Term
|
Definition
| process implemented by the BOD, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved |
|
|
Term
| control objectives to be achieved |
|
Definition
o Assets are safeguarded
o Records are maintained in sufficient detail to accuracy and fairly reflect company assets
o Accurate and reliable info is provided
o There is reasonable assurance that financial reports are prepared in accordance with GAAP and IFRS
o Operational efficiency is promoted and improved
o Adherence to prescribed managerial policies is encouraged
o Organization complies with applicable laws and regulations |
|
|
Term
| o Internal controls perform 3 functions: |
|
Definition
| preventative, detective and corrective controls |
|
|
Term
|
Definition
| any potential adverse occurrence or unwanted event |
|
|
Term
|
Definition
| potential dollars lost if the threat occurs |
|
|
Term
| d. Likelihood- is the probability that the threat will happen |
|
Definition
| is the probability that the threat will happen |
|
|
Term
| how do Accounts and systems develops help management achieve their control objectives? (2 things) |
|
Definition
o Designing effective control systems that take a proactive approach to eliminating threats and that detect, correct and recover from when they occur
o Make it easier to build controls into a system at the initial design stage than to add them after the fact |
|
|
Term
| list 2 categories of controls |
|
Definition
1) general controls
2) application controls |
|
|
Term
|
Definition
| make sure an organizations controls environment is stable and well managed |
|
|
Term
|
Definition
| make sure transactions are processed correctly, concerned with accuracy, completeness, validity, and authorization of data |
|
|
Term
| name 4 levels of control from robert simmons |
|
Definition
1) belief system
2) boundary system
3) diagnostic control system
4) interactive control system |
|
|
Term
|
Definition
| deter problems before they arise |
|
|
Term
|
Definition
| discover problems that are not prevented |
|
|
Term
|
Definition
| identify and correct problems as well as correct and recover from the resulting errors |
|
|
Term
|
Definition
| how a company creates value, helps employees understand management visions, communicates company core values, inspires employees to live by those values |
|
|
Term
|
Definition
| helps employees act ethically by setting boundaries on employee behavior |
|
|
Term
| o Diagnostic control system- |
|
Definition
| measures, monitors and compares actual company progress to budgets and performance goals |
|
|
Term
| o Interactive control system- |
|
Definition
| helps managers to focus subordinates attention on key strategic issues and to be more involved in their decisions |
|
|
Term
| how are corrective controls used to remedy problems? (3 things) |
|
Definition
1) Identifying the cause
2) Correcting the resulting errors
3) Modifying the system to prevent future problems of this sort |
|
|
Term
|
Definition
| foreign corrupt practices acts- passed to prevent companies from bribing foreign officials to obtain business |
|
|
Term
|
Definition
| applies to publicly held companies and their auditors and was designed to prevent financial statements fraud, make financial reports more transparent, protect investors, strengthen internal controls and punish executives who perpetrate fraud |
|
|
Term
|
Definition
| controls the auditing profession, sets and enforces auditing, quality control, ethics, independence and other auditing standards |
|
|
Term
| New rules for auditors b/c SOX makes accountants do what? |
|
Definition
| report specific information to the company’s audit committee |
|
|
Term
| New roles for audit committees- (2 things) |
|
Definition
1) must be on a company’s BOD and be independent of the company,
2) one member must be a financial expert--hires, compensates and oversees the auditors who report directly to them |
|
|
Term
| New rules for management- |
|
Definition
| requires CEO and CFO to certify that financial statements and disclosures are fairly presented, were reviewed by management and are not misleading |
|
|
Term
| what 2 things must mgmt do b/c of SOX when dealing w/auditors? |
