Term
Internal control |
|
Definition
process implemented by the board of directors (BOD), management, and those under their direction to provide reasonable assurance that the following control objectives are achieved |
|
|
Term
control objectives to be achieved |
|
Definition
1) Assets are safeguarded 2) Records are maintained in sufficient detail to accurately and fairly reflect company assets 3) Accurate and reliable information is provided 4) There is reasonable assurance that financial reports are prepared in accordance with GAAP or IFRS 5) Operational efficiency is promoted and improved 6) Adherence to prescribed managerial policies is encouraged 7) The organization complies with applicable laws and regulations |
|
|
Term
Internal controls perform 3 functions: |
|
Definition
preventive, detective and corrective controls |
|
|
Term
Threat |
|
Definition
any potential adverse occurrence or unwanted event |
|
|
Term
Exposure (impact) |
|
Definition
potential dollar loss if the threat occurs |
|
|
Term
Likelihood |
|
Definition
is the probability that the threat will happen |
|
|
Term
How do accountants and systems developers help management achieve their control objectives? (2 things) |
|
Definition
1) Design effective control systems that take a proactive approach to eliminating threats and that detect, correct and recover from them when they occur 2) Build controls into a system at the initial design stage, since that is easier than adding them after the fact |
|
|
Term
list 2 categories of controls |
|
Definition
1) general controls 2) application controls |
|
|
Term
General controls |
|
Definition
make sure an organization's control environment is stable and well managed |
|
|
Term
Application controls |
|
Definition
make sure transactions are processed correctly; concerned with the accuracy, completeness, validity and authorization of data |
|
|
Term
Name the 4 levels of control from Robert Simons (levers of control) |
|
Definition
1) belief system 2) boundary system 3) diagnostic control system 4) interactive control system |
|
|
Term
Preventive controls |
|
Definition
deter problems before they arise |
|
|
Term
Detective controls |
|
Definition
discover problems that are not prevented |
|
|
Term
Corrective controls |
|
Definition
identify and correct problems that have occurred, and correct and recover from the resulting errors |
|
|
Term
Belief system |
|
Definition
describes how a company creates value; helps employees understand management's vision, communicates the company's core values and inspires employees to live by those values |
|
|
Term
Boundary system |
|
Definition
helps employees act ethically by setting boundaries on employee behavior |
|
|
Term
Diagnostic control system |
|
Definition
measures, monitors and compares actual company progress to budgets and performance goals |
|
|
Term
Interactive control system |
|
Definition
helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions |
|
|
Term
how are corrective controls used to remedy problems? (3 things) |
|
Definition
1) Identifying the cause 2) Correcting the resulting errors 3) Modifying the system to prevent future problems of this sort |
|
|
Term
Foreign Corrupt Practices Act (FCPA) |
|
Definition
passed in 1977 to prevent companies from bribing foreign officials to obtain business |
|
|
Term
Sarbanes-Oxley Act (SOX) |
|
Definition
applies to publicly held companies and their auditors; designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls and punish executives who perpetrate fraud |
|
|
Term
Public Company Accounting Oversight Board (PCAOB) |
|
Definition
created by SOX to regulate the auditing profession; sets and enforces auditing, quality control, ethics, independence and other auditing standards |
|
|
Term
New rules for auditors: SOX requires auditors to do what? |
|
Definition
report specific information to the company’s audit committee |
|
|
Term
New roles for audit committees (2 things) |
|
Definition
1) audit committee members must be on the company's BOD and be independent of the company 2) one member must be a financial expert; the committee hires, compensates and oversees the auditors, who report directly to it |
|
|
Term
New rules for management |
|
Definition
requires CEO and CFO to certify that financial statements and disclosures are fairly presented, were reviewed by management and are not misleading |
|
|
Term
What 2 things must management do because of SOX when dealing with auditors? |
|
Definition
1) certify that the auditors were told about all material internal control weaknesses and fraud 2) disclose material changes to the company's financial condition |
|
|
Term
New internal control requirements (which section, and what does it entail?) |
|
Definition
Section 404 requires companies to issue a report accompanying the financial statements stating that management is responsible for establishing and maintaining an adequate internal control system, together with management's assessment of that system |
|
|
Term
The SEC mandated that management must do 3 things: |
|
Definition
1. Base its evaluation on a recognized control framework 2. Disclose all material internal control weaknesses 3. Conclude that a company does not have effective financial reporting internal controls if there are material weaknesses |
|
|
Term
COSO |
|
Definition
Committee of Sponsoring Organizations (of the Treadway Commission); issued the Internal Control: Integrated Framework (IC) |
|
|
Term
What does COSO's framework do? (3 things) |
|
Definition
1) Is the authority on internal control and is incorporated into policies, rules and regulations 2) Defines internal control 3) Provides guidance for evaluating and enhancing internal control systems |
|
|
Term
What are the 8 components of COSO ERM, and which 3 were added beyond the IC framework? |
|
Definition
1) internal environment (control environment in IC) 2) control activities 3) risk assessment 4) information and communication 5) monitoring 6) objective setting (ERM only) 7) event identification (ERM only) 8) risk response (ERM only) |
|
|
Term
Name the 7 sub-components of the internal environment |
|
Definition
1) Management's philosophy, operating style and risk appetite 2) The board of directors 3) Commitment to integrity, ethical values and competence 4) Organizational structure 5) Methods of assigning authority and responsibility 6) Human resource standards 7) External influences, i.e. requirements imposed by stock exchanges, FASB, PCAOB and the SEC |
|
|
Term
With COSO, management should make it clear that honest reports are more important than favorable ones. TRUE or FALSE |
|
Definition
TRUE |
|
Term
With the internal environment, what should management avoid? |
|
Definition
Unrealistic expectations, incentives or temptations; an attitude of earnings or revenue at any price; overly aggressive sales practices; unfair or unethical negotiation practices; implied kickback offers; excessive bonuses; bonus plans with upper and lower cutoffs |
|
|
Term
Internal environment (control environment) |
|
Definition
the company culture; it influences how the organization establishes strategies and objectives, structures business activities, and identifies, assesses and responds to risk |
|
|
Term
Objective setting |
|
Definition
management determines what the company hopes to achieve, referred to as the corporate vision or mission |
|
|
Term
Name the 4 sub-components of objective setting |
|
Definition
1) strategic objectives 2) operations objectives 3) reporting objectives 4) compliance objectives |
|
|
Term
Objective setting must come before the other 6 components. TRUE or FALSE |
|
Definition
TRUE; objectives must be set before the events and risks that threaten them can be identified and assessed |
|
Term
Strategic objectives |
|
Definition
high-level goals that are aligned with the company's mission, support it and create shareholder value; these are set first |
|
|
Term
Operations objectives |
|
Definition
deal with the effectiveness and efficiency of company operations and determine how to allocate resources |
|
|
Term
Reporting objectives |
|
Definition
ensure the accuracy, completeness and reliability of company reports; improve decision making and monitor company activities and performance |
|
|
Term
Compliance objectives |
|
Definition
help the company comply with all applicable laws and regulations; most are imposed by external entities in response to laws or regulations |
|
|
Term
Corporate objectives should be 3 things |
|
Definition
1) easy to understand and measure 2) prioritized 3) aligned with the company's risk appetite |
|
|
Term
Event |
|
Definition
an incident or occurrence that emanates from internal or external sources and affects implementation of strategy or achievement of objectives; its impact can be positive, negative or both; events range from obvious to obscure, and their effects from inconsequential to highly significant |
|
|
Term
2 sub-components of event identification |
|
Definition
1) external factors 2) internal factors |
|
|
Term
Event identification |
|
Definition
Events represent uncertainty; management must do its best to anticipate all possible events, positive or negative, that might affect the company: determine which are most and least likely, and understand the interrelationships of events |
|
|
Term
External factors |
|
Definition
economic factors, natural environment, political factors, social factors, technological factors |
|
|
Term
Internal factors |
|
Definition
infrastructure, personnel, process, technology |
|
|
Term
Risk assessment (ERM) |
|
Definition
identified risks are assessed to determine how to manage them; corresponds to risk assessment in the COSO IC framework; risks are categorized in terms of likelihood and positive or negative impact |
|
|
Term
2 sub-components of risk assessment |
|
Definition
1) inherent risk 2) residual risk |
|
|
Term
Inherent risk |
|
Definition
the risk that exists before management takes any steps to control the likelihood or impact of a risk |
|
|
Term
Residual risk |
|
Definition
the risk that remains after management implements internal controls or some other form of response to the risk |
|
|
Term
Companies should assess inherent risk, develop a response, then assess residual risk. What are the 5 steps? |
|
Definition
1) Identify the events (threats) that confront the company 2) Estimate the likelihood (probability) of each event occurring 3) Estimate the impact (potential loss) from each threat: a) the goal is reasonable assurance that the events do not take place b) Expected loss = impact x likelihood 4) Identify a set of controls to guard against each threat 5) Estimate the costs and benefits of instituting the controls: a) benefits must exceed costs b) benefits include increased sales and productivity, reduced losses, better interaction with customers and suppliers, increased customer loyalty, competitive advantages and lower insurance premiums c) costs are mostly personnel, i.e. the time spent performing the control d) Value of a control procedure = expected loss without the control minus expected loss with it; net benefit = value of the control minus its cost |
|
|
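The five steps reduce to a per-threat, per-control cost/benefit comparison. The following Python is an added worked example, not part of the original notes: it computes expected loss as impact x likelihood, values each candidate control as the reduction in expected loss it buys, and for each threat picks the control with the largest positive net benefit, falling back to accepting the risk when no control pays for itself. The threats, controls, residual estimates and dollar amounts are constructed sample figures chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # probability the event occurs in the period, 0.0 to 1.0
    impact: float      # dollar loss if it does occur (the exposure)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # mostly personnel time, as the notes say
    residual_likelihood: float  # estimated likelihood once the control is in place
    residual_impact: float      # estimated impact once the control is in place


def expected_loss(likelihood: float, impact: float) -> float:
    """Step 3: expected loss = impact x likelihood."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood must be a probability, got {likelihood}")
    if impact < 0:
        raise ValueError("impact is a loss and cannot be negative")
    return impact * likelihood


def control_value(threat: Threat, control: Control) -> float:
    """Value of a control = expected loss without it minus expected loss with it."""
    without = expected_loss(threat.likelihood, threat.impact)
    with_control = expected_loss(control.residual_likelihood, control.residual_impact)
    return without - with_control


def net_benefit(threat: Threat, control: Control) -> float:
    """Step 5: benefits must exceed costs, so net benefit = value - cost."""
    return control_value(threat, control) - control.annual_cost


Decision = Tuple[str, Optional[str], float]


def select_response(threat: Threat, candidates: List[Control]) -> Decision:
    """Return (response, control name, amount).

    'reduce' with the control whose net benefit is largest and positive;
    'accept' (amount = the expected loss you live with) when no control pays off.
    """
    best: Optional[Tuple[Control, float]] = None
    for control in candidates:
        nb = net_benefit(threat, control)
        if nb > 0 and (best is None or nb > best[1]):
            best = (control, nb)
    if best is None:
        return ("accept", None, expected_loss(threat.likelihood, threat.impact))
    return ("reduce", best[0].name, best[1])


# Constructed sample data (hypothetical numbers, for illustration only).
RANSOMWARE = Threat("ransomware on the file server", likelihood=0.20, impact=500_000)
RANSOMWARE_CONTROLS = [
    Control("tested offline backups", 30_000, residual_likelihood=0.20, residual_impact=50_000),
    Control("endpoint detection and response", 80_000, residual_likelihood=0.05, residual_impact=500_000),
]
PETTY_CASH = Threat("petty cash theft", likelihood=0.30, impact=500)
PETTY_CASH_CONTROLS = [
    Control("daily surprise cash count", 2_000, residual_likelihood=0.05, residual_impact=500),
]


def risk_register() -> Dict[str, Decision]:
    """Run the selection over every threat; this is what a reviewer would sign off on."""
    return {
        RANSOMWARE.name: select_response(RANSOMWARE, RANSOMWARE_CONTROLS),
        PETTY_CASH.name: select_response(PETTY_CASH, PETTY_CASH_CONTROLS),
    }


if __name__ == "__main__":
    for threat_name, (response, control_name, amount) in risk_register().items():
        print(f"{threat_name}: {response} {control_name or ''} ({amount:,.0f} USD)")
```

With these figures backups win over EDR for the ransomware threat (EDR cuts likelihood more, but its cost exceeds the loss it removes), and the petty-cash control is rejected because it costs more than the whole expected loss, which is the "accept" response from the risk-response cards.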
Term
What are the 4 sub-components of risk response? |
|
Definition
1) reduce 2) accept 3) share 4) avoid |
|
Term
Reduce |
|
Definition
reduce the likelihood and impact of the risk by implementing an effective system of internal controls; the most effective response |
|
|
Term
Accept |
|
Definition
accept the likelihood and impact of the risk; don't act to prevent or mitigate it |
|
|
Term
Share |
|
Definition
share the risk or transfer it to someone else by buying insurance, outsourcing an activity or entering into hedging transactions |
|
|
Term
Avoid |
|
Definition
avoid the risk by not engaging in the activity that produces it; may require selling a division, exiting a product line or canceling an expansion plan |
|
|
Term
What are the 7 sub-components of control activities? |
|
Definition
1) Proper authorization of transactions and activities 2) Segregation of duties 3) Project development and acquisition controls 4) Change management controls 5) Design and use of documents and records 6) Safeguarding assets, records and data 7) Independent checks on performance |
|
|
Term
Control activities |
|
Definition
the control policies and procedures that are established and implemented to address the company's risks |
|
|
Term
Control activities (cont'd) |
|
Definition
Controls are much more effective when placed in the system as it is built. Proper authorization of transactions and activities: employees who process transactions should verify the presence of the appropriate authorizations, and auditors who review transactions should do the same |
|
|
Term
Segregation of duties |
|
Definition
good internal control requires that no single employee be given too much responsibility over business transactions or processes; no employee should be able to both commit and conceal fraud |
|
|
Term
Segregation of accounting duties is achieved when which 3 functions are separated? |
|
Definition
1) authorization 2) recording 3) custody |
|
|
Term
Collusion |
|
Definition
when 2 or more people cooperate to override controls; fraud by collusion is much easier to commit and much more difficult to detect |
|
|
Term
Segregation of systems duties |
|
Definition
restricting access to computers, programs and live data, because a person with unrestricted access to all three could perpetrate and conceal fraud |
|
|
Term
Authorization |
|
Definition
approving transactions or decisions |
|
|
Term
Recording |
|
Definition
preparing source documents; maintaining journals, ledgers or files; preparing reconciliations; preparing performance reports |
|
|
Term
Custody |
|
Definition
handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization's bank accounts |
|
|
Term
What systems duties need to be segregated? (10 things) |
|
Definition
1) Systems administration 2) Network management 3) Security management 4) Change management 5) Users 6) Systems analysis 7) Programming 8) Computer operations 9) Information systems library 10) Data control. No one person should perform more than one of these, so that nobody can both commit and conceal fraud |
|
|
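The two segregation rules above (no one holds two of authorization, recording and custody; no one holds more than one of the ten systems duties) can be checked mechanically against a role export. The Python below is an added example, not code from the original notes: it parses a hypothetical "user: duty, duty" listing, flags every toxic pair a single person holds, and rejects duties it does not recognize so a typo cannot silently pass. The assignment listing is constructed sample data.

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# The three accounting functions that must not sit with one person (any two conflict).
ACCOUNTING_DUTIES = {"authorization", "recording", "custody"}

# The ten systems duties from the card above; per the notes, one person holds at most one.
SYSTEMS_DUTIES = {
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysis", "programming",
    "computer operations", "information systems library", "data control",
}

Conflict = Tuple[str, str]


def parse_assignments(text: str) -> Dict[str, Set[str]]:
    """Parse 'user: duty, duty' lines (a hypothetical export format) into a duty map."""
    assignments: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, duties = line.partition(":")
        if not sep:
            raise ValueError(f"malformed assignment line: {line!r}")
        held = {d.strip().lower() for d in duties.split(",") if d.strip()}
        unknown = held - ACCOUNTING_DUTIES - SYSTEMS_DUTIES
        if unknown:
            # Fail closed: an unrecognized duty would otherwise escape the check.
            raise ValueError(f"{user.strip()}: unknown duties {sorted(unknown)}")
        assignments.setdefault(user.strip(), set()).update(held)
    return assignments


def conflicts_for(duties: Set[str]) -> List[Conflict]:
    """Return every incompatible pair one person holds, sorted for stable reporting."""
    acct = sorted(duties & ACCOUNTING_DUTIES)
    sysd = sorted(duties & SYSTEMS_DUTIES)
    return sorted(set(combinations(acct, 2)) | set(combinations(sysd, 2)))


def sod_report(assignments: Dict[str, Set[str]]) -> Dict[str, List[Conflict]]:
    """Users who could both commit and conceal fraud on their own, with the toxic pairs."""
    report: Dict[str, List[Conflict]] = {}
    for user, duties in assignments.items():
        conflicts = conflicts_for(duties)
        if conflicts:
            report[user] = conflicts
    return report


# Constructed sample export (not real data).
SAMPLE_ASSIGNMENTS = """
# user: duty, duty, ...
alice: authorization, recording
bob: custody
carol: programming, computer operations
dave: recording, security management
erin: authorization, custody, programming
"""


if __name__ == "__main__":
    for user, pairs in sod_report(parse_assignments(SAMPLE_ASSIGNMENTS)).items():
        print(user, "->", ", ".join(f"{a} + {b}" for a, b in pairs))
```

Dave holds one accounting duty and one systems duty, which the rules on this page do not treat as a conflict, so he is not reported. The check only finds toxic combinations held by one person; collusion between two people who each hold a clean set of duties cannot be seen in an assignment matrix, which is why the notes pair segregation with independent checks on performance.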
Term
Project development and acquisition controls |
|
Definition
contain appropriate controls for management approval, user involvement, analysis, design, testing, implementation and conversion |
|
|
Term
Steering committee |
|
Definition
guides and oversees systems development and acquisition |
|
|
Term
Strategic master plan |
|
Definition
developed and updated yearly |
|
|
Term
Design and use of documents and records |
|
Definition
Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data. Form and content should be kept as simple as possible to: 1) promote efficient record keeping 2) minimize recording errors 3) facilitate review and verification. Documents that initiate a transaction should contain a space for authorization; those used to transfer assets should have a space for the receiving party's signature. Documents should be sequentially pre-numbered: 1) to reduce the likelihood that they are used fraudulently 2) to help ensure that all valid transactions are recorded. A good audit trail facilitates: 1) tracing individual transactions through the system 2) correcting errors 3) verifying system output |
|
|
Term
Safeguard assets, records and data |
|
Definition
Maintain accurate records of all assets; periodically reconcile recorded amounts to physical counts; restrict access to assets; protect records and documents |
|
|
Term
Independent checks on performance |
|
Definition
Top-level reviews; analytical reviews; reconciliation of independently maintained sets of records; comparison of actual quantities with recorded amounts; double-entry accounting; independent review |
|
|
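Two of the detective controls on the cards above are simple enough to automate: checking a pre-numbered document series for gaps and reused numbers, and reconciling recorded amounts against an independently maintained set of records. The Python below is an added example, not code from the original notes; the check numbers and inventory figures are constructed sample data.

```python
from typing import Dict, Iterable, List, Mapping, Set


def check_sequence(numbers: Iterable[int]) -> Dict[str, List[int]]:
    """Detective control over pre-numbered documents: report gaps and reused numbers.

    A gap may be a transaction that was never recorded (or a blank document
    taken for fraudulent use); a duplicate may be a number reused to hide one.
    """
    seen: Set[int] = set()
    duplicates: Set[int] = set()
    for n in numbers:
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    if not seen:
        return {"missing": [], "duplicates": []}
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return {"missing": missing, "duplicates": sorted(duplicates)}


def reconcile(recorded: Mapping[str, float], counted: Mapping[str, float]) -> Dict[str, float]:
    """Compare recorded amounts with an independently maintained set (e.g. a physical count).

    Returns counted minus recorded for every item that disagrees, so a negative
    variance means the books show more than is actually on hand.
    """
    variances: Dict[str, float] = {}
    for key in sorted(set(recorded) | set(counted)):
        diff = counted.get(key, 0) - recorded.get(key, 0)
        if diff != 0:
            variances[key] = diff
    return variances


# Constructed sample data (not real records).
CHECK_NUMBERS_ISSUED = [1001, 1002, 1003, 1005, 1006, 1007, 1007, 1008, 1009, 1010]
INVENTORY_LEDGER = {"SKU-1": 100, "SKU-2": 40, "SKU-3": 7}
PHYSICAL_COUNT = {"SKU-1": 100, "SKU-2": 38, "SKU-4": 2}


if __name__ == "__main__":
    print("check series:", check_sequence(CHECK_NUMBERS_ISSUED))
    print("inventory variances:", reconcile(INVENTORY_LEDGER, PHYSICAL_COUNT))
```

The reconciliation deliberately reports items present on only one side (SKU-3 on the books but not counted, SKU-4 counted but never recorded), since both are exactly the discrepancies an independent check exists to surface; the follow-up is the corrective-control loop from earlier cards: find the cause, fix the records, change the process.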
Term
Information and communication |
|
Definition
Information must be identified, captured and communicated so employees can fulfill their responsibilities; it must flow through all levels and functions of the company as well as to and from external parties. Accountants must understand how: 1) transactions are initiated 2) data are captured in or converted to machine-readable form 3) computer files are accessed and updated 4) data are processed 5) information is reported to internal and external parties |
|
|
Term
Monitoring |
|
Definition
ERM processes must be monitored on an ongoing basis and modified as needed |
|
|
Term
Monitoring: how is it accomplished? |
|
Definition
Through a series of ongoing events or by separate evaluations: 1) perform ERM evaluations 2) implement effective supervision 3) use responsibility accounting 4) monitor system activities 5) track purchased software 6) conduct periodic audits 7) employ a computer security officer and security consultants 8) engage forensic specialists 9) install fraud detection software 10) implement a fraud hotline. Internal auditing should be organizationally independent of the accounting and operating functions, and its head should report to the audit committee of the board of directors rather than to the controller or CFO |
|
|
Term
ERM: key points |
|
Definition
1) Companies are formed to create value for their owners 2) Management must decide how much uncertainty it will accept as it creates value 3) Uncertainty results in risk, the possibility that something negatively affects the company's ability to create or preserve value 4) ERM can manage uncertainty as well as create and preserve value 5) Evaluation of internal control should be based on a recognized framework 6) ERM applies at every organizational level: entity, division, business unit and subsidiary |
|
|
Term
Enterprise Risk Management (ERM) |
|
Definition
process the BOD and management use to set strategies, identify events that may affect the entity, assess and manage risks and provide reasonable assurance that the company achieves its objectives and goals |
|
|
Term
COSO UPDATE CONTROL ENVIRONMENT (5 principles) |
|
Definition
• Commitment to integrity and ethics • Oversight for internal control by the board of directors, independent of management • Structures, reporting lines, and responsibilities in the pursuit of objectives established by management and overseen by the board • Commitment to attract, develop, and retain competent individuals in alignment with objectives • Holding individuals accountable for their internal control responsibilities in pursuit of objectives |
|
|
Term
COSO UPDATE RISK ASSESSMENT (4) |
|
Definition
• Specifying objectives clearly enough for risks to be identified and assessed • Identifying and analyzing risks to determine how they should be managed • Considering the potential of fraud • Identifying and assessing changes that could significantly impact the system of internal controls |
|
|
Term
COSO UPDATE CONTROL ACTIVITIES (3) |
|
Definition
• Selecting and developing controls that help mitigate risks to an acceptable level • Selecting and developing general control activities over technology • Deploying control activities as specified in policies and procedures |
|
|
Term
COSO UPDATE INFORMATION AND COMMUNICATION (3) |
|
Definition
• Obtaining or generating relevant high-quality information to support internal control • Internally communicating information, including objectives and responsibilities to support the other internal control components • Communicating relevant internal control matters to external parties |
|
|
Term
COSO UPDATE MONITORING ACTIVITIES (2) |
|
Definition
• Selecting, developing and performing ongoing or separate evaluations of internal control components • Evaluating and communicating deficiencies to those responsible for corrective action, including senior management and the board of directors where appropriate |
|
|