ACCTN578 Test 2 Flashcards

Question

What was the goal of the Sarbanes-Oxley Act?

Answer 1

The Sarbanes-Oxley Act (2002) - Legislation intended to prevent financial statement fraud - make financial reports more transparent - provide protection to investors - strengthen internal controls at public companies - punish executives who commit fraud SOX changed the way Board of Directors & Management operate. Had an impact on CPA's who audit them.

Answer 2

- PCAOB - Public Company Accounting Oversight Board - new rules for auditors - new rules for audit committees - new rules for management - new IC requirements

Answer 3

The Public Company Accounting Oversight Board - created by SOX to control the auditing profession - sets & enforces auditing, quality control, ethics, independence & other auditing standards.

Answer 4

- auditors must report specific information to audit committee eg critical acc policies & practices. - SOX prohibits auditors from performing certain non audit services (eg info system design). - audit firm can't provide service to companies if top management was employed by audit firm and worked on company's audit in previous 12 months.

Answer 5

- members must be on the company's Board of Directors and be independent of the company. - one member must be a financial expert. - the audit cttee hires, compensates & oversees the auditors, who report directly to them.

Answer 6

Requires CEO & CFO to certify: 1. F/S & disclosures are fairly presented, were reviewed by management, not misleading. 2. Auditors were told about all material IC weaknesses and fraud. Prosecution & fines if mgmt knowingly violate. Companies must disclose in plain english material changes to fin. condition on a timely basis.

Answer 7

Section 404 requires companies to issue a report accompanying the F/S stating that mgmt is responsible for establishing and maintaining an adequate IC system. Report must include mgmt's assessment of the company's IC's, attest to their accuracy & report significant weaknesses or material non compliance. Mmgt have to base their eval. on a recognised control framework; and conclude that a company doesn't have effective financial reporting IC's if there are material weaknesses.

Answer 8

- COBIT5 Framework (Control Objectives for Information Related Technology) - COSO's Internal Control Framework (Committee of Sponsoring Organisations) (IC) - COSO's Enterprise Risk Management Framework (ERM)

Answer 9

Developed by Information Systems Audit & Control Association. A security and control framework that allows: 1. Mgmt to benchmark security & control practises of IT environments. 2. Users to be assured that adequate IT security & controls exist 3. Auditors to substantiate their IC opinions & to advise on IT security and control matters. COBIT5 framework describes best practises for effective governance & mgmt of IT. Based on 5 key principles of IT governance and management that protect stakeholder's investments & produce best possible information system. Governance and mgmt of IT ongoing process. Board of Dirs & mgmt monitor orgn's activities, use that feedback to modify existing plans & procedures or develop new strategies to respond to changes in business objectives & new developments in IT.

Answer 10

1. Meeting stakeholder needs. - through customising business processes and procedures. Allows company to create proper balance between risk and reward. 2. Covering the enterprise end to end - integrates all IT functions & processes into company wide functions and processes. 3. Applying a single, integrated framework - can be aligned at high level w other stds & framework so that overarching framework for IT governance & mgmt created. 4. Enabling a holistic approach - resulting in effective governance & mgmt of all IT functions in the company 5. Separating governance from management

Answer 11

To create value by optimising the use of organisational resources to produce desired benefits in a manner that effectively addresses risk. The responsibility of Board of Directors who: 1. evaluate stakeholder needs to identify objectives 2. provide mgmt w direction by prioritising objectives 3. monitor mgmt's performance

Answer 12

Planning, building, running and monitoring the activities & processes used by the organisation to pursue the established objectives. Provide periodic feedback to Board of Dir's that can be used to monitor orgn's objectives, and if necessary revaluate and modify objectives.

Answer 13

It's comprehensiveness.

Answer 14

5 governance processes: - evaluate, direct, monitor 32 management processes, split into 4 domains - Align, Plan, Organise (APO) - Build, Acquire, Implement (BAI) - Deliver, Service, Support (DSS) - Monitor, Evaluate, Assess (MEA)

Answer 15

The business processes and control activities that affect the accuracy of an organisation's f/s and it's compliance with external regulations.

Answer 16

A framework that defines IC's and provides guidance for evaluation & enhancing IC systems. Issued in 1992, updated in 2013. Widely accepted as the authority on internal control. Has been incorporated into policies, rules, regulations used to control business activities. Has five components, and 17 principles.

Answer 17

1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information & Communication 5. Monitoring NB: Control activities are built into databases

Answer 18

This is the foundation for all other components of IC. "Tone at the top" The core of any business is its people, including individual attributes (integrity, discipline, ethical values, competence), and the environment in which they operate.

Answer 19

1. Commitment to integrity and ethics 2. IC oversight by Board of Dirs, independent of management 3. Structures, reporting lines, appropriate responsibilities in pursuit of obj. established by mgmt & oversee by Board. 4. Commitment to attract, develop & retain competent individuals in alignment w obj. 5. Holding individuals accountable for IC responsibilities in pursuit of objectives.

Answer 20

The organisation must identify, analyse, and manage its risk. Managing risk is a dynamic process. Mgmt must consider changes in external environment and within the business that may be obstacles to its objectives.

Answer 21

6. Specifying objectives clearly enough for risks to be identified and assessed 7. Identifying & analysing risks to determine how they should be managed. 8. Considering the potential of fraud 9. Identifying and assessing changes that could significantly impact the system of IC

Answer 22

Control policies and procedures help ensure that the actions identified by mgmt to address risks and achieve the organisation's objectives are effectively carried out. Control activities are performed at all levels and at various stages within the business process & over technology.

