42 Cards in this Set

  • Front
  • Back

Threat/event

Any potential adverse occurrence

Exposure/impact

The potential dollar loss from a threat

Likelihood/risk

The probability that it will happen

Internal controls

Processes implemented to provide a reasonable assurance of achieving internal control objectives.

Internal control objectives

1: safeguard assets - prevent or detect their unauthorized acquisition, use, or disposition

2: maintain records in sufficient detail to report company assets accurately and fairly

3: provide accurate and reliable information

4: prepare financial reports in accordance with established criteria

5: promote and improve operational efficiency

6: encourage adherence to prescribed managerial policies

7: comply with applicable laws and regulations

Preventative controls - function 1

Deter problems before they arise. Examples: hiring qualified personnel, segregating employee duties, controlling physical access to assets and information.

Detective controls - function 2

Discover problems that are not prevented. Examples: duplicate checking of calculations and preparing bank reconciliations and monthly trial balances.

Corrective controls - function 3

Identify and correct problems as well as correct and recover from the resulting errors. Examples: maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.

General controls - category 1

Make sure an organization's control environment is stable and well-managed. Examples: IT infrastructure controls; software acquisition, development, and maintenance controls.

Application controls - category 2

Prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.

Levers of control - Robert Simons

1: belief system

2: boundary system

3: diagnostic control system

4: interactive control system

Belief system

Describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values.

Boundary system

Helps employees act ethically by setting boundaries on employee behavior.

Diagnostic control system

Measures, monitors, and compares actual company progress to budgets and performance goals. Feedback helps management adjust and fine-tune inputs and processes so future outputs more closely match goals.

Interactive control system

Helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions. Interactive system data are interpreted and discussed in face-to-face meetings of superiors, subordinates, and peers.

Foreign Corrupt Practices Act (1977)

Was passed to prevent companies from bribing foreign officials to obtain business.

PCAOB - Public Company Accounting Oversight Board

SOX created it to control the auditing profession. It sets and enforces auditing, quality control, ethics, independence, and other auditing standards. It consists of five people who are appointed by the Securities and Exchange Commission.

Sarbanes-Oxley Act (SOX) (2002)

Applies to publicly held companies and their auditors and was designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.

New rules SOX - Auditors

Must report specific information to the company's audit committee, such as critical accounting policies and practices. Auditors are prohibited from performing some non-audit services, such as information systems design and implementation. Audit firms cannot provide services to companies if top management was employed by the auditing firm and worked on the company's audit in the preceding 12 months.

New rules SOX - audit committee

Audit committee members must be on the company's Board of Directors and be independent of the company. One member must be a financial expert. The audit committee hires, compensates, and oversees the auditors, who report directly to it.

New rules SOX - management

SOX requires the CEO and CFO to certify that (1) financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading, and (2) the auditors were told about all material internal control weaknesses and fraud.

New rules SOX - internal control requirements

Section 404 requires companies to issue a report accompanying the financial statements stating that management is responsible for establishing and maintaining an adequate internal control system. The report must contain management's assessment of the company's internal controls, attest to their accuracy, and report significant weaknesses or material noncompliance.

COBIT

Control Objectives for Information and Related Technology. COBIT consolidates control standards from many different sources into a single framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users to be assured that adequate IT security controls exist, and (3) auditors to substantiate their internal control opinions and to advise on IT security and control matters.

COBIT 5 - 1 Meeting stakeholder needs

Helps users customize business processes and procedures to create an information system that adds value to stakeholders; it also allows the company to create a proper balance between risk and reward.

COBIT 5 - 2 Covering the enterprise, end to end

Does not focus only on the IT operation; it integrates all IT functions and processes into companywide functions and processes.

COBIT 5 - 3 Applying a single, integrated framework

Can be aligned at a high level with other standards and frameworks so that an overarching framework for IT governance and management is created.

COBIT 5 - 4 Enabling a holistic approach

Provides a holistic approach that results in effective governance and management of all IT functions in the company.

COBIT 5 - 5 Separating governance from management

Distinguishes between governance and management.

Governance

The objective of governance is to create value by optimizing the use of organizational resources to produce desired benefits in a manner that effectively addresses risk. Governance is the responsibility of the Board of Directors, who (1) evaluate stakeholder needs to identify objectives, (2) provide management with direction by prioritizing objectives, and (3) monitor management's performance.

Management

Management is responsible for planning, building, running, and monitoring the activities and processes used by the organization to pursue the objectives established by the Board of Directors. Management provides feedback to the Board of Directors.

COSO

The Committee of Sponsoring Organizations consists of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.

COSO Internal Control - Integrated Framework

(1992) is widely accepted as the authority on internal controls and is incorporated into the policies, rules, and regulations used to control business activities.

COSO components and principles - 1 Control Environment

Commitment to integrity and ethics. Internal control oversight by the Board of Directors, independent of management. Structures, reporting lines, and appropriate responsibilities in the pursuit of objectives, established by management and overseen by the board. A commitment to attract, develop, and retain competent individuals in alignment with objectives. Holding individuals accountable for their internal control responsibilities in pursuit of objectives.

COSO components and principles - 2 Risk Assessment

Specifying objectives clearly enough for risks to be identified and assessed. Identifying and analyzing risks to determine how they should be managed. Considering the potential of fraud. Identifying and assessing changes that could significantly impact the system of internal control.

COSO components and principles - 3 Control Activities

Selecting and developing controls that might help mitigate risks to an acceptable level. Selecting and developing general control activities over technology. Deploying control activities as specified in policies and relevant procedures.

COSO components and principles - 4 Information and Communication

Obtaining or generating relevant, high-quality information to support internal control. Internally communicating information, including objectives and responsibilities, necessary to support the other components of internal control. Communicating relevant internal control matters to external parties.

COSO components and principles - 5 Monitoring

Selecting, developing and performing ongoing or separate evaluations of the components of internal control. Evaluating and communicating deficiencies to those responsible for corrective action, including senior management and the Board of Directors, where appropriate.

COSO ERM - Enterprise Risk Management, 5 principles

1: Companies are formed to create value for their owners.

2: Management must decide how much uncertainty it will accept as it creates value.

3: Uncertainty results in risk, which is the possibility that something negatively affects the company's ability to create or preserve value.

4: Uncertainty results in opportunity, which is the possibility that something positively affects the company's ability to create or preserve value.

5: The ERM framework can manage uncertainty as well as create and preserve value.

COSO enterprise risk management model

Internal Environment

The internal environment (or company culture) influences how organizations establish strategies and objectives, structure business activities, and identify, assess, and respond to risk.

Risk Appetite

The amount of risk a company is willing to accept to achieve its goals.

Audit committee

The audit committee is responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing the internal and external auditors, who report all critical accounting policies and practices to the committee.