. The system has been functioning effectively over the reporting period. |
|
|
PCAOB Auditing Standard No. 5
|
"An audit of internal control over financial reporting that is integrated with an audit of financial statements. "
|
|
|
A companys internal control cannot be considered effective if _________________.
|
one or more material weaknesses exist.
|
|
|
Material Weakness
|
A deficiency or combination of deficiencies, in internal control that results in a reasonable possibility that a material misstatement of the financial statement will not be prevented or timely detected and corrected.
|
|
|
COSO definetion of internal control
|
A process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations 2. Reliability of financial reporting Compliance with applicable laws and regulations. |
|
|
Effectiveness and Efficiency of Operations
|
Operational objectives relate to the achievement of the entities mission concerning performance, including attainment of earning objectives and safeguarding of resources.
|
|
|
Reliability of financial reporting
|
To make sound decisions, investors creditors and other users must have access to reliable financial reports, especially financial statements issued for general use.
|
|
|
Compliance with applicable laws and regulations.
|
1. conduct activities, and often take specific actions in accordance with applicable laws and regulations.
2. Subject to laws at the local, state and federal levels. 3. responsible, not absolute assurance. |
|
|
The benefits of internal controls must always exceed
|
exceed the costs of implementing them.
|
|
|
What are the 5 components of COSO's internal control framework.
|
The Control Environment
Risk Assessment Control Activities Information and communication monitoring |
|
|
The Control Environment
|
setting the tone of an entity. The foundation for all other components of internal control
|
|
|
Risk Assessment
|
Identification and analysis of relevant risks to achievement of the objectives. it forms a basis for determining how risks should be managed.
|
|
|
Relevant risks include
|
Events and circumstances that may adversely effect an entities ability to initiate, authorize, record, process and report financial data consistent with financial statement assertions.
|
|
|
Control Activities
|
Policies and procedures that help ensure management directives are carried out.
|
|
|
Information and communication
|
Pertinent information must be identified, captured, and communicated in a form and timeframe that enables people to carry out responsibilities.
|
|
|
Monitoring
|
Internal control systems need to be monitored. This process asesses the quality of the systems performance over time.
|
|
|
The pillars of a control environment
|
1. Organizational Structure
2. Policies are stated principles that require, guide, or restrict action. 3. Objectives and goals. 4. Management philosophy and operating style. 5. Assignment of authority and responsibility. |
|
|
Board of Directors role
|
Most Publicly held companies are required to have a board consisting of both inside and outside members.
|
|
|
Audit committee
|
subcommittee of the board of directors whose purpose is to help keep the external auditors independent of management.
|
|
|
The control process
|
Establishing standards
Measuring performance against the standards examining and analyzing deviations Taking corrective action Reappraising the standards based on experience |
|
|
Primary controls
|
Preventive
Detective Corrective Directive |
|
|
Preventive controls
|
deter the occurrence of unwanted events
|
|
|
Detective controls
|
alert the proper people after an unwanted event.
|
|
|
Corrective controls
|
correct the negative effects of unwanted events
|
|
|
Directive controls
|
cause or encourage the occurrence of a desirable event
|
|
|
Secondary controls
|
Compensatory controls
Complementary controls |
|
|
compensatory controls
|
reduce ri wehn the primary controls are ineffective. but they do not by themselves, reduce risk to an acceptable level.
|
|
|
Complementary controls
|
work with other controls to reduce risk to an acceptable level.
|
|
|
TIme-based classification
|
Feedback controls
Concurrent controls feedforward controls |
|
|
Feedback controls
|
Report information about completed activities. Permit improvement in the future performance by learning from past mistakes.
|
|
|
Concurrent controls
|
adjust ongoing processes. Monitor activities in the present to prevent them from deviating too far from standards.
|
|
|
Feedforward controls
|
Anticipate and prevent problems. These controls require a long-term perspective.
|
|
|
Financial controls
|
"Accounting Controls"
based on relevant established accounting principles |
|
|
Operating controls
|
"Administrative Controls" for production and support activities. Based on management principles and methods.
|
|
|
People Based controls
|
Dependent on the intervention of humans for their proper operation.
|
|
|
Systems based controls
|
Executed whenever needed with no human intervention
|
|
|
Control Activities
|
Designed and placed in operation to ensure that management directives are executed
|
|
|
Segregation of duties
|
assigning different employees to perform functions such that an employee acting alone is prevented from committing an error or concealing a fraud in the normal course of his/her duties.
|
|
|
Four types of functional responsibilities that should be segregated
|
Authority to execute transactions
Record keeping of the transaction Custody of the assets affected by the transactions Periodic reconciliation of the existing assets to recorded amounts. |
|
|
The reconciliation of recorded accountability with the assets must be performed by a part of the organization either
|
1. unconnected with the original transaction or
2. Without custody of the assets involved. |
|
|
Foreign corrupt practices act
|
To prevent secret payments of corporate funds for purposes that congress has determined to be contrary to public policy.
|
|
|
Section 404 Sarbox :Internal control report
|
1. Statement of managements responsibility for internal control.
2. Managements assessment of the effectiveness of internal control as of the end of the most recent fiscal year. 3. Identification of the framework used to evaluate the effectiveness of internal control 4. A statement about whether significant changes in controls were made after their evaluation. 5. A statement that the external auditor has issued an attestation report |
|
|
Sarbanes Oxley Section 201 Prohibited activities
|
1. Bookkeeping/other services
2. Financial information systems design. 3.appraisal/valuation services 4. actuarial services 5. internal audit outsourcing 6. management functions/HR 7. Broker or dealer, Investment advice 8. legal services |
|
|
Audit Partner Rotation
|
CPA firms must rotate audit partners so that the same individual is not supervising a clients audit for an extended period of time.
|
|
|
Section 302 Corporate responsibility for financial reports
|
In each annual and quarterly report:
1. signing officer has reviewed 2. report doesn't have any untrue statements of fact or omission 3. the financial statements are fairly preseneted in all material respects the financial condition and results |
|
|
Section 302 What are the signing officers responsibilities
|
1. Establishing and maintaing internal controls
2. They ahve designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others. 3. have evaluated the effeciveness of the issuers internal controls as of a date within 90 days prior to the report 4. have presented in the report their conclusions about the effectiveness of their internal controls based on their eval |
|
|
WHAT DOES THE PCAOB HAVE THE AUTHOIRTY TO DO
|
To promulgate standards for the practice of auditing
|
|
|
What are the four objectives of Auditing Standard 5
|
1. Focus the internal control audit on the most imprtant matters.
2. Eliminate Procedures that are unecessary to achieve the intended benefits. 3. Make the audit clearly scalable to fit the size and complexity of any company. 4. simplify the text of the standard. |
|
|
What are the four different audit approaches
|
1. substantive procedures approach.
2. Balance sheet approach 3. Systems based approach 4. Risk based approach. |
|
|
Substantive procedures
|
aka the vouching approach. audit resources are targeted on testing large volumes of transactions and account balances without any particular focus on specified areas.
|
|
|
balance sheet approach
|
substantive procedures are focused on balance sheet accounts, with only limited procedures being carried out on income statement/profit and loss accounts.
|
|
|
Systems basedd approach
|
internal controsl audit, then to direct substantive procedures primoarily where it is considered that systems objectives will not be met.
|
|
|
Risk based approach.
|
audit resources are directed towards those areas of the financial statements that may contain misstatements, as a consequence of the risks faced by the business.
|