Answer 23

10. Selecting and developing controls that might help mitigate risks to an acceptable level 11. Selecting and developing general control activities over technology 12. Deploying control activities as specified in policies and relevant procedures.

Answer 24

Information and communication systems capture and exchange the information needed to conduct, manage and control the organisation's operations. Communication must occur internally and externally to provide information needed to carry out day to day IC activities. All personnel must understand their responsibilities.

Answer 25

13. Obtaining or generating relevant, high-quality information to support internal control 14. Internally communicating information, including objectives and responsibilities, necessary to support the other components of internal control 15. Communicating relevant internal control matters to external parties

Answer 26

The entire process must be monitored, and modified as necessary so the system can change as conditions warrant. Evaluations ascertain whether each component of IC is present & functioning. Deficiencies are communicated in a timely manner, w serious matters reported to senior mgmt and Board.

Answer 27

16. Selecting, developing and performing ongoing evaluations of the components of IC 17. Evaluating and communicating deficiencies to those responsible for corrective action, including senior mgmt & Board of Directors where appropriate.

Answer 28

Enterprise Risk Management Framework - improves the risk management process, by expanding the IC - integrated framework (adding 3 additional elements). - ERM is the strategy the Board of Dir & Mgmt use to set strategy, ID events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its goals & objectives.

Answer 29

- Companies are formed to create value for their owners - mgmt must decide how much uncertainty it will accept as it creates value - uncertainty results in risk (ie the possibility that something negatively effects the company's ability to create or preserve value) - uncertainty results in opportunity (ie the possibiity that something positively affects .....) - ERM framework can manage uncertainty and create & preserve value.

Answer 30

4 columns along the top are the obj. mgmt must meet to achieve company's goals - strategic, operations, reporting, compliance 4 columns on the right are the company's units - Entity-Level, Division, Business Unit, Subsidary Horizontal rows are 7 interrelated risk and control components. 3D model - each of the 8 risk & control components applies to each of the 4 objectives and to the company and/or one of it's subunits.

Answer 31

ERM is more comprehensive. ERM takes a risk based approach. IC framework takes controls based approach. ERM adds 3 additional components to IC - Objective Setting - Event identification - Risk Response Resulting controls are flexible & relevant b/c linked to current obj. of the organisation. Recognises that risk, in addition to being controlled, can be accepted, avoided, diversified, shared or transferred.

Answer 32

The company culture that is the foundation for all other ERM components. Influences how organisations establish strategies and objectives, structure business activities and identify, assess & respond to risk. Weak or deficient results in breakdowns in risk mgmt and control.

Answer 33

1. Management's philosophy, operating style & risk appetite. 2. Commitment to integrity, ethical values, competence 3. IC oversight by Board of Directors 4. Organisational Structure 5. Methods of assigning authority & responsibility 6. HR standards that attract, develop, retain competent individuals 7. External influences. The more responsible the style, and more clearly communicated, more likely employees will behave responsibly. If mgmt have little concern for IC's and risk mgmt, employees less diligent in achieving control objectives.

Answer 34

The amount of risk a company is willing to accept to achieve its goals & objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.

Answer 35

The outside, independent Board of Dir members responsible for financial reporting, regulatory compliance, IC, and hiring & overseeing internal and external auditors, who report all critical accounting policies & practices to them.

Answer 36

Provides a framework for planning, executing, controlling and monitoring operations. - centralised/decentralised authority - direct/matrix reporting - organisation by industry, product line, location or marketing network - allocation of responsibility affects info reqs - organisation of and lines of authority for acc, auditing & IS functions - size & nature of company activities.

Answer 37

- Hierarchical structures being replaced w flat organisations of self directed work teams, that make decisions without needing multiple layers of approval. - emphasis on continuous improvement rather than periodic reviews & appraisals - these org. structure changes impact the nature and types of controls used.

Answer 38

A document that explains proper business practises, describes needed knowledge and experience, explains documentation procedures, explains how to handle transactions and lists the resources provided to carry out specific duties. Manual including chart of accounts, copies of forms and docs.

Answer 39

The honesty of employees. HR policies & practices governing working conditions, job incentives, career advancement can be a powerful force in encouraging honesty, efficiency and loyal service.

Answer 40

Hiring (based on education BG, experience, achievement, ethical values. Eval. through resumes, ref letters, IV's, BG checks) Compensating, evaluating & promoting (poorly compensated = resentful= more likely fraud. Fair pay, incentives help motivate. Periodic appraisals to understand strengths/weaknesses. Promos based on perf. and quals) Training (teach responsibilities, expected levels of perf & behaviour, company's policies, culture, op style. Ongoing training - tackle new challenges, adapt to changing tech) Managing disgruntled employees (disgruntled seek revenge - fraud, sabotage systems. Grievance channels, counsellors) Discharging (dismissed employees removed from sensitive jobs immediately, denied access etc) Vacations & Rotation of Duties (helps discover fraud from ongoing perpetrations) Confidentiality Agreements, Fidelity Bond Insurance Prosecute & Incarcerate Perpetrators

Answer 41

1. PR disaster - reveal system vulnerable to further hackers/fraud 2. Law enforcement & Courts busy w violent crimes 3. Fraud is difficult, costly & time consuming to prosecute. 4. Lack of skills req. to investigate and prosecute in judges, lawyers, police etc 5. fraud sentences often light

Answer 42

Mgmt determines what the company hopes to achieve (corporate vision/mission) Mgmt sets objectives at corporate level & then subdivides them into more specific objectives for company subunits. Company determines what must go right to achieve the objectives & establishes performance measures to determine whether they are met.

