Control, Security & Audit Flashcards Preview

ACCA: F1: C: Accounting & Reporting Systems, Controls & Compliance > Control, Security & Audit > Flashcards

Flashcards in Control, Security & Audit Deck (46):
1

An internal control is...

...any action taken by management to enhance the likelihood that established objectives and goals will be achieved

2

The internal control system comprises...

...the control environment and control procedures.
It includes all the policies and procedures adopted by the directors and management of an entity to assist in achieving their objective of ensuring the orderly and efficient conduct of its business, including:
1. Adherence to internal policies
2. Safeguarding of assets
3. Prevention and detection of fraud and error
4. Accuracy and completeness of accounting records
5. The timely preparation of reliable financial information

3

The control environment is...

...the overall context of control; the attitude of directors and managers towards control
...the overall attitude, awareness and actions of directors and management regarding internal controls and their importance in the entity
...management style, corporate culture and values shared by all employees
...the background against which the various other controls operate

4

Control procedures are...

...the detailed controls in place
...policies and procedures in addition to the control environment which are established to achieve the entity's specific objectives

5

Elements of a strong control environment: (6)

1. Clear strategies
2. Culture, code of conduct, HR policies and performance reward systems support objectives, risk management and internal control systems
3. Senior management's commitment to competence, integrity and fostering a climate of trust
4. Clear definition of authority, responsibility and accountability
5. Communication
6. Knowledge, skills and tools to support objectives

6

Controls can be classified in various ways:

1. Administrative & accounting
2. Prevent, detect & correct
3. Discretionary & non-discretionary
4. Voluntary & mandated
5. Manual & automated

7

Classification of controls: Administrative:

Concerned with achieving objectives and implementing policies; relate to channels of communication and reporting responsibilities

8

Classification of controls: Accounting:

Aim to provide accurate accounting records and achieve accountability;
apply to recording transactions and establishing responsibilities for records, transactions and assets

9

Classification of controls: Prevent:

Prevent errors from happening in the first place;
e.g. checking invoices from suppliers against GRNs (goods received notes) before paying

10

Classification of controls: Detect:

Detect errors once they have happened;
e.g. bank reconciliations; physical checks of inventory against inventory records

11

Classification of controls: Correct:

Designed to minimise or negate the effect of errors;
e.g. back-up of computer input

12

Classification of controls: Discretionary:

Subject to human discretion;
e.g. checking a signature on a PO

13

Classification of controls: Non-discretionary:

Provided automatically by the system; cannot be overridden;
e.g. a PIN at an ATM

14

Classification of controls: Voluntary:

Chosen by the organisation to support the management of the business

15

Classification of controls: Mandated:

Required by law; imposed by external authorities

16

Classification of controls: Manual:

Demonstrate a one-to-one relationship between the processing functions and the controls, and the human functions

17

Classification of controls: Automated:

Programmed procedures designed to prevent, detect and correct errors all the way through processing

18

Classification of controls: General:

Used to reduce the risks associated with the computer environment; Relate to the environment in which the application is operated

19

Classification of controls: Application:

Used to reduce the risks associated with the computer environment; Prevent, detect and correct errors

20

Classification of controls: Financial:

Focus on key transaction areas, the emphasis being on safeguarding assets and maintaining proper accounting records and reliable financial information

21

Types of Financial Control Procedures: (8 - 'SPAMSOAP')

1. Segregation of duties
2. Physical
3. Authorisation & approval
4. Management
5. Supervision
6. Organisation
7. Arithmetical and accounting
8. Personnel

22

Internal controls should not be confused with internal checks which are...