|
Definition
1. Auditors were told about all material internal control weaknesses and fraud
2. Must disclose material changes to their financial conditions |
|
|
Term
| New internal control requirements- (what section & what does it entail?) |
|
Definition
| Section 404 requires companies to issue a report accompanying the financial statements stating that managements is responsible for establishing and maintaining an adequate internal control systems |
|
|
Term
| SEC mandated that management must do 3 things... |
|
Definition
1. Base its evaluation on a recognized control framework
2. Disclose all material internal control weaknesses
3. Conclude that a company does not have effective financial reporting internal controls if there are material weaknesses |
|
|
Term
|
Definition
| Committee of sponsoring organizations, issued internal control and integrated framework (IC) |
|
|
Term
| what does COSO do? (3 things) |
|
Definition
1) Authority of internal controls and is incorporated into policies, rules and regulations
2) Defines internal controls
3) Provides guidance for evaluating and exchanging internal controls |
|
|
Term
| what are the 8 components of COSO and which 3 are added from ERM? |
|
Definition
1) control environment (internal environment)
2)control activities
3) risk assessment
4)information & communication
5)monitoring
6)objective setting (ERM)
7) event identification (ERM)
8) risk response (ERM) |
|
|
Term
| name 7 sub components of "the internal environment" |
|
Definition
• Management’s philosophy, operating style, and risk appetite
• The board of directors
• Commitment to integrity, ethical values, and competence
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
• External influences- requirements imposed by stock exchanges, FASB, PCAOB, SEC |
|
|
Term
| w/COSO, mgmt should make it clear and honest reports are more important than favorable ones? TRUE or FALSE |
|
Definition
|
|
Term
| w/internal environment, what should mgmt avoid? |
|
Definition
Unrealistic expectations, incentives or temptations.
Attitude of earnings or revenue at any price.
Overly aggressive sales practices.
Unfair or unethical negotiation practices.
Implied kickback offers.
Excessive bonuses.
Bonus plans with upper and lower cutoffs. |
|
|
Term
|
Definition
| company culture, influences how organizations establish strategies and objectives, structure business activities, and identify assess and respond to risk |
|
|
Term
|
Definition
| management determines what the company hopes to achieve, referred to as the corporate vision or mission |
|
|
Term
| name the 4 sub comp of "objective setting" |
|
Definition
strategic objectives
operations obj
reporting obj
compliance obj |
|
|
Term
| objective setting must come b4 other 6 comp TRUE or FALSE |
|
Definition
|
|
Term
|
Definition
| high level goals that are aligned with the companies mission, support it and create shareholder value are set first |
|
|
Term
|
Definition
| deal with the effectiveness and efficiency of company operations, determine how to allocate resources |
|
|
Term
|
Definition
| ensures the accuracy, completeness and reliability of company reports, improve decision making, monitors company activities and performance |
|
|
Term
|
Definition
| help the company comply with all applicable laws and regulations; Most are imposed by external entities in responses to laws or regs |
|
|
Term
| corp objectives should be 3 things |
|
Definition
1) easy to understand/measure
2) should be prioritized
3) be aligned w/the company's risk appetite |
|
|
Term
|
Definition
| incidents or occurrences that emanate from internal or external sources, affect implementation of strategy or achievement of objectives, impact can be positive, negative or both, events can range from obvious to obscure, effects can range from inconsequential to highly significant |
|
|
Term
| 2 sub comp of "event identification" |
|
Definition
1) external factors
2) internal forces |
|
|
Term
|
Definition
• Event represents uncertainty
• Management must do its best to anticipate all possible events—positive or negative—that might affect the company:
Try to determine which are most and least likely.
