389 Exam 2 Flashcards

(180 cards)

1
Q

Internal Controls

A

Policies, plans and procedures designed to protect the assets of the company.

2
Q

Internal Control System

A

the methods used to achieve the following objectives:

  • safeguarding assets
  • checking the accuracy and reliability of accounting data
  • promoting operational efficiency
  • encouraging adherence to prescribed managerial policies.
3
Q

Threat

A

any potential adverse occurrence or unwanted event that could injure the AIS or the organization

4
Q

Exposure / Impact

A

the potential dollar loss that would occur if the threat becomes a reality

5
Q

risk / likelihood

A

the probability that the threat will occur

6
Q

Types of threats:

A

natural and political, software errors and equipment malfunction, unintentional acts, intentional acts.

7
Q

internal controls perform three important functions:

A
  • preventive controls
  • detective controls
  • corrective controls.
8
Q

preventive controls? examples?

A

deter problems before they arise

e.g. firewall
e.g. locking doors before leaving home

9
Q

detective controls? examples?

A

discover problems when they do arise.

e.g. an alarm system: if someone were to get in your home, the alarm would sound.
e.g. bank reconciliation
e.g. a trial balance, making sure debits and credits balance and making sure nothing crazy is going on.

10
Q

Corrective controls? examples?

A

remedy problems that have occurred by:

identifying the cause, correcting the resulting errors, modifying the system to prevent future problems of this sort.

11
Q

What are some regulations of controls?

A

Foreign Corrupt Practices Act, COSO, SOX

12
Q

COSO meaning and what they do:

A

Committee of Sponsoring Organizations of Internal Control

  • control environment
  • risk assessment
  • control activities
  • information and communication
  • monitoring
13
Q

Control environment:

A

establishes the tone of a company, influencing the control awareness of the company’s employees.

Is the general attitude towards the control environment within a company

14
Q

Factors included within the control environment are:

A

integrity, ethical values and competence of employees

management philosophy and operating style

Assignment of authority and responsibility

effectiveness of the board of directors.

15
Q

Control environment starts ___ and ___

A

at the top and works its way down.

16
Q

Risk assessment:

A

an important consideration when designing controls for a company

17
Q

Risks come from

A

internal and external sources

18
Q

Risks that may affect the accomplishment of a company’s goals and objectives should be ____

A

identified, analyzed and promptly addressed

19
Q

cost-benefit analysis

A

do the benefits of a particular control implementation outweigh the costs?

20
Q

A measure of loss should include ___

A

both the exposure and risk

21
Q

Control activities:

A

relate to the policies and procedures that help ensure that management directives are carried out in an effective manner.

22
Q

Audit trail

A

enables auditors and accountants to follow the path of a transaction

23
Q

Sound personnel policies and competent employees

A

specific hiring procedures… rotation of certain key employees in different jobs, enforced vacations… regular performance reviews.

24
Q

Separation of Duties:

A

A control activity within an internal control system that essentially says that one employee serves as a monitor for another employee. Keep separate custody of assets, recording transactions, and authorizing transactions.

