ACCTG 413 - Unit 1
Accounting Information Systems - Chapters 1-3
Term | Definition |
---|---|
Accounting information system (AIS) | An information system that performs data collection, transformation, and reporting that is specific to financial data. It captures accounting data created by business events (or activities) that involve an exchange of economic resources. |
Basic business model | A fundamental model that consists of three primary types of business processes: acquisitions and payments processes; conversion processes; and marketing, sales, and collections processes. |
Business activity | A single business activity in a business process that takes place during the normal operation of a business. It gives rise to accounting transactions because it involves an exchange of economic resources that impacts the accounting equation. |
Business event | A single business activity in a business process that takes place during the normal operation of a business. It gives rise to accounting transactions because it involves an exchange of economic resources that impacts the accounting equation. |
Business model | A company's plan for operations. It identifies the customer base, products, operation plans, and sources of revenue and financing. |
Business process | A group of related business events designed to accomplish the strategic objectives of the business. |
Data analytics | The process of using technology to transform raw data, or facts, into useful information. It answers strategic questions beyond historical reporting by transforming data into insights. Its input can be raw data or reports generated by an IS. |
Data integrity | The completeness, accuracy, reliability, and consistency of data throughout its life cycle in an information system. |
Decision context | The preferences, constraints, and other factors that affect how a decision is made. It helps understand the intended use of information: Who are the users, and why do they need the information? |
Direct-to-consumer business model | A business model that involves selling directly to customers. |
Enhancing characteristics | Additional characteristics beyond the fundamental characteristics of relevance & faithful representation that enhance the usefulness of information. |
The Four Optional Characteristics | verifiability, timeliness, understandability, and comparability |
Financing event | A business event that helps a company operate by acquiring incoming cash flows to fund operating events. |
Franchise business model | A business model in which individuals purchase and run a franchise, such as a franchise of a popular fast food chain (for example, McDonald's). |
Freemium business model | A business model that involves offering free services but charging a fee to access upgraded features (for example, Dropbox). |
Fundamental characteristics | The two characteristics that are required to make information useful for decision making, according to the Financial Accounting Standards Board (FASB): relevance and faithful representation. |
Information event | A business event that involves an exchange of information and never involves an exchange of economic resources. |
Information quality | The suitability of information for a particular purpose in a specific task. |
Information system | A system that consists of interrelated components including physical hardware, the software that users interact with, databases used for storage, networks that send data and info throughout the system & the people who use and maintain it. |
Input | In information systems, raw and unorganized data captured by an information system. |
Investing event | A business event that provides long-term value to a company by purchasing long-term assets that will deliver value in the future. |
Key performance indicator (KPI) | A quantifiable metric used to measure and evaluate the success of a company based on its objectives. |
Operating event | A business event that occurs during a company's normal operations and directly relates to the company's creation and provision of a good or service to its customers. |
Output | In information systems, information that comes from an information system in a format that is useful to users. |
Peer-to-peer business model | A business model that connects individuals with one another (for example, Airbnb). |
Process-based information systems | An information system that captures all the data of interest generated in a business process, including informational events. |
Purpose of a business | The goal of making a profit and generating enough cash flow to continue operating. Without the profit motive, it would not be a business (at least not for very long). |
Reporting | The process of aggregating data into information on the activities and performance in a company. Reporting provides a strictly descriptive view of what happened and does not seek insights into the context or reasons. |
Retailer business model | A business model in which a manufacturer sells goods to a retailer to sell to consumers on its behalf. |
Subscription business model | A business model that involves charging a monthly subscription fee for unlimited access to a service or product (for example, Netflix). |
Transaction-based AIS | A traditional information system that captures only accounting business events and ignores nonfinancial data and the relationships between business events and business processes. |
Language of Business | Accounting, because it measures & communicates the financial outcomes of a company's business strategy for three crucial categories of business activities |
Reality of Accounting | requires knowledge of economic contexts; consists of a mix of rigid black/white rules + gray; provides a source of useful info; helps support a prosperous society; serves public interest; demands strong critical thinking |
GAAP | Generally accepted accounting principles - allow for discretion in making accounting choices where there are shades of gray |
