assurance that the following control objectives are achieved
o Safeguard assets: prevent or detect their unauthorized acquisition, use, or disposition.
o Maintain records in sufficient detail or report company assets accurately and fairly.
o Provide accurate and reliable information.
o Encourage adherence to prescribed managerial policies.
o Comply with applicable laws and regulations.
Deter problems before they arise. Examples include hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information. These are superior to detective controls because it is better to stop problems before they happen.
Discover problems that are not prevented. Examples include duplicate checking of calculations and preparing bank reconciliations and monthly trial balances.
Identify and correct problems as well as correct and recover from the resulting errors. Examples include maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.
Make sure an organization's control environment is stable and well managed. Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls.
Make sure transactions are processed correctly. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.
Describes how the company creates value and helps employees understand management's vision.
Helps employees act ethically by setting boundaries on employee behavior.
Diagnostic control system
Measures, monitors, and compares actual company progress to budgets and performance goals.
Interactive control system
Helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions.
Foreign corrupt practices act
Was passed to prevent companies from bribing officials to obtain business.
Passed in 2002, applies to publicly held companies and their auditors and was designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
Public company accounting oversight board PCAOB
Created by SOX to control the auditing profession. This sets and enforces auditing, quality control, ethics, independence, and other auditing standards.
Control objectives for information and related technology COBIT
Consolidates control standards from 36 different sources into a single framework that allows:
1. Management to benchmark security and control practices of IT environments.
2. Users to be assured that adequate IT security and control exist.
3. Auditors to substantiate their internal control opinion and to advise on IT security and control matters.
Committee of sponsoring organizations COSO
Consists of the American accounting association, the American institute of CPAs, the institute of internal auditors, the institute of management accountants, and the financial executives institute.
The first control framework created by COSO. It is widely accepted as the authority on IC and is incorporated into policies, rules, and regulations used to control business activities. COSO's five components are:
A second control framework created by COSO. This is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals. The basic principles are:
1. Companies are formed to create value for their owners.
2. Management must decide how much uncertainty it will accept as it creates value.
3. Uncertainty results in risk, which is the possibility that something positively affects the company’s ability to create or preserve value.
4. Uncertainty results in opportunity, which is the possibility that something positively affects the company’s ability to create or preserve value.
Or company culture, influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.
The amounts of risk companies are willing to accept to achieve their goals.
Is responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors, who report all critical accounting policies and practices to them.
Policy and procedures manual
Explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties. Includes the chart of accounts and is a helpful on-the-job reference for current employees and a useful tool for training new employees.
Includes talking to references, checking for a criminal record, examining credit records, and verifying education and work experience.
High-level goals that are aligned with the company’s mission, support it, and create shareholder value, are set first.
Deals with the effectiveness and efficiency of company operations and determines how to allocate resources.
Helps to ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.
Help the company comply with all applicable laws and regulations.
COSO defines an event as an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.
Exist before management takes any steps to control the likelihood or impact of the event.
Is what remains after management implements internal controls or some other response to risk.
Impact X likelihood
Are policies and procedures that provide reasonable assurance that control objectives are met and risk responses are
1. Proper authorization of transactions and activities.
2. Segregation of duties.
3. Project development and acquisition controls.
4. Change management controls.
5. Design and use documents and records.
6. Safeguarding assets, records, and data.
7. Independent checks on performance.
When management establishes policies for employees to follow and then empowers them.
A means of signing a document with data that cannot be forged.
Special approval required by management. For example, management having to approve transactions over 10,000.
When management authorizes employees to handle routine transactions.
Segregation of accounting duties
This is achieved when authorization, recording, and custody are all separated.
Collusion occurs when two people in a system of separation of duties work together to embezzle.
Segregation of system duties
In an information system, procedures once performed by components operate smoothly and efficiently.
1. System administrator
2. Network manager
4. Change management system analyst
6. System analysis
make sure all information system components operate smoothly and efficiently.
ensure that devices are linked to the organization's internal and external networks and that those networks operate properly.
makes sure that systems are secure and protected from internal and external threats.
Change management system analyst
is the process of making sure that changes are made smoothly and efficiently and that they do not negatively affect system reliability, security, confidentiality, integrity, and availability.
users record transactions, authorize data to be processed, and use system output.
helps users determine their information needs and design systems to meet those needs.
takes the analysts’ design and creates a system by writing the computer programs.
runs the software on the company’s computers. They ensure that data are input properly, that they are processed correctly, and that output is produced when needed.
Information system library
the information system librarian maintains custody of corporate databases, files, and programs in a separate storage area called the information system library.
Data control group
ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.
Guides and oversees system development and acquisition.
Strategic master plan
Is developed and updated yearly to align an organization’s information system with its business strategies.
Project development plan
Shows the tasks to be performed, who will perform them, project cost, completion cost, and project milestones.
Significant points when progress is reviewed and actual and estimated completion times are compared.
Data processing schedule
Shows when each task should be performed.
System performance measurements
Are established to evaluate the system.
1. Throughput – output per unit of time.
2. Utilization – percentage of time the system is used.
3. Response time – how long it takes the system to respond.
Is performed after a development project is completed to determine whether the anticipated benefits were achieved.
Manages a system development effort involving its own personnel, its clients, and other vendors.
is an examination of the relationships between different sets of data.
the accounting records and procedures, supporting documents, and financial statements, that allows transactions to be traced back and forth between their origination and the financial statements.
Computer security officer CSO
Is in charge of system security, independent of the information system function, and reports to the COO and the CEO.
Chief compliance officer CCO
In charge of making sure that a company is complying with SOX.
Specialize in fraud.
Computer forensics specialist
Discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.
Programs with learning capabilities that can accurately identify fraud.
Fraud hot line
Is an effective way to comply with the law and resolve whistle-blower conflict.
Management can respond to risk in one of four ways: