Term:
Definition: Committee of Sponsoring Organizations of the Treadway Commission

Term:
Definition: Control concepts are crucially important to entities subject to the '34 Act.

Term:
Definition: with $75 million in market equity must include in its annual report an assessment by management of whether ICFR is effective. The auditor is also required to cover ICFR, but not management's assessment of IC, in an integrated audit.

Term: second standard of fieldwork under GAAS
Definition: The auditor must obtain a sufficient understanding of the entity and its environment, including IC, to assess the RMM of the F/S, whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.

Term: goal of internal control (IC)
Definition: Provide reasonable assurance regarding the achievement of objectives related to the following:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance w/applicable laws and regulations

Term:
Definition:
- Control environment: tone at the top
- Risk assessment: identification and analysis of relevant risks as a basis for risk management
- Control activities: policies and procedures
- Information and communication: identification, capture, and exchange of information to help people carry out their responsibilities
- Monitoring: assess IC quality over time

Term: relationship between entity's objectives and components: direct? indirect? or none?
Definition:

Term: Is IC relevant to the entire entity?
Definition: Yes; controls relating to objectives that are not related to an audit need not be considered. Furthermore, understanding IC relevant to each operating unit or business function may not be needed to perform an audit.

Term: Why reasonable, not absolute assurance?
Definition: Scope and time limitations, faulty judgment, management override, collusion.

Term:
Definition: The foundation for the other components, providing discipline and structure.

Term: How does the auditor understand the CE?
Definition: The auditor considers programs and controls addressing fraud risk that have been implemented by management and those charged w/governance. Their absence or inadequacy may be a material weakness.

Term: evaluating the design of the CE includes:
Definition:
- Communication and enforcement of integrity and ethical values (also, give incentives for doing good acts and remove incentives to do what is wrong)
- Commitment to competence
- Participation of those charged w/governance (BOD, audit committee, etc.)
- Management's philosophy and operating style: attitudes towards taking and managing business risks, financial reporting, information processing, accounting functions, and personnel
- Organizational structure
- Assignment of authority and responsibility
- HR policies and practices

Term:
Definition: Include events and circumstances that may adversely affect an entity's ability to initiate, authorize, record, process, and report financial data consistent w/F/S assertions.

Term:
Definition:
- Changes in operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New business models, products, or activities
- Corporate restructurings
- Expanded foreign operations
- New accounting pronouncements

Term:
Definition:
- Performance reviews
- Information processing
- Physical controls
- Segregation of duties

Term:
Definition:

Term:
Definition: Checks of accuracy, completeness, and authorization of transactions. Includes general and application controls.

Term:
Definition: Safeguarding of assets, records, periodic counts, and reconciliations that create asset accountability.

Term:
Definition: Physical and hardware elements, software, data, manual and automated procedures, and people that interrelate to achieve a business goal.

Term: IS and financial reporting
Definition: For financial reporting, the information system encompasses automated and manual procedures and records used to initiate, authorize, record, process, and report transactions, events, and conditions and to maintain accountability for assets, liabilities, and equity.

Term:
Definition: Automatic, through programmed methods.

Term:
Definition: Management's approval process.

Term:
Definition: Identification and capture of relevant information.

Term:
Definition: Editing and validation, calculation, measurement, valuation, summarization, and reconciliation by manual or automated means.

Term:
Definition: Financial and other information for control (and decision-making) functions.

Term:
Definition:
- Identifies and records all valid transactions
- Describes transactions sufficiently for proper classification
- Measures transactions
- Determines the proper reporting period for transactions
- Presents transactions and related disclosures properly

Term:
Definition: Providing an understanding to employees about their roles and responsibilities.

Term:
Definition: Management's timely assessment of IC and the taking of corrective action so that controls operate as intended and are modified for changes in conditions.

Term: Establishing and maintaining IC is the responsibility of...
Definition:

Term: components of monitoring process
Definition:
- Ongoing activities built into normal recurring actions such as supervision, possibly combined w/separate evaluations
- Actions of internal auditors
- Consideration of communications from external parties

Term:
Definition: Hence, the auditor should obtain sufficient knowledge about major monitoring activities, including the sources of related information and the basis for considering it to be reliable.