Step 1 in the Basic Business Model | Acquisitions & payments process |
Step 2 in the Basic Business Model | Conversion process |
Step 3 in the Basic Business Model | Marketing, sales & collections process |
Step 1 in Information Systems | Collecting data from systems |
Step 2 in Information Systems | Processing & storing it |
Step 3 in Information Systems | Reporting & information outputs |
Examples of Operating Events | Collect customer payment; Hire employee; Pay employee; Deliver goods |
Examples of Financing Events | Issue stocks; Declare dividends; Apply for a loan; Pay loan installment |
Examples of Investing Events | Buy/sell property, plant & equipment; Buy/sell marketable securities; Buy/sell other businesses |
Examples of Information Events | Take customer order; Create purchase order; Interview candidate; Print report |
Acquisitions & payments process | Management’s first task before the business can actually do business is to buy and pay for the resources the company needs. |
Common acquisitions & payment processes resources: | Financing (cash); Property, plant & equipment; Employees; Inventory; Other goods & services |
Conversion Processes | After purchasing the resources needed to operate, a business creates value, or profit, by combining and converting resources to goods and/or services that customers want. |
Common conversion processes: | Design product; Test product; Plan production; Schedule production; Assemble product; Package product |
Marketing, sales & collection processes | After purchasing the resources needed to operate, a business creates value, or profit, by combining and converting resources to goods and/or services that customers want. |
Critically important marketing, sales & collection process nonfinancial information | Conversion rate from first contact with potential customers to their becoming customers; Online search engine rankings; Online click-through rate; Online engagement level; Social media posts |
'Management' 'End Users' 'Users' 'Stakeholders' 'Decision Makers' | interchangeable terms for people who use the information created by an information system. |
Significant part of management function | making decisions about business processes that must produce outcomes aligned with the company's strategic plan |
Management's responsibilities in overseeing business processes | Planning, implementing, monitoring, changing & improving processes |
Planning | Developing a strategic plan to create a sustainable competitive advantage; Designing business processes towards achieving strategic goals; Identifying key performance indicators & benchmarks; Identifying opportunities & assessing their risk; Forecasting |
Implementing | Putting a strategic plan into place; Dividing high-level business objectives into smaller processes & events; Assigning employees to perform activities; Motivating employees; Embedding internal controls to prevent & detect errors & fraud |
Monitoring | Evaluating the operating results & financial position; Assessing whether strategic objectives are being attained by analyzing financial statements, using data, monitoring key performance indicators & comparing them to benchmarks, auditing, and comparing |
Changing & Improving Processes | Changing designs or events so that actual results meet expectations; Improving the design & correcting identified issues; Prosecuting occupational fraudsters; Improving internal controls to decrease opportunities for errors & fraud |
EBITDA | earnings before interest, taxes, depreciation & amortization |
Data-driven decision making process | Management combines the principles of quality of information and decision context to identify the information needed from an AIS for decision-making activities. |
FASB | Financial Accounting Standards Board |
FASB responsibility | for the accounting & financial reporting standards throughout the US |
Characteristics of quality financial information | FASB version of data integrity |
Two fundamental characteristics | Relevance; Faithful representation |
Relevant information has: | Predictive value; Confirmatory value; Materiality |
Faithful representation is: | Complete; Neutral; Error free |
Verifiability | Information results in the same conclusions by independent and knowledgeable individuals. |
Timeliness | Information results in the same conclusions by independent and knowledgeable individuals. |
Understandability | Information results in the same conclusions by independent and knowledgeable individuals. |
Comparability | Information presents similar items in the same manner to make it easy to identify similarities and differences when necessary. |
Cost-effectiveness | An overall constraint on the usefulness of information. It is necessary to ensure that information is worth the resources needed to access it. |
Business events are captured | digitally even in small companies, which enables financial analysis to be performed using technology. |
Actual residual risk | The risk that actually remains after a risk is addressed. |
Application | A type of software that allows end users to perform specific functions. Application software may be designed for general use or a specific function. An AIS is an example of application software. |
Application control | A control that only applies to a specific application, including all the business processes and accounts that are linked to it. |
Audit committee | A committee of the company's BOD that includes outside members with special qualifications in finance/accounting. It provides objective oversight of a company, & the company's internal audit department has a direct line of communication to this committee. |
Automated control | A control that uses technology to implement control activities and requires no human intervention. Often more reliable & consistent than manual controls because they are not susceptible to human error, judgment, or override. |