25
Separation of duties, custodial functions:
handling cash, inventories, tools, or fixed assets, writing checks, receiving checks in the mail
26
Separation of duties, recording functions:
Preparing source documents, maintaining journals, ledgers or other files, preparing reconciliations, preparing performance reports.
27
Separation of duties, authorization functions:
authorization of transactions
28
collude:
come together. | this makes segregation of duties impotent and controls can be overridden.
29
Physical protection of assets:
a process to safeguard inventory... how about cash?
30
internal audits
perform periodic reviews
31
operational audits:
performed to evaluate the efficiency and effectiveness of that particular department
32
information:
refers to the output of the accounting system - it includes the methods used to record, process, summarize and report a company's transactions and maintain accountability for assets, liabilities, and equity.
33
Communication:
refers to providing a company's personnel with an understanding of their role and responsibilities pertaining to internal control over financial reporting.
34
Monitoring:
relates to the process that assesses the quality of internal control performance on a continuous basis.
35
examples of monitoring:
perform internal control evaluations, implement effective supervision, use responsibility accounting systems such as budgets, schedules, standard costs, etc., track purchased software and mobile devices, periodic audits
36
9-14 why? | a. separate cash payments from cash receipts
Both are custody
37
9-14 why? | b. lock up signature plates
prevents unauthorized use
38
9-14 why? | c. match invoices to receiving reports
ensure item was received and invoice quantity is correct
39
9-14 why? | d. checks mailed by person not preparing check
separation of duties: person mailing may notice suspicious payments
40
9-14 why? | e. match invoices to POs
Ensure purchase is authorized and invoice price is correct
41
9-14 why? | f. keep checks under lock
prevent unauthorized payments
42
9-14 why? | g. imprest payroll account (deposit only payroll amt.)
identify payroll fraud / error and limit loss
43
9-14 why? | h. separate bank reconciliation from writing checks or handling cash
separation of duties- prevents concealing a theft by making it appear that GL cash reconciles to bank statement cash.
44
9-14 why? | i. use check protector:
keep people from changing check amount
45
9-14 why? | j. conduct surprise counts of cash
catch thieves who do not generate fictitious support documents at the time of the theft.
46
9-14 why? | k. use approved vendors:
prevent vendors that are 1.) fictitious, 2.) have high prices, 3.) have poor quality products.
47
9-14 why? | l. all purchases made by purchasing department
prevent vendors that are 1.) fictitious, 2.) have high prices, 3.) have poor quality products.
48
electronic eavesdropping:
security risk with wireless technology
49
data encryption
this can stop eavesdropping. this means the data is scrambled and only receiver can de-scramble
50
VPN
Virtual private network: | security appliance that allows remote access to a company's system.
51
Security for wireless system:
electronic eavesdropping, data encryption, VPN
52
Security for hard-wired system:
in distributed data processing, data processing is handled by many PCs - routing verification procedures - message acknowledgment procedures
53
in distributed data processing, data processing is handled by many PCs
PCs are linked to a central computer | Electronic eavesdropping could be a problem here as well
54
Routing verification procedures
ensure that messages are routed to the correct computer. Header label, i.e. identifies message destination; checked before acceptance of message.
55
message acknowledgment procedures
prevent loss of part of message. Trailer label, i.e. data indicating message length; checked after data received.
56
Management is responsible for:
directing and controlling operations and establishing, communicating, and monitoring all company policies and procedures.
57
security policies:
help protect the organization from internal and external threats
58
5 components of internal control process
- control environment - risk assessment - control activities - information and communication - monitoring
59
Types of general computer controls:
personnel controls, file security, backup, contingency planning, computer facility controls, access to computer files.
60
file security controls: purposes: examples:
protect computer files from either accidental or intentional abuse. e.g. external file labels, internal file labels, lockout procedures (prevents 2 applications from simultaneously updating file), read-only files
61
fault-tolerant systems purpose: core concept: types:
purpose: to tolerate computer errors and keep functioning. core concept: redundancy. types: consensus-based protocols, watchdog processor, disk mirroring or disk shadowing
62
consensus-based protocols:
have an odd number of processors, ignore incongruent processor
63
watchdog processor:
second processor that takes over if main processor fails
64
disk mirroring or disk shadowing
write all data to two disks
65
backup procedures:
similar to fault-tolerant systems but not exactly the same.
66
purpose of backup procedures:
mitigate risk of losing data before, during, or after processing work
67
Grandparent-parent-child procedure:
a backup procedure that | keep three generations of the master file
68
electronic vaulting:
a backup procedure that | electronically transmit data to a remote location for backup.
69
contingency planning purpose:
ready the organization for disaster that could affect data processing capabilities
