Term
Threat, Exposure, and Likelihood

Definition
threat: any potential adverse occurrence (also called an event)
exposure (impact): the potential dollar loss from a threat
likelihood: the probability that the threat will happen

Term
Inherent limitations of Internal Control Systems

Definition
- they are susceptible to errors and poor decisions
- they can be overridden by management or by collusion of two or more employees

Term
Internal control: definition

Definition
a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Term
Three important functions of internal controls

Definition
- Preventative controls
- Detective controls
- Corrective controls

Term
Preventative controls

Definition
deter problems before they arise

Term
Detective controls

Definition
discover problems that are not prevented

Term
Corrective controls

Definition
identify and correct problems, and correct and recover from the resulting errors

Term
two categories of internal controls

Definition
General controls: make sure an organization's control environment is stable and well managed
Application controls: make sure transactions are processed correctly

Term
four levers of control espoused by Robert Simons, Harvard business professor

Definition
belief system: describes how the company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values
boundary system: helps employees act ethically by setting boundaries on employee behavior
diagnostic control system: measures, monitors, and compares actual company progress to budgets and performance goals
interactive control system: helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions

Term
Foreign Corrupt Practices Act (FCPA)

Definition
passed in 1977 to prevent companies from bribing foreign officials to obtain business

Term
Sarbanes-Oxley Act (SOX)

Definition
passed in 2002 in response to frauds like the one committed by Arthur Andersen. SOX applies to publicly traded companies and their auditors and was designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.

Term
SOX Public Company Accounting Oversight Board (PCAOB)

Definition
provides oversight of the auditing profession

Term
SOX New rules for auditors

Definition
- partners must rotate periodically
- prohibited from performing certain non-audit services

Term
SOX New roles for audit committee

Definition
- be part of the board of directors and be independent
- one member must be a financial expert
- oversees the external auditors

Term
SOX New rules for management

Definition
management must certify that:
- the financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading
- the auditors were told about all material internal control weaknesses and fraud

Term
SOX New internal control requirements

Definition
- management is responsible for establishing and maintaining an adequate internal control system

Term
after SOX was passed, the SEC mandated that management must:

Definition
- Base its evaluation of internal control on a recognized framework
- Disclose all material internal control weaknesses
- Conclude that the company does not have effective internal controls over financial reporting if there are material weaknesses

Term
Control Objectives for Information and Related Technology (COBIT)

Definition
framework that addresses control from three vantage points:
- Business objectives
- IT Resources
- IT Processes

Term
COSO Internal Control Framework (Internal Control - Integrated Framework)

Definition
Committee of Sponsoring Organizations (COSO)
5 interrelated components of COSO's Internal Control Model:
- control environment
- control activities
- risk assessment
- information and communication
- monitoring

Term
Internal environment

Definition
company culture; influences how organizations establish strategies and objectives, structure business activities, and identify, assess, and respond to risk

Term
7 components of an internal environment

Definition
1. Management's philosophy, operating style, and risk appetite
2. The board of directors
3. Commitment to integrity, ethical values, and competence
4. Organizational structure
5. Methods of assigning authority and responsibility
6. Human resources standards
7. External influences

Term
Risk appetite

Definition
the amount of risk one is willing to accept to achieve his/her goals

Term
Inherent and residual risk

Definition
Inherent: risk that exists before any plans are made to control it
Residual: remaining risk after controls are in place to reduce it

Term

Definition
Reduce: implement effective internal control
Accept: do nothing, accept the likelihood of the risk
Share: by insurance, outsourcing, hedging
Avoid: do not engage in the activity that produces the risk

Term
Control Activities: definition and categories

Definition
policies and procedures to provide reasonable assurance that control objectives are met
1. proper authorization of transactions and activities
2. segregation of duties
3. project development and acquisition control
4. change management controls
5. design and use of documents and records
6. safeguarding assets, records, and data
7. independent checks on performance

Term
Segregation of Accounting Duties

Definition
no one employee should be given too much responsibility. Separate authorization, recording, and custody.

Term
5 primary purposes of an AIS

Definition
1. Gather
2. Record
3. Process
4. Summarize
5. Communicate

Term
COBIT Control Objectives for IT

Definition
- strategic alignment: IT is aligned with the business
- value delivery: IT delivers the promised benefits against the strategy
- resource management: optimal investment in and management of IT resources
- risk management: IT risks are managed appropriately
- performance measurement: track and monitor all areas of IT

Term
COBIT: IT activities fall into these four domains:

Definition
1. Plan & Organize IT activities to support the business
2. Acquire & Implement IT resources and strategies
3. Deliver & Support those resources and strategies
4. Monitor & Evaluate IT resources and strategies

Term
policy and procedures manual

Definition
explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties

Term

Definition
guides and oversees systems development and acquisition

Term

Definition
developed and updated yearly to align an organization's information system with its business strategies

Term

Definition
shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones

Term

Definition
shows when each task should be performed

Term
system performance measurements

Definition
established to evaluate the system. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is used), and response time (how long it takes the system to respond).

Term
Post-implementation review

Definition
performed after a development project is completed to determine whether the anticipated benefits were achieved

Term
computer security officer

Definition
person in charge of system security; independent of the information system function, and reports to the chief operating officer or the CEO