81 Cards in this Set
ERM
process, effected by an entity’s board of directors, management, and other personnel, applied in strategy settings and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Relationship between mission, strategy, objectives, risks, controls, monitoring, policies
Create mission statement, set strategic goals to achieve mission statement, implement strategy that capitalizes on goals set in strategic objectives, objectives take action upon the strategy.
Risks: Events that would have negative impact on objectives.
Controls: Policies and procedures implemented to ensure risk responses are carried out effectively.
Monitoring: ERM monitored and changes made as necessary; accomplished through ongoing mgmt activities and separate evaluations.
What is organizational governance?
process by which organizations select objectives, establish processes to achieve objectives, and monitor performance.
COSO ERM framework
a. Internal environment. What does it refer to? (E.g., risk appetite)
–Encompasses the tone of an organization.
–Sets the basis for how risk is viewed and addressed by an entity’s people.
–Includes risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
COSO ERM framework
b. Objective settings
--Objectives must exist before mgmt can identify potential events affecting their achievement.
--ERM ensures mgmt has a process in place to set objectives and that the objectives support and align with the entity’s mission and are consistent with its risk appetite.
COSO ERM framework
c. Event identification
–Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.
–Risks: those events that would have a negative impact on organization objectives
–Opportunities are channeled back to management’s strategy or objective-setting processes.
COSO ERM framework
d. Risk assessment. Residual expected risk calculation and scenario management using Excel
–Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.
–Risks are assessed on an inherent and a residual basis.
COSO ERM framework
e. Risk response: avoid, control, accept, or transfer
–Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
COSO ERM framework
f. Control activities. What is an internal control? What are the different levels of organizational control? Key: the control environment, pervasive control plans, and business process control plans (p. 235)
Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness/efficiency of operations; reliability of financial reporting; compliance with applicable laws & regulations.
-Control environment- tone at the top.
-Pervasive control plans relate to multitude of goals and processes, are broad in scope, and apply equally to all business processes.
-Business process control plans are applied to a particular business process, such as billing or cash receipts.
COSO ERM framework
g. Information and communication. What different flowcharts and diagrams are used to identify and communicate risks?
Information/communication- Relevant information is identified, captured, and communicated to enable people to carry out their responsibilities
Suprina systems flowchart?
COSO ERM framework
h. Monitoring
Monitoring: ERM monitored and changes made as necessary; accomplished through ongoing mgmt activities and separate evaluations.
What is fraud? What is the difference between computer crime and computer abuse?
Fraud- deliberate act of untruth intended to obtain unfair or unlawful gain.
Difference between computer crime and computer abuse is intentions of the perpetrator. Computer crime is manipulation of a computer to dishonestly obtain money/property. ABUSE is unauthorized access to, or use of, computer for purposes contrary to the wishes of the computer’s owner.
Malicious software: virus, worm, spyware, and Trojan horse.
Virus- program code that can attach itself to host file thereby infecting those programs/macros, etc.
Worm- Basically same thing as virus except it doesn’t require a host.
Trojan horse- Harmful piece of software that looks legitimate. Unlike virus/worms, they do not self-replicate. They must be spread through user interaction.
Spyware- collects information on users without their knowledge.
What are pervasive control plans?
a. Organizational design control plans.
b. Personnel control plans.
c. Compensatory controls
d. Monitoring control plans
e. IT general control plans
a. Organizational design control plans. What is segregation of duties?
Authorizing events, executing events, recording events, safeguarding resources.
b. Personnel control plans. Provide two examples
Education/training and performance evaluations
e. IT general control plans. What is IT governance? The COBIT framework’s four pillars: plan and organize, acquire and implement, deliver and support, monitor and evaluate.
IT Governance- Process that ensures that the enterprise’s IT sustains and extends the organization’s strategies and objectives.
Information systems (general) controls. What are they?
Primary information security technologies: authentication and authorization (passwords, tokens, biometrics), prevention and resistance (firewalls, encryption, physical security, fault-tolerant systems), detection and response (antivirus, antispyware)
What is a denial-of-service attack? What is a botnet?
Denial-of-service attack- a Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in normal activities
Botnet- a collection of internet-connected computers whose security defenses have been breached and control ceded to a malicious party.
