Podcast
Questions and Answers
What is referred to as a threat in an accounting information system?
What is referred to as a threat in an accounting information system?
- An unforeseen opportunity for revenue increase
- Any adverse occurrence that can injure the system or organization (correct)
- Any positive occurrence that benefits the system
- A potential source of financial gain
What does the term 'exposure' or 'impact' refer to?
What does the term 'exposure' or 'impact' refer to?
- The effectiveness of existing controls
- The total money spent on implementing controls
- The likelihood of a threat occurring
- The potential dollar loss if a threat becomes a reality (correct)
Which of the following is NOT a primary objective of an accounting information system?
Which of the following is NOT a primary objective of an accounting information system?
- Creating unrestricted revenue streams (correct)
- Controlling the organization to achieve intended objectives
- Taking a proactive approach to eliminating threats
- Detecting and recovering from system threats
What type of control is designed to deter problems from occurring?
What type of control is designed to deter problems from occurring?
Which of the following objectives is associated with safeguarding assets?
Which of the following objectives is associated with safeguarding assets?
Why is it important for management to comply with laws and regulations?
Why is it important for management to comply with laws and regulations?
What is the main focus of detective controls in an internal control system?
What is the main focus of detective controls in an internal control system?
What role does management expect accountants to play concerning system threats?
What role does management expect accountants to play concerning system threats?
What is one of the first steps in monitoring internal controls?
What is one of the first steps in monitoring internal controls?
Which of the following is a method for communicating internal control matters to external parties?
Which of the following is a method for communicating internal control matters to external parties?
How can a company effectively track software and mobile devices?
How can a company effectively track software and mobile devices?
Which action is NOT a part of internal monitoring of controls?
Which action is NOT a part of internal monitoring of controls?
What is the primary purpose of fraud detection software?
What is the primary purpose of fraud detection software?
Which of the following best describes responsibility accounting systems?
Which of the following best describes responsibility accounting systems?
What action should be taken when an employee's laptop containing sensitive information is stolen?
What action should be taken when an employee's laptop containing sensitive information is stolen?
What is a significant risk if a store manager purchases installation of wireless access points without notifying IT?
What is a significant risk if a store manager purchases installation of wireless access points without notifying IT?
What is the primary purpose of the Foreign Corrupt Practices Act (FCPA)?
What is the primary purpose of the Foreign Corrupt Practices Act (FCPA)?
Which act was introduced to enhance the transparency of financial statements?
Which act was introduced to enhance the transparency of financial statements?
Which of the following is NOT a component of the COSO Internal Control – Integrated Framework?
Which of the following is NOT a component of the COSO Internal Control – Integrated Framework?
What is the main focus of the COBIT framework?
What is the main focus of the COBIT framework?
What are the two perspectives of risk assessment?
What are the two perspectives of risk assessment?
What is the correct response if a company decides to buy insurance to handle a risk?
What is the correct response if a company decides to buy insurance to handle a risk?
What role does the Control Environment play in internal controls?
What role does the Control Environment play in internal controls?
Which of the following is a principle of effective information and communication?
Which of the following is a principle of effective information and communication?
Separation of duties is primarily aimed at which of the following?
Separation of duties is primarily aimed at which of the following?
The Sarbanes-Oxley Act punishes executives who do what?
The Sarbanes-Oxley Act punishes executives who do what?
What does the COBIT 2019 framework emphasize regarding governance and management?
What does the COBIT 2019 framework emphasize regarding governance and management?
What type of risk exists before any plans are made to control it?
What type of risk exists before any plans are made to control it?
What is a significant advantage of implementing internal controls?
What is a significant advantage of implementing internal controls?
Which of the following is an example of a control activity?
Which of the following is an example of a control activity?
Flashcards are hidden until you start studying
Study Notes
Control & AIS - Overview
- A threat is any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization.
- Exposure, or impact, refers to the potential dollar loss should a particular threat become a reality.
- Likelihood is the probability that a specific threat will occur.
Primary Objective of an AIS
- The primary objective of an AIS is to control the organization so that it can achieve its intended objectives.
- Management expects accountants to take a proactive approach to eliminating system threats and to detect, correct, and recover from threats when they occur.
Internal Control
- Internal control processes are implemented to achieve the following:
- Safeguard assets
- Maintain sufficient records
- Provide accurate and reliable information
- Prepare financial reports according to established criteria
- Promote and improve operational efficiency
- Encourage adherence to management policies
- Comply with laws and regulations
Functions of Internal Control
- Preventive Controls: Deter problems from occurring.
- Detective Controls: Discover problems that are not prevented.
- Corrective Controls: Identify and correct problems; correct and recover from the problems.
Legislations
- Foreign Corrupt Practices Act (FCPA) (1977): Passed to prevent companies from bribing foreign officials to obtain business and requires all publicly owned corporations to maintain a system of internal accounting controls.
- Sarbanes–Oxley Act (SOX) (2002): Applies to publicly held companies and their auditors to prevent financial statement fraud, make financial reports transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
Control Frameworks
- COBIT: Framework for IT control.
- COSO: Framework for enterprise internal controls (control-based approach).
- COSO-ERM: Expands the COSO framework taking a risk-based approach.
COBIT Framework
- The current framework version is COBIT 2019.
- COBIT 2019 is based on the following principles:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single, integrated framework
- Enabling a holistic approach
- Separating governance from management
Components of COSO Internal Control Integrated Framework
- The COSO Internal Control–Integrated Framework outlines five components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
Control Environment
- The control environment encompasses:
- Management’s philosophy, operating style, and risk appetite
- Commitment to integrity, ethical values, and competence
- Internal control oversight by the Board of Directors
- Organizing structure
- Methods of assigning authority and responsibility
- Human resource standards
Risk Assessment
- Two Perspectives:
- Likelihood: Probability that the event will occur.
- Impact: Estimated potential loss if the event occurs.
- Types of risk:
- Inherent risk: Risk that exists before plans are made to control it.
- Residual risk: Risk that is left over after you control it.
Risk Response
- Reduce/Mitigate: Implement effective internal control.
- Accept: Do nothing; accept the likelihood and impact of the risk.
- Share/Transfer: Buy insurance, outsource, or hedge.
- Avoid: Do not engage in the activity.
Control Activities
- Control activities include:
- Proper authorization of transactions and activities
- Segregation of duties
- Project development and acquisition controls
- Change management controls
- Design and use of documents and records
- Safeguarding assets, records, and data
- Independent checks on performance
Information & Communication
- Three principles apply to the information and communication process:
- Obtain or generate relevant, high-quality information to support internal control.
- Internally communicate information, including objectives and responsibilities, necessary to support the other components of internal control.
- Communicate relevant internal control matters to external parties.
Monitoring
- Monitoring encompasses:
- Performing internal control evaluations (e.g., internal audit)
- Implementing effective supervision
- Using responsibility accounting systems (e.g., budgets)
- Monitoring system activities
- Tracking purchased software and mobile devices
- Conducting periodic audits (e.g., external, internal, network security)
- Employing a computer security officer
- Engaging forensic specialists
- Installing fraud detection software
- Implementing a fraud hotline
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