70
offsite location types:
cold site, hot site, flying start site
71
Disaster recovery plan:
procedures to be followed in case of an emergency
72
cold site:
location where system could be installed quickly. literally a room with nothing.
73
hot site:
location with a working system. room plus you have a site and software you just don't have data
74
flying start site:
hot site with backup data location, data, system and software.
75
computer facility controls purpose:
protect the physical assets of a data processing center
76
key points of computer facility controls
data center location should be safe, employee access to data center should be listed, physical assets should be insured.
77
access to computer files purpose:
safeguards sensitive data.
78
key points to access to computer files
strong password policies, limiting logical access by authority, removing users from system after termination, limiting/controlling remote login capability
79
application controls:
controls designed to prevent errors in transaction processing
80
three classifications of application controls:
input controls, processing controls, output controls
81
types of inputs control:
observations | edit tests
82
input controls - observation:
dual observation - having multiple employees involved in input process; recording safeguards - UPC, barcode scanners, POS devices; standard AJEs
83
input controls - edit tests:
edit checks
84
Field check:
proper type of characters in a field, e.g. 9o210: it won't process that because it is supposed to be 90210
85
Field Size check:
ensures that the input data will fit into the assigned field i.e. twitter character count.
86
sign check
appropriate arithmetic sign
87
limit check
tests a numerical amount against a fixed value floor or ceiling
88
reasonableness check:
determines the correctness of a logical relationship between two data items
89
types of processing controls
data access controls | data manipulation controls
90
types of data access controls:
financial totals, hash totals, record count, social security numbers
91
types of data manipulation controls:
review software documentation | ensure proper programming using test data.
92
Fraud:
any act of deception with intent to gain an unfair advantage over another person.
93
Computer fraud:
illegal act that requires computer knowledge / use to perpetrate.
94
Types of fraud:
misappropriation of assets, corruption, fraudulent financial reporting
95
Examples of misappropriation of assets
Embezzlement, theft of money or property
96
Examples of Corruption
Using your position to take advantage
97
Example of Fraudulent financial reporting
intentional manipulation of financial statements i.e. Healthsouth
98
Computer Crime:
the use of a computer for illegal financial gain or infliction of measurable loss on a person.
99
Computer abuse:
mischievous, unauthorized use of a computer that is contrary to the owner's wishes i.e. invasion of privacy.
100
The Computer Fraud and Abuse Act of 1986 covers the following issues:
1. Use of, or conspiracy to use, computer resources to commit a felony.
2. Theft, use, access, modification, copying or destruction of software or data.
3. Theft of money by altering computer records, or theft of computer time.
4. Theft or vandalism of computer hardware.
5. Intent to illegally obtain information or property using the computer.
6. Trafficking in passwords or other login information.
7. Extortion using a computer system as a target.
101
What are some techniques used to commit computer crimes?
Trojan Horse, Data diddling, Hacking, Phishing
102
What is a trojan horse?
unauthorized commands hidden in authorized programs.
103
What are different types of trojan horses?
Virus, Worm, Logic Bomb, Salami Technique
104
What is a virus?
A program that attaches to other files or programs and spreads by copying itself. They can destroy programs and data and perform denial of service attacks.
105
What is a worm?
A stand-alone program that replicates itself until all memory is utilized. Can also be used in denial of service attacks. Target puts a worm on Walmart. If Walmart is slow, customers will choose Target instead.
106
What is a logic bomb?
A program that remains dormant until triggered by some event. - Logic bombs can destroy programs and data.
107
What is the salami technique?
A program that makes small adjustments to many accounts in an effort to steal large amounts of money in small increments.
108
What is data diddling?
changing data before, during, or after an entry.
109
What is hacking?
Gaining unauthorized access to a system.
110
What is phishing?
e.g. pose as legitimate company.
111
Types of security technologies:
1. Antivirus software 2. Firewalls 3. Access controls 4. Physical security 5. Intrusion detection systems 6. Data encryption
112
Steps to identifying computer crime:
1. Look for accounting irregularities, or anomalous data. 2. Look for employees with lifestyle changes or unusually extravagant lifestyles given their income. 3. Look for employees with bizarre behavior. i.e. secretive and unwilling to take vacation.
113
Forensic accountants:
specialize in preventing or detecting fraud or white-collar crime.
114
Is it okay for your employer to read emails from your work account?
Yes
115
Is it fair for your potential or current employers to use Facebook or Twitter to monitor employees?
Yes it is okay.
116
When does the accounting cycle begin?
When the accounting personnel analyze a transaction from a source document.
117
What is a source document?
A piece of paper or electronic form that records a business activity such as the purchase or sale of goods.
118
Subsidiary ledger:
contains detailed records pertaining to a type of account (e.g. A/R, A/P, Payroll)