Automated controls include | embedded IT controls and controls that use other automation technologies to perform what have traditionally been manual tasks. |
Business function | A high-level business area or department that performs business processes to achieve company goals. More than one may be necessary to complete a single business process. |
Collusion | A control weakness that occurs when two or more people work together to circumvent controls. |
An example of collusion | if a control requires 1 employee to input invoices into the accounts payable system & another to approve payments for the invoices, these 2 employees could work together to commit fraud by inputting a fictitious invoice |
COSO | Committee of Sponsoring Organizations of the Treadway Commission |
Committee of Sponsoring Organizations of the Treadway Commission | COSO - An organization that is committed to fighting corporate fraud and composed of five private organizations that focus on providing guidance to executives and government entities on fraud prevention and response. |
COSO helps | publicly traded companies comply with SOX and the SEC requirement of using an internal control framework. |
Compliance risk | Risk that occurs when a company fails to follow regulation and legislation and is subjected to legal penalties, including fines. |
Continuous monitoring | Data analytics technology that internal auditors use to create detective controls that use rules-based programming to monitor a business's data for red flags of risks. Often programmed to keep tabs on KPIs or to look for red flags |
Control | A mechanism that is part of the internal control process—such as a rule, policy, or procedure—and that is put in place to mitigate risks by providing reasonable assurance that risk is at an acceptable level. Also known as a Control activity. |
Control component | One of the five key steps involved in implementing an effective system of internal controls. It flows from the top to the bottom of a business, starting with the control environment and ending with monitoring. |
Control components help | framework users understand what an effective control is and how to judge whether a control is effectively designed and implemented. |
Control environment | It is the foundation for other components and includes the attitude of management concerning integrity and ethical behavior. It is the most important component because it sets the overall tone for the organization. |
Control objective | What a control focuses on achieving: operations objectives, reporting objectives, and compliance objectives. |
Corrective control | A control that changes undesirable outcomes and occurs after the potential outcome of a risk has become a reality. They are used when it is not cost-effective to implement preventive or detective controls to mitigate a specific risk. They also serve as a backup plan. |
Cyber risk | A unique type of technology risk that occurs when an external party accesses a company's technology assets and performs unauthorized actions that are malicious. |
Example of cyber risk | cyberattacks can cause data breaches, lock down a company's systems and hold them for ransom, or even be meant simply to prove that the attacker has the skill needed to perform the attack successfully. |
Detective control | A control that alerts management to an issue once it has occurred. Detective controls monitor business processes to identify problems like fraud risk, quality control, or legal compliance. |
ERM | Enterprise risk management |
Enterprise risk management | The comprehensive process of identifying, categorizing, prioritizing, and responding to a company's risks. It involves creating a formal risk assessment and addressing the risk. |
ERM Framework | a set of five interrelated components that highlight the importance of risk in creating strategies and driving a company's performance; it aims to improve the risk management process by addressing more than internal control. |
External risk | A risk that is not related to business operations and comes from outside the company. While such risks are often unpredictable, companies still prepare for them to the best of their abilities. |
Financial risk | A risk specifically related to money going into and out of a company and the potential loss of a substantial sum. This type of risk is associated with various types of financial transactions, including investments, sales, purchases, and loans. |
Financial risk is associated with | investments; sales; purchases; loans |
First line of defense | The business operations portion of the Institute of Internal Auditors' three lines of defense model. In this line of defense, management has the ownership and the responsibility of enforcing mitigating measures to prevent identified risk from occurring. |
First line of defense reports | only to executive management |
Framework | A published set of specifications and criteria that defines a strategy to achieve certain objectives; specific to information appearing in a company's financial statements |
Risk management frameworks focus | on how a company defines its strategy for eliminating or minimizing the impact of risks |
Heat map | A type of risk matrix that uses different colors to represent values of data in a map or diagram format. The different colors typically represent the priority of a risk based on the risk score |
Impact | The estimation of damage that could be caused if a risk occurs. It is equivalent to the outcome in a risk statement |
Independence | A condition in which an auditor is removed from a business process and has no stake in or influence over the outcome of the business processes that they are auditing |
Auditors must | remain independent in order to audit the business objectively (a very important factor) |
