35 Cards in this Set

  • Front
  • Back
  • 3rd side (hint)
Risk
Any exposure to the chance of injury or loss
Threat is another word.

Examples include:

1. Unauthorized Payments to influence the decisions of foreign government officials.

2. Bad decisions by management to buy or sell subsidiary companies.

3. Sexual harassment

4. Faulty product designs and recalls

5. Fabricating product quality tests

6. Invasion of a company's network by hackers
Control
An activity we perform to minimize or eliminate a risk

Examples designed to minimize or eliminate "consulting firm" risks include:

1. Having a second employee estimate project completion time so a more realistic completion date can be negotiated

2. Having another employee review each system module for completeness and accuracy

3. Meeting periodically with the client and having client personnel review the system to verify it meets their expectations

4. Performing a market study to identify the types of systems most companies want and to determine the demand for your type of systems.
Opportunities
Changes create opportunities.

The opportunities an organization seeks are guided by its objectives.
Materiality of Risk
Increases with

1. Size of potential loss (and impact on the organization; i.e. exposure)
2. Likelihood of potential loss
As either the likelihood or size of the loss increases, the ___________ of the risk also increases.

The higher the ___________, the greater the need for managing the risk.

We need to control for risks that are highly ___________. These risks have high impact and high likelihood of occurrence.
Business Risks
Enumerated:

1. Strategic Risks
2. Decision Risks
3. Operating Risks
4. Financial Risks
5. Information Risks
Strategic Risks
Risks associated with DOING the wrong things.

Examples:

1. Poor company vision
2. Failure to recognize the strength of a competitor.
3. Lack of knowledge of government rules and regulations
Decision Risks
Risks associated with making a bad decision.

Examples:

1. Failure to recognize when a decision needs to be made
2. Failure to consider all relevant alternatives
3. Incorrectly evaluating available information on decision alternatives.
Operating Risks
Risks associated with doing the right things the wrong way.

Examples:

1. Workers performing slow or sloppy work
2. Lack of safety standards in the manufacturing process.
3. Errors in equipment settings that cause poor quality in a manufactured product
4. Failure to check product quality on a timely basis.
Financial Risks
Risks associated with the loss of financial resources or the creation of financial liabilities.

Examples:

1. Lack of physical controls over inventory
2. Extending bad credit
3. Allowing unauthorized people to write company checks to unapproved vendors.
Information Risks
Business risk associated with information processing:

1. Developing incomplete or inaccurate information
2. Unreliable hardware or software.
3. Failure to protect the system from hackers.
System of Internal Controls.
The rules, policies, and procedures that manage risks.
Internal Control System Objectives.
Rules, policies, and procedures an organization implements to provide reasonable assurance that:

1. Its financial reports are reliable
2. Its operations are effective and efficient
3. Its activities comply with applicable laws and regulations
The three main objectives of the internal control system.
Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Incomplete.
Incomplete.
Internal Control System Components.
1. Control Environment
2. Risk Assessment
3. Control Activities.
4. Information and Communications
5. Monitoring
COSO promulgated control philosophy elements.
Control Environment
Sets the tone of the organization, which influences the control consciousness of its people.

This foundation provides discipline and structure upon which all other components of internal control are built.

Includes these seven areas:

1. Integrity and ethical behavior
2. Commitment to competence
3. Board of directors and audit committee participation
4. Management philosophy and operating style
5. Organization structure
6. Assignment of authority and responsibility
7. Human resources policies and practices
The first component of the internal control system. It shapes the other four components.
Risk Assessment
Identifies and analyzes the relevant risks associated with the organization achieving its objectives.
The second component of the internal control system.

What risks need to be controlled and what controls are required to manage them?

This goes beyond what risks the auditor will consider and what controls the auditor will require related to the issuing of an opinion on external financial statements' fairness in presenting the results of operations and the financial position of the entity in conformance with generally accepted accounting principles.

Particularly, the risk assessment should also emphasize the effectiveness and efficiency of operations and compliance with applicable rules and regulations IN ADDITION to financial reporting.
Control Activities
Necessary actions undertaken to minimize risks associated with achieving its objectives.

They may be classified by their use relating to errors and irregularities:

1. Preventive: prevent an error or irregularity. The most desirable use.
2. Detective: identifying when an error or irregularity has occurred.
3. Corrective: recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.

Categories include: segregation of duties, physical controls, information processing controls, and performance reviews.
The Third Component Promulgated by COSO.

They are delineated according to their intended use. They focus on errors and irregularities.
Error
An unintended mistake on the part of an employee.
More money is lost as a result of ______ than ________________.