Understand the interrelationships of events. |
|
|
Term
|
Definition
Economic factors
Natural environment
Political factors
Social factors
Technological factors |
|
|
Term
|
Definition
Infrastructure
Personnel
Process
technology |
|
|
Term
|
Definition
-identified risks are assess to determine how to manage them
-• Corresponds to risk assessment in COSO
• Category in terms of likelihood and positive and negative impact |
|
|
Term
| 2 sub comp of "risk assessment" |
|
Definition
inherent risk
residual risk |
|
|
Term
|
Definition
| the risk that exists before management takes any steps to control the likelihood or impact of a risk |
|
|
Term
|
Definition
| risk that remains after management implements internal controls or some other form of response to risk |
|
|
Term
| • Companies should assess inherent risk develop a response then assess residual risk..what are the 5 steps? |
|
Definition
1 event identification of threats that confront the company
2estimate the likelihood or probability of each event occurring
3 estimate the impact of potential loss from each threat
i. want to provide reasonable assurance that events do not take place
ii. Expected loss = impact x likelihood
4 identify set of controls to guard against threat
5estimate costs and benefits form instituting controls
i. benefits must exceed costs
ii. benefits- increased sales and productivity, reduced losses, better interaction with customers and supplies, increased customer loyalty, competetive advantages and lower insurance premiums
iii. Costs- personnel
iv. Value of a control procedure = expected loss with control procedures – expected loss without it |
|
|
Term
| what are the 4 sub comp of "risk response" |
|
Definition
|
|
Term
|
Definition
reduce the likelihood and impact of risk by using an effective system of internal controls
Most effective way |
|
|
Term
|
Definition
accept the likihood and impact of the risk
Don’t act to prevent or mitigate it |
|
|
Term
|
Definition
share or transfer it to someone else by buying insurance, outsourcing an activity or entering into hedging transactions
like insurance, outsourcing or hedging |
|
|
Term
|
Definition
by not engaging in the activity that produces the risk, may require the company to sell a division, exit a product line or not expand as anticipated
may require: sale of division, exiting a product line, canceling an expansion plan |
|
|
Term
| what are the 7 sub comp of "control activities" |
|
Definition
•Proper authorization of transactions and activities
•Segregation of duties
•Project development and acquisition controls
--change mgmt controls
-•Design and use of documents and records
•Safeguard assets, records and data
•Independent checks on performance |
|
|
Term
|
Definition
| control policies and procedures are established and implemented |
|
|
Term
| control activities cont'd |
|
Definition
• Must more effective when place in the system as it is built
• Proper authorization of transactions and activities- auditors review transactions should verify the presence of appropriate authorizations
Employees who process transactions should verify the presence of the appropriate authorizations |
|
|
Term
|
Definition
| good internal control requires that no single employee is given too much responsibility over business transactions or processes; Should not be able to commit and conceal fraud |
|
|
Term
| Segregation of accounting duties- achieved when (3 things) |
|
Definition
1) authorization
2) recording
3) custody |
|
|
Term
|
Definition
| detecting fraud where 2 or more people are together to override the controls is more difficult and much easier to commit |
|
|
Term
| Segregation of systems duties- |
|
Definition
| restricting access to computer, programs and live data could perpetrate and conceal fraud |
|
|
Term
|
Definition
| approving transactions or decisions |
|
|
Term
|
Definition
| preparing source documents, maintaining journals, ledgers, or files, preparing reconciliations and preparing performance reports |
|
|
Term
|
Definition
| handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organizations bank accounts |
|
|
Term
| what systems duties need to be segregated? (10 things) |
|
Definition
i. Systems administration
ii. Network management
iii. Security management
iv. Change management
v. Users
vi. Systems analysis
vii. Programming
viii. Computer operations
ix. Information systems library
x. Data control
xi. Don’t want a person to do one or more of these that way they cant commit fraud |
|
|
Term
| • Project development and acquisition controls- |
|
Definition
| contain appropriate controls for management approval, user involvement, analysis, design, testing, implementation and conversion |
|
|
Term
|
Definition
| guides and oversees systems development and acquisition |
|
|
Term
|
Definition
| developed and updated yearly |
|
|
Term
| • Design and use of documents and records |
|
Definition
Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data.
Form and content should be kept as simple as possible to:
i. Promote efficient record keeping
ii. Minimize recording errors
iii. Facilitate review and verification
Documents that initiate a transaction should contain a space for authorization.
Those used to transfer assets should have a space for the receiving party’s signature.
Documents should be sequentially pre-numbered:
i. To reduce likelihood that they would be used fraudulently.
ii. To help ensure that all valid transactions are recorded.