Inherent risk | The natural level of risk in a business process or activity if there are no risk responses in place. It is the risk before implementing a risk response. |
2 parts of inherent risk | Likelihood; Impact |
Internal audit | An independent function in a company that tests internal controls to provide assurance of their effectiveness to executive management and the board of directors. |
Internal audits add | value to a business by providing assurance, insight & objectivity to the company |
Internal control | A process that specifically mitigates risks to the company's financial information. It, as it relates to accounting information, focuses on providing quality information to internal decision makers and external stakeholders. |
Internal Control—Integrated Framework | A controls-based approach to risk management that is widely accepted as the authoritative guidance on internal controls & SOX compliance. It defines internal control & gives the criteria for developing, implementing & monitoring an effective internal control system |
Internal risk | A risk that occurs throughout a company's operations and arises during normal operations. Most are preventable through careful risk identification & management. Note that it may relate to an external party, such as the company's reputation with customers. |
IT general control (ITGC) | A control that applies to the entire operation of a full system and its environment. All corporate applications, like email, web browsers, time-keeping software, benefits management systems, and more, are subject to it |
ITGC | IT general control |
Likelihood | The estimated probability of risk occurrence. Companies use different methods to calculate it, but it's always ranked on a spectrum. In different industries, it's described as "frequency" or "probability" |
Management override | A control weakness that occurs when internal control activities are ineffective because management is not following policy or procedure. The AICPA describes management override as the Achilles heel of fraud prevention. |
AICPA | American Institute of Certified Public Accountants |
Manual control | A control that is executed by people/physical interaction. They are used when human judgment/physical interaction is required. They are subject to human error/intentional manipulation & override; there is an increased risk that a manual control might fail |
Auditors frequently focus on | manual controls during their assessments - both internal & external |
Maturity model | A model that shows how far along a company is on its journey to reach the ideal state by comparing the current state to a predetermined set of best practices |
Maturity models are used for | judging the company's current performance & creating a roadmap for continuous improvement |
Operational risk | The most important type of risk for an AIS, which occurs during day-to-day business operations and causes breakdowns in business activities. These risks are a priority for an AIS because they result from inadequate or failed procedures within the company. |
Physical risk | A threat such as adverse weather, crime, or physical damage. It's the easiest type of risk to understand & it's one of the most important types of risk to identify because the impact is usually high. |
Physical risk range | from financial loss to legal actions and reputational loss due to mismanagement of assets. |
Portfolio view | A view of risk that examines risk at the entity level. |
Preventive control | A control that prevents problems from happening. |
Examples of preventive control | firewalls to prevent unauthorized access to an organization's computer network & P&P documentation that specifies how employees should execute procedures and clarifies company policies to reduce the organization's risk of error and misconduct |
Profile view | A view of risk that considers risk at the granular level of a business function, process, or event. |
Reputational risk | Risk that occurs when the reputation of a company is damaged. With this comes financial loss through a loss of customers & revenue. It can be both internal and external in nature. It is considered an intangible asset |
Residual risk | The remaining risk posed by a process or an activity once a plan to respond to the risk is in place. It is the risk after implementing a risk response. |
Risk | The likelihood of an unfavorable event occurring. Risks differ by business type, size, industry, and location. |
Risk acceptance | A risk response in which an inherent risk is present but the organization chooses not to act. The company chooses to live with the risk. |
Risk appetite | The amount of risk a company is willing to take on at a particular time. |
Risk assessment | An assessment that identifies, categorizes, and prioritizes individual risks in a company. After assessing, management decides how to manage it. |
Risk avoidance | A risk response that involves eliminating the risk by completely avoiding the events causing the risk. Rather than accept or reduce risk, companies avoid risk when it is both significant and highly likely to occur. |
Risk inventory | A listing of all a business's known risks. A risk inventory is an essential part of approaching risk at the entity level and creating a portfolio view. |
Risk matrix | A diagram that helps paint a clearer picture of risk by helping users visualize variations in risk scores. Using it allows management to plot risk and move prioritization around; it is especially helpful for the risks that are scored the same numerically. |
Risk mitigation | The most commonly used risk response. It involves reducing risk based on careful consideration and calculation. It enables a company to take on risks in order to create a competitive advantage. |
Risk severity | The likelihood of risks occurring and their potential impact on a company. |
Risk statement | A statement that summarizes a potential problem that needs to be addressed. It contains two parts: the issue and the possible outcome. |