65% of data security losses (measured in dollars) result from ______ or omissions.
Irregularity
An intentional effort to do something that is undesirable to the organization.
19% of data security losses (measured in dollars) result from _______________.
Preventive Control
Focus on preventing an error or irregularity
Having a second clerk assist with each sale in an attempt to prevent theft of cash by the sales clerk is an example of a __________ _______.
Detective Controls
Focus on identifying when an error or irregularity has occurred.
Scanning items sold and pricing them automatically by the cash register, along with a rule that requires a comparison of the cash in the cash drawer with total sales accumulated by the cash register during an employee's shift, is an example of a _________ _______.
Corrective Controls
Focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.
A policy of deducting the amount of a cash drawer shortage from the employee's pay is an example, foremost, of a __________ _______, although it may also serve as a preventive control.
Separation of Duties
Structures the work of people so the work of one person is checked by the work of the next person as the next person performs his or her assigned tasks.
A preventive and detective control.
Physical Controls
Security over the assets themselves, limiting access to the assets to only authorized people, and periodically reconciling the quantities on hand with the quantities recorded in the organization's records.
Information Processing Controls
Methods used to ensure accuracy, completeness, and authorization of transactions.

Two broad groups of information processing controls are:

1. General Controls
2. Application Controls
Discussed in depth in chapter D supplement
Performance Reviews
Any checks of an entity's performance.

Common examples compare:

a) actual data to budgeted data or prior period data (e.g. actual production costs of the current period with last period's production costs and budgeted production costs)

b) operating data to financial data

c) data within and across various units, subdivisions, or functional areas of the organization (e.g. compare the amount of sales within each region to the quantity of inventory shipped to that region to see if the ratio between sales and quantity shipped is about the same in all regions).
Information System
Consists of the methods and records used to record, maintain, and report the events of an entity, as well as to maintain accountability for the related assets.

It should do each of the following to provide accurate and complete information in the accounting system and correctly report the results of operations:

1. Identify and record all business events on a timely basis.
2. Describe each event in sufficient detail
3. Measure the proper monetary value of each event.
4. Determine the time period in which events occurred.
5. Present properly the events and related disclosures in financial statements.
The first aspect of the FOURTH component of internal controls promulgated by COSO.
"Communication"
Deals with providing an understanding of individual roles and responsibilities pertaining to internal controls.
The second aspect of the fourth component of internal control systems promulgated by COSO.

Also includes an organization's policy, accounting, and financial reporting manuals.
Monitoring
The process of assessing the quality of internal control performance over time.
The fifth component of internal control systems promulgated by COSO.

Involves assessing the design and operation of controls on a timely basis and taking corrective actions as needed.
Operating Event Risks
The dichotomy of risk in an event-driven system primarily includes two types of risk. This is one type.

It results in errors and irregularities having one or more of the following characteristics:

1. A business event occurring at the wrong time or sequence.

2. A business event occurring without proper authorization.

3. A business event involving the wrong internal agent.

4. A business event involving the wrong external agent.

5. A business event involving the wrong resource.

6. A business event involving the wrong amount of resource.

7. A business event occurring at the wrong location.
The dichotomy of risk includes two types of risk. This is one type.

The control of this type of risk requires embedding procedures into the execution of operating events. The rules, policies, and procedures, associated with the events are then reviewed and mandated at the point and time of the activity.
Information Processing Risks
Related risks include:
1. Recording risks
2. Maintaining risks
3. Reporting risks.

The dichotomy of risk includes two types of risk. This is one type.
The objectives include recording and reporting accurate, complete, and timely data. Maintaining the validity of the data is referred to as maintaining data integrity.
Recording Risks:
Include recording incomplete, inaccurate, or invalid data about a business event.

Incomplete data result in not having all the relevant characteristics about an operating event.

Inaccuracies arise from recording data that do not accurately represent the event.

Invalid data refers to data that are recorded about a fabricated event.
Garbage in, garbage out.


If inaccurate, invalid, or incomplete data are either recorded or maintained, the result is erroneous reporting of all affected processes. Furthermore, if the recording process also executes the management policy surrounding a business event, a faulty or illogical recording process can also introduce errors and irregularities into the execution of the business event itself.
Maintaining Risks:
Essentially the same as recording risks. The only difference is that the data relate to resources, agents, and locations rather than to operating events. The related risk is that changes with respect to the organization's resources, agents, and locations will go either undetected or unrecorded.
Examples:

Failure to update changes, e.g. a customer or employee moves, a customer declares bankruptcy, or a location is destroyed through a natural disaster.

Garbage in, garbage out.
Reporting Risks:
Include data that are improperly accessed, improperly summarized, provided to unauthorized individuals, or not provided in a timely manner.
Sarbanes Oxley
Incomplete
Incomplete