Term: How does the auditor gain a sufficient understanding of the 5 IC components to assess the RMM and to design further audit procedures?
Definition: By performing risk assessment procedures to evaluate the design of controls relevant to the audit and determine whether they have been implemented.

Term: Is the auditor obligated to search for control deficiencies?
Definition: No obligation to search for deficiencies, but any significant deficiencies must be communicated.

Term: How should the auditor use his/her understanding of IC?
Definition:
- Identify types of potential misstatements
- Consider factors that affect the RMMs
- Design tests of controls if appropriate
- Design substantive procedures

Term: auditor & accounting policies
Definition: The auditor should understand the selection, application, and appropriateness of accounting policies, including:
- Significant and unusual transactions
- Significant policies applied when there is a lack of guidance or consensus in controversial or emerging areas
- Changes in policies
- Adoption of new standards and regulations

Term:
Definition: Controls that ordinarily address objectives related to the preparation of fairly presented F/S, including management of RMMs.

Term: How are relevant controls assessed?
Definition: Professional judgment of the auditor.

Term: What should the auditor do in case of significant risks?
Definition: The auditor should evaluate the design of the related controls and determine whether they have been implemented. For this purpose, the auditor considers the control component, the circumstances, materiality, entity size, nature of business and ownership, diversity and complexity of operations, nature and complexity of control systems, and legal and regulatory concerns.

Term: How are relevant controls identified?
Definition: Identified through:
- Previous experience w/the entity
- Understanding of the entity and its environment
- Information gathered during the audit

Term: Which controls are relevant (not just asking for professional judgment here)?
Definition: Controls related to financial reporting, including controls over completeness, accuracy, operations and compliance, and safeguarding of assets.
Controls over the completeness and accuracy of information used by the auditor. Controls over operations and compliance may be relevant if they relate to information or data involved in the performance of audit procedures. Controls over safeguarding of assets against unauthorized acquisition, use, or disposition may include those relating to financial reporting and operations objectives.

Term: control design and implementation
Definition: Considers whether a control can effectively prevent, or detect and correct, material misstatements.

Term: When has a control been implemented?
Definition: It exists and the entity is using it.

Term: Should implementation always be considered?
Definition: Not if the design is improper. Improper design may be a material weakness.

Term: risk assessment procedures include...
Definition: If design is improper. Improper design may be a material weakness.

Term:
Definition: Concerned w/how and by whom the control was applied and the consistency of application.
Obtaining the understanding is insufficient to test the operating effectiveness of controls, unless they are automated and subject to effective IT general controls.

Term: understanding IT-based systems
Definition: IT skills may be required to determine the effect of IT on the audit, understand IT controls, and design and perform tests of IT controls and substantive procedures.

Term: required IT expertise for auditors
Definition: The auditor must have sufficient IT expertise to communicate audit objectives, evaluate whether the IT professional's procedures will meet those objectives, and evaluate the results.

Term: required IS expertise for auditors
Definition: The auditor should understand the information system relevant to financial reporting: classes of significant transactions; automated and manual procedures to initiate, authorize, record, process, and report transactions; the related accounting records, supporting information, and specific accounts; how the system captures other significant events and conditions; and the financial reporting process.

Term:
Definition: Required by GAAS; more extensive if controls are more complex and audit procedures are more extensive.

Term: systems (document) flowcharts
Definition: Diagrams of the client's system that track the flow of documents and processing. Provide a visual representation of the system and are flexible in construction.

Term:
Definition: Consist of a series of interrelated questions about IC policies and procedures. Help identify control concerns and prevent the auditor from overlooking important control considerations.

Term: Yes and No questionnaires
Definition: "Yes": control strength. "No": control weakness.

Term:
Definition: Written description of the process and flow of documents and of the control points. Flexibility is the advantage.

Term:
Definition: Identifies the contingencies considered in the description of a problem and the appropriate actions to be taken in each case. Decision tables are logic diagrams presented in matrix form. They do not present sequence as flowcharts do.