The two parts of risk statements | The issue; The possible outcome |
The outcome of risk varies greatly | from delaying the launch of an information system to preventing the success of an entire company |
Risk transfer | A risk response that involves shifting a risk to a third party. In other words, a third party assumes the liabilities for the risk. Most often, this is done through a contract, such as an insurance policy. |
Sarbanes-Oxley Act of 2002 (SOX) | A U.S. federal law that protects investors from fraud and other risks by improving the reliability and accuracy of financial statements. It primarily focuses on the internal control structure of a company |
SOX | Sarbanes-Oxley Act of 2002 |
SOX changed the way companies operate | by mandating audit trails and shifting the responsibility for financial reporting misstatements. Responsibility for control failures moved directly to management, and violation of internal control requirements now comes with serious criminal penalties |
Second line of defense | The risk management and compliance portion of the Institute of Internal Auditors' three lines of defense model. In this line of defense, the ERM team identifies and assesses organizational risks. Reports only to executive management. |
Second line of defense aids the first | ensuring that controls are designed to adequately address risk, then monitors the controls to ensure that the first line of defense is complying with internal control requirements. |
Segregation of duties | A type of preventive control that reduces the risk of error and fraud by ensuring that different employees are responsible for the separate parts of a business activity: authorizing, recording, and custody. |
Separation of duties is synonymous with | Segregation of duties |
Strategic risk | The inevitable risk that results when a strategy becomes less effective. Companies constantly update their strategies—and change their risks—to stay ahead of the competition. |
Examples of strategic risk | Adopting new technology; overhauling a product design; changing vendors to avoid high costs of materials |
Target residual risk | The goal level of residual risk after implementing a risk response. |
Technology risk | A specific subset of operational risk that exists when technology failures have the potential to disrupt business. Technology failures include threats, vulnerabilities, and exposures of information. |
Third line of defense | The internal audit portion of the three lines of defense model. The primary objective of internal audit is to test internal controls to provide assurance of their effectiveness to executive management and the board of directors |
Internal audit is an independent function | of the company that reports both to executive management and to the board of directors |
Time-based model of controls | A model that measures the residual risk for technology attacks by comparing the relationship of preventive (P), detective (D), and corrective (C) control functions. |
P > (D + C) | utilized to determine if the controls are effective. If this statement is true, they are. If this statement is false, they are not |
Internal audit departments perform | risk assessments when creating audit plans |
External auditors assess | a client's audit risk when creating audit plans |
Cost accountants examine | risk from financial & operational perspectives |
Financial accountants implement | controls to address risk |
Tax accountants comply | with regulations designed to protect their companies & clients from risk |
Risks differ by | business type; size; industry; location |
Risk drives | innovation - companies that take significant risk may have a competitive advantage over a company that avoids the risk |
"Sweet Spot" | The optimal level of risk-taking that yields enough value to make taking the risk worthwhile |
Risk-aware culture | characterized by leadership that sets a risk-awareness tone at the top, management that encourages employees to discuss risks openly and honestly, and an alignment of risk across all corporate initiatives, including salaries and incentive programs. |
Individual business processes in purchases & payments | purchasing raw materials; receiving raw materials; onboarding a new employee |
Individual business processes in conversion | manufacturing products/goods/services; delivering products/goods/services; developing new products/goods/services |
Individual business processes in marketing, sales & collections | face-to-face sales; online sales; mobile app sales w/ delivery |
Risks in purchase & payments | duplicate payments to vendors; unauthorized access to employee data; payroll fraud |
Risks in conversion | excess inventory; unauthorized access to research data; inventory fraud |
Risks in marketing, sales & collections | customer dissatisfaction; unauthorized access to customer data; revenue fraud |
Business functions of purchases & payments | Supply chain; vendor management; purchasing; payroll |
Business functions of conversion | production; quality; research & development; distribution |
Business functions of marketing, sales & collections | sales; customer relations; store operations; deliveries; mobile app |
Entity-level risk analysis helps with | creating strategic plans; which audits to perform; reporting risk to the audit committee & BOD; which projects each dept should prioritize; designing IS & data analytics solutions; assessing & designing internal controls; meeting regulatory requirements; investigating areas for potential fraud; creating P&Ps; designing physical security & infrastructure plans |
Step 1 in ERM process | Risk identification |
Step 2 in ERM process | Risk Categorization |
Step 3 in ERM Process | Risk Prioritization |
Step 4 in ERM Process | Risk Response |
Three steps in Formal Risk Assessment | Risk Identification; Risk Categorization; Risk Prioritization |
