Study Unit 4 Flashcards
(97 cards)
1
Q
Which control framework is widely accepted as the standard for the design and operation of internal control systems and where was it created?
A
- Internal Control - Integrated Framework (COSO)
- US
2
Q
Where was the Guidance on Control (aka CoCo Model) published?
A
-Canada
3
Q
Where was the Internal Control: Revised Guide for Directors on the Combined Code (aka the Turnbull Report) created?
A
-UK
4
Q
Which control framework recommended for sound governance as requiring the CEO and chairperson to be separate individuals?
A
-Internal Control: Revised Guide for Directors on the Combined Code (Turnbull Report)(UK)
5
Q
What is the best-known framework specifically for IT controls and what is the most recent version?
A
- Control Objectives for Information and Related Technology (COBIT)
- COBIT 5
6
Q
What is the name of the alternative control model for IT created by the IIA-Research Foundation?
A
-Electronic Systems Assurance and Control (eSAC)
7
Q
What is the COSO definition of internal control?
A
-It is a process, effected by an entity’s board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
8
Q
What are the three classes of objectives of the COSO framework (hint: “ORC”)?
A
- Effectiveness and Efficiency of Operations
- Reliability of Financial Reporting
- Compliance with Laws and Regulations
9
Q
Which of the three classes of objectives of the COSO framework is a system of internal control more likely to provide “reasonable assurance” over and why?
A
- Reporting and Compliance
- Because Reporting and Compliance objectives are responses to standards established by external parties. Thus achieving these objectives depends on actions almost entirely w/n the entity’s control.
- Whereas operational effectiveness may not be within the entity’s control b/c it is affected by human judgment and many external factors.
10
Q
What are the five components of internal control under COSO (Controls stop “CRIME”)?
A
- Control Environment
- Risk Assessment
- Information and Communication
- Monitoring
- Control Activities
11
Q
What makes up the control environment (COSO)?
A
-It is a set of standards, processes, and structures that pervasively affects the system of internal control.
12
Q
What are the five principles that make up the control environment (COSO)?
A
- Org. demonstrates a commitment to integrity and ethical values.
- Board demonstrates independence from mgmt. and exercises oversight for internal control.
- Mgmt. establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities.
- Org. demonstrates a commitment to attract, develop, and retain competent individuals.
- Org. holds individuals accountable.
13
Q
Risk Assessment (COSO)
A
-This process encompasses an assessment of the risks themselves and the need to manage organizational change. It is a basis for determining how the risk should be managed.
14
Q
What are the four principles that relate to Risk Assessment?
A
- Org. specifies objectives w/ sufficient clarity to enable the identification and assessment of risks relating to (a) operations, (b) external financial/nonfinancial reporting, (c) internal reporting, and (d) compliance.
- Org. identifies risks to the achievement of its objectives across the entity and analyzes risks to determine how the risks should be managed.
- Org. considers the potential for fraud in assessing fraud risks. The org. must consider various types of fraud and assess incentives and pressures, opportunities, and assess attitudes and rationalizations.
- Org. identifies and assesses changes that could significantly affect the system of internal control.
15
Q
Control Activities (COSO)
A
-Policies and procedures help ensure that management directives are carried out. Whether automated or manual they are applied at various levels of the org and stages of processes. They may be preventative or detective, and segregation of duties is usually present.
16
Q
What are the three principles that relate to Control Activities?
A
- Org. selects and develops control activities that contribute to the mitigation of risks and the achievement of objectives to acceptable levels.
- Org. selects and develops general control activities over technology to support the achievement of its objectives.
- Org. deploys control activities through policies that establish what is expected and procedures that put the policies into action.
17
Q
Information and Communication (COSO)
A
-Enables the org. to obtain, generate, use, and communicate info to (1) maintain accountability and (2) measure and review performance.
18
Q
What are three principles that relate to Information and Communication?
A
- Org. obtains or generates and uses relevant, quality information to support the functioning of IC.
- Org. internally communicates information, including objectives and responsibilities for IC, necessary to support the function of IC.