Answer 43

Strategic Objectives Operations Objectives Compliance Objectives Reporting Objectives

Answer 44

Strategic Objectives - high level goals that are aligned with & support company's mission & create S/H value. - Mgmt should ID alternative ways of accomplishing strategic objectives. - Identify and assess the risks & implications of each alternative. - Formulate a corporate strategy & set operations, compliance and reporting objectives.

Answer 45

Operations Objectives - deal with the effectiveness and efficiency of company operations. - determine how to allocate resources - reflect mgmt's preferences, judgements & style - key factor in corporation's success. - Can vary substantially eg early adapter of tech, adopt once proven, only when generally accepted.

Answer 46

Reporting Objectives - help ensure the accuracy, completeness & reliability of company reports - improve decision making - monitor company activities & performance

Answer 47

Compliance Objectives - help the company comply w all applicable laws & reg's - most compliance objectives, and many reporting objectives imposed by external entities in response to laws and regulations. - how well a company meets compliance and reporting objectives can significantly impact it's reputation.

Answer 48

An event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impacts or both. Positive event = opportunity Negative event = risk An event represents uncertainty. May or may not occur, if it does, hard to know when. Until it occurs hard to determine impact. When it does occur, may trigger another event. Events may occur individually or concurrently. Mgmt must try & anticipate all possible positive & negative events, determine which are most & least likely to occur & understand interrelationship of events.

Answer 49

- using a comprehensive list of events - performing an internal anlaysis - monitoring leading events & trigger points - conducting workshops & IV's - using data mining - analysing business processes.

Answer 50

During objective setting process, mgmt must specify their objectives clearly enough for risks to be ID'd & assessed. Should include assessment of all threats: - natural and political disasters - software errors & equipment failures - unintentional acts - possibility of intentional acts like fraud. Must ID and analyse risks to determine how they should be managed. Must also ID and assess changes that could significantly impact the system of internal control. To align identified risks w the company's tolerance for risk, mgmt must take an entity wide view of risk. Assess likelihood, impact, as well as costs & benefits of alternative responses.

Answer 51

Likelihood Positive & Negative Impacts Individually & by Category Their effect on organisational units On an inherent & residual basis Companies should asses inherent risk, develop a response and then assess residual risk.

Answer 52

Inherent Risk: - the susceptibility of a set of accounts, or transactions to significant control problems in the absence of internal control. Residual Risk: - the risk that remains after mgmt implements IC's or some other response to risk.

Answer 53

Management can respond to risk in 1 of 4 ways: - Reduce Reduce likelihood & impact of risk by implementing an effective system of IC's - Accept Accept the likelihood & impact of risk - Share Share risk or transfer it to someone else (buying insurance, outsourcing an activity, hedging transactions) - Avoid Avoid risk by not engaging in the activity that produces the risk (sell a division, exit a product line, not expand)

Answer 54

Accountants & system designers help mgmt design effective control systems to reduce inherent risk. They also evaluate IC systems to ensure they are operating effectively. They assess and reduce risk using a risk assessment & response strategy.

Answer 55

1. Identify the events, or threats, that confront the company 2. Estimate the likelihood, or probability of each threat occurring. 3. Estimate the impact, or potential loss, from each threat. 4. Identify controls to guard against each threat. 5. Estimate the costs and benefits from instituting controls 6. Is it cost-beneficial to protect the system from a threat? No - Avoid, share, or accept risk. Yes - see 7. 7. Reduce risk by implementing controls to guard against the threat.

Answer 56

As either increases, both the materiality of the event & the needs to protect against it rise.

Answer 57

ERM software lets managers enter perceived risks, assess their nature, likelihood and impact, and assign them a numerical rating. An overall assessment of corporate risk is developed by aggregating all the rankings.

Answer 58

Preventative Detective Corrective

Answer 59

Because having too many controls is cost prohibitive and affects operational efficiency.

Answer 60

Benefits can be hard to quantify accurately - increased sales & productivity - reduced losses - better integration w customers & suppliers - increased customer loyalty - competitive advantage - lower insurance premiums

Answer 61

Costs are usually easier to measure - primary cost element is personnel, including time to perform control procedures - costs of hiring additional employees to achieve affective segregation of duties - costs of programming controls into a computer system

Answer 62

Mathematical product of the potential dollar loss that would occur should a threat become a reality (called IMPACT or EXPOSURE) and the risk or probability that the threat will occur (LIKELIHOOD). Expected Loss = impact x likelihood

Answer 63

The difference between the expected loss w the control procedure(s) and the expected loss without it. Mgmt must consider factors other than those in the expected cost/benefit calculation. eg event threatens organisation's existence, extra cost = catastrophic loss insurance premium.

Answer 64

Cost effective controls should be implemented to reduce risk Risks not reduced must be accepted, shared or avoided Risk can be accepted if it is within the company's risk tolerance range. eg small impact, small likelihood A response to reduce or share risk helps bring residual risk into an acceptable risk tolerance range. A company may choose to avoid the risk, when there is no cost effective way to bring risk into acceptable risk tolerance range.

Answer 65

Policies, procedures & rules that provide reasonable reassurance that control objectives are met & risk responses are carried out.

Answer 66

Responsible for developing a secure & adequate controlled system. Must make sure that: - controls are selected & developed to help reduce risk to acceptable level - appropriate general controls are selected & developed over technology - control activities are implemented and followed as specified in company's policies and procedures.

Answer 67

Information Security Officer & Operations Staff

Answer 68

When placed in the system as it is built, rather than as an afterthought. Therefore managers need to involve systems analysts, designers, and end users when designing computer based control systems.