Term:
Definition: Series of procedures to be performed.

Term:
Definition: Useful tool for systems development as well as for understanding IC.

Term:
Definition: Pictorial diagram of the definition, analysis, or solution of a problem in which symbols are used to represent operations, data flow, documents, records, etc.
Flowcharts are used to understand, evaluate, and document client IC.

Term: processing (in flowcharts)
Definition: Presented sequentially from the point of origin to the distribution of final output. Flows from top to bottom and from left to right.

Term:
Definition: Provides an overall view of the inputs, processes, and outputs of a system.

Term:
Definition: Represents the specific steps in a computer program and the order in which they will be carried out. Macro- and micro-flowcharts describe a program in less or greater detail, respectively.

Term:
Definition: Depicts the flow of documents through an entity.
Areas of responsibility are usually depicted in vertical columns or areas.

Term: system availability is dependent on...
Definition:
- Uninterrupted flow of electricity
- Protection of computer hardware from environmental hazards
- Protection of software and data files from unauthorized alteration
- Preservation of functioning communications channels between devices

Term: volatile transaction trails
Definition: In online, real-time systems, data are entered directly into the computer, eliminating portions of the audit trail provided by source documents.

Term: decreased human involvement
Definition: Because employees who enter transactions may never see the final results, the potential for detecting errors is reduced. Computers also carry a mystique of infallibility.

Term: uniform processing of transactions
Definition: Computer processing uniformly subjects like transactions to the same processing instructions, virtually eliminating clerical error. Thus, it permits consistent application of predefined business rules and the performance of complex calculations in high volume. On the other hand, with programming errors, all like transactions will be processed incorrectly.

Term:
Definition: Firewalls and user-ID-and-password combinations are vital because access can be carried out through multiple terminals in the organization or through hackers.

Term:
Definition: Duplicate the organization's computer files and store them offsite periodically to protect against the effects of the destruction of hardware devices or units.

Term: reduced separation of duties
Definition: Tasks are combined in an automated environment.

Term: reduced individual authorization of transactions
Definition: This reduced level of oversight for individual transactions requires careful coding to ensure that computer programs accurately reflect management's goals for business processes.

Term:
Definition: Transactions are accumulated and submitted to the computer as a single batch. Still widely used; a batch can't be changed unless aborted completely.

Term: online, real-time systems
Definition: The database is updated immediately upon entry of the transaction by the operator.
These include online transaction processing (OLTP) systems.

Term:
Definition: Umbrella under which the IT function operates. Auditors should be satisfied that these work before relying on application controls.

Term: controls over data center and network operations
Definition: Ensure efficient and effective operation of the computer activity.

Term: controls over software acquisition, change, and maintenance
Definition: Ensure that proper software is available for use.

Term:
Definition: Encompasses access both to computer hardware devices themselves (physical access) and to data and programs through the system (logical access).

Term:
Definition: Particular to each of the organization's applications. Some features come built in when applications are acquired from vendors. Software developed by the organization's own programmers must have appropriate controls incorporated in the design.

Term:
Definition: Provide reasonable assurance that data received for processing have been identified, properly authorized, and converted into machine-sensible form, and that data have not been lost, added to, suppressed, duplicated, or otherwise improperly changed. Input controls may also relate to rejection, correction, and resubmission of data initially incorrect.

Term:
Definition: Provide reasonable assurance that processing has been performed as intended for the particular application.

Term:
Definition: Ensure the accuracy of the processing result and the receipt of output by authorized personnel only.

Term: From an audit perspective, what is the most significant general control?
Definition: The assignment of authority and responsibility.

Term: database administrators (DBAs)
Definition: Responsible for developing and maintaining the organization's databases and for establishing controls to protect their integrity.

Term:
Definition: Maintain the bridges, hubs, routers, switches, cabling, and other devices that interconnect the organization's computers, as well as maintaining the organization's connection to other networks.

Term:
Definition: Responsible for the content of the organization's website. S/he works closely w/programmers and network technicians to ensure that the appropriate content is displayed and that the site is reliably available to users.

Term: computer (console) operators
Definition: Responsible for the moment-to-moment running of the organization's servers and mainframes (medium- and large-scale computers). These require 24-hour monitoring.

Term:
Definition: Maintain control over and accountability for documentation, programs, and data storage media.

Term:
Definition: Maintain and fine-tune the operating systems on the organization's medium- and large-scale computers.

Term:
Definition: Uses his/her detailed knowledge of the organization's databases and application programs to determine how an application should be designed to best serve the user's needs. These duties are often combined with those of programmers.

Term:
Definition: Design, write, test, and document computer programs according to specifications provided by the end users.

Term:
Definition: Log problems reported by users, resolve minor difficulties, and forward more difficult problems to the appropriate person.

Term: Most important part of any disaster recovery plan.
Definition: Periodic backup and offsite recovery.

Term:
Definition: Duplicating all data files and application programs at least once a month. Incremental changes are then added about once a week.

Term:
Definition: Must be temperature- and humidity-controlled and guarded against physical intrusion. Must also be geographically remote enough from the site of the organization's main operations that it would not be affected by the same natural disaster.

Term:
Definition: Have generator or battery backup to prevent data destruction and downtime from electrical power disturbances.

Term: fault-tolerant computer systems
Definition: Have additional hardware and software as well as a backup power supply.

Term: hot-site backup facilities
Definition: Fully operational processing facility immediately available.

Term: cold-site backup facilities
Definition: Shell facility where the user can quickly install equipment.

Term:
Definition: Software program that infects another program or a system's primary storage (main memory) by altering its logic.
Infection can destroy data, then spread the virus to other software programs.

Term: common sources of viruses
Definition:
- Obtaining software through a shareware network
- Downloading from untrustworthy sources
- Propagating viruses through email attachments

Term: preventive controls (for viruses)
Definition: Include establishing a formal security policy, using only clean and certified copies of software, not using shareware software, checking new software with antivirus software, restricting access, and educating users.

Term: detective controls (for viruses)
Definition: Include making file size and date/time stamp comparisons.

Term: corrective controls (for viruses)
Definition: Include ensuring that a clean backup is maintained and having a documented plan for virus recovery.

Term:
Definition: Viruses that make copies of themselves with either benign or malignant intent. They are independent and use operating system services as their means of replication.

Term:
Definition: Software that appears to have a legitimate function but performs some destructive or illicit function after it begins to run.

Term:
Definition: Network based on the same technology as the internet, but access is limited to an organization or those w/specific authorization.

Term:
Definition: Provides web access for existing customers or specific users rather than the general public.

Term: most important network control
Definition: Install an entity-wide network security system.

Term: user account management involves installing a system to ensure that...
Definition:
- New accounts are added correctly and assigned only to authorized users.
- Old and unused accounts are removed promptly.
- Passwords are changed periodically, and employees are taught to create passwords that are not easily guessed.

Term:
Definition: Separates an internal from an external network and prevents passage of specific types of traffic. It identifies names, IP addresses, applications, etc., and compares them with programmed access rules.

Term: What do firewall systems do?
Definition: Firewall systems ordinarily produce reports on entity-wide Internet use, exception reports for unusual activity patterns, and system penetration-attempt reports. These reports are helpful to the auditor, but firewalls do not protect adequately against viruses.

Term: Do firewalls protect adequately against viruses?
Definition: No, but firewall reports are useful to auditors.

Term:
Definition: Form of encryption technology used by businesses to authenticate documents.

Term: control over systems software
Definition: Ensure that operating systems, utilities, and DBMS are acquired and changed only under close supervision and that vendor updates are routinely installed.

Term: control over application software
Definition: Ensure that programs used for transaction processing are cost-effective and stable.

Term:
Definition: Collective term for systems software and application software controls; such controls require authorization, testing, and acceptance. All changes should be properly documented.

Term:
Definition: Prevent improper use or manipulation of data files and programs. They ensure that only those persons with a bona fide purpose and authorization have access. Physical security controls protect against unauthorized access to equipment and information.