Define: backup
Backup- making a copy of data, programs and documentation
Recovery
Recovery- use the backup data to restore lost data and resume operations
Hot site-
Hot site- fully equipped data center that can accommodate many businesses and that is made available to client companies for a monthly subscriber fee
Cold site-
facility usually comprised of A/C space with a raised floor, phone connections, and computer ports into which a subscriber can move equipment
The control framework. What is it?
The control framework provides you with a structure for analyzing the internal controls of business organizations.
document design
a control plan in which a source document is designed to make it easier to prepare the document initially and later to input data from the document
written approvals
a signature or initials on a document to indicate that an event has been authorized
preformatted screens
a computer screen designed to control the entry of data by defining the acceptable format of each data field, automatically moving to the next field, requiring that certain fields be completed, and/or by automatically populating fields
online prompting
= a control plan that requests user input or asks questions that the user must answer
populate input screens with master data
a control plan that operates when a clerk enters the identification code for an entity, such as a customer, and the system retrieves data about that entity from the master data, to eliminate the need for re-entry of those data
compare input with master data
a process to determine the accuracy and validity of the input data. Such comparisons may be done manually or by the computer
procedures for rejected inputs
a control plan designed to ensure that erroneous data are corrected and resubmitted for processing
automated data entry
a strategy for the capture and entry of event-related data using technology such as OCR, bar codes, RFID, and EDI
enter data close to the originating source (remember OLRT and OLTE)
a strategy for the capture and entry of event-related data close to the place that an event occurs, reducing the likelihood that events will be lost and not entered into the system and that errors will be introduced to the system
digital signatures
this technology validates the identity of the sender and the integrity of the electronic message to reduce the risk that a communication was sent by an unauthorized system or user or was intercepted/modified in transit
EDI
EDI = electronic data interchange; computer to computer exchange of business data in structured formats that allow direct processing of those electronic documents.
control plans
reflect information processing policies and procedures that assist in accomplishing control goals
document and record counts
simple counts of the number of documents entered, this procedure represents the minimum level required to control input completeness
dollar totals
= a summation of the dollar value of items in the batch, such as the total dollar value of all remittance advices in a batch
hash totals
a summation of any numeric data existing for all documents in the batch such as total of customer numbers or invoice numbers in the case of remittance advices; used for control purposes only
turnaround document
documents such as remittance advices that are used to capture and input a subsequent event
key verification
a control plan in which documents are keyed by one individual and then rekeyed by a second individual. The data entry software compares the second keystrokes to the strokes keyed by the first individual. If there are differences, it is assumed that one person missed or miskeyed the data
sequence checks
a type of control in a batch processing system where documents that are numbered sequentially are used to determine that all documents have been processed (completeness) and that no extra documents have been processed (completeness, if a duplicated document, or validity, if a bogus document)
Systems flowchart
a graphical representation of a business process, including information processes (inputs, data processing, data storage, and outputs), as well as the related operations processes (people, equipment, organization, and work activities).
What is a supply chain?
The connections from the suppliers of merchandise and raw materials through to an organization’s customers. These connections include the flow of information, materials, and services. Organizations manage links in their supply chains to get the right goods, in the right amount, at the right time, and at minimal cost (i.e., efficiency) to create maximum value for their customers (effectiveness).
SCM Software. Supply chain planning vs. supply chain execution
Planning- Accumulates data about orders from retail customers, sales from retail outlets, and data about manufacturing and delivery capability to assist in planning for each of the SCM steps. Execution- Automates the SCM steps. Includes ERP software that receives and routes orders, and executes invoices.
What is the bullwhip effect?
The multiplication of false orders up the supply chain can cause wild demand and supply fluctuations known as the bullwhip effect.
What are the benefits of SCM?
Lower costs to customer. Higher availability of product. Higher response to customer requests. Reduced inventories among the supply chain. Improved buyer-seller relationship. Smoother Shipping and receiving. Reduced item cost. Increased customer orders. Reduced product defects.
What are the potential problems of SCM?
Data not collected or not shared across functional boundaries. Info is not shared between supply chain partners. Inaccurate data negatively affects the entire chain. Over-reliance on demand forecasting that may be inaccurate. Competing marketing and sales objectives lead to unrealistic forecasts.