Answer 69

1. Proper authorisation of transactions and activities 2. Segregation of duties 3. Project development & acquisition controls 4. Change management controls 5. Design & use of documents & records 6. Safeguarding assets, records & data 7. Independent checks on performance

Answer 70

- management lacks the time & resources to supervise each company activity & decision - so establishes policies for employees to follow & empowers them to perform certain organisational functions. - Authorisation is often documented by signing, initialing or entering an authorisation code on a document or record. - Mgmt should have written policies about specific & general authorisation for all types of transactions. - Employees who process transactions should verify the presence of appropriate authorisation. - auditors review transactions to verify proper authorisation, as absence indicates possible control problem.

Answer 71

A means of electronically signing a document w data that cannot be forged.

Answer 72

Special approval an employee needs to be allowed to handle a transaction.

Answer 73

The authorisation given to employees to handle routine transactions without special approval.

Answer 74

Good IC's require that no single employee be given too much responsibility over business transactions or processes. An employee shouldn't be in a position to commit AND conceal fraud. In a system w effective separation of duties, it is difficult for any single employee to embezzle successfully.

Answer 75

Separating the functions of authorisation, custody & recording to minimise an employee's ability to commit fraud. - authorisation - approving transactions & decisions - recording - preparing source documents, entering data into computer systems, maintaining journals, ledges, files or databases - custody - handling cash, tools, inventory or fixed assets, receiving incoming customer checks (payments), writing checks (making payments) If one person performs 2 of these functions or more, problems arise.

Answer 76

Collusion is cooperation between 2 or more people in an effort to thwart internal controls. Detecting fraud where 2 or more people are in collusion to override controls is more difficult, because much easier to commit and conceal the fraud.

Answer 77

Custodial/Recording: Employees could falsify records in order to conceal theft of assets entrusted to them Recording/Authorisation: Employees could falsify records to cover up an inaccurate or false transaction that was inappropriately authorised. Custodial/Authorisation: authorisation of a fictitious or inaccurate transaction as a means of concealing asset thefts.

Answer 78

In an IS, procedures once performed by separate individuals are combined. Any person who has unrestricted access to the computer, its programmes & live data could perpetrate and conceal fraud. Segregation of systems duties is the implementation of control procedures to clearly divide authority and responsibility within the information system function.

Answer 79

Among the following functions: 1. System Administration (System Administrators) 2. Network Management (Network Managers) 3. Security Management (Security Managers) 4. Change Management 5. Users 6. Systems Analysis (System Analysts) 7. Programming (Programmers) 8. Computer Operations (Computer Operators) 9. Information System Library (Info System Librarian) 10. Data Control (Data Control Group) Allowing a person to do 2 or more of these functions exposes company to fraud.

Answer 80

1. System Administration (System Administrators) - all IS components operate smoothly & efficiently

Answer 81

2. Network Management (Network Managers) - devices are linked to the organisation's internal & external networks & networks operate properly

Answer 82

3. Security Management (Security Managers) - systems are secure & protected from internal & external threats

Answer 83

4. Change Management - process of making sure changes are made smoothly & efficiently, don't negatively affect system's reliability, security, confidentiality, integrity, availability.

Answer 84

5. Users - record transactions, authorise data to be processed & use systems output

Answer 85

6. Systems Analysis (System Analysts) - help users determine their info needs, design systems to meet those needs

Answer 86

7. Programming (Programmers) - take the analyst's design & develop, code & test company programmes

Answer 87

8. Computer Operations (Computer Operators) - run the software on the company's computers. Ensure data input properly, processed correctly, needed output is produced.

Answer 88

9. Information System Library (Info System Librarian) - maintains custody of corporation's DB's, files, programmes in a separate storage area called info system library.

Answer 89

10. Data Control (Data Control Group) - source data have been properly approved, monitors the flow of work through the computer. Reconciles input & output, maintains a record of input effors to ensure their correction & resubmission, distributes system output. Allowing a person to do 2 or more of these functions exposes company to fraud.

Answer 90

Important to have a proven methodology to govern the development, acquisition, implementation & maintenance of information systems. Should contain appropriate controls for management approval, user involvement, analysis, design, testing, implementation and conversion.

Answer 91

1. Steering committee 2. Strategic master plan 3. Project development plan 4. Data processing schedule 5. System performance measurements 6. Post implementation review

Answer 92

1. Steering committee - guides & oversees system development & acquisition

Answer 93

2. Strategic master plan - developed & updated yearly to align organisation's info system w it's business strategies. - shows projects that must be completed, addresses company's hardware, software, personnel & infrastructure requirements - a multiple year plan of the projects the company must complete to achieve its long range goals.

Answer 94

3. Project development plan - Shows tasks to be performed, who will perform them, project costs, completion dates & project milestones - project milestones are significant points when progress reviewed & actual & estimate completion times compared. - each project assigned to a mgr and a team who are responsible for its success or failure.

Answer 95

4. Data processing schedule - shows when each data processing task should be performed.

Answer 96

5. System performance measurements - established to evaluate the system. Common measurements include: - throughput (output per unit of time) - utilisation (percentage of time system is used) - response time (how long it takes for system to respond)

Answer 97

6. Post implementation review - performed after a development project is completed to determine if the anticipated benefits were achieved.

Answer 98

Some companies hire a system integrator to manage a systems development effort, involving its own personnel, its client and other vendors. Subject to same overruns, missed deadlines etc. In addition to following the system development controls above they should - develop clear specifications (exact descriptions, system definitions, explicit deadlines, precise acceptance criteria) - monitor the project (companies should establish formal procedures for measuring and reporting a project's status)

Answer 99

Organisations modify existing systems to reflect new business practises & to take advantage of IT advancements. Those in charge should make sure they don't introduce errors & facilitate fraud.