119
General Ledger:
a collection of account balances.
120
What is coding?
AIS depend on it to record, store, classify, and retrieve financial data.
121
What is the purpose of coding?
uniquely identify transactions and accounts, compress data, aid in classification process, and convey special meaning.
122
Types of codes:
Mnemonic codes, Sequence codes, Block codes, Group codes
123
Mnemonic Codes:
give visible clues concerning the objects they represent (e.g. S, M, L, XL)
124
Sequence Codes
assign numbers or letters in consecutive order
125
Block Codes
sequential codes in which blocks of numbers are reserved for particular use.
126
Group codes:
Combines two or more codes.
127
A payroll clerk created a ghost employee and entered the name into the payroll system. He then prepared a paycheck for this employee, endorsed it to himself, took the paycheck to the bank, and deposited the check.
Require supervisors to approve time worked. Have someone other than payroll clerk distribute signed checks. Use direct deposit. Have employees sign for checks. Have employees clock in electronically (use badges). Use a record count of employees. Use a hash total.
128
In a charitable organization, a cashier set aside checks for donations, endorsed them, and cashed them. She then sent gift acknowledgement cards to the donors.
* Use restrictive endorsement only (remove authority to cash checks). * Have donations sent to a lockbox (remove custody). * Accept donations online. * Have 2 clerks open mail together. * Have gift acknowledgement cards sent by someone other than cashier (separation of duties). * Independently reconcile donations to gift acknowledgements (independent check).
129
A computer programmer obtained the payroll master file, loaded it into the system, and changed his salary.
* Have someone independent of payroll review all changes to the employee master file. * Limit access to payroll data entry. * Outsource payroll. * Use a financial total (hourly or other pay rates).
130
A programmer quit in the middle of an assignment. Because no other programmers could make sense of the work already completed, the project was started over from scratch.
• Document systems in the planning and implementation phases.
131
5. During keying in a customer’s payment, the digit 0 in a payment of $102.34 was mistakenly entered as the letter O. As a result, the transaction was not processed correctly, and the customer received an incorrect statement.
• Use a field check (preventive control).
132
6. An employee gained unauthorized access to the system by observing her supervisor’s user name and then correctly guessing her password after 12 attempts.
* Limit number of attempts to enter system. * Use smart passwords. * Change passwords frequently.
133
7. A salesperson for a PC manufacturer, keying in a customer order from a remote laptop computer, entered an incorrect stock number. As a result, an order of 50 printers was placed for a customer who wanted to order 50 PCs.
* Redundant data check | * Confirmation of order with customer
134
8. A salesperson keying in a customer order from a remote computer inadvertently omitted the delivery address from the order.
* Completeness check | * Confirmation of order with customer
135
Acme Glass Company makes glass windows. In the final step, the windows are cleaned on a raised table in order to protect workers from work-related injuries. During cleaning the windows are secured by a tether to avoid damage. In 2% of the cases, the tether malfunctions and the window falls off the table. In 5% of the falls, the window is broken. Each broken window costs Acme $800. Acme makes 24,000 windows each year. The Enron Tether Maintenance Company has agreed to provide monthly tether maintenance to Acme at a cost of $1,000 per month. If Enron provides tether maintenance, the likelihood of a window falling off the table is cut in half. The likelihood of breakage as the result of a fall is not affected by Enron’s tether maintenance. 9. Without purchasing tether maintenance, what is the expected loss due to breakage each year?
Expected cost = Risk * Exposure.
Risk: 2% of windows fall and 5% of those break. Risk = 2% * 5% = 0.001.
If 0.001 of all windows break, and there are 24,000 windows per year, there are 24 breaks (on average) per year.
Exposure is $800 per window.
24 breaks @ $800 each = $19,200 expected cost.
136
Acme Glass Company makes glass windows. In the final step, the windows are cleaned on a raised table in order to protect workers from work-related injuries. During cleaning the windows are secured by a tether to avoid damage. In 2% of the cases, the tether malfunctions and the window falls off the table. In 5% of the falls, the window is broken. Each broken window costs Acme $800. Acme makes 24,000 windows each year. The Enron Tether Maintenance Company has agreed to provide monthly tether maintenance to Acme at a cost of $1,000 per month. If Enron provides tether maintenance, the likelihood of a window falling off the table is cut in half. The likelihood of breakage as the result of a fall is not affected by Enron’s tether maintenance. 9. Without purchasing tether maintenance, what is the expected loss due to breakage each year?
Expected cost without Enron Maintenance: $19,200
Expected cost with Enron Maintenance: $9,600*
Savings with Enron Maintenance: $9,600
Cost of Enron Maintenance: $12,000
Net Cost: ($2,400)
*With Enron Maintenance, cost is ½ of current cost, or: 1% * 5% = 0.0005 * 24,000 windows = 12 window breaks @ $800 each.
137
Design of an effective AIS begins by
considering the outputs from the system.
138
Outputs of an AIS include:
