Flashcards about cyberattacks, internal controls, COSO framework, and audit procedures to help students review lecture notes and prepare for the exam.
What was the Sony Pictures cyberattack in 2014?
A cyberattack where Sony's computer system was hacked, resulting in data theft, system shutdown, and compromised financial reporting.
What are the three primary objectives of effective internal control?
Reliability of reporting, effectiveness and efficiency of operations, and compliance with laws and regulations.
What are management's and the auditor's responsibilities for internal control?
Management is responsible for maintaining internal control, while the auditor is responsible for evaluating and reporting on internal control.
What are the five components of the COSO internal control framework?
Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
How do general controls and application controls reduce information technology risks?
General controls relate to all parts of the IT function, while application controls apply to processing transactions.
How does outsourcing to a computer service center work?
The client submits input data, the service center processes it for a fee, and then returns the agreed-upon output and the original input.
What are application controls?
Controls typically at the business process level that apply to processing transactions.
What are Application Service Providers (ASPs)?
Third-party entities that manage and supply software applications or software-related services to customers through the Internet.
What are automated controls?
Application controls done by the computer.
What is a chart of accounts?
A listing of all the entity’s accounts that classifies transactions into individual balance sheet and income statement accounts.
What are Cloud Computing Environments?
A computer resource deployment and procurement model that enables an organization to obtain IT resources and applications at an IT service center shared with other organizations from any location via an Internet connection.
What is collusion?
An act of two or more employees who conspire to steal assets or misstate records.
What are control activities?
Policies and procedures that help ensure necessary actions are taken to address risks.
What is the Control Environment?
The actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.
What are COSO Principles?
Represent the fundamental concepts related to each of the five components of internal control; all principles must be functioning for controls to be effective.
What is cybersecurity?
The information technology and internal control processes an organization has in place to protect computers, networks, programs, and data from unauthorized access.
What are Database Management Systems?
Hardware and software systems that allow clients to establish and maintain databases shared by multiple applications.
What are digital signatures?
Electronic certificates that are used to authenticate the validity of individuals and companies conducting business electronically.
What are Encryption Techniques?
Computer programs that change a standard message or data file into one that is coded, then decoded using a decryption program.
What are Enterprise Resource Planning (ERP) Systems?
Systems that integrate numerous aspects of an organization’s activities into one accounting information system.
What are Entity-Level Controls?
Controls that have a pervasive effect on the entity’s system of internal control.
What is a firewall?
A system of hardware and software that monitors and controls the flow of e-commerce communications by channeling all network connections through a control gateway.
What is general authorization?
Companywide policies for the approval of all transactions within stated limits.
What are general controls?
Controls that relate to all parts of the IT function and affect many different software applications.
What are hardware controls?
Controls built into the computer equipment by the manufacturer to detect and report equipment failure.
What are independent checks?
Internal control activities designed for the continuous internal verification of other controls.
What is Information and Communication?
The set of manual and/or computerized procedures that initiate, record, process, and report an entity’s transactions and maintain accountability for the related assets.
What are Input Controls?
Controls designed by an organization to ensure that the information to be processed by the computer is authorized, accurate, and complete.
What is Internal Control?
A process designed to provide reasonable assurance regarding the achievement of management’s objectives in the categories of reliability of reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
What are local area networks (LANs)?
Networks that connect computer equipment, data files, software, and peripheral equipment within a local area, such as a single building or a small cluster of buildings, for intracompany use.
What are manual controls?
Application controls done by people.
What is Monitoring?
Management’s ongoing and periodic assessment of the quality of internal control performance to determine that controls are operating as intended and are modified when needed.
What are Output Controls?
Controls designed to ensure that computer-generated data are valid, accurate, complete, and distributed only to authorized people.
What is parallel testing?
A company’s computer testing approach that involves operating the old and new systems simultaneously.
What is pilot testing?
A company’s computer testing approach that involves implementing a new system in just one part of the organization while maintaining the old system at other locations.
What are Processing Controls?
Controls designed to ensure that data input into the system are accurately and completely processed.
What is Risk Assessment?
Management’s identification and analysis of risks relevant to the preparation of financial statements in accordance with an applicable accounting framework.
What is Separation of Duties?
Separation of custody of assets from accounting, authorization from custody of assets, operational responsibility from record keeping, and IT duties from outside users of IT.
What is a service center?
An organization that provides IT services for companies on an outsourcing basis.
What is specific authorization?
Case-by-case approval of transactions not covered by companywide policies.
Who are those charged with governance?
The person(s) with responsibility for overseeing the strategic direction of the entity and its obligations related to the accountability of the entity, including overseeing the financial reporting and disclosure process.
What are wide area networks (WANs)?
Networks that connect computer equipment, databases, software, and peripheral equipment that reside in many geographic locations.
What is Assessment of Control Risk?
A measure of the auditor’s expectation that internal controls will neither prevent material misstatements from occurring nor detect and correct them if they have occurred.
What is Auditing Through the Computer?
Auditing by testing automated internal controls and account balances electronically because effective general controls exist.
What is a Compensating Control?
A control elsewhere in the system that offsets the absence of a key control.
What is a Control Deficiency?
A deficiency in the design or operation of controls that does not permit company personnel to prevent or detect and correct misstatements on a timely basis.
What is a Control Risk Matrix?
