Term
|
Definition
- any potential adverse occurrence or unwanted event that could injure the AIS or the organization |
|
|
Term
|
Definition
- potential dollar loss that would occur if the threat becomes a reality |
|
|
Term
|
Definition
- probability that the threat will occur |
|
|
Term
why computer-based AIS requires different internal control policies and procedures |
|
Definition
- computer processing may reduce clerical errors but increase risks of unauthorized access or modification of data files - segregation of duties must be achieved differently in an AIS - computers provide opportunities for enhancement of some internal controls |
|
|
Term
|
Definition
- process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: - assets (including data) are safeguarded - records are maintained in sufficient detail to accurately and fairly reflect company assets - accurate and reliable information is provided - there is reasonable assurance that financial reports are prepared in accordance with GAAP - operational efficiency is promoted and improved - adherence to prescribed managerial policies is encouraged - the organization complies with applicable laws and regulations |
|
|
Term
limitations of internal control systems |
|
Definition
- they are susceptible to errors and poor decisions - they can be overridden by management or by collusion of two or more employees |
|
|
Term
three functions of internal controls |
|
Definition
- preventive - detective - corrective |
|
|
Term
|
Definition
- deter problems before they arise |
|
|
Term
|
Definition
- discover problems quickly when they do arise |
|
|
Term
|
Definition
- remedy problems that have occurred by: - identifying the cause - correcting the resulting errors - modifying the system to prevent future problems of this sort |
|
|
Term
what internal controls are often classified as |
|
Definition
- general controls - application controls |
|
|
Term
|
Definition
- those designed to make sure an organization's control environment is stable and well managed |
|
|
Term
|
Definition
- prevent, detect, and correct transaction errors - concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported |
|
|
Term
foreign corrupt practices act |
|
Definition
- primary purpose was to prevent the bribery of foreign officials to obtain business |
|
|
Term
intent of Sarbanes-Oxley (SOX) |
|
Definition
- preventing financial statement fraud - making financial reports more transparent - protecting investors - strengthening internal controls in publicly-held companies - punishing executives who perpetrate fraud |
|
|
Term
|
Definition
- creation of Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession - new rules for auditors - new rules for audit committees - new rules for management - new internal control requirements |
|
|
Term
|
Definition
- basic conflict between creativity and controls - Robert Simons has espoused four levers of control to help companies reconcile the conflict |
|
|
Term
|
Definition
- communicates company core values to employees and inspires them to live by those values - draws attention to how the organization creates value - helps employees understand management's intended direction - must be broad enough to appeal to all levels |
|
|
Term
|
Definition
- helps employees act ethically by setting limits beyond which they must not pass - does not create rules and standard operating procedures that can stifle creativity - encourages employees to think and act creatively to solve problems and meet customer needs as long as they operate within limits such as: meeting minimum standards of performance, shunning off-limits activities, and avoiding actions that could damage the company's reputation |
|
|
Term
Robert Simons' four levers of control |
|
Definition
- concise belief system - boundary system - diagnostic control system - interactive control system |
|
|
Term
three important frameworks that have been developed to help companies develop good internal control systems |
|
Definition
- COBIT framework - COSO internal control framework - COSO's Enterprise Risk Management framework (ERM) |
|
|
Term
|
Definition
- Control Objectives for Information and Related Technology framework - developed by the Information Systems Audit and Control Foundation (ISACF) - framework of generally applicable information systems security and control practices for IT control |
|
|
Term
|
Definition
- Effectiveness (relevant, pertinent, and timely) - Efficiency - Confidentiality - Integrity - Availability - Compliance with legal requirements - Reliability |
|
|
Term
|
Definition
- people - application systems - technology - facilities - data |
|
|
Term
|
Definition
- planning and organization - acquisition and implementation - delivery and support - monitoring |
|
|
Term
COSO's internal control framework |
|
Definition
- Committee of Sponsoring Organizations (COSO) - American Accounting Association - AICPA - Institute of Internal Auditors - Institute of Management Accountants - Financial Executives Institute |
|
|
Term
Internal Control Integrated Framework |
|
Definition
- defines internal controls - provides guidance for evaluating and enhancing internal control systems - widely accepted as the authority on internal controls - incorporated into policies, rules, and regulations used to control business activities |
|
|
Term
five crucial components of COSO's internal control model |
|
Definition
- Control environment - control activities - risk assessment - information and communication - monitoring |
|
|
Term
Enterprise Risk Management Integrated Framework (ERM) |
|
Definition
- an enhanced corporate governance document - expands on elements of preceding framework - provides a focus on the broader subject of enterprise risk management |
|
|
Term
|
Definition
- provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized - achieve its financial and performance targets - assess risks continuously and identify steps to take and resources to allocate to overcome or mitigate risk - avoid adverse publicity and damage to the entity's reputation |
|
|
Term
What ERM defines risk management as |
|
Definition
- a process effected by an entity's board of directors, management, and other personnel - applied in strategy setting and across the enterprise - to identify potential events that may affect the entity - and manage risk to be within its risk appetite - in order to provide reasonable assurance of the achievement of entity objectives |
|
|
Term
basic principles behind ERM |
|
Definition
- companies are formed to create value for owners - management must decide how much uncertainty they will accept - uncertainty can result in risk and opportunity |
|
|
Term
what internal environment consists of |
|
Definition
- management's philosophy, operating style, and risk appetite - the board of directors - commitment to integrity, ethical values, and competence - organizational structure - methods of assigning authority and responsibility - human resource standards - external influences |
|
|
Term
|
Definition