A good audit trail facilitates:
i. Tracing individual transactions through the system.
ii. Correcting errors.
iii. Verifying system output. |
|
|
Term
| • Safeguard assets, records and data |
|
Definition
Maintain accurate records of all assets
i. Periodically reconcile recorded amounts to physical counts.
ii. Restrict access to assets
Top-level reviews
Analytical reviews
Reconciliation of independently maintained sets of records
Comparison of actual quantities with recorded amounts
Double-entry accounting
Independent review
Protect records and documents
• Independent checks on performance |
|
|
Term
| o Information and communication- |
|
Definition
info must be identified, captured and communicated so employees can fulfill their responsibilities
• Info must be able to flow through all levels and functions in the company as well as flowing to and from external parties
• Accountants must understand how:
Transactions are initiated
Data are captured in or converted to machine-readable form
Computer files are accessed and updated
Data are processed
Information is reported to internal and external parties |
|
|
Term
|
Definition
| ERM processes must be monitored on an ongoing basis and modified as needed |
|
|
Term
|
Definition
• Accomplished with a series of ongoing events or by separate evaluations
• Perform ERM evaluation
• Implement effective supervision
• Use responsibility accounting
• Monitor system activities
• Track purchased software
• Conduct periodic audits
• Employ a computer security officer and security consultants
• Engage forensic specialists
• Install fraud detection software
• Implement a fraud hotline
• Internal auditing should be organizationally independent of the accounting and operating functions.
• The head should report to the audit committee of the board of directors rather than to the controller or CFO |
|
|
Term
|
Definition
a. Enterprise Risk Managements- process the BOD and management use to set strategies, identify events that may affect the entity, assess and manage risks and provide reasonable assurance that the company achieves its objectives and goals
o Companies are formed to create value for their owners
o Management must decide how much uncertainty it will accept as it creates value
o Uncertainty results in risk, which is the possibility that something negatively affects the companies ability to create or preserve value
o The ERM can manage uncertainty as well as create and preserve value
o Base evaluation of internal control on a recognized framework
o Subsidiary
o Business unit
o Division
o Entity level |
|
|
Term
| a. Enterprise Risk Managements- |
|
Definition
| process the BOD and management use to set strategies, identify events that may affect the entity, assess and manage risks and provide reasonable assurance that the company achieves its objectives and goals |
|
|
Term
| COSO UPDATE CONTROL ENVIRONMENT (5 principles) |
|
Definition
• Commitment to integrity and ethics
• Oversight for internal control by the board of directors, independent of management
• Structures, reporting lines, and responsibilities in the pursuit of objectives established by management and overseen by the board
• Commitment to attract, develop, and retain competent individuals in alignment with objectives
• Holding individuals accountable for their internal control responsibilities in pursuit of objectives |
|
|
Term
| COSO UPDATE RISK ASSESSMENT (4) |
|
Definition
• Specifying objectives clearly enough for risks to be identified and assessed
• Identifying and analyzing risks to determine how they should be managed
• Considering the potential of fraud
• Identifying and assessing changes that could significantly impact the system of internal controls |
|
|
Term
| COSO UPDATE CONTROL ACTIVITIES (3) |
|
Definition
• Selecting and developing controls that help mitigate risks to an acceptable level
• Selecting and developing general control activities over technology
• Deploying control activities as specified in policies and procedures |
|
|
Term
| COSO UPDATE INFORMATION AND COMMUNICATION (3) |
|
Definition
• Obtaining or generating relevant high-quality information to support internal control
• Internally communicating information, including objectives and responsibilities to support the other internal control components
• Communicating relevant internal control matters to external parties |
|
|
Term
| COSO UPDATE MONITORING ACTIVITIES (2) |
|
Definition
• Selecting, developing and performing ongoing or separate evaluations of internal control components
• Evaluating and communicating deficiencies to those responsible for corrective action, including senior management and the board of directors where appropriate |
|
|
Term
|
Definition
|
|