Final process in ERM | Addressing the risk, i.e., the risk response |
Four steps in ERM | Identify; Categorize; Prioritize; Respond |
Identifying risk is | a 'worst case scenario' exercise - Murphy's law approach |
Examples of identifying risk | conducting brainstorming exercises; using data to investigate historic events; diagramming business processes for weaknesses; developing assumptions |
Common risk statement keywords | Because; Caused; Possible |
Step 1 in categorizing risk | Where did it come from |
Example of Internal Risk | If an external party, like Forbes, ranks a business poorly, it still ties to the company's operations & performance (reputational risk) |
Example of External Risk | A stock market crash during a pandemic & a hurricane destroying corporate warehouses are not related to the company's operations or performance. They are outside events that the business has no control or influence over. |
Three internal risks | Operational; Financial; Reputational |
Examples of operational risk | technology interruption; employees could commit fraud; procedures could fail to outline the proper steps in a business process |
Example of financial risk | failed investments |
Example of reputational risk | data breach making the news |
Three external risks | Compliance; Strategic; Physical |
Examples of compliance risk | regulatory fines |
Example of strategic risk | beaten by competitor |
Example of physical risk | natural disasters |
Examples of technology risk | power outages or poor connections; fraud; cybercrime; security issues; GPS malfunction |
Examples of cyber risk | data breaches; locking down a company's systems & holding them for ransom |
Examples of financial risk | large amounts of debt (fluctuation in interest rates & inability to pay back the loans); bankruptcy; theft; fraud |
Mitigating internal reputational risk | implementing appropriate policies; safety procedures; customer relations initiatives |
Cross-selling | practice of selling one customer multiple company products |
When companies face strategic risk | they either adapt or fail |
A good risk identification & prioritization looks at | monetary values, historical data & external benchmarks |
Data-driven risk analysis | applies statistical values |
Judgement-based risk analysis | makes estimates that rely on the experience of company leaders |
Impact synonyms | consequence - magnitude |
Types of damage (impact) | financial - customer - reputational |
Risks are prioritized using | Likelihood - Impact |
Likelihood x Impact score | = Inherent Risk, the overall risk score, which lets companies understand what needs to be prioritized |
Risk score ties favor | the highest impact score |
Heat map colors | Green = low priority (think healthy green trees) Red = high priority (think fire) |
Risk is either | Inherent - Residual |
Residual risk calculation | Inherent risk - risk response (adjustment made to avoid the risk) |
Residual risk compared to | risk appetite to determine if the risk response is adequate |
Example of risk avoidance | Not purchasing a smart phone to avoid the cost of damage repairs |
Example of risk acceptance | Not purchasing a protection plan for your phone, and ultimately accepting all cost of repairs |
Example of risk mitigation | No protection plan purchased, but a screen protector & case were purchased |
Example of risk transfer | Purchasing a protection plan for your phone, as the carrier would be liable for any risk associated with the device |
Cost of risk transfer | financial |
5 Typical Transaction-Based Cycles | Revenue - Expenditure - Production - HR/Payroll - Financing |
By mitigating risk | a company can take on risks & create a competitive advantage for its business while still carefully considering, calculating & reducing those risks |
Risk is mitigated by | applying internal controls to business processes to reduce its exposure |
An adequate Internal Control creates assurance that | accounting information is reliable, complete & valid - operations are effective & efficient - the business is complying with laws & regulations |
Internal controls provide | quality information to internal decision makers & external stakeholders |
Proper internal controls can: | create quality information - lessen the risk of financial statement misstatements - prevent fraud - identify financial issues - safeguard assets from theft & waste - increase operating efficiency - measure business objectives & goals - ensure compliance with applicable laws & regulations - provide investors with reassurance |
Reasonable assurance | not absolute mitigation but enough mitigation to give the company confidence that risk is at an acceptable level |
Control is synonymous with | Control activities |
Three functions of control | Prevent - Detect - Correct |
Examples of preventative control | Taking your car in to get a regular inspection, to ensure there is no damage - Firewall on a computer - Policy & procedure |
Three segregation of duties | Authorize - Record - Custody |
Examples of authorizing | signing checks - authorizing requests for checks - approving vendor payments - approving purchase orders - approving compensation adjustments |
Examples of recording | preparing source documents - inputting data into the information system - recording journal entries - maintaining accounting records, files & databases |
Examples of custody | overseeing & distributing cash - inventory - fixed assets - computer equipment - tools - supplies |
System roles | dictate what activities users can perform |
Examples of detective controls | indicator lights in vehicles lighting up when there is an issue - counting the cash drawer at EOD & comparing it to sales records - physical inventory counts |
Detective controls identify | fraud risk - quality control - legal compliance |
Examples of corrective control | vehicle breaks down & repairs must be made |
Corrective control is synonymous with | backup plan - 'oh shit' response - plan Z |