Term:
Definition: The use of passwords and ID numbers is an effective control in an online system to prevent unauthorized access to files. Lists of authorized persons are maintained online. To avoid unauthorized access, the entity may combine the entry of passwords or ID numbers, prearranged sets of personal questions, and the use of badges, magnetic cards, or optically scanned cards.

Term: device authorization table
Definition: This control grants access only to those physical devices that should logically need access.

Term:
Definition: This log records all uses and attempted uses of the system. The date and time, codes used, mode of access, data involved, and interventions by operators are recorded.

Term:
Definition: Encoding data before transmission over communication lines makes it more difficult for someone with access to the transmission to understand or modify its contents. Encryption technology converts data into a code.

Term:
Definition: Requires the remote user to call, give identification, hang up, and wait for a call to an authorized number. Ensures acceptance of data only from authorized modems.

Term: controlled disposal of documents
Definition: One method of enforcing access restrictions is to destroy data when they are no longer in use. Thus, paper documents may be shredded, and magnetic media may be erased.

Term:
Definition: Automated methods of establishing an individual's identity using physiological or behavioral traits.

Term:
Definition: May prevent the viewing of sensitive data on an unattended data terminal.

Term:
Definition: An entity may hire security specialists. For example, developing an IS policy for the entity, commenting on security controls in new applications, and monitoring and investigating unsuccessful access attempts are appropriate duties of the IS officer.

Term:
Definition: Provide reasonable assurance that data submitted for processing are authorized, complete, and accurate. These controls vary depending on whether input is entered online or in batch mode.

Term: online input controls (OIC)
Definition: Can be used when data are keyed into an input screen.

Term:
Definition:

Term: edit (field) checks (OIC)
Definition: Error message for inputting invalid data; drop-down menus.

Term: limit (reasonableness) checks (OIC)
Definition: Certain amounts can be restricted to appropriate ranges.

Term:
Definition: An algorithm is applied to any kind of serial identifier to derive a check digit. During data entry, the check digit is recomputed by the system to ensure proper entry.

Term: closed-loop verification (OIC)
Definition: Inputs by a user are transmitted to the computer, processed, and displayed back to the user for verification.

Term: batch input controls (BIC)
Definition: Can be used when data are grouped for processing in batches.

Term:
Definition: The number of records in the batch matches the number of records calculated by the user.

Term:
Definition: The sum of the dollar amounts of the individual items as reported by the system matches the amount calculated by the user.

Term:
Definition: The arithmetic sum of a numeric field that has no meaning by itself can serve as a check that the same records that should have been processed were processed. An example is the sum of all Soc. Sec. numbers.

Term:
Definition: Provide reasonable assurance that all data submitted for processing were processed and only approved data are processed. These controls are built into the application code by programmers during the systems development process.
Some processing controls repeat the steps performed by the input controls, such as limit checks and batch controls.

Term:
Definition: Identifiers are matched against master files to determine existence.

Term:
Definition: Any record with missing data is rejected.

Term:
Definition: Cross-footing and zero-balance checking.

Term:
Definition: Computer effort is expended most efficiently when data are processed in a logical order. This check ensures that the batch is sorted in this order before processing begins.

Term: run-to-run control totals (PC)
Definition: The controls associated with a given batch are checked after each stage of processing to ensure all transactions have been processed.

Term:
Definition: A record's key is the group of values in designated fields that uniquely identify the record. No application process should be able to alter the data in these key fields.

Term:
Definition: Compares an amount to the sum of its components.

Term:
Definition: Adds the debits and credits in a transaction or batch to assure they sum to zero.

Term:
Definition: Provide assurance that processing was complete and accurate.

Term: audit trail & output controls
Definition: A complete audit trail should be generated by each process. The audit trail is immediately submitted to a reasonableness check by the user who is most qualified to judge the adequacy of processing and the proper treatment of erroneous transactions.

Term:
Definition: Report all transactions rejected by the system. These should be corrected and resubmitted by the user.