1. Reports to MGT 2. Reports to investors and creditors. 3. Files that retain transaction data. 4. Files that retain current data about accounts.
139
Business process:
a collection of events
140
what are the two types of events in a business process?
- an economic event (accounting transaction) | - a business event does not affect the financial statements but still needs to be recorded (a sales order)
141
What are the 2 core business processes?
sales | purchasing.
142
The sales process begins with...
a customer order of goods or services and ends with the collection of cash from the customer.
143
Simple description of Sales Process
GOODS OUT, CASH IN.
144
What are the steps in the sales process?
sales order, shipment of goods, bill customer, and cash receipt. (maybe sales return)
145
What are the objectives of the sales process?
tracking sales, filing customer orders, billing customers, collecting payment, forecasting sales and cash receipts.
146
Inputs to the sales process (or source documents)
sales order, sales invoice, check, remittance advice, shipping notice, debit/ credit memo.
147
Outputs of the sales process:
customer billing statement, aging report, bad debt report, cash receipts forecast, approved customer list.
148
Threat: incomplete or inaccurate customer orders: | control?
data entry edit checks.
149
threat: credit sales to customers with poor credit.
credit approval by credit manager, not by sales function; accurate records of customer account balances.
150
threat: legitimacy of orders:
signatures on paper documents; digital signatures and digital certificates for e-business.
151
threat: stockout, carrying costs, and markdowns.
inventory control systems, improved sales forecast, supply chain management.
152
threat: Shipping errors:
reconciliation of sales order with picking ticket and packing slip; bar code scanners; data entry control application controls.
153
threat: theft of inventory:
restrict physical access to inventory. documentation of all internal transfers of inventory and reconciliation of counts of recorded amounts. Separate inventory custody from recording inventory usage from authorization to ship.
154
threat: failure to bill customers:
separation of shipping and billing functions; prenumbering of all shipping documents and periodic reconciliation to invoices; reconciliation of picking tickets and bills of lading with sales orders.
155
threat: billing errors:
data entry edit control; price lists; reconcile the sales order and shipping documents to the invoice.
156
posting errors in updating accounts receivable
reconciliation of subsidiary accounts receivable ledger with general ledger; monthly statements to customers.
157
threat: theft of cash:
segregation of duties; minimization of cash handling; lockbox arrangements; prompt endorsement and deposit of all receipts; periodic reconciliation of bank statements with records by someone not involved in cash receipts processing.
158
threat: loss of data
backup and disaster recovery procedures. access controls.
159
threat: poor performance.
preparation and review of performance reports.
160
the purchasing process begins with
a request for goods or services and ends with a payment to the vendor.
161
the purchasing process simplified:
goods in; cash out.
162
steps in the purchasing process:
purchase requisition, purchase order, receive goods, approve payments and cash disbursements.
163
objectives of the purchasing process:
tracking purchases of goods and services from vendors; tracking amounts owed (A/P); maintaining vendor records; controlling inventory; making timely and accurate vendor payments; forecasting purchases and cash outflows.
164
inputs to the purchasing process:
purchase requisitions, purchase order, invoice from vendor, receiving report, bill of lading, packing slip, debit/credit memo.
165
outputs of the purchasing process.
discrepancy reports, vendor checks, check register, cash requirements forecast.
166
threat: prevent stockout or excess inventory:
inventory control systems; bar code scanners; periodic counts of inventory
167
threat: request unnecessary items:
accurate perpetual inventory records; require purchase requisition approval
168
threat: inflated prices.
bids; approved suppliers; approved purchase orders; budget review.
169
threat: inferior quality:
approved suppliers; approved purchase orders; monitor supplier performance.
170
threat: unauthorized suppliers:
require purchase order approval; restrict access to supplier master files; approved suppliers.
171
kickback threat:
require disclosure of financial interests in suppliers; vendor audits.
172
threat: receive unordered goods.
receiving department requires the existence of a valid purchase order prior to acceptance.
173
threat: errors in counting goods.
bar code scanners; accuracy incentives.
174
threat: theft of inventory:
restrict physical access; document all internal transfers of inventory; periodic physical counts; reconciliation of counts to recorded amounts; separate inventory custody from recording inventory usage from authorization to receive goods.
175
threat: uncaught errors in invoice:
train AP staff; reconcile invoice to PO and receiving report.
176
threat- pay for goods not received.
reconcile invoice to receiving report
177
threat- missed purchase discounts
proper filing; cash flow budgets.
178
threat- pay same invoice twice-
support invoice with original voucher package; timely cancel voucher package.
179
threat- recording/posting errors in AP
Data entry and processing edit controls
180
threat- theft of cash:
Segregation of duties between AP (approval and recording) and cashier; reconciliation of bank account by someone independent of cash disbursement; restrict access to blank checks; two signatures for higher check amounts