- Org. communicates w/ external parties regarding matters affecting the functioning of IC.
19
Q
Monitoring Activities (COSO)
A
-Because control systems and the way controls are applied change over time, monitoring is the process that assesses the quality of IC performance over time to ensure the controls continue to meet the needs of the org.
20
Q
What are the two principles related to Monitoring Activities?
A
- Org. selects, develops, and performs ongoing or separate evaluations (or both) to determine whether the components of IC are present and functioning.
- Org. evaluates and communicates control deficiencies in a timely manner.
21
Q
Which control framework is thought to be more suited for IA purposes?
A
CoCo model (Guidance on Control)
22
Q
What are the four components of the CoCo Model that 20 criteria are grouped into?
(Pneumonic: “Police Can Catch Many Lawbreakers”)
A
- Purpose
- Commitment
- Capability
- Monitoring and Learning
23
Q
What are the five key principles of COBIT 5?
A
- Meeting Stakeholder Needs
- Covering Enterprise End-to-End
- Applying a Single Integrated Framework
- Enabling a Holistic Approach
- Separating Governance from Management
24
Q
COBIT 5 asserts that _________ _________ is the most basic stakeholder need.
A
-Value Creation
25
According to COBIT 5, what is the most fundamental goal of any enterprise, commercial or not?
-The creation of stakeholder value.
26
According to COBIT 5, what are the three components necessary for value creation?
1. Realization of benefits
2. Optimization (not minimization) of risk
3. Optimal use of resources
27
According to COBIT 5, what are stakeholder drivers?
-They are both internal and external factors that influence stakeholder needs.
28
According to COBIT 5, once stakeholder needs are identified, what needs to be established?
-Enterprise goals
29
COBIT 5 translates the _#_ generic enterprise goals into __ related goals.
-17 and IT
30
According to COBIT 5, ________ are identified that support pursuit of the IT related goals. A _____ is broadly defined as anything that helps achieve objectives.
-enablers
31
True/False: COBIT 5 provides an overarching framework that addresses specific technical issues.
-False: COBIT 5 is an overarching framework that does not address specific technical issues; i.e., its principles can be applied regardless of the particular hardware and software in use.
32
Enabling a Holistic Approach: What are the 7 categories of enablers that support comprehensive IT governance and management?
1. Principles, policies, and frameworks;
2. Processes;
3. Org. structures
4. Culture, ethics, and behavior
5. Information*
6. Service, infrastructure, and applications*
7. People, skills, and competencies*
*-These three enablers are also resources that must be optimized.
33
True/False: Enablers are interconnected because they:
a) Need the input of other enablers to be fully effective and
b) Deliver output for the benefit of other enablers.
True
34
Define Governance vs. Management
- Governance: is the setting of overall objectives and the monitoring of progress towards those objectives
* (COBIT 5 associates the Board w/ governance)
- Management: is the carrying out of activities in pursuit of enterprise goals
* (COBIT 5 associates executive mgmt. under the leadership of the CEO with mgmt.)
35
Within the Governance practice, what are the three practice that must be addressed?
-Evaluate, direct, and monitor.
36
Within the Management practice, what are the four responsibility areas that must be addressed?
-Plan, build, run, and monitor.
37
True/False: In the eSAC model, the entity's internal processes accepts inputs and produce outputs.
-True
38
What are the four inputs of the eSAC model?
-Mission, values, strategies, and objectives.
39
What are the three outputs of the eSAC model?
-Results, reputation, and learning.
40
True/False: The eSAC model's broad control objectives are influenced by the CoCo model.
-False: The eSAC model's broad control objectives are influenced by the COSO model.
41
What are eSAC's five IT business assurance objective?
| Pneumonic: A Court Finds People Accountable
- Availability
- Capability
- Functionality
- Protectability
- Accountability
42
What two control framework models emphasize soft controls?
-COSO and CoCo
43
True/False: Soft controls should not be distinguished from hard controls, such as compliance with specific policies and procedures imposed upon employees from above.
-False: Soft controls should be distinguished from hard controls.
44
Soft controls have become (more or less) necessary as technology advances have empowered employees.
