AIS - Exam 3
| Term | Definition |
|---|---|
| 3 goals of internal controls | Operations, reporting, compliance |
| Internal controls | A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to operations, reporting and compliance. |
| Sarbanes-Oxley Act (SOX) | Management is required to maintain a system of internal controls, assess its effectiveness and report on internal controls as part of the annual report |
| Auditors | Rely on internal controls when making assertions about the financial statements, and attest to management's report on internal controls |
| Operations | Operations consistent with management's plans |
| Reporting | Financial and non-financial reporting helps to support strategic and operational goals |
| Compliance | With necessary laws and regulations |
| COSO 5 control components | 1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information and communication 5. Monitoring Activities |
| 1. Control Environment | The COSO Internal Control component that covers the governance activities of the board of directors and management (includes communicating with key individuals to discuss objectives) |
| 2. Risk Assessment | The organization specifies objectives so that risks can be assessed in relation to these objectives. |
| 3. Control Activities | Include many day-to-day activities that mitigate risk by preventing issues, detecting problems and assuring correction is possible |
| 4. Information and Communication | Communicate objectives, responsibilities and other information to support the functioning of internal controls |
| 5. Monitoring | Evaluations, separate from the daily processing of transactions and related controls, that determine whether internal controls are present and functioning. |
| Risk management | The process of IDENTIFYING, ASSESSING AND MANAGING risks to increase the likelihood that business and accounting objectives will be achieved |
| ERM | Enterprise risk management: a process designed to identify potential events that may affect the entity and to manage the resulting risk |
| Corporate governance | The process of overseeing the company |
| COSO ERM Framework 5 parts | 1. Governance and culture 2. Strategy and objective setting 3. Performance 4. Review and Revision 5. Information, Communication, and Reporting |
| Governance and culture | Exercises board risk oversight, establishes structures, defines culture, commitment to core values, attracts develops and retains capable individuals |
| Strategy and objective setting | Analyzes business context, defines risk appetite, evaluates alternative strategies, formulates business objectives |
| Performance | Identifies risk, assesses severity of risk, prioritizes risk, implements risk responses |
| Review and revision | Assesses substantial change, reviews risk and performance, pursues improvement in ERM |
| Information, communication, and reporting | Leverages information and technology, communicates risk information, reports on risk, culture and performance. |
| Six categories of risk | Operational, financial, reputational, compliance, strategic, physical |
| Operational risk | Relates to how we operate each day (what we do every day); often involves not following procedures |
| Financial risk | Specifically related to cash flow |
| Reputational risk | Relates to how the external public views us, both due to our actions, and the actions of others |
| Compliance risk | Relates to adherence to laws and regulations |
| Strategic risk | Relates to the effectiveness of our business strategy |
| Physical risk | Involves natural disasters and other physical hazards; things we have little control over |
| Risk severity | an evaluation of the level of risk that combines the effect of likelihood of risks occurring and their potential impact on the company |
| Likelihood | the estimated probability of risk occurrence |
| Impact | The estimation of damage that could be caused if the risk occurs |
| Qualitative measurement | Uses categories or an ordinal scale (e.g. 1-10) to rate likelihood and impact |
| Quantitative measurement | Develops a risk score that is the dollar expectation of loss (probability x monetary impact) |
| Risk score = | likelihood x impact = risk severity |
| Heat map | can be used to visualize risk severity when qualitative evaluation for likelihood and impact is used |
| Avoid the risk | the risk is eliminated by completely avoiding the event connected to the risk |
| Accept the risk | management understands that an inherent risk exists but makes a decision not to act |
| Transfer the risk | Shift the risk to a third party (insurance, outsourcing) |
| Mitigate the risk | Management is willing to accept some risk but takes action to limit or reduce the risk severity. |
| Inherent risk | the risk level before any response or mitigation |
| Residual risk | The risk that remains after a risk response has been implemented |
| Mitigate risk - preventative | reduces LIKELIHOOD of issue taking place or outcome resulting from the issue |
| Mitigate risk - detective | detects the issue early, reduce the IMPACT of the outcome |
| Mitigate risk - corrective | Having a plan of action to address the issue reduces the IMPACT of the outcome |
| 6 control activities | 1. proper authorization 2. independent checks on performance 3. physical controls 4. design and use of documents 5. application controls 6. segregation of duties |
| Authorization | happens before a transaction is executed, so it is a preventative control |
| General authorization | used for routine transactions |
| Specific authorization | For transactions that don't meet the requirements for general authorization; not routine, so management has to consider the specific circumstances |
| Independent checks on performance | A second person or process verifies that the work is right at every stage |
| Reconciliations - Independent checks on performance | of documents/records to one another |
| Comparison - Independent checks on performance | of actual assets with records about the asset ( double checking) |
| Physical controls | Restrict physical access to assets |
| Design and use of documents | Documents designed to ensure correct data entry and to track the performance of other controls; their use is traceable through the audit trail |
| Application controls | The automated counterpart of document design controls: controls within a computer system that assure the integrity of data input, processing and output for specific data |
| Field check - Application controls | does the field contain the right type of data (numbers, alpha characters, date) |
| Sign check - Application controls | If numeric, is the field limited to positive, zero, negative numbers, as makes sense for the information being stored. |
| Limit check - Application controls | if numeric, is the data above or below a certain valid amount |
| Range check - Application controls | Like a limit check, but with a bottom and a top value |
| Size check - Application controls | Is the number of digits/characters consistent with the requirements for the data |
| Completeness check - Application controls | Is there data in the field if data is required |
| Validity check - Application controls | does the value entered appear in a list of VALID VALUES for the data being stored |
| Reasonableness check - Application controls | does the value in one field logically agree with data found in another? |
| Check digit verification - Application controls | Item numbers may contain a computed digit that can be recomputed to assure the number is a valid one. Check digits are used in credit card numbers, barcodes and automobile VINs; they catch mistyped or transposed digits, not a well-formed number that belongs to the wrong item |
| Closed loop verification - Application controls | When a user enters a key value (e.g. a customer number), related data (e.g. the customer's name) is displayed so the user can confirm the right record was selected |
| Batch totals | Control totals computed over a batch of records before processing and recomputed afterwards; a difference means a record was lost, duplicated or altered |
| Financial total - Batch totals | Sum of a monetary field, such as purchase order totals |
| Hash total - Batch totals | Sum of a non-monetary field, such as quantity ordered or numeric document numbers; the sum has no meaning except as a control |
| Record count - Batch totals | Count of the number of records processed |
| Data Transmission Controls | Checksum and Parity bit |
| Checksum | When data is transmitted, a mathematical calculation over the data produces a checksum that is sent with it; at the destination the same computation is repeated and a mismatch indicates the data was altered in transit |
| Parity bit | An extra bit (0/1) attached to every character so that the character has an even (or odd) number of 1 bits; the receiver recounts the bits to check transmission accuracy. Detects a single flipped bit per character but not two |
| Concurrent update controls | Assure that two users are not changing the same object in a database at the same time, which would otherwise cause one user's update to be lost or leave inconsistent data |
| Segregation of duties | A preventative control that lessens the risk of error and fraud by ensuring that different employees are responsible for the separate parts of a business activity: authorizing, recording, and having custody |
| Limitations on internal controls | management override and collusion (fraud) |
| Compensating control | alternative controls used to make up for the lack of a desirable control |
| Logical access controls | How we identify and authenticate users |
| Identifying users | involves assigning a unique identifier (username) |
| User authorization | How we decide which parts of the system each user is allowed to access |
| Role-based access control | restricts network access by assigning individuals specific roles that have predefined criteria for what they can and cannot access in the system |
| Administrator role | Highest role in the hierarchy and has permissions for all objects |
| Provisioning | the process of assigning access to users |
| De-provisioning | the process of removing access when users change jobs, or leave the organization. |
| Access creep | when additional roles or individual permissions are assigned to users that may be needed only temporarily, but are not removed |
| User access reviews - Reviewing access | compare the user's job responsibilities with the role assigned |
| Dormant access reviews - Reviewing access | Compare access logs to user permissions to identify permissions that have not been used and may need to be removed |
| Dormant user reviews - Reviewing access | Compare access logs to the user list to identify users who have not accessed the system and may need to be reviewed |
| Data center | Physical location where the servers, network appliances and other hardware that make up the core of the IT infrastructure are stored |
| 3 key environments of data center | Outside environment, inside environment, physical security |
| Outside environment | The data center should be located on the lower floors of its physical building |
| Inside environment | have their own air-conditioning units, and the rooms are chilled to prevent overheating. |
| Physical security | A single entry point monitored by user authentication |
| Business Continuity Planning | a set of procedures that a business undertakes to protect employees, other stakeholders, and assets in the event of a disruptive event |
| Incident response | what to do when a potential problem is first noticed |
| Disaster recovery | what to do to recover data, systems and individuals to minimize damage from the event |
| Business continuity | How the business will keep operating during and after the event |
| Data prioritization | Companies categorize systems and data based on importance/ criticality |
| Recovery point objective | How much data can be lost before it causes significant damage to the business |
| Recovery time objective | How much time a system can be down before it causes significant damage to the business |
| Full backups | involve copying all existing data in its entirety every time |
| Differential backups | Involve copying all data created or changed since the most recent full backup, every time |
| Incremental backups | involve copying only new or updated data with each backup |
| Continuous backup | Automatically captures a copy of every change as it is made, building an up-to-the-moment backup |
| Backup site | a physical location where company personnel will go to recover systems and data after a disaster |
| Change management | is a standardized process that decreases risk by controlling the identification and implementation of required changes to a system |
| 3 stages of a change management process | 1. Creating changes in the TEST ENVIRONMENT 2. Evaluating accuracy of changes in the MODEL ENVIRONMENT 3. Implementing changes in the PRODUCTION ENVIRONMENT |
| Documentation | a formal record that describes a system or process |
| Narratives | Written descriptions of what we do in a process; often paired with a control matrix |
| Data flow diagrams | show the flow of data within the system |
| Flowcharts | more detailed overviews of processes |
| Swim lanes | used to identify responsibility in the process |
| Terminator | Beginning and ending of process |
| Flow | left to right, or top to bottom |
| On page connector | numbered to match the connection points |
| Off page connector | Numbered to match the connection points |
| Triangle | Paper file |
| cylinder | electronic database |
| parallelogram | electronic input/output |
| rectangle with slanted top | manual input |
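
Worked example for the application-control rows above (field, sign, limit, range, size, completeness, validity and reasonableness checks, check digit verification and closed-loop verification). This is an added example, not code from the original flashcards; the purchase-order record layout, the vendor and account lists, the price limit and the Luhn check digit on the item number are constructed assumptions for illustration.

```python
"""Input-edit (application) controls run against one purchase-order line.

Added example for the application-control rows above; it is not code from
the original flashcards.  The record layout, the vendor and account lists
and the limits are constructed assumptions for illustration.
"""
import re
from datetime import date
from typing import Dict, List, Optional

# Constructed reference data (assumption: a real system reads these from
# master files).  Closed-loop verification echoes VENDORS[vendor_id] back.
VENDORS = {"V1001": "Acme Fasteners", "V1002": "Globex Supply"}
VALID_ACCOUNTS = {"6100", "6200", "6300"}      # validity-check list
UNIT_PRICE_LIMIT = 10_000.00                   # limit-check ceiling
REQUIRED = ("vendor_id", "item_no", "qty", "unit_price", "account", "order_date")


def luhn_ok(number: str) -> bool:
    """Check-digit verification using the Luhn mod-10 algorithm."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_po_line(rec: Dict[str, str]) -> List[str]:
    """Apply the edit checks to one record and return the list of failures."""
    errors: List[str] = []

    # Completeness check: every required field must be present and non-empty.
    errors += [f"completeness: {f} missing" for f in REQUIRED if not rec.get(f)]
    if errors:
        return errors                           # later checks need the data

    # Field check: right data type in each field.
    if not re.fullmatch(r"-?\d+", rec["qty"]):
        errors.append("field: qty must be an integer")
    if not re.fullmatch(r"\d+(\.\d{1,2})?", rec["unit_price"]):
        errors.append("field: unit_price must be a decimal amount")
    try:
        date.fromisoformat(rec["order_date"])
    except ValueError:
        errors.append("field: order_date must be YYYY-MM-DD")
    if errors:
        return errors

    qty, price = int(rec["qty"]), float(rec["unit_price"])
    if qty <= 0:                                # sign check
        errors.append("sign: qty must be positive")
    if price > UNIT_PRICE_LIMIT:                # limit check (upper bound only)
        errors.append(f"limit: unit_price exceeds {UNIT_PRICE_LIMIT}")
    if not 1 <= qty <= 999:                     # range check (both bounds)
        errors.append("range: qty outside 1..999")
    if len(rec["vendor_id"]) != 5:              # size check
        errors.append("size: vendor_id must be 5 characters")
    if rec["account"] not in VALID_ACCOUNTS:    # validity check
        errors.append("validity: unknown account")
    if qty > 500 and price < 0.05:              # reasonableness check
        errors.append("reasonableness: qty/unit_price combination is implausible")
    if not luhn_ok(rec["item_no"]):             # check-digit verification
        errors.append("check digit: item_no fails Luhn")
    return errors


def closed_loop_echo(vendor_id: str) -> Optional[str]:
    """Closed-loop verification: display the name behind the key just typed."""
    return VENDORS.get(vendor_id)


if __name__ == "__main__":
    good = {"vendor_id": "V1001", "item_no": "79927398713", "qty": "10",
            "unit_price": "12.50", "account": "6100", "order_date": "2024-03-01"}
    print(validate_po_line(good), closed_loop_echo(good["vendor_id"]))
```

Note that the checks run in the order the data allows: completeness first, then type (field) checks, and only then the value checks, because a sign or range test on a non-numeric string is meaningless. The check digit only proves the item number is well formed; closed-loop verification is what lets the user notice a valid number that belongs to the wrong item.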
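
Worked example for the batch-total rows above (record count, financial total, hash total). It is an added example, not code from the original flashcards; the batch of purchase-order records and the two error scenarios (a transposed document number and a lost record) are constructed sample data.

```python
"""Batch control totals: record count, financial total and hash total.

Added example for the batch-total rows above; not code from the original
flashcards.  The batch of purchase-order records is constructed sample data.
"""
from dataclasses import dataclass, asdict
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class BatchTotals:
    record_count: int          # number of records in the batch
    financial_total: Decimal   # sum of a monetary field (the PO amount)
    hash_total: int            # sum of a non-monetary field (PO numbers);
                               # meaningless as a number, useful as a control


def compute_totals(batch: List[Dict]) -> BatchTotals:
    """Totals are computed on the source documents, then recomputed after
    data entry/processing; any difference means a record was lost,
    duplicated or altered."""
    return BatchTotals(
        record_count=len(batch),
        financial_total=sum((Decimal(r["amount"]) for r in batch), Decimal("0")),
        hash_total=sum(r["po_number"] for r in batch),
    )


def discrepancies(expected: BatchTotals, actual: BatchTotals) -> List[str]:
    """Names of the control totals that do not agree."""
    e, a = asdict(expected), asdict(actual)
    return [k for k in e if e[k] != a[k]]


# Constructed source batch (amounts as strings so Decimal is exact).
SOURCE_BATCH = [
    {"po_number": 1001, "amount": "250.00", "qty": 5},
    {"po_number": 1002, "amount": "99.95", "qty": 1},
    {"po_number": 1003, "amount": "1200.00", "qty": 12},
]

# Keying error: PO 1003 entered as 1030.  Record count and financial total
# still agree; only the hash total exposes the error.
TRANSPOSED_BATCH = [dict(r) for r in SOURCE_BATCH]
TRANSPOSED_BATCH[2]["po_number"] = 1030

# Lost record: the last document never reached data entry.
SHORT_BATCH = SOURCE_BATCH[:2]

if __name__ == "__main__":
    expected = compute_totals(SOURCE_BATCH)
    print(discrepancies(expected, compute_totals(TRANSPOSED_BATCH)))   # hash only
    print(discrepancies(expected, compute_totals(SHORT_BATCH)))        # all three
```

The point of carrying all three totals is visible in the two scenarios: a dropped record disturbs every total, but a transposed document number with the right amount is invisible to the record count and the financial total and is caught only by the hash total.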
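
Worked example for the data transmission control rows above (checksum and parity bit). It is an added example, not code from the original flashcards; the framing (7-bit ASCII characters with an even-parity bit in the high position, and a 16-bit additive checksum over the message) is an assumed toy scheme, not a specific protocol. The last scenario shows the limit of both controls: two compensating two-bit flips pass parity and leave the additive checksum unchanged, which is why real links use a CRC and integrity-sensitive data uses a keyed MAC.

```python
"""Data transmission controls: a parity bit on every character plus a
checksum over the whole message.

Added example for the checksum and parity-bit rows above; not code from the
original flashcards.  The framing (7-bit ASCII with an even-parity bit in
the high position, 16-bit additive checksum) is an assumed toy scheme.
"""
from typing import List, Tuple


def add_parity(char_code: int) -> int:
    """Frame a 7-bit character so the 8-bit frame has an even number of 1s."""
    if not 0 <= char_code < 128:
        raise ValueError("7-bit ASCII only")
    ones = bin(char_code).count("1")
    return ((ones % 2) << 7) | char_code


def parity_ok(frame: int) -> bool:
    """Receiver side: recount the 1 bits; even parity must still hold."""
    return bin(frame & 0xFF).count("1") % 2 == 0


def checksum16(data: bytes) -> int:
    """Sender and receiver both compute this; a mismatch means corruption."""
    return sum(data) & 0xFFFF


def encode_message(text: str) -> List[int]:
    return [add_parity(ord(c)) for c in text]


def decode_message(frames: List[int]) -> Tuple[str, List[int]]:
    """Strip parity bits; return the text and the positions that failed parity."""
    bad = [i for i, f in enumerate(frames) if not parity_ok(f)]
    text = "".join(chr(f & 0x7F) for f in frames)
    return text, bad


def transmit(text: str, flips: List[Tuple[int, int]] = ()) -> dict:
    """Simulate sending `text`; each (position, mask) in `flips` is XOR-ed
    into that frame in transit.  Report what each control detected."""
    frames = encode_message(text)
    sent_sum = checksum16(text.encode("ascii"))
    for at, mask in flips:
        frames[at] ^= mask
    received, bad = decode_message(frames)
    return {
        "received": received,
        "parity_errors": bad,
        "checksum_ok": checksum16(received.encode("ascii")) == sent_sum,
    }


if __name__ == "__main__":
    print(transmit("PAY 102"))                          # clean
    print(transmit("PAY 102", [(1, 0x01)]))             # parity catches 1 bit
    print(transmit("PAY 102", [(1, 0x03)]))             # parity misses, checksum catches
    print(transmit("PAY 102", [(1, 0x03), (6, 0x03)]))  # both miss: +1 and -1
```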
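
Worked example for the concurrent update controls row above, implemented as optimistic locking with a version column. It is an added example, not code from the original flashcards; the inventory table and the two simulated users are constructed for illustration. The same function is run with the control switched off to show the lost update it prevents.

```python
"""Concurrent update control implemented as optimistic locking.

Added example for the concurrent-update row above; not code from the
original flashcards.  The inventory table and the two simulated users are
constructed for illustration.
"""
import sqlite3
from typing import Tuple


def setup() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE inventory (item TEXT PRIMARY KEY,"
                " on_hand INTEGER NOT NULL, version INTEGER NOT NULL)")
    con.execute("INSERT INTO inventory VALUES ('WIDGET', 100, 1)")
    con.commit()
    return con


def read_item(con: sqlite3.Connection, item: str) -> Tuple[int, int]:
    """Return (on_hand, version) as the user saw it on screen."""
    return con.execute("SELECT on_hand, version FROM inventory WHERE item = ?",
                       (item,)).fetchone()


def save_item(con: sqlite3.Connection, item: str, new_on_hand: int,
              seen_version: int, checked: bool = True) -> bool:
    """Write the user's new quantity.  With checked=True the UPDATE succeeds
    only if nobody changed the row since this user read it."""
    if checked:
        cur = con.execute("UPDATE inventory SET on_hand = ?, version = version + 1"
                          " WHERE item = ? AND version = ?",
                          (new_on_hand, item, seen_version))
    else:   # uncontrolled: last writer wins, earlier update silently lost
        cur = con.execute("UPDATE inventory SET on_hand = ?, version = version + 1"
                          " WHERE item = ?", (new_on_hand, item))
    con.commit()
    return cur.rowcount == 1


def two_users_ship(checked: bool) -> dict:
    """User A ships 30 and user B ships 20, both starting from a stock of 100."""
    con = setup()
    a_qty, a_ver = read_item(con, "WIDGET")   # A reads 100 (version 1)
    b_qty, b_ver = read_item(con, "WIDGET")   # B reads 100 (version 1) before A saves
    a_ok = save_item(con, "WIDGET", a_qty - 30, a_ver, checked)
    b_ok = save_item(con, "WIDGET", b_qty - 20, b_ver, checked)
    on_hand, version = read_item(con, "WIDGET")
    return {"a_saved": a_ok, "b_saved": b_ok, "on_hand": on_hand, "version": version}


if __name__ == "__main__":
    print(two_users_ship(checked=True))    # B rejected, stock 70, B must re-read
    print(two_users_ship(checked=False))   # both "succeed", stock 80: A's 30 lost
```

With the check in place B's write is rejected (zero rows matched), and the application must re-read the row and re-apply the change against the new value; without it both writes succeed and the stock level is wrong by exactly the update that was overwritten.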
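
Worked example for the access-review rows above (user access review, dormant access review, dormant user review) together with a segregation-of-duties check over the same role assignments. It is an added example, not code from the original flashcards; the users, roles, access log lines, the role model per job title, the conflicting role pairs and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Access review over constructed role assignments and access logs:
user access review, dormant access review, dormant user review and a
segregation-of-duties check.

Added example for the access-review and segregation-of-duties rows above;
not code from the original flashcards.  Users, roles, log lines, the role
model per job title and the 90-day dormancy threshold are constructed
assumptions.
"""
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

REVIEW_DATE = date(2024, 6, 30)
DORMANT_AFTER = timedelta(days=90)      # unused for 90 days counts as dormant

# Assumed role model: which roles each job title should hold.
EXPECTED_ROLES: Dict[str, Set[str]] = {
    "AP Clerk": {"ap_entry"},              # records payables
    "AP Manager": {"ap_approve"},          # authorizes payables
    "Treasury": {"payments_release"},      # custody: releases the payment run
}

# Role pairs that put authorizing, recording or custody in one pair of hands.
SOD_CONFLICTS: List[Tuple[Set[str], str]] = [
    ({"ap_entry", "ap_approve"}, "records and authorizes the same payables"),
    ({"ap_approve", "payments_release"}, "authorizes and releases payments"),
]

# Constructed user directory (alice kept ap_approve from a temporary cover).
USERS: Dict[str, Dict] = {
    "alice": {"title": "AP Clerk", "roles": {"ap_entry", "ap_approve"}},
    "bob": {"title": "AP Manager", "roles": {"ap_approve"}},
    "carol": {"title": "Treasury", "roles": {"payments_release"}},
    "dave": {"title": "AP Clerk", "roles": {"ap_entry"}},
}

# Constructed access log: (date, user, role exercised).
ACCESS_LOG: List[Tuple[date, str, str]] = [
    (date(2024, 1, 10), "alice", "ap_approve"),   # last used in January
    (date(2024, 5, 15), "alice", "ap_entry"),
    (date(2024, 6, 28), "alice", "ap_entry"),
    (date(2024, 6, 29), "bob", "ap_approve"),
    (date(2024, 6, 20), "carol", "payments_release"),
    # dave: no entries at all
]


def user_access_review() -> Dict[str, Set[str]]:
    """Roles a user holds that the role model for their job title does not grant."""
    result = {}
    for user, info in USERS.items():
        extra = info["roles"] - EXPECTED_ROLES.get(info["title"], set())
        if extra:
            result[user] = extra
    return result


def _last_use() -> Dict[Tuple[str, str], date]:
    last: Dict[Tuple[str, str], date] = {}
    for when, user, role in ACCESS_LOG:
        key = (user, role)
        if key not in last or when > last[key]:
            last[key] = when
    return last


def dormant_access_review() -> Dict[str, Set[str]]:
    """Permissions held but not exercised inside the dormancy window."""
    cutoff = REVIEW_DATE - DORMANT_AFTER
    last = _last_use()
    result = {}
    for user, info in USERS.items():
        stale = {r for r in info["roles"] if last.get((user, r), date.min) < cutoff}
        if stale:
            result[user] = stale
    return result


def dormant_user_review() -> List[str]:
    """Users with no activity at all inside the dormancy window."""
    cutoff = REVIEW_DATE - DORMANT_AFTER
    active = {user for when, user, _ in ACCESS_LOG if when >= cutoff}
    return sorted(u for u in USERS if u not in active)


def sod_review() -> Dict[str, List[str]]:
    """Users whose combined roles violate a segregation-of-duties rule."""
    result = {}
    for user, info in USERS.items():
        hits = [why for pair, why in SOD_CONFLICTS if pair <= info["roles"]]
        if hits:
            result[user] = hits
    return result
```

The three reviews answer different questions about the same data: the user access review compares what was granted with what the job needs, the dormant access review compares what was granted with what is actually used, and the dormant user review finds accounts that should probably be de-provisioned. Here alice's leftover approval role (access creep) is the one finding that also creates a segregation-of-duties conflict, which is the reason these reviews exist.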
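
Worked example for the full, differential and incremental backup rows above, showing what each nightly backup copies and which backup sets a restore must read. It is an added example, not code from the original flashcards; the file set and the day-by-day change history are constructed sample data.

```python
"""What each backup type copies night by night, and what a restore needs.

Added example for the full/differential/incremental rows above; not code
from the original flashcards.  The file set and the change history are
constructed sample data.
"""
from typing import Dict, List, Set

# Constructed environment: a full backup on day 0, then nightly backups.
ALL_FILES: Set[str] = {"ledger.db", "ap.csv", "payroll.xlsx", "policies.pdf"}
CHANGED_ON: Dict[int, Set[str]] = {     # day -> files modified during that day
    1: {"ledger.db", "ap.csv"},
    2: {"payroll.xlsx"},
    3: {"ledger.db"},
}


def backup_contents(strategy: str, day: int) -> Set[str]:
    """Files written to the backup taken at the end of `day`."""
    if day == 0 or strategy == "full":
        return set(ALL_FILES)                      # everything, every time
    if strategy == "differential":
        # everything changed since the last FULL backup (day 0)
        return set().union(*(CHANGED_ON.get(d, set()) for d in range(1, day + 1)))
    if strategy == "incremental":
        # only what changed since the previous backup of any kind
        return set(CHANGED_ON.get(day, set()))
    raise ValueError(f"unknown strategy {strategy!r}")


def files_copied(strategy: str, last_day: int = 3) -> int:
    """Total files written over the cycle (the storage/backup-window cost)."""
    return sum(len(backup_contents(strategy, d)) for d in range(0, last_day + 1))


def restore_chain(strategy: str, day: int) -> List[str]:
    """Backup sets that must be read, in order, to rebuild the state at `day`
    (the recovery-time side of the trade-off)."""
    if strategy == "full":
        return [f"full-day{day}"]
    if strategy == "differential":
        return ["full-day0", f"diff-day{day}"]
    return ["full-day0"] + [f"inc-day{d}" for d in range(1, day + 1)]


if __name__ == "__main__":
    for s in ("full", "differential", "incremental"):
        print(s, files_copied(s), restore_chain(s, 3))
```

Over this three-day cycle the full strategy writes 16 files and restores from one set, the differential strategy writes 12 and restores from two (the full plus the latest differential), and the incremental strategy writes only 8 but must replay the full plus every incremental in order, so a single missing or corrupt incremental breaks the chain. That is the trade-off between backup cost and recovery time objective that the definitions describe.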