Push vs. pull supply chain
Push- goods and services are ordered in anticipation of demand based on sales and demand forecasts. Pull- uses data from vendors and customers to make purchasing decisions based on actual demand.
Continuous replenishment (CRP)
A vendor obtains a buyer’s current sales, demand, and inventory data in real time and replenishes the buyer’s inventory. Sales and demand data may be warehouse, withdrawal, production control (for manufacturing), or retail point-of-sale (POS) data. Data may be sent via EDI or accessed by the vendor via a Web interface into the buyer’s system or a hosted hub.
Collaborative Planning Forecasting and Replenishment (CPFR)
Collaborative processes across the supply chain using a set of processes and technology models. Trading partners share plans, forecasts, and other data over the internet. During planning and execution, partners negotiate resolution to exceptions such as: Dramatic change in plans, Plans do not match, Forecast accuracy is out of tolerance, Overstock and understock conditions.
Reorder point (ROP) analysis
Each item is assigned a reorder point based on its sales rate.
Economic order quantity (EOQ)
order quantity based on costs of ordering and carrying inventory.
ABC analysis (categorized inventory)
technique for ranking items in a group based on the output of the items. Can be used to categorize inventory items according to their importance.
What is e-procurement?
use of information technology to automate significant portions of the procurement process to reduce the number of people and amount of time required for the procurement process. For example, a purchasing organization can use intelligent agents, Web services, and B2B exchanges.
How is RFID used in the purchasing process?
a system for sending and receiving data, using wireless technology, between an RFID tag and RFID transceiver. RFID tags are computer chips containing information about the object to which the tag is attached and an antenna that sends and receives data.
What comprises Accounts Payable/ Cash Disbursement process?
an interacting structure of people, equipment, activities, and controls that is designed to accomplish the following: Handle the repetitive work routines of the AP department and the cashier, Support the decision needs of those who manage the AP department and cashier, and Assist in the preparation of internal and external reports. Process- 1. Invoice received from vendor 2. AP invoice notice sent to GL 3. Approved voucher (payment request) sent to cashier (3a) and to GL (3b). 4. Payment (e.g. check) sent to vendor by cashier (4a), paid voucher (payment notice) returned to the accounts payable department (4b), payment notice sent to the general ledger (4c).
What comprises Purchasing Process?
Purchase-to-pay process- 1. Requirements determination 2. Purchase order processing 3. Goods receipt 4. Invoice verification 5. Payment processing
Horizontal information flows- 1. Purchase requisition sent from inventory control (or various departments) to purchasing 2. PO sent to vendor (2a), inventory control (2b), receiving (2c), and accounts payable (2d)
What comprises Billing/Accounts Receivable/Cash Receipts process?
a. The billing/accounts receivable/cash receipts (B/AR/CR) process is an interacting structure of people, equipment, activities, and controls designed to create information flows and records that accomplish the following:
i. Support the repetitive work routines of the cashier, and the credit and accounts receivable departments.
ii. Support the problem-solving processes of financial managers.
iii. Assist in the preparation of internal and external reports.
What is electronic bill presentment and payment (EBPP)?
a. Electronic bill presentment and payment (EBPP) systems: B2C systems that use a Web site to post customers’ bills and to receive their electronic payments. Types of EBPP systems:
i. Biller direct method, whereby a company posts its bills/invoices to its own Web site (or to a Web site hosted for it by a third party)
ii. Consolidation/aggregation method, in which bills are not posted to the billing company’s Web site but are posted to a Web site hosted by the billing company’s own bank or by a company such as Fiserv.
Explain the role of electronic funds transfer (EFT), the Automated Clearing House (ACH) Network, and lockboxes in the cash receipts process
a. Electronic funds transfer (EFT): general term used to describe a variety of procedures for transmitting cash funds between entities via electronic transmission instead of using paper checks. Includes wire transfers, credit and debit card processing, as well as payments made via the ACH Network.
b. Automated Clearing House (ACH) Network: Batch processing system for the interbank clearing of electronic payments.
c. Lockbox: postal address maintained by a third party-typically a bank-which is used solely for the purpose of collecting checks.