Answer 100

The proper design & use of electronic and paper documents & records help ensure the accurate & complete recording of all relevant transaction data. Their form & content should be as simple as possible, minimise errors & facilitate review & verification. Documents that initiate a transaction should have space for authorisation. Documents that transfer assets need space for receivin g party's signature. Documents should be sequentially pre-numbered so each can be accounted for. An audit trail facilitates tracing individual transactions through the system, correcting errors & verifying system output.

Answer 101

A company must protect its cash & physical assets as well as its info. Employees much greater risk than outsiders. Better able to hide illegal acts, because know system weaknesses better. Employees cause unintentional threats eg deleting data, virus laden emails. Can result in crashed networks, hardware/software malfunctions, corrupt data.

Answer 102

Computer based controls Create & enforce appropriate policies & procedures Maintain accurate records of all assets (periodically reconcile recorded to physical counts) Restrict access to assets (eg inventory, storage, cash reg. lockboxes, safes etc) Protect records & docs (fireproof storage areas, locked filing cabinets, back up files, offsite storage)

Answer 103

Independent checks on performance, done by someone other than the person who performs the original operation, help ensure that transactions are processed accurately.

Answer 104

Top Level Reviews Analytical Reviews Reconciliation of independently maintained records Comparison of actual quantities w recorded amounts Double entry accounting Independent Review

Answer 105

Top Level Reviews - mgmt monitor company results, periodically compare actual performance to: planned performance (budgets, forecasts); prior period performance; competitors performance.

Answer 106

Analytical Reviews - examination of the relationships between different sets of data eg if credit sales increase, so should accounts receivable.

Answer 107

Reconciliation of independently maintained records - records should be reconciled to docs or records w the same balance eg bank reconciliation verifies that company's checking account balances w bank statement balances. Comparing subsidiary ledger totals w general ledger totals.

Answer 108

Comparison of actual quantities w recorded amounts -significant assets are periodically counted & reconciled to company records. eg cash in cash register drawer matches till tape. Inventory physical count matches recorded count.

Answer 109

Double entry accounting - The fact that debits equals credits provides number of opportunities for independent checks. Discrepancies indicate presence of an error.

Answer 110

Independent Review - after a transaction is processed, a second person reviews the work of the first, checking for proper authorisation, reviewing supporting documents, checking accuracy of prices, quantities & extensions

Answer 111

Information & communication systems should capture & exchange the information needed to conduct, manage and control the organisations operations. 3 principles apply to communication & information process: - obtain or generate relevant, high quality information to support internal control - internally communicate the information, incl. objectives and responsibilities, necessary to support the other components of IC. - Communicate relevant IC matters to external parties

Answer 112

The primary purpose of an AIS is to gather, record, store, summarise and communicate information about an organisation. This includes: - understanding how transactions are initiated, data are captured, files are accessed & updated, data are processed, info is reported - understanding of acc. records & procedures, supporting docs and f/s These items = audit trail - which allows transactions to be traced back & forth between their origination and the F/S. AIS should ID & record all valid transactions, properly classify them, record transactions at proper monetary value, record transactions in proper acc. period & properly present transactions & related disclosures in the F/S. Generally consist of several subsystems, each designed to process a particular type of transaction using the same sequence of procedures, called accounting cycles.

Answer 113

A path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin.

Answer 114

The IC system that is selected or developed must be continuously monitored, evaluated and modified as needed. Any deficiencies must be reported to Senior Management & Board of Directors.

Answer 115

- Perform IC evaluations -Implement Effective Supervision (esp. impt when no segregation of duties or responsibility reporting) - Use Responsibility Accounting Systems (budgets, quotas, schedules, std costs, quality stds, compare actual & planned, procedures to investigate variances) - Monitor system activities - track purchased software & mobile devices (comply w copyrights, protect from piracy lawsuits, software audits. Mobile devices = exposure, track how has them, what they do, security features) - conduct periodic audits (external, internal, network security) - employ a computer security officer (CSO) and a chief compliance officer (CCO) (CSO independent of IS function, monitors, disseminates info re improper system uses & consequences) - engage forensic specialists (forensic investigators, computer forensic specialists) - install fraud detection software (neural networks can spot trends) - Implement a fraud hotline

Answer 116

Meet Goals Mitigate risk Address fraud & errors

Answer 117

Purpose (preventive, detective, corrective) Timing (input, process, output) Scope (general, application)

Answer 118

Authentication Controls - identify the person or device attempting access Authorisation Controls - restrict access to authorised users. Training Physical Access controls Remote Access controls - routers, firewalls, intrusion prevention systems to prevent unauthorised access. Encryption - final barrier.

Answer 119

Length of the key Key management policies Nature of the encryption algorithm

Answer 120

Log Analysis - process of examining logs, which record who accesses the system & actions they take Intrusion detection systems (IDS) - automate the monitoring of logs of network traffic permitted to pass the firewall Penetration Testing - involves an authorised attempt by either an internal audit team or external audit team or external security consulting firm to break into the organisation's info systems.

Answer 121

CERT - Computer Emergency Response Team - consisting of technical specialists and senior operations management

Answer 122

Critical Information - sometimes most impt & valuable asset of a business Volume - enormous amounts of data (require substantial resources to design, use & maintain) Distribution - some centralised, others distributed (duplicated). Distribution can make difficult to ensure data accuracy, completeness, security. Irreplaceable Data - unique to the organisation, priceless Need for Accuracy - data must be complete, comprehensive, accurate. Consequences can be substantial (eg remove wrong limb) Privacy - Often contain sensitive info. Protection from unauthorised access. IC procedures to protect DB = critical Internet Uses - DB's are critical components of both internal & external web systems Big Data - such great volume can't be capture, stored, analysed by traditional DBs & hardware. DBs - structured. Big Data - unstructured. - declines in processing & storage costs - big data analysis now possible.

