Control, Security & Audit Flashcards (ACCA F1, Section C: Accounting & Reporting Systems, Controls & Compliance)

Flashcards in Control, Security & Audit Deck (46):

An internal control is...

...any action taken by management to enhance the likelihood that established objectives and goals will be achieved


The internal control system comprises...

...the control environment and control procedures.
It includes all the policies and procedures adopted by the directors and management of an entity to assist in achieving their objective of ensuring the orderly and efficient conduct of its business, including:
1. Adherence to internal policies
2. Safeguarding of assets
3. Prevention and detection of fraud and error
4. Accuracy and completeness of accounting records
5. The timely preparation of reliable financial information


The control environment is...

...the overall context of control; the attitude of directors and managers towards control
...the overall attitude, awareness and actions of directors and management regarding internal controls and their importance in the entity; the management style, corporate culture and values shared by all employees
...the background against which the various other controls operate


Control procedures are...

...the detailed controls in place
...policies and procedures in addition to the control environment which are established to achieve the entity's specific objectives


Elements of a strong control environment: (6)

1. Clear strategies
2. Culture, code of conduct, HR policies and performance reward systems support objectives, risk management and internal control systems
3. Senior management's commitment to competence, integrity and fostering a climate of trust
4. Clear definition of authority, responsibility and accountability
5. Communication
6. Knowledge, skills and tools to support objectives


Controls can be classified in various ways:

1. Administrative & accounting
2. Prevent, detect & correct
3. Discretionary & non-discretionary
4. Voluntary & mandated
5. Manual & automated


Classification of controls: Administration:

Concerned with achieving objectives and implementing policies; relate to channels of communication and reporting responsibilities


Classification of controls: Accounting:

Aim to provide accurate accounting records and achieve accountability;
apply to recording transactions and establishing responsibilities for records, transactions and assets


Classification of controls: Prevent:

Prevent errors from happening in the first place;
e.g. checking invoices from suppliers against GRNs (goods received notes) before paying


Classification of controls: Detect:

Detect errors once they have happened;
e.g. bank reconciliations; physical checks of inventory against inventory records


Classification of controls: Correct:

Designed to minimise or negate the effect of errors;
e.g. back-up of computer input


Classification of controls: Discretionary:

Subject to human discretion;
e.g. checking a signature on a PO


Classification of controls: Non-discretionary:

Provided automatically by the system; cannot be overridden;
e.g. a PIN at an ATM


Classification of controls: Voluntary:

Chosen by the organisation to support the management of the business


Classification of controls: Mandated:

Required by law; imposed by external authorities


Classification of controls: Manual:

Demonstrate a one-to-one relationship between the processing functions and the controls, and the human functions


Classification of controls: Automated:

Programmed procedures designed to prevent, detect and correct errors all the way through processing


Classification of controls: General:

Used to reduce the risks associated with the computer environment; relate to the environment in which the application is operated


Classification of controls: Application:

Used to reduce the risks associated with the computer environment; prevent, detect and correct errors


Classification of controls: Financial:

Focus on key transaction area, emphasis being on safeguarding assets and maintenance of proper accounting records and reliable financial information


Types of Financial Control Procedures: (8 - 'SPAMSOAP')

1. Segregation of duties
2. Physical
3. Authorisation & approval
4. Management
5. Supervision
6. Organisation
7. Arithmetical and accounting
8. Personnel


Internal controls should not be confused with internal checks which are...

...the checks on the day-to-day transactions whereby the work of one person is proved independently of, or is complementary to, the work of another, the object being the prevention or early detection of errors and fraud. They cover:
- Allocation of authority and the division of work
- Method of recording transactions
- Use of independently ascertained totals


Arithmetical internal checks include: (3)

1. A pre-list drawn up before any processing takes place
2. A post-list drawn up during or after processing
3. A control total used for control purposes by comparing to another total that ought to be the same


Characteristics of a good internal control system: (11)

1. Clearly defined organisation structure (overall coordination of company activities)
2. Adequate internal checks
3. Acknowledgment of work done (Signatures)
4. Physical security
5. Formal documents acknowledging transfer of goods
6. Pre-review
7. Clearly defined system for authorising transactions
8. Post-review
9. Authorisation, custody and re-ordering procedures (Access to assets limited to authorised personnel)
10. Capable and qualified personnel
11. Internal audit department


Internal audit is...