How could you prevent lapping?
a. Lapping: Fraud by which funds being paid by one customer are stolen, and the theft is covered up by applying funds from another customer to the first customer’s account. Rotation of duties and forced vacations help prevent this type of fraud.
Technology trends: self-service systems
a. Enables HR employees to make changes to records from outside of the office using convenient, easy-to-use Web browser interfaces.
i. These systems automate manually intensive processes and can reduce HR costs
b. Could also refer to Customer Self Service (CSS)
i. Allows an organization’s customers to interact with the business at their convenience by integrating with ERP systems.
ghost employees
a. Ghost employees – employees who do not currently work for the company but receive paychecks. Can be ex-employees or fictitious. Usually results in largest losses because total payment is fraudulent and can be over long period of time.
Falsified hours and salary
– employees record more time than actually worked or are able to increase the salary in their employee data
Commission scheme
– employees overstate the sales on which commissions are based or increase the commission rate in their employee data
False Workers’ Compensation Claims
employees pretend to have injuries to collect disability payments
Reimbursement fraud
a. Employees may be reimbursed for fraudulent expenses incurred. This may include the following schemes
i. Using legitimate documentation from personal expenses for a business expense
ii. Overstating expenses by altering receipts
iii. Submitting fictitious expenses by producing fake receipts
iv. Obtaining multiple reimbursements for one expense by submitting multiple copies of invoices
Segregation
segregation of duties, security of resources
Direct deposit
helps with the security of resources, entails having paychecks distributed to employees by an entity not otherwise involved in payroll processing
Master Data Maintenance
helps to ensure validity, completeness, and accuracy.
Payroll budget comparison -
allows for reconciliation, provides for security of resources, and should identify missing or unusual items.
G/L and business reporting processes
a. An interacting structure of people, equipment, activities, and controls that is designed to accomplish both operations and information system functions.
i. Focuses mainly on information functions, i.e., processing and communicating information
G/L process comprises
i. Accumulating data, classifying data by accounts, and recording data
ii. Fueling financial, business, and other reporting by providing information needed to prepare reports
c. Business reporting process encompasses:
i. Preparing general purpose, external financial statements
ii. Ensuring statements conform to GAAP
iii. Generating Web-based forms of key financial statements and related business reporting info for dissemination via the Internet
iv. Supporting the generation of both ad hoc business reports and predetermined business reports that support operation and strategic decision making
What is a feeder process?
any business process that accumulates business event data that are then communicated to and processed with the G/L
G/L Master Data
– contains summarized information of all an organization’s business event data
Audit trail
– source code field of each GL entry; allows tracing from G/L entry back to the feeder system and individual business events that have been aggregated into the G/L balances
Limitations of the G/L approach
a. Most G/L systems only capture the chart of account number and debit or credit
b. Other information about a business event is generally discarded
c. After closing, detailed event-level data are purged from the system
d. Changing account numbers/account structures raises a problem with comparability
ERP financial module and security (authentication and authorization)
a. Wide range of options available
b. For security reasons and ease of use, limit users’ access to menu items needed to perform his or her responsibilities
c. ERP security can become detailed and complex due to different privilege levels for different users
d. Users can be assigned different access levels: view access, write access, entry access, and/or change access
What is the balanced scorecard method? How does it create a shared vision for the organization?
a. Methodology for assessing organization’s business performance via four components:
i. Financial: Traditional measures of business performance; shareholders view
ii. Internal business processes: Capacity to identify core competencies and assess performance
iii. Customers: How customers perceive the organization in terms of value
iv. Innovation and improvement activities: How the organization is improving and creating additional value
b. Provides organizations with the ability to clarify vision and strategy and translate them into action. By focusing on future potential success it becomes a dynamic management system that is able to reinforce, implement and drive corporate strategy forward.
i. enables organizations to bridge the gap between strategy and actions, engage a broader range of users in organizational planning, reflects the most important aspects of the business, and respond immediately to progress, feedback and changing business conditions.
What is XBRL?
a. An XML-based language consisting of a set of tags used to unify presentation of business reporting information into a single format
i. Easily read by almost any software package
ii. Easily searched by Web browsers
iii. Several regulators have begun accepting or requiring filings be done in XBRL format