code of ethics
A formal expectation on what is considered to be ethical within an organization to promote ethical behavior; considered a form of internal control
What requires companies and their auditors to assess and report on the design and effectiveness of internal controls AND what did it establish?
SOX, PCAOB
Public Company Accounting Oversight Board
provides oversight of public company auditors, sets auditing standards, and oversees the quality controls of public accounting firms
corporate governance
a set of processes and policies in managing an organization with sound ethics to safeguard the interests of stakeholders
Internal controls are…
processes that an organization implements to safeguard assets, provide accurate and reliable information, promote operational efficiency, enforce prescribed managerial policies and comply with applicable laws and regulations
Establishing and maintaining internal controls are ___________'s responsibilities.
management
preventive, detective, corrective
3 types of control
preventive
deter problems before they arise
detective
find problems after they arise
corrective controls
Fix problems that have been identified, such as using backup files to recover corrupted data.
________ pertain to enterprise wide issues such as controls over accessing the network, developing and maintaining applications, and documenting changes of programs.
general controls
application controls
Controls specific to a subsystem or an application to ensure the validity, completeness, and accuracy of the transaction.
This internal control is a process, affected by the organization, to provide reasonable assurance regarding the achievement of: effectiveness/efficiency of operations, reliability of reporting, compliance with applicable laws and regulations
COSO Internal control framework
COSO internal control framework objectives?
operations, reporting, compliance
control environment, risk assessment, control activities, information and communication, monitoring
COSO Internal Control Framework components?
control environment
sets the tone for the organization, influences the control consciousness of employees, and is the foundation for all other components
Control environment factors?
management's philosophy and operating style, integrity and ethical values of employees
risk assessment
management should take steps to identify, properly assess and manage internal and external risks; focuses on likelihood and impact of risks
control activities
specific actions taken to help ensure that management directives are carried out; prevent, detect and correct errors and frauds
information and communication
managers must have access to timely, reliable and relevant information; communication includes report production and distribution
monitoring
management must assess the quality of its internal controls on a continuous basis; ongoing and separate evaluations, reporting any deficiencies
enterprise risk mgmt
a process designed to identify potential events that may affect the entity and to manage those risks
internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring
Components of COSO ERM Framework
likelihood and impact
Risk should be assessed from two perspectives:
reduce risks by applying effective controls, share by outsourcing, avoid by not engaging, accept risk
Options for Risk response
inherent risk
risk related to the nature of the business activity
control risk
threat that errors or irregularities in the transactions will not be prevented, detected, and corrected by the control system
residual risk
risk that remains after management's response to the risk or after controls are put in place to address the risk
separation of duties
division of responsibilities/tasks the purpose of which is to limit the ability of one person to control a transaction from start to finish
authorization, recording, custody
Separation of duties components ?
IT general controls
apply to all applications and ensure they operate properly; enterprise level
IT application controls
steps within the software and related procedures to control processing
input
ensure that data received for processing have been authorized and converted to machine-readable form properly
processing
ensure that data has been processed as intended
output
ensure that only authorized persons receive reports or have access to output files
field, size, range, validity, completeness, reasonableness checks
examples of input controls
prenumbered documents, sequence checks, batch totals, concurrent update controls
examples of processing controls
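As an added example (not part of the original flashcard set), the following Go program implements the input controls from the previous card (completeness, field and size, validity, range and reasonableness checks) and the processing controls from this one (a sequence check over prenumbered documents and batch totals: record count, financial total and hash total). The Invoice record, the six-digit customer ID format, the currency table and the amount limits are all assumptions made for the example; real rules come from the organization's policy.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// Invoice is a constructed transaction record used only for this example.
type Invoice struct {
	DocNo       int    // prenumbered document number
	CustomerID  string // expected to be exactly six digits
	AmountCents int64  // cents, so batch totals need no floating point
	Currency    string
}

// Assumed business rules; real limits come from the organization's policy.
var (
	validCurrencies   = map[string]bool{"USD": true, "EUR": true, "GBP": true}
	customerIDPattern = regexp.MustCompile(`^[0-9]{6}$`)
	maxAmountCents    = int64(100_000_000) // 1,000,000.00 hard limit (range check)
	reviewAmountCents = int64(10_000_000)  // 100,000.00 review threshold (reasonableness check)
)

// InputChecks applies the input controls to one record and names every check that fails.
func InputChecks(inv Invoice) []string {
	var failed []string
	if inv.CustomerID == "" || inv.Currency == "" { // completeness: required fields present
		failed = append(failed, "completeness")
	} else if !customerIDPattern.MatchString(inv.CustomerID) { // field and size: six digits
		failed = append(failed, "field/size")
	}
	if !validCurrencies[inv.Currency] { // validity: lookup against reference data
		failed = append(failed, "validity")
	}
	if inv.AmountCents <= 0 || inv.AmountCents > maxAmountCents { // range
		failed = append(failed, "range")
	} else if inv.AmountCents > reviewAmountCents { // reasonableness: legal but unusual, flag for review
		failed = append(failed, "reasonableness")
	}
	return failed
}

// BatchTotals are control totals the submitter attaches to a batch; recomputing them on receipt proves nothing was lost, added or altered.
type BatchTotals struct {
	RecordCount    int
	FinancialTotal int64 // sum of AmountCents
	HashTotal      int64 // sum of customer IDs as numbers: meaningless, but detects substitution
}

func ComputeTotals(batch []Invoice) BatchTotals {
	var t BatchTotals
	for _, inv := range batch {
		id, _ := strconv.ParseInt(inv.CustomerID, 10, 64) // malformed IDs add 0 and fail InputChecks anyway
		t.RecordCount, t.FinancialTotal, t.HashTotal = t.RecordCount+1, t.FinancialTotal+inv.AmountCents, t.HashTotal+id
	}
	return t
}

// SequenceCheck verifies prenumbered documents are consecutive: gaps mean lost or suppressed documents, duplicates mean double processing (a number seen k times is reported k-1 times).
func SequenceCheck(batch []Invoice) (missing, duplicates []int) {
	nums := make([]int, 0, len(batch))
	for _, inv := range batch {
		nums = append(nums, inv.DocNo)
	}
	sort.Ints(nums)
	for i := 1; i < len(nums); i++ {
		for n := nums[i-1] + 1; n < nums[i]; n++ {
			missing = append(missing, n)
		}
		if nums[i] == nums[i-1] {
			duplicates = append(duplicates, nums[i])
		}
	}
	return missing, duplicates
}

// ProcessingChecks runs the processing controls over a received batch.
func ProcessingChecks(batch []Invoice, submitted BatchTotals) []string {
	var failed []string
	if got := ComputeTotals(batch); got != submitted {
		failed = append(failed, fmt.Sprintf("batch totals mismatch: got %+v, submitted %+v", got, submitted))
	}
	missing, dups := SequenceCheck(batch)
	if len(missing) > 0 {
		failed = append(failed, fmt.Sprintf("sequence gap %v", missing))
	}
	if len(dups) > 0 {
		failed = append(failed, fmt.Sprintf("duplicate document %v", dups))
	}
	return failed
}

func main() {
	// Constructed batch: 1002 has a malformed customer ID and 1003 is missing.
	batch := []Invoice{{1001, "123456", 25000, "USD"}, {1002, "12AB56", 999999, "USD"}, {1004, "654321", 15_000_000, "EUR"}}
	submitted := ComputeTotals(batch) // the totals a submitter would attach before sending
	batch[2].AmountCents += 100        // an alteration in transit that the totals expose
	fmt.Println(InputChecks(batch[1]), ProcessingChecks(batch, submitted))
}
```

The reasonableness check deliberately does not reject the record: the amount is within the permitted range but unusual, so the control flags it for review rather than dropping it. The hash total is the classic processing control for substitution: a sum of a non-financial field that has no business meaning but changes if any record is swapped for another.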
output controls
ensures output is provided only to authorized employees and is used and disposed of properly
COSO ERM
A process, affected by the entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.
governance and culture; strategy and objective-setting; performance; review and revision; information, communication and reporting
What are the components of COSO ERM?
Control Objectives for Information and Related Technology (COBIT)
provides a supporting toolset that bridges the gap among IT control requirements, technical issues and business risks
to protect confidentiality, integrity, availability
What are the main goals of information security and systems integrity?
virus, worm, Trojan horse, spam, spoofing, etc.
What are some examples of information security risks and attacks?
encryption
provides confidentiality and privacy for data transmission and storage
key length, encryption algorithm, key management
What are the main factors for encryption?
symmetric encryption
sender and receiver use the same key; fast and good for large data sets
asymmetric encryption
sender encrypts with the receiver's public key and only the receiver's private key can decrypt; slow, so not good for large data sets, but no secret key has to be shared in advance
authentication
process that establishes the origin of information or determines the identity of a user, process or device
digital signature
a message digest of a document or data file that is encrypted (signed) using the creator's private key, so anyone holding the creator's public key can verify who signed it and that the document is unchanged
data integrity
Maintaining and assuring the accuracy and consistency of data during transmission and at storage.
message digest
A short code, such as one 256 bits long, resulting from hashing a plaintext message using an algorithm
description of system and evaluation of controls
What are the 2 criteria of cybersecurity risk management framework?
fraud
any intentional illegal act characterized by deceit, concealment or violation of trust
incentive, opportunity, rationalization
What is in the fraud triangle ?
physical intrusion, natural disasters, excessive heat, flooding, etc.
Types of vulnerabilities within the physical IT environment?
system intrusion, logical access failure, interruption of a system
Types of vulnerabilities within an information system?
social engineering, unintentional disclosure, intentional destruction
Types of vulnerabilities within the IT processes ?
vulnerability identification assessment
IT asset inventory, threat identification
vulnerability assessment and prioritization
What are the 2 parts of vulnerability risk assessment?
risk response plan, policy and requirements, control implementation
What are examples of vulnerability management remediation?
monitoring, ongoing assessment, continuous improvement
What are vulnerability management maintenance examples?
availability
making sure data is available at all times or at least when needed
System and Organization Controls (SOC)
reports are prepared after an accounting firm/auditor examines an organization's controls; gives assurance that controls are designed and functioning adequately
SOC 1
examines a service organization's internal controls relevant to the user organization's financial reporting; considered an auditor-to-auditor report
SOC 1 Type 1
(1) fairness of the presentation of management's description of the organization's systems and (2) suitability of the design of the controls at a specified date
SOC 1 Type 2
same as Type 1 but covers a specified period and also tests the operating effectiveness of the controls over that period
SOC 2
examines a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy (the Trust Services criteria); considered a restricted-use report for institutional users, not the public
SOC 3
Examines service organizations based on Trust Services criteria; intended for the general public
Disaster Recovery Planning
identifies significant events that may threaten an organization's operations; outlines procedures to ensure that the org will be able to resume operations
key personnel, resources, actions to be carried out
DRP must have a clearly defined and documented plan that covers:
business continuity management
activities required to keep an organization running during a period of interruption of normal operations