Answer 123

Administration & Supervision, DB development & maintenance Documentation Metadata Importance of Data Integrity Data processing accuracy & completeness Back Up & Security Concurrency controls

Answer 124

Overall supervisor to provide cohesion/direction DB Administrator to supervise design, development, installation of large DB's Maintain, secure, changes Must be skilled & trustworthy

Answer 125

Critical throughout design, development & use. Especially when changes are made. Include documentation on DB structures, contents, security features, ER diagrams, security policies) Data dictionary - critical. Describes data fields in each DB record. Data about data.

Answer 126

Data dictionary (data about data) has a variety of uses - documentation aid for those who develop, correct, enhance DB's or the computer programmes that access it - security purposes - audit trail (b/c id's input sources of data items - what progs/reports use) help trace data paths - useful aid when investigating or documenting IC procedures

Answer 127

Transaction processing = sequence of steps DB system uses to accomplish a specific processing task. - need transaction controls to ensure DB system processes each transaction accurately & completely. - auditable log of transactions. If only partially completed - verifies, reverses, starts again. - ability to audit any particular transaction to ensure processing accuracy and completeness is critical. Processing controls ensure data is processed accurately and include: - file labels (ext and int) - recalculation of batch totals Database processing integrity measures: DB administrators, data dictionaries, concurrent update controls.

Answer 128

Costly to change incorrectly entered information. Simple errors = big mistakes, bad decisions. Edit tests to prevent erroneous entries. Data integrity controls (Data entry controls) - completeness/required field (missed a field) - conformance to data type - valid code (prefix) - reasonableness checks (eg order amount way bigger than normal, or 10 keyboards and 2 screens) - limit check/authorisation control (requires authorisation for an input over a certain amount) - key entry verification (i.e. input key info more than once) -

Answer 129

Need concurrent controls to prevent 2 users accessing the same record at the same time. Locking mechanism One user's transaction complete, before next user can change.

Answer 130

Information in accounting DB critical, irreplaceable - must be protected. Back up procedures - recreate data if originals lost/damaged Protect from unauthorised access - passwords, encryption (especially for laptops) View controls (who can see what, need to know basis).

Answer 131

High Volume - size High Variety - composition High Velocity - speed Low Veracity - reliability Data that is high volume, high velocity and high variety must be processed with advanced tools (analytics and algorithms) to reveal meaningful information. B/c of these characteristics of the data, the knowledge domain that deals with the storage, processing, and analysis of these data sets has been labeled Big Data.

Answer 132

- the SIZE of a data set (the amount of data that is being generated, stored, or processed) - the sheer volume of new data being generated is overwhelming the capacity of institutions to manage it and researchers to make use of it. - if the data set cannot be stored and processed w current DB technologies = HIGH.

Answer 133

- the COMPOSITION of the data set, i.e. of what different types of data is the data set comprised? - the sources its coming from (unstructured - (DB's, ERM), semi structured (xml tagged), structured - big data unstructured) - how we extract it, integrate it and get it ready for analysis major task for acc. today - if the data set is heterogeneous (as opposed to homogenous) = HIGH

Answer 134

- the SPEED with which data is generated and processed. - if the data are captured and processed in real time = HIGH

Answer 135

- the RELIABILITY of the data in the data set for decision making purposes - Big data is messier - not as accurate

Answer 136

Variety - how to integrate all the different sources - there aren't a lot of highly developed systems in audit to do this. One of the tools popular now is Alteryx - a data integration tool - able to pull data from many different sources and organise it into a meaningful data warehouse. Veracity - how reliable the data is. If you cannot rely on the data, it only 20% accurate, should that change the outcome of an audit?

Answer 137

Wave 1: Data Deluge - more and more data being generated. Communication repositories (eg email) Enterprise Systems (eg ERP systems, SAP) Intranet/Extranet logs Internet of things (sensor logs) Social Media Website logs Phones

Answer 138

- Alexa audio log murder trial - Delta's RFID (radio frequency identification) baggage tracking process (almost realtime) $50M investment, but massive savings from lost bag costs, notifications - use of drones in accounting - assessment & monitoring, dronnovation of accounting (drones, mechanical robots, robotic processes) In the realm of bots, automated routine data collection procedures and data analysis applications will converge in a cloud-based, real-time monitoring and auditing system supervised and utilized by accountants, who will be able to focus on more complex and judgmental tasks. Drones - can get in where people can't (access). Robots used in warehousing/inventory - allow data collection. This will allow accountants to focus on those transactions that require nuanced human analysis and not worry about routine high-volume transactions. (CPA JOurnal). This process will comprise three steps—adoption as an extension of the accountant, the augmentation of accounting tasks, and finally, the full automation of accounting. - Heineken ignite - improving operations through data analytics. IoT - internet of things. The company’s New Zealand branch is piloting a new way to engage with customers through Bluetooth Low Energy beacons. They have enabled bar and restaurant management with a smartphone app and content-management software so they can use Heineken LIVE to send out messages, specials and rewards to those within range of their establishment’s beacon.

Answer 139

Companies realise the use of all this data, opportunities with new data sources. Big players start figuring out how to store & process these new data sources & analyse. Second wave - technologies that are able to store & process such massive sets of complex data. Facebook (Hive)- Hive is an open source, peta-byte scale date warehousing framework based on Hadoop that was developed by the Data Infrastructure Team at Facebook. Yahoo (Hadoop) - Hadoop, an open source platform designed to crunch epic amounts of data using an army of dirt-cheap servers. Google (MapReduce) - MapReduce is a programming model and an associated implementation for processing and generating large data sets Yahoo (Apache Pig) - Apache Pig is a high-level platform for creating programs that run on Apache Hadoop. Twitter (Storm)- Storm is a real- time fault-tolerant and distributed stream data processing system.

