Evaluate, Direct, and Monitor (EDM)
is the only IT governance–focused domain in COBIT 2019. This domain states that the board of directors or governing body of an organization must evaluate stakeholder needs and IT strategic options, create direction by prioritizing and making decisions about these options, and monitor these IT strategies for performance, progress, and compliance. The control objectives in this domain include frameworks, resource optimization, and transparency with stakeholders.
Align, Plan, and Organize (APO)
addresses the way IT is used to meet organizational objectives. It includes some control objectives around risk, security, budgets, and innovation.
Build, Acquire, and Implement (BAI)
is where management assesses IT requirements, acquires technology, and implements the technology. In this objective, IT is integrated with business processes. Control objectives cover topics like defining project requirements, addressing change management, and executing projects.
Deliver, Service, and Support (DSS)
relates to the operational side of IT projects, including IT support. IT projects are delivered to end users. The component includes service requests, business process controls, and IT security support among its control objectives.
Monitor, Evaluate, and Assess (MEA)
focuses on existing IT projects and whether they are meeting the organization’s objectives. IT projects are compared to internal performance targets, control objectives, and external regulatory requirements. Some of the control objectives focus on the internal control system, regulatory compliance, and performance.
Time-based model of control
Preventive > [Detective + Corrective] = Effective (P>[D+C])
IT general controls (ITGCs)
A control that applies to the entire operation of a system and its environment. All corporate applications, like emails, web browsers, time-keeping software, benefits management systems, and more, are subject to ITGCs.
application control
A control that only applies to a specific application, including all the business processes and accounts that are linked to it. Application controls in an AIS can be called transaction controls because they relate specifically to accounting transaction processing.
manual control
A control that is executed by people or physical interaction. Manual controls are used when human judgment or physical interaction is required. Manual controls are subject to human error or intentional manipulation and override, which means the control might fail. For this reason, auditors, both internal and external, frequently focus on manual controls during their assessments.
automated control
A control that uses technology to implement control activities and requires no human intervention. Automated controls are often more reliable and consistent than manual controls because they are not susceptible to human error, judgment, or override. Automated controls include embedded IT controls and controls that use other automation technologies, such as robotics, to perform what have traditionally been manual tasks.
Continuous monitoring
Data analytics technology that internal auditors use to create detective controls that use rules-based programming to monitor a business's data for red flags of risk. Continuous monitoring is often programmed to keep tabs on key performance indicators (KPIs) or to look for red flags indicating possible fraud.
What are the stages in the change management process?
Creating changes in the test environment
Evaluating accuracy of changes in the model environment
Implementing changes in the production environment
What are the steps of enterprise risk management (ERM)?
Identify
Categorize
Prioritize
Respond
business function
A high-level business area or department that performs business processes to achieve company goals. More than one business function may be necessary to complete a single business process.
enterprise risk management (ERM)
The comprehensive process of identifying, categorizing, prioritizing, and responding to a company’s risks.
ERM 1st step
identify
ERM 2nd step
categorize
ERM 3rd step
prioritize
ERM 4th step
respond
risk severity
The likelihood of risks occurring and their potential impact on a company.
likelihood
The estimated probability of risk occurrence.
impact
The estimation of the damage that could be caused if a risk occurs. Earlier in this chapter, we started with an issue and defined a possible outcome to form a risk statement.
risk score
Risk score = Likelihood score * Impact score
risk appetite
The amount of risk a company is willing to take on at a particular time
residual risk
The remaining risk posed by a process or an activity once a plan to respond to the risk is in place. It is the risk after implementing a risk response.
manual control
A control that is executed by people or physical interaction. Manual controls are used when human judgment or physical interaction is required. Manual controls are subject to human error or intentional manipulation and override, which means there is an increased risk that a manual control might fail. For this reason, auditors, both internal and external, frequently focus on manual controls during their assessments.
IT general control (ITGC)
A control that applies to the entire operation of a system and its environment. All corporate applications, like email, web browsers, time-keeping software, benefits management systems, and more, are subject to ITGCs.
What are the control functions?
preventive
detective
corrective
What are the control locations?
physical
IT General (ITGC)
IT Application
How are controls implemented?
manual
automated
corruption
The inappropriate use of influence to obtain a benefit contrary to the perpetrator’s responsibility or the rights of other people.
external fraud
Fraud perpetrated by customers, vendors, or other outside parties against a company.
horizontal analysis
This type of analysis involves investigating the changes in financial statement items by comparing two or more financial statements from different periods.
vertical analysis
This type of analysis involves calculating each line item in the same financial statement as a percentage of another line item in the same financial statement. Vertical analysis becomes more insightful when used in conjunction with horizontal analysis. The combination makes it possible to compare the vertical analysis of one reporting period with others.
expense reimbursement scheme
A fraudulent disbursement in which a business reimburses a perpetrator for expenses they never incurred.
First line of defense
The business operations portion of the Institute of Internal Auditors' three lines of defense model. In this line of defense, management has the ownership and the responsibility of enforcing mitigating measures to prevent identified risks from occurring. This line of defense reports only to executive management.
Second line of defense
The risk management and compliance portion of the Institute of Internal Auditors’ three lines of defense model. In this line of defense, the ERM team identifies and assesses organizational risks. This line of defense aids the first line of defense in ensuring that controls are designed to adequately address risk and monitors the controls to ensure that the first line of defense is complying with internal control requirements. This line of defense reports only to executive management.
Third line of defense
The internal audit portion of the Institute of Internal Auditors’ three lines of defense model. The primary objective of internal audit is to test internal controls to provide assurance of their effectiveness to executive management and the board of directors. Internal audit is an independent function of the company that reports both to executive management and to the board of directors.
Phase 1
Limited:
informal process
ad hoc controls
localized efforts
reactive management
reliance on key individuals
Phase 2
Informal:
some defined processes
some defined controls
lack of documentation
primarily manual controls
inconsistencies
reliance on key individuals
Phase 3
Defined:
clearly defined processes
clearly defined controls
formal documentation
mix of manual and automated controls
no reliance on key individuals
Phase 4
Optimized:
enterprise-wide risk management
enterprise-wide control environment
top-down, proactive approach
clearly defined processes
clearly defined controls
formal documentation
clear communication throughout organization
more automated controls than manual controls
internal audit provides strategic value
channel stuffing
A fraud scheme in which the seller encourages the sale of extra inventory to increase the current year's sales, while it is stated or implied that the customer can return the goods after year end, and no reserve is recorded against these expected returns in the current year.
Maturity model
A model that shows how far along a company is on its journey to reach the ideal state by comparing the current state to a predetermined set of best practices. Companies use maturity models to judge their current performance and create a roadmap, or plan, for continuous improvement.