- economic factors - natural environment - political factors - social factors - technological factors |
|
|
Term
|
Definition
- the risk that exists before management takes any steps to control the likelihood or impact of a risk |
|
|
Term
|
Definition
- the risk that remains after management implements internal controls or some other form of response to risk |
|
|
Term
|
Definition
- identify the events or threats that confront the company - estimate the likelihood or probability of each event occurring - estimate the impact of potential loss from each threat - identify set of controls to guard against threat - estimate costs and benefits from instituting controls - reduce risk by implementing set of controls to guard against threat |
|
|
Term
categories of control procedures |
|
Definition
- proper authorization of transactions and activities - segregation of duties - project development and acquisition controls - change management controls - design and use of documents and records - safeguard assets, records, and data - independent checks on performance |
|
|
Term
|
Definition
- management authorizes employees to handle routine transactions without special approval |
|
|
Term
|
Definition
- for activities or transactions that are of significant consequences, management review and approval is required - might apply to sales, capital expenditures, or write-offs over a particular dollar limit |
|
|
Term
segregation of accounting duties |
|
Definition
- effective segregation of accounting duties is achieved when the following functions are separated |
|
|
Term
|
Definition
- approving transactions and decisions |
|
|
Term
|
Definition
- preparing source documents - maintaining journals, ledgers, or other files - preparing reconciliations - preparing performance reports |
|
|
Term
|
Definition
- handling cash - maintaining an inventory storeroom - receiving incoming customer checks - writing checks on the organization's bank account |
|
|
Term
segregation of duties within the systems function |
|
Definition
- in a highly integrated information system, procedures once performed by separate individuals are combined - therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud - to combat this threat, organizations must implement effective segregation of duties within the IS function |
|
|
Term
what authority and responsibility must be divided into |
|
Definition
- systems administration - network management - security management - change management - users - systems analysts - programming - computer operations - information systems library - data control |
|
|
Term
change management controls |
|
Definition
- organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances - process of making sure that the changes do not negatively affect systems reliability, security, confidentiality, integrity, and availability |
|
|
Term
independent checks on information |
|
Definition
- top-level reviews - analytical reviews - reconciliation of independently maintained sets of records - comparison of actual quantities with recorded amounts - double-entry accounting - independent review |
|
|
Term
|
Definition
- after one person processes a transaction, another reviews their work |
|
|
Term
five primary objectives of an AIS |
|
Definition
- identify and record all valid transactions - properly classify transactions - record transactions at their proper monetary value - record transactions in the proper accounting period - properly present transactions and related disclosures in the financial statements |
|
|
Term
|
Definition
- communicates company core values to employees and inspires them to live by them |
|
|
Term
diagnostic control system |
|
Definition
- measures company progress by comparing actual performance to planned performance |
|
|
Term
interactive control system |
|
Definition
- helps top-level managers with high-level activities that demand frequent and regular attention, such as developing company strategy, setting company objectives, understanding and assessing threats and risks, monitoring changes in competitive conditions and emerging technologies, and developing responses and action plans to proactively deal with these high-level issues |
|
|
Term
|
Definition
- high-level goals that are aligned with and support the company's mission |
|
|
Term
|
Definition
- deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets |
|
|
Term
|
Definition
- help ensure the accuracy, completeness, and reliability of internal and external company reports, of both a financial and nonfinancial nature |
|
|
Term
|
Definition
- help the company comply with all applicable laws and regulations |
|
|
Term
|
Definition
- the most important components of the ERM and internal control frameworks |
|
|
Term
|
Definition
- the amount of risk a company is willing to accept in order to achieve its goals and objectives |
|
|
Term
|
Definition
- composed entirely of outside (nonemployee), independent directors |
|
|
Term
policy and procedures manual |
|
Definition
- explains proper business practices, describes the knowledge and experience needed by key personnel, spells out management policy for handling specific transactions, and documents the systems and procedures employed to process those transactions |
|
|
Term
|
Definition
- includes verifying educational and work experience, talking to references, checking for a criminal record, and checking credit records |
|
|
Term
|
Definition
- the mathematical product of impact and likelihood |
|
|
Term
|
Definition
- policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and the risk responses are carried out |
|
|
Term
|
Definition
- means of signing a document with a piece of data that cannot be forged |
|
|
Term
|
Definition
- when two or more people work together to commit fraud |
|
|
Term
|
Definition
- vendor who uses common standards and manages a cooperative systems development effort involving its own development personnel and those of the client and other vendors |
|
|
Term
|
Definition
- the process of making sure changes do not negatively affect systems reliability, security, confidentiality, integrity, and availability |
|
|
Term
|
Definition
- exists when individual company transactions can be traced through the system from where they originate to where they end up on the financial statements |
|
|
Term
chief security officer (CSO) |
|
Definition
- in charge of AIS security and should be independent of the information system function and report to the chief operating officer (COO) or the CEO |
|
|
Term
|
Definition
- specialize in fraud detection and investigation |
|
|
Term
computer forensics specialists |
|
Definition
- discovering, extracting, safeguarding, and documenting computer evidence such that its authenticity, accuracy and integrity will not succumb to legal challenges |
|
|
Term
|
Definition
- programs that mimic the brain and have learning capabilities - quite accurate in identifying suspected fraud |
|
|
Term
|
Definition
- where employees can anonymously report fraud |
|
|