...an independent appraisal activity established within an organisation as a service to it; a control which functions by examining and evaluating the adequacy and effectiveness of other controls; part of the internal control system


The need for internal audit will depend on: (7)

1. Scale, diversity and complexity of activities
2. Number of employees
3. Cost-benefit consideration
4. Changes in structure, reporting processes or information systems
5. Changes in key risks
6. Problems with internal control systems
7. Increased number of unexplained or unacceptable events


Objectives of Internal Audit: Work may cover the following tasks: (8)

1. Review of accounting and internal control systems
2. Examination of financial and operating information
3. Review of the economy, efficiency and effectiveness of operations
4. Review of compliance
5. Review of safeguarding assets
6. Review of implementation of corporate objectives
7. Identification of significant business & financial risks
8. Special investigations


The 2 main features of internal audit:

1. Independence
2. Appraisal (internal auditors do not carry out any organisational work themselves)


Accountability: The internal auditor is accountable to the audit committee for 3 main reasons:

1. Auditor needs access to all parts of the organisation
2. Auditor should be free to comment on management performance
3. Auditor's report may need to be actioned at the highest level


External audit is...

...a periodic examination of the books of account and records of an entity carried out by an independent third party to ensure that:
- they have been properly maintained
- they are accurate and comply with established concepts, principles, accounting standards and legal requirements
- they give a true and fair view of the financial state of the entity


IT Systems: Security can be divided into a number of aspects: (6)

1. Prevention
2. Detection
3. Deterrence
4. Recovery procedures
5. Correction procedures
6. Threat avoidance


Physical access controls: (4)

1. Personnel
2. Door locks
3. Key pad / card entry system
4. Intruder alarms


Controls in an information system: (3)

1. Security controls
2. Integrity controls
3. Contingency controls


Security controls can be defined as...

...the protection of data from accidental or deliberate threats which might cause unauthorised modification, disclosure or destruction of data and the protection of the information system from the degradation or non-availability of services


Risks to data: (8)

1. Human error
2. Technical error
3. Natural disasters
4. Deliberate actions
5. Commercial espionage
6. Malicious damage
7. Industrial action
8. Malware programs


Integrity controls consist of: (2)

1. Data integrity
2. Systems integrity


Data integrity is...

...preserved when data is the same as in source documents and has not been accidentally or intentionally altered, destroyed or disclosed


Systems integrity is...

...system operation conforming to the design specification despite attempts to make it behave incorrectly


Integrity controls include: (5)

1. Input controls:
a. Data verification (Matches source documents)
b. Data validation (Check digits, control totals, hash totals, range checks, limit checks)
2. Processing controls
3. Output controls
4. Back-up controls
5. Archiving


Back-up means...

...making a copy in anticipation of future failure or corruption. A back-up copy is a duplicate kept separately from the main system; it is only used if the original fails


A password is...

...a set of characters which may be allocated to a person, a terminal or a facility which is required to be keyed into the system before further access is permitted


An audit trail is...

...a record showing who has accessed a computer system and what operations he or she has performed.


A contingency is...

...an unscheduled interruption of computing services that requires measures outside the day-to-day routine operating procedures


A disaster recovery plan must provide for: (3)

1. Standby procedures
2. Recovery procedures
3. Personnel management policies


Types of audit: (5)

1. Operational audit
2. Systems audit
3. Transactions audit
4. Social audit
5. Management investigations


An operational audit may also be known as a(n):

1. Management audit
2. Efficiency audit
3. Value for money audit