...the checks on the day-to-day transactions whereby the work of one person is proved independently or is complementary to the work of another, the object being the prevention or early detection of errors and fraud. Internal checks involve:
- Delegation
- Allocation of authority and the division of work
- Method of recording transactions
- Use of independently ascertained totals

23

Arithmetical internal checks include: (3)

1. A pre-list drawn up before any processing takes place
2. A post-list drawn up during or after processing
3. A control total used for control purposes by comparing to another total that ought to be the same

24

Characteristics of a good internal control system: (11)

1. Clearly defined organisation structure (overall coordination of company activities)
2. Adequate internal checks
3. Acknowledgment of work done (Signatures)
4. Physical security
5. Formal documents acknowledging transfer of goods
6. Pre-review
7. Clearly defined system for authorising transactions
8. Post-review
9. Authorisation, custody and re-ordering procedures (Access to assets limited to authorised personnel)
10. Capable and qualified personnel
11. Internal audit department

25

Internal audit is...

...an independent appraisal activity established within an organisation as a service to it; a control which functions by examining and evaluating the adequacy and effectiveness of other controls; part of the internal control system

26

The need for internal audit will depend on: (7)

1. Scale, diversity and complexity of activities
2. Number of employees
3. Cost-benefit consideration
4. Changes in structure, reporting processes or information systems
5. Changes in key risks
6. Problems with internal control systems
7. Increased number of unexplained or unacceptable events

27

Objectives of Internal Audit: Work may cover the following tasks: (8)

1. Review of accounting and internal control systems
2. Examination of financial and operating information
3. Review of the economy, efficiency and effectiveness of operations
4. Review of compliance
5. Review of safeguarding assets
6. Review of implementation of corporate objectives
7. Identification of significant business & financial risks
8. Special investigations

28

The 2 main features of internal audit:

1. Independence
2. Appraisal (internal auditors do not carry out any organisational work themselves)

29

Accountability: The internal auditor is accountable to the Audit committee for 3 main reasons:

1. Auditor needs access to all parts of the organisation
2. Auditor should be free to comment on management performance
3. Auditor's report may need to be actioned at the highest level

30

External audit is...

...a periodic examination of the books of account and records of an entity carried out by an independent third party to ensure that:
- they have been properly maintained
- they are accurate and comply with established concepts, principles, accounting standards and legal requirements
- they give a true and fair view of the financial state of the entity

31

IT Systems: Security can be divided into a number of aspects: (6)

1. Prevention
2. Detection
3. Deterrence
4. Recovery procedures
5. Correction procedures
6. Threat avoidance

32

Physical access controls: (4)

1. Personnel
2. Door locks
3. Key pad / card entry system
4. Intruder alarms

33

Controls in an information system: (3)

1. Security controls
2. Integrity controls
3. Contingency controls

34

Security controls can be defined as...

...the protection of data from accidental or deliberate threats which might cause unauthorised modification, disclosure or destruction of data, and the protection of the information system from the degradation or non-availability of services

35

Risks to data: (8)

1. Human error
2. Technical error
3. Natural disasters
4. Deliberate actions
5. Commercial espionage
6. Malicious damage
7. Industrial action
8. Malware programs

36

Integrity controls consist of: (2)

1. Data integrity
2. Systems integrity

37

Data integrity is...

...preserved when data is the same as in source documents and has not been accidentally or intentionally altered, destroyed or disclosed

38

Systems integrity is...

...system operation conforming to the design specification despite attempts to make it behave incorrectly

39

Integrity controls include: (5)

1. Input controls:
a. Data verification (Matches source documents)
b. Data validation (Check digits, control totals, hash totals, range checks, limit checks)
2. Processing controls
3. Output controls
4. Back-up controls
5. Archiving

40

Back-up means...

...to make a copy in anticipation of future failure or corruption. A back-up copy is a duplicate kept separately from the main system; only used if the original fails

41

A password is...

...a set of characters which may be allocated to a person, a terminal or a facility which is required to be keyed into the system before further access is permitted

42

An audit trail is...

...a record showing who has accessed a computer system and what operations he or she has performed.

43

A contingency is...

...an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures

44

A disaster recovery plan must provide for: (3)

1. Standby procedures
2. Recovery procedures
3. Personnel management policies

45

Types of audit: (5)

1. Operational audit
2. Systems audit
3. Transactions audit
4. Social audit
5. Management investigations

46

An operational audit may also be known as a(n):

1. Management audit
2. Efficiency audit
3. Value for money audit