Answer 140

Target - shopping patterns, pregnant woman marketed (predict pregnancies) Google Search Queries - flu outbreak Rolls Royce - new business model due to engine performance monitoring

Answer 141

Democratisation - Big data tech for everyone. Self Service Business Intelligence Web Scrapers - Web scraping refers to the extraction of data from a website.

Answer 142

Self-Service Business Intelligence Tools 1. Provide extended business intelligence (BI) capabilities 2. Are easy to use Qlik, Spotfire Tableau (visualisation tool) Microsoft Power BI - download, free, get data from endless sources, integrate it, clean it, turn it into a data warehouse, analyse it, visualise it, report it out to users. Complete suite of data analytics tools. Used by audit firms, accounting firms, tax preparation etc

Answer 143

Changed nature of everyone's ability to do data analytics. Used to be only an area the biggest players could play in, now even smallest businesses are doing data analytics. eg butcher, footfall sensor/monitor - unexpected revenue stream from selling hot dogs/burgers to bar crowds.

Answer 144

Cleaning and organising data (60%).

Answer 145

Build training sets 3% Clean & organise data (60%) Collect data sets (19%) Mine data for patterns (9%) Refining algorithms (4%) Other (5%)

Answer 146

UNDERSTAND WHAT DATA IS AVAILABLE & RELEVANT Data Discovery Data Sources EXTRACT, CLEAN & INTEGRATE DATA Data Collection Organised data PREPARE FOR ANALYSIS BY BUILDING POWERFUL INFORMATION MODELS Information Model Building Enriched Data CREATE POWERFUL INTERACTIVE REPORTS Analytics Insights MAKE DECISIONS Problem Solving Solution 70% of the time is spent on the top TWO.

Answer 147

- Right to privacy, people should have meaningful control over data gathered about them. Questions companies should ask re using Big Data - How does the organization use Big Data, and to what extent is it integrated into strategic planning? (how to ensure veracity and quality?) - Does the organization send a privacy notice when personal data are collected? (can users give truly informed consent?) - Does the organization assess the risks linked to the specific type of data the organization uses? (privacy impact assessment, risk of misuse) - Does the organization have safeguards to mitigate these risks? (communication of prevenative measures, data access controls, punish misuse) - Does the organization make sure that the tools to manage these risks are effective and measure outcomes? (audit plays a role) - Does the organization conduct appropriate due diligence when sharing or acquiring data from third parties? (do suppliers uphold same ethical standards?)

Answer 148

- allows review of processes that improve quality and increase efficiency - prospective rather than retrospective - audit remains human activity at its heart - technology will change how auditors conduct activities & raise ethical/moral considerations.

Answer 149

- Increase in volume of data - Changes in business models (disruption creates innovation, can be enabled by tech) - Shift towards automation (auto or elim of manual & routine tasks. Cloud based acc systems, standardisation of processes - data more widely & easily available, easier to manipulate. Human skills still needed for what automation reveals) - Demand for proactive, forward looking approach. (forward looking insights derived from tech like ML, AI, data analytics, blockchain - auditor as the custodian & interpreter).

Answer 150

DLT - Distributed Ledger Technology Data Analytics (most mature) RPA - Robotic Process Automation Drones Technology AI - Artificial Intelligence ML - Machine Learning (not yet embedded) NLP - Natural Language Processing DL - Deep Learning Smart Contracts Blockchain Cloud Technology

Answer 151

Artificial Intelligence - umbrella term for group of technologies that can be combined in different ways - auditors in future will require more emotional intelligence - "intelligence" in AI - combo of processing power & access to data (enables analysis of entire populations of data to ID patterns or exceptions).

Answer 152

Robotic Process Automation - software routines - more like sophisticated macros than genuine AI - software easily programmed by end users to perform highly repeatable, rules based tasks - used commonly when output of one financial process needs to be input into another "swivel chair automation" - can perpetuate inadequate processes - only as good as what you tell it to do.

Answer 153

Data analytics is the science of analyzing raw data to make conclusions about that information (Investopedia) Not new Allows auditors to use 100% of population's transactions when performing tests. Data mining software - drills down. Focusing resources on identifying risks in addition to monitoring business as usual.

Answer 154

Machine Learning - uses statistical analyses to generate predictions or make decisions from the analyses of a large historical data set eg credit scoring, Xero's coding decisions - can achieve high levels of accuracy quickly - can be both forward and backward looking (used for risk management, detection of fraud and inaccuracy - can compare old data sets w new). - usefulness depends on data it learns from - auditors may need to start testing internal algorithms (not just for accuracy but conformation to regulations)

Answer 155

Natural Language Processing - ability of computer to recognise and understand human speech. - allows data to come from other non traditional sources eg phone call recordings, board minutes, social media posts

Answer 156

Deep Learning - subset of ML- more closely mimics human learning through use of artificial neural networks to perform more complex tasks like visual object recognition. (Google's AlphaGo) - means Big Data could potentially supply complementary audit evidence and feed into narrative req.s of audit.

Answer 157

Distributed Ledger Technology - family of tech incl. block chain. - "in a distributed ledger all participants are looking at a common view of the records" - key principle is "immutability" - historical entries can't be changed, only corrected w a balancing entry. - helps test for cut off & occurence - audit cycles could be replaced by more frequent or even continuous real time audit. - Blockchain's potential for transformative analytic capabilities. Easy access to structured data which can then be used to generate advanced analytics & accelerate machine learning.