Example of management override | A control may require additional approvals for journal entries over a certain dollar amount. If an accounting manager insists that a member of their team input a journal entry above this threshold without proper approval, management has ignored the existing control. |
Examples of corrective controls actions | disciplinary action - reports - software patches - policy updates |
Is the control in a computer environment or not? | The answer indicates whether the control is a physical control or an information technology control |
Three locations for control | physical - IT general (ITGC) - IT application |
Physical control | it is tangible & governs individuals & their activities. Example: a business continuity plan that governs how people & equipment will respond to the occurrence of a disruptive event, like a natural disaster or global pandemic |
Examples of IT general | password policies that require users to create new passwords to log into the corporate network every 90 days - passwords must be a certain length & contain specific characters |
Examples of IT application | computer system that assigns roles in purchasing & approvals - the app that conducts the validity check that verifies entered data is formatted correctly |
Application controls in AIS | transaction controls |
Two methods of implementing a control | manual - automated |
Manual control vs physical control | Manual controls are executed by people or physical interaction, while physical controls mitigate risks related to people and their actions |
Examples of manual controls | physical inventory counts - supervisor review & sign-off - employee performing bank reconciliation - P&Ps - employee training - manager reviewing a weekly exception report |
Examples of automated controls | system-performed three-way match - system user role privileges & limitations - calculations embedded in spreadsheets - continuous monitoring & data analytics - system limitations that determine how many approvals are needed based on the amount of a transaction |
Example of continuous monitoring | a call has to be answered within 90 seconds, so a business will monitor the call answer rates to confirm this is being completed |
Aspects of AIS for continuous monitoring | data stored in the AIS is used for analysis, so the data must be accurate - the monitoring program is often a separate IS that creates its own technology risks |
Management provides _______ lines of defense | both the first & second |
First line of defense is synonymous with | business operations managers |
Second line of defense is synonymous with | Risk management & compliance management |
Third line of defense reports to | executive management & board of directors |
Third line of defense is synonymous with | internal audit |
Primary objective of internal audit | to test internal controls to provide assurance of their effectiveness to executive management & BOD |
Primary objective of risk management & compliance (second line of defense) | Aids the first line of defense in ensuring that controls are designed to adequately address risk, then monitors the controls to ensure that the first line of defense is complying with internal control requirements |
Primary objective of business operations management (first line of defense) | the responsibility of developing, implementing & controlling business processes |
External auditors are | not part of the three lines of defense of a company |
External auditors are synonymous with | External assurance providers - according to the IIA |
IIA | Institute of Internal Auditors |
By selecting or designing a maturity model, companies gain | a guide for envisioning the future - benchmarks for the organization to use in comparing processes internally or externally - insights into the improvement path from an immature model to a mature model - disciplined methods that are easy for management to understand & implement |
Phase 1 of business maturity model | Limited: informal process, ad hoc controls, localized efforts, reactive management, reliance on key individuals |
Phase 2 of business maturity model | Informal: some defined processes, some defined controls, lack of documentation, primarily manual controls, inconsistencies, reliance on key individuals |
Phase 3 of business maturity model | Defined: clearly defined processes, clearly defined controls, formal documentation, mix of manual & automated controls, no reliance on key individuals |
Phase 4 of business maturity model | Optimized: enterprise-wide risk management, enterprise-wide control environment, top-down/proactive approach, clearly defined processes, clearly defined controls, formal documentation, clear communication throughout organization, more automated controls than manual controls, internal audit provides strategic value |
Phase 1 in a maturity model | is a reactive environment & management only addresses issues after something has gone wrong |
Phase 2 in the maturity model | things are more defined than in phase 1, but informal-maturity business processes lack enterprise-wide oversight & implementation |
Many companies will not achieve higher | than phase 3 due to resource limitations |
Phase 3 in the maturity model | is fully automated, providing more protection against error & manipulation |
Phase 4 in the maturity model | is managed at an enterprise-wide level, with leadership taking a top-down, proactive approach to risk |
Internal auditors are | employees of their organization; however, they must remain independent of all business functions that they audit |
Assurance | ensures that the organization is operating in accordance with management's plan |
Insight | Discovers improvements for policies, procedures, controls & risk management |
Objectivity | Assesses the company from an independent consulting point of view |