A methodology used to help the auditor assess control risk by matching key internal controls and internal control deficiencies with transaction-related audit objectives.
What is the Embedded Audit Module Approach?
A method of auditing transactions processed by IT whereby the auditor embeds a module in the client’s application software to identify transactions with characteristics that are of interest to the auditor.
What is a Flowchart?
A diagrammatic representation of the client’s documents and records and the sequence in which they are processed.
What is Generalized Audit Software (GAS)?
Computer programs used by auditors that provide data retrieval, data manipulation, and reporting capabilities specifically oriented to the needs of auditors.
What is an Internal Control Questionnaire?
A series of questions about the controls in each audit area used as a means of indicating to the auditor aspects of internal control that may be inadequate.
What are Key Controls?
Controls that are expected to have the greatest effect on meeting audit objectives.
What is a Management Letter?
An optional letter written by the auditor to a client’s management containing the auditor’s recommendations for improving any aspect of the client’s business.
What is a Material Weakness?
Significant deficiency in internal control that results in a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected.
What is a Narrative?
A written description of a client’s internal controls, including the origin, processing, and disposition of documents and records, and the relevant control procedures.
What is Parallel Simulation Testing?
An audit testing approach that involves the auditor’s use of audit software to replicate some part of a client’s application system.
What are procedures to obtain an understanding?
Procedures used by the auditor to gather evidence about the design and implementation of specific controls.
What should auditors do when rolling out a new and untested IT system?
When testing automated systems, going back to source documentation may be required.
What is a Significant Deficiency?
A control deficiency less severe than a material weakness, but important enough to merit attention by those responsible for oversight of the company’s financial reporting.
What is the Test Data Approach?
A method of auditing an IT system that uses the auditor’s test data to determine whether the client’s computer program correctly processes valid and invalid transactions.
What are Tests of Controls?
Audit procedures to test the operating effectiveness of controls in support of reduced assessed control risk.
What is a Walkthrough?
The tracing of selected transactions through the accounting system to determine that controls are in place.
What is the acquisition and payment cycle?
The transaction cycle that includes the acquisition of and payment for goods and services from suppliers outside the organization.
What is the accounts payable master file?
A computer file for maintaining a record for each vendor of individual acquisitions, cash disbursements, acquisition returns and allowances, and vendor balances.
What is the accounts payable trial balance?
A listing of the amount owed to each vendor at a point in time, prepared directly from the accounts payable master file.
What is the acquisitions journal?
A journal or listing generated from the acquisitions transaction file that typically includes information such as vendor name, date, amount, and account classification for each transaction.
What are cutoff tests?
Tests to determine whether transactions recorded a few days before and after the balance sheet date are included in the correct period.
What is a debit memo?
A document indicating a reduction in the amount owed to a vendor because of returned goods or an allowance granted.
What is FOB destination?
Shipping contract in which title to the goods passes to the buyer when the goods are received.
What is FOB origin?
Shipping contract in which the title to the goods passes to the buyer at the time that the goods are shipped.
What is a purchase order?
A document prepared or electronically issued by the purchasing department indicating the description, quantity, and related information for goods and services that the company intends to purchase.
What is a purchase requisition?
Request by an authorized employee to the purchasing department to place an order for inventory and other items used by an entity.
What is a receiving report?
A document prepared by the receiving department at the time tangible goods are received, indicating the description of the goods, the quantity received, the date received, and other relevant data; it is part of the documentation necessary for payment to be made.
What is a vendor's invoice?
A document or record that specifies the details of an acquisition transaction and amount of money owed to the vendor for an acquisition.
What is a vendor's statement?
A statement prepared monthly by the vendor that indicates the customer’s beginning balance, acquisitions, payments, and ending balance.
What is a voucher?
A document used to establish a formal means of recording and controlling acquisitions, primarily by enabling each acquisition transaction to be sequentially numbered.
What are commitments?
Agreements that the entity will hold to a fixed set of conditions, such as the purchase or sale of merchandise at a stated price, at a future date, regardless of what happens to profits or to the economy as a whole.
What is a completing the audit checklist?
A reminder to the auditor of aspects of the audit that may have been overlooked.
What is a contingent liability?
A potential future obligation to an outside party for an unknown amount resulting from activities that have already taken place.
What is a dual-dated audit report?
The use of one audit report date for normal subsequent events and a later date for one or more subsequent events that come to the auditor’s attention after the date of the audit report.
What is engagement quality review?
A review of the financial statements and the entire set of audit files by a completely independent reviewer to whom the audit team must justify the evidence accumulated and the conclusions reached, also referred to as ‘independent review’.
What is a financial statement disclosure checklist?
A questionnaire that reminds the auditor of disclosure problems commonly encountered in audits and that facilitates final review of the entire audit by an independent partner.
What is an inquiry of the client's attorneys?
A letter from the client requesting that legal counsel inform the auditor of pending litigation or any other information involving legal counsel that is relevant to financial statement disclosure.
What is a letter of representation?
A written communication from the client to the auditor formalizing statements that the client has made about matters pertinent to the audit.
What is a management letter?
An optional letter written by the auditor to a client’s management containing the auditor’s recommendations for improving any aspect of the client’s business.
What is other information included in annual reports?
Information that is not a part of the financial statements but is published with them; auditors must read this information for inconsistencies with the financial statements.