-Soft controls have become more necessary.
45
What is a Control Self-Assessment used for?
-It is an approach used to audit soft controls. It is the involvement of mgmt. and staff in the assessment of internal controls within their workgroup.
46
Can hard and soft controls be measured? If so, how?
-Yes, hard and soft controls can be associated with particular risks and measured. The vulnerability addressed can be stated as the product of the probability of occurrence and the significant of the occurrence (V = P x S).
47
Enterprise Risk Management - Integrated Framework
-Describes a model that incorporates COSO control framework while extending it to the broader subject of enterprise risk management (ERM).
48
What is ERM based on and what is its emphasis on?
-Based on key concepts applicable to many types of organizations. The emphasis is on (a) the objectives of the specific entity and (b) establishing a means for evaluation the effectiveness of ERM.
49
How does the COSO framework define ERM?
-ERM is a process, effected by an entity's board of directors, mgmt., and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity's objectives.
50
Risk
-the probability that an event will occur and adversely affect the achievement of objectives.
51
Inherent Risk
-risk in the absence of a risk response.
52
Residual Risk
-risk after a risk response.
53
Risk Appetite
-the amount of risk an entity is willing to accept in pursuit of value. It reflects an entity's risk mgmt. philosophy and influences the entity's cultured operating style.
54
Opportunity
-the possibility that an event will positively affect the achievement of objectives.
55
What are the ERM Components
- Internal Environment
- Objective Setting (precedes event identification)
- Event Identification
- Risk Assessment
- Risk Responses (5 Strategies)
- Control Activities
- Identification and Communication
- Monitoring
56
What are the five strategies for Risk Response?
1. Risk Avoidance (ends activity)
2. Risk Retention (accepts risk)
3. Risk Reduction (Lowers risk)
4. Risk Sharing (shares risk)
5. Risk Exploitation (seeks high risk for high return on inv.)
57
Who had the ultimate responsibility for ERM?
-CEO
58
_____ _____ should ensure that sound risk management processes are in place and functioning.
-Senior Management
59
Who determines the entity's risk management philosophy?
-Senior Management
60
What is the Board of Directors responsibility regarding ERM?
- Oversight role
| - It should determine that risk management processes are in place, adequate, and effective
61
What qualities must the directors possess for them to be effective in ERM?
- A majority of the board should be outside directors
- Should have years of experience either in industry or in corporate governance
- Must be willing to challenge mgmt. choices (complacent directors increases the chances of adverse consequences).
62
Larger entities may wish to establish a _____ _______ composed of _____ that also includes _____, the individuals most familiar with the process.
- risk committee
- directors
- management
63
True/False: IA's may be directed by the board to evaluate the effectiveness and contribute to the improvement of risk management processes?
-True
64
The IAs' determination of whether risk management processes are effective is a ______ resulting from the assessment that:
i) Appropriate _____ _____ are selected that align risks and the entity's ____ ____.
ii) Relevant risk information is captured and communicated in a timely manner across the entity.
- judgment
| - risk responses, risk appetite
65
Limitations of ERM arise from the possibility of:
- faulty human judgment
- cost-benefit considerations
- simple errors or mistakes
- collusion
- management override of ERM decisions
66
What is IA's role regarding Risk Management?
-IA must evaluate the effectiveness and contribute to the improvement of risk management processes.
67
True/False: The internal audit activity may gather the information necessary to support their assessment of risk management during multiple engagements.
-True
68
How are risk management processes monitored?
-Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
69
What must the IA activity evaluate regarding risk exposures to the organization?
- IA must evaluate risk exposure relating to the org's governance, operations, and information systems regarding the following:
* Achievement of the org's strategic objectives;
* Reliability and integrity of financial and operational info.
* Effectiveness and Efficiency of operations and prog.
* Safeguarding of assets and
* Compliance w/ laws, regs, policies, procedures, and contracts.
-IA must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
70
What are some ways in which the IA activity can add value with regard to Risk Management?
-Establishing a risk-based audit model and participating in the organization's risk management processes.
71
Risk Management is the key responsibility of ____ and the ____.
-senior management and the board
72
Who directs the IA activity to assist by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of management's risk processes?
-The Board of Directors in their oversight role.
73
True/False: IA's acting in a consulting role can assist the organization in identifying, evaluating, and implementing risk management methodologies and controls to address those risks.
-True
74
In situations where the organization does not have formal risk management processes, what must the CAE do?
-The CAE must formally discuss with mgmt. and the board their obligations to understand, manage, and monitor risks within the organization and the need to satisfy themselves that there are processes operating w/n the organization, even if informal, that provide the appropriate level of visibility into the key risks and how they are being managed and monitored.
75
True/False: The CAE is to obtain an understanding of senior management's and the board's expectations of the IA activity in the organization's risk management process. This understanding is then codified in the charters of the IA activity and the board.
-True
76
True/False: Ultimately it is the role of the CAE to determine the role of IA in the risk management process.
-False: It is the role of senior management and the board.
77
Internal auditors need to obtain _____ and ____ evidence to determine that key objectives of the risk management processes are being met to form an opinion on the adequacy of risk management processes.
-sufficient and appropriate
78
Fraud is....
-any illegal act characterized by deceit, concealment, or violation of trust.
79
True/False: Monetary losses from fraud are significant, but its full cost is measurable.
-False: the full cost of fraud is immeasurable.
80
An organization should have a ____ ____ that includes awareness, prevention,and detection programs. It also should have a _____ _____ assessment process to identify fraud risks.
-fraud program, fraud risk
81
What are the causative factors of fraud? (Fraud Triangle)
- Pressures or incentive: is the need the fraudster is trying to satisfy.
- Opportunity - ability to commit the fraud (org. can influence this factor the most by means of controls and procedures)
- Rationalization - fraudsters justify
82
What is the principle means of preventing fraud?
-Control
83
Who is primarily responsible for establishing and maintaining control?
-Management
84
Who is primarily responsible for preventing fraud by examining and evaluating the adequacy and effectiveness of control?
-IA; however, they are not responsible for designing and implementing fraud prevention controls.
85
True/False: Internal auditors must have expert knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization.
-False: IA's are only required to have "sufficient knowledge". IA's are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
86
What level of care must IA's exercise when considering, among other things, the probability of significant errors, fraud, or noncompliance?
-Due professional care
87
True/False: Internal Auditors must consider the probability of fraud when developing engagement objectives.
-True
88
True/False: A strong ethical culture and setting the correct tone at the top are essential to fraud prevention.
-True
89
What are generally included in fraud risk assessments?
- Identifying and prioritizing fraud risk factors and fraud schemes.
- Mapping existing controls to potential fraud schemes and identifying gaps
- Testing the operating effectiveness of fraud prevention and detection controls
- Documenting and reporting the final risk assessment
90
What is the IA's responsibility for detection of fraud?
-IA is not responsible for the detection of all fraud, but must always be alert to the possibility of fraud.
91
True/False: The IA activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
-True
92
An internal auditor's responsibility for detecting fraud include...
-evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended.
93
Document symptom (fraud indicator)
-any kind of tampering with the accounting records to conceal a fraud (e.g. keeping 2 sets of books or forcing the books to reconcile)
94
Lifestyle symptom (fraud indicator)
-an unexplained rise in an employee's social status or level of material consumption
95
Behavioral symptom (fraud indicator)
-a drastic change in an employee's behavior
96
Analytical Procedures and Fraud
-Analytical procedures are routinely used in many engagements. They may provide an early indication of fraud.
97
Examples of Fraud Indicators (Red Flags)
- Lack of employee rotation
- Inappropriate combination of job duties
- Unclear lines of responsibility and accountability
- Unrealistic sales or production goals
- Employee refuses to take vacation or promotion
- Established controls not applied consistently
- High reported profits when competitors are suffering from an economic downturn
- High turnover among supervisory positions in finance and accounting areas
- Excessive or unjustifiable use of sole-source procurement
- An increase in sales far out of proportion to the increase in cost of goods sold.
