Risk Assessment 3 Flashcards Preview

Flashcards in Risk Assessment 3 Deck (10):
1

What are examples of controls to lower "Control Risk" for assertion level risk?

• Controls over admin access to server(s) for app
• Controls to limit user access to app
• Controls over how changes are authorized, developed and deployed to app

2

What are the 2 levels where RMM exists/resides?

(1) FS level or
(2) Assertion level

- Because RMM exists at 2 levels, the auditor should assess RMM at both levels separately and in aggregate

3

How does an auditor assess "Control Risk" at the assertion level?

- The auditor determines whether the entity has controls (policies) to limit access to all aspects of the app (db, program code and user apps)

4

What does "Financial Statement Level Risks" require?

- "FS level risks" require an overall response, like more supervision of the engagement team or modifying the selection of audit procedures

5

How are "Assertion Level Risks" addressed?

- Assertion level risks are addressed by the nature, timing, and extent of FAP, which may include substantive procedures or a combination of ToCs and substantive procedures

6

What is the "Risk Score" formula?

- Risk Score formula = Probability x Significance
- Higher score = higher risk

7

Describe the 4 response types or tests for an Assessed Level of Risk.
(List from least to most assurance/reliance on test results)

IOIR

(1) Inquiry - Low
(2) Observation - Moderate
(3) Inspection - High
(4) Re-perform/Confirm - High

8

What is a primary factor in prevention and deterrence?

- Increase the Perception of Detection (PoD)

9

What is Perception of Detection (PoD)?

- PoD is the environment that leads potential fraudsters to perceive/believe that if they commit fraud, they will get caught and go to jail
- Potential results cause some potential fraudsters to forgo frauds out of fear

10

What are examples of anti-fraud activities that can increase Perception of Detection (PoD)?

- Surveillance, anonymous tips and complaints system, surprise audits, mandatory vacation/rotation of duties, prosecution of a fraudster who was caught, and background checks
- Some of these are considered "detective measures"; if the entity does them effectively, they can increase PoD because a potential fraudster fears s/he will get caught by a detective activity (surprise audit)
- Early "detection controls" might serve as a "Preventive Control" because they might increase PoD