Answer 158

DLT originated in relation to smart contracts. Self executing - terms written into code which exists in a blockchain network - therefore shares same characteristics. Don't require external enforcement by any kind of authority. Transactions take place without the underlying basis of trust. Can be anonymous. Bitcoin - cryptocurrency = smart contract to transfer value from one person to another.

Answer 159

Cloud system - hosted remotely, accessed remotely by generic devices. Provide high functionality at low price point. Geographically dispersed teams can work on same project in real time Forces organisation to adopt standardised processes Organisations will increasingly be referring to single data source, which updates for everyone, everywhere w no time lags or inconsistencies. Cyber risk, compliance risks. Need to protect critical data.

Answer 160

Focus on value added activities face to face contact imperative importance of human relationship continues - vital. Automation of routine work can make human interaction more meaningful Need to build an ethical dimension into all stages of AI journey Key skills for auditor will be flexibility to adapt to a continually evolving environment. Working with virtual workforce Issue w bringing people up the ranks & developing intuition, judgement, experience, communication skills if entry level jobs automated. Could lead to new intense training environment.

Answer 161

Professional scepticism remains key competency. Communication Skills: - TEQ - technical skills & ethics - IQ - intelligence - CQ - creative - DQ - digital - EQ - emotional - VQ - vision - XQ - experience Enterprise skills: - problem solving - communicate effectively - collaborate - lead - create - innovate

Answer 162

A database object used to view, change and analyse data. Database objects that manipulate and arrange the data stored in a database.

Answer 163

Tables & existing queries

Answer 164

Add fields from their original source table

Answer 165

Adhering to a few simple guidelines can greatly increase a query's level of readability. Query fields should become more specific as you move from L - R (i.e. general labels on the left, more specific on the right). Where ever possible, queries should contain descriptions for ID numbers. eg Item #, Item Description Always include ID numbers for text descriptions. eg don;t just have Item Description, have ID number too. When both are ID # and text description included, they should be placed next to each other. Many times is easier to modify an existing query than it is to create a new query from scratch.

Answer 166

Expression fields are added to queries to perform calculations eg total amount spent on each category of inventory, requires multiplying the price paid for each item, by the quantity of items purchased. Can build expressions based on information from both tables & queries. However much safer to select attributes from their source tables.

Answer 167

An interface that greatly simplifies creating equations or expressions.

Answer 168

1. if the query is used as a source for the attribute is deleted, all related queries will no longer function. 2. queries often restrict the data that is displayed. If you use a query as the source for an attribute, you may not get all the records. 3. simpler to interpret queries that collect information from the source tables. If you create a query that returns strange results, check where the data is being pulled from.

Answer 169

Make sure the : (colon) remains between the title and the expression itself, otherwise you'll get error messages.

Answer 170

Open query in design view Click E totals button, which will add a new row in the query design pane. This new total row is used to designate which fields are to be summed.

Answer 171

When access sums a column, it creates subtotals for each piece of different information included in the query. If you sum a field (eg extended cost field) and no changes occur, it's because of all the unique pieces of info contained in the query. Delete the columns that contain unnecessary information.

Answer 172

1. Identifying data requirements 2. Gathering necessary information from the database 3. Determining which data elements need to be manipulated

Answer 173

The query runs much slower. Can affect the results displayed in datasheet view.

Answer 174

Error messages are often ambiguous and not very helpful. Many errors in Access database applications can remain undetected.

Answer 175

When the expression title colon is accidentally deleted When the expression itself has been incorrectly edited.

Answer 176

Due to incorrect field names. Access provides error messages and prompts for information when incorrect field names are specified in queries. Can see this in datasheet view b/c column will have Expr1 as title & name column is missing.

Answer 177

One of the more dangerous access errors. Although not obvious to the user, including too many tables in a query can affect the results displayed in datasheet view. Best way to guard from this error - make sure unnecessary tables are not included in queries. Safer to start queries w too few tables, add tables only when necessary. Effect of this error (often goes undetected) provides good example of why results of any query, report, program etc should be manually verified.

Answer 178

Including too many tables in a query Omitted relationships.

Answer 179

Doesn't produce warning messages, can go easily undetected. Important to to manually confirm query results. To guard against this type of error, always ensure all of the objects displayed in the table pane are interconnected.

Answer 180

Check the results of your queries by looking at the tables where the data is being retrieved. Ask yourself: does the total quantity that I have calculated make sense based on the underlying data? Carefully look at the relationship view in access and thing about the data fields you absolutely need for your report, to avoid extra tables and the problems they bring.

Answer 181

1. Identifying data requirements 2. Finding where the data is stored 3. Manipulating the data to find the best answer

Answer 182

Design it thoroughly.

Answer 183

What attributes are needed for this query to make sense? eg ID #'s, descriptions, key fields. Where are the required fields stored? Look at REA diagram. Confirm how the required tables are inked using the REA diagram. Which table connects the tables you need? Do we need to manipulate the data in the DB for this report? Subtotals, calculations, averages?

Answer 184

Access returns queries in days, so you have to times the expression by 24 to get hours

Answer 185

Really only need two fields. Whatever you're averaging and whatever you're averaging it by. eg DealerID, Delay time. (could also include Dealer name).

Answer 186

Averages / Differences

Answer 187

Take the relationship away. The relationship links that dealer with that specific referral. When you take the relationship away - you're saying don't find the related dealer to that referral, find every dealer possible and choose the closest one.

Answer 188

When you make a query using two previous queries rather than tables.

ACCTN578 Test 2 Flashcards

(212 cards)