Internal audit team value | assessing whether controls are well designed - determining if controls are functioning as designed - providing objective insight because of its independence - ensuring that the company is complying with regulations - identifying opportunities for strategic improvements |
Different frameworks | accounting frameworks are specific to the information appearing in a company's financial statements |
Framework is synonymous with | roadmaps - they provide a path to follow but don't specify what mode of transportation to use |
Example of framework | Class syllabus - gives an outline, but doesn't describe how each step should be completed to get an A |
SOX compliance is required for | Publicly traded companies in the US & their subsidiaries - Foreign companies that are publicly traded & do business in the US - Private companies planning their initial public offerings to become publicly traded - Accounting firms performing audits of the above SOX-regulated companies |
IPOs | initial public offerings |
Significant SOX requirements for CEOs & CFOs | accuracy & documentation of financial statements - ensuring that financial statements are reviewed by management - overall internal control structure - reports provided to the SEC - informing external auditors about any significant internal control issues or fraud concerns |
Significant SOX requirements for internal control report | is included in the company's annual financial statements - states that management is responsible for implementing & maintaining an adequate system of internal controls - contains an assessment of the effectiveness of the system of internal control |
Significant SOX requirements for external audit | evaluates management's assessment of the effectiveness of the system of internal control & provides an audit opinion on management's report - includes disclosure of instances where the internal control environment is not in compliance with SOX |
Significant SOX requirements for formal data security policies | are communicated & enforced throughout the company - ensure protection of all financial data in storage & in use |
SEC | Securities & Exchange Commission |
Securities & Exchange Commission (SEC) | the government agency that oversees trading & securities transactions & has the legal authority to issue rules under federal securities laws |
Four requirements of framework | 1. free from bias 2. consistent measurements of internal control 3. include any relevant factor that could alter the opinion about a company's effectiveness of internal controls 4. relevance to an evaluation of internal controls as they relate to financial reporting |
Five private sector groups of COSO | 1. American accounting association (AAA) 2. American institute of certified public accountants (AICPA) 3. Institute of Internal Auditors (IIA) 4. Institute of management accountants (IMA) 5. Financial Executive Institute (FEI) |
AAA | The American Accounting Association |
IMA | The Institute of Management Accountants |
FEI | The Financial Executives Institute |
Three items of Internal Control-Integrated Framework | Control Objectives - Components & related principles - COSO Cube |
Operations objectives | relate to the effectiveness & efficiency of the company's daily functions, allocation of resources, operation & financial performance, & prevention of losses |
Reporting objectives | relate to the reporting of financial information internally & externally & the reporting of nonfinancial information. These objectives relate to the characteristics of useful information, including relevance, representational faithfulness, timeliness, & reliability |
Compliance objectives | relate to internal control goals for adhering to applicable laws & regulations |
Three control objectives | Operations Objectives - Reporting Objectives - Compliance Objectives |
Control environment key course concepts | risk appetite - enterprise-wide risk management - business process maturity model - management override - SOX regulations |
Risk assessment key course concepts | risk appetite - risk identification - risk categorization - risk scores - risk prioritization - heat maps |
Control activities key course concepts | risk response - internal controls |
Information & communication key course concepts | quality information - reporting - data analytics - internal audit - management - audit committee - financial statements |
Monitoring key course concepts | management assessments - internal audits - audit committee reporting |
Governance & culture | about setting the company's tone & establishing oversight responsibilities for ERM |
Governance & culture key course concepts | business model - values & mission - business objectives - sustainability - culture |
Strategy & objective setting | the strategic planning process, which combines ERM, strategy, & objective setting to determine the risk appetite & align it with the business objectives |
Strategy & objective setting key course concepts | decision-making context - risk appetite - business objectives |
Performance | assessing & identifying risks & responding to risk at a portfolio-view level. Plus reporting results to key stakeholders |
Performance key course concepts | risk identification - risk categorization - risk scores - risk prioritization - heat maps - risk responses - internal controls - portfolio level risk |
Review & revision | reviewing performance to consider how well ERM is functioning & identify necessary revisions |
Review & revision key course concepts | internal audits - management assessments - business process maturity model |
Information, communication, and reporting | continually obtaining & sharing necessary information, from both internal & external sources, flowing up, down, & across the company |
Information, communication, and reporting key course concepts | quality information - reporting - data analytics - management assessments - internal audits - audit committee reporting |