BEC Flashcards
(35 cards)
What are the 7 cybersecurity framework (CSF) implementation steps?
- Prioritize and scope
- Orient
- Create a current profile
- Conduct a risk assessment
- Create a target profile
- Determine, analyze, and prioritize gaps
- Implement action plan
Upon conclusion of the 7 steps for CSF implementation, the organization should proceed with:
- CSF Action Plan Review and
- CSF Life Cycle Management
What is a Business Intelligence (BI) system?
Business intelligence (BI) is a system that provides immediate information about an organization’s critical success factors.
BI is not a program for providing top-management with advice and answers from a knowledge-based (expert) system.
Identify the 3 ASEC (Assurance Services Executive Committee) criteria for defining a set of data and evaluating its integrity.
- Includes the purpose of the data
- Is complete and accurate
- Identifies any information that has not been included within the set of data or the description but is necessary for understanding each data element and the population.
What are the supporting aspects of the COSO ERM Framework?
- Governance and Culture
- Information, Communication, and Reporting
What are the process components of the ERM Framework?
- Strategy and Objective-setting
- Performance
- Review and Revision
What are the COSO ERM business objectives?
According to COSO ERM Framework, business objectives are:
- Specific
- Measurable or observable
- Obtainable
- Relevant
Limitations of the ERM model?
- Faulty human judgement
- Cost-benefit considerations
- Simple errors or mistakes
- Collusion
- Management override of ERM decisions
How is ERM defined?
ERM is best defined as the culture, capabilities, and practices that organizations rely on to manage risk in creating, preserving, and realizing value.
What are the COSO ERM Governance and Culture principles?
- Exercises board risk oversight
- Establishes operating structures
- Defines desired culture
- Demonstrates commitment to core values
- Attracts, develops, and retains capable individuals
What are the COSO ERM Strategy and Objective-Setting principles?
- Analyzes business context
- Defines risk appetite
- Evaluates alternative strategies
- Formulates business objectives
What are the COSO ERM Performance principles?
- Identifies risk
- Assesses severity of risk
- Prioritizes risk
- Implements risk responses
- Develops portfolio view
What are the COSO ERM Review and Revision principles?
- Assesses substantial change
- Reviews risk and performance
- Pursues improvement in enterprise risk management
What are the COSO ERM Information, Communication, and Reporting principles?
- Leverages information systems
- Communicates risk information
- Reports on risk, culture, and performance
Query order (example)
SELECT * FROM inventory_table WHERE Item = 'Kitchen Faucet';
Query order (general form)
SELECT "Column Name" (more than one column can be selected; list all names separated by commas)
FROM "Table Name"
WHERE "Condition";
What are the 4 main categories of objectives that ERM model is geared toward achieving?
Strategic
Operations
Reporting
Compliance
Limitations of COSO?
- Human judgment can be faulty and subject to bias
- Breakdowns and failures occur as long as humans are involved, even from simple errors
- Management can override internal controls
- Management or other personnel can get around controls through collusion
- There will always be external events that are simply beyond management’s control
- Objectives for controls must be suitable as a precondition to internal control (unrealistic or improbable objectives can be set that internal controls can’t fully address)
Components of COSO?
● Control environment
● Risk assessment
● Information and communication
● Monitoring
● Control activities
Control Environment Principles of COSO?
Control Environment Principles:
● The organization needs to demonstrate a commitment to integrity and ethical values
● The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
● Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in pursuit of the objectives
● The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
● The organization holds individuals accountable for their internal control responsibilities in pursuit of objectives
Risk Assessment Principles of COSO?
Risk Assessment Principles
● The organization specifies objectives with sufficient clarity to enable the identification and assessment of risk relating to objectives
● The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
● The organization considers the potential for fraud in assessing risks to the achievement of objectives
● The organization identifies and assesses changes that could significantly impact the system of internal control
Control Activities Principles of COSO?
Control Activities Principles
● The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
● The organization selects and develops general control activities over technology to support the achievement of objectives
● The organization deploys control activities through policies that establish what is expected and procedures that put policies into action
Information and Communication Principles of COSO?
Information and Communication Principles
● The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
● The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
● The organization communicates with external parties regarding matters affecting the functioning of internal control
Monitoring Activities Principles of COSO?
Monitoring Activities Principles
● The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
● The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
Which non-attest services CANNOT be provided by external auditors?
Auditors are not allowed to touch or help with any part of the financial statements or accounting records, because doing so creates a conflict of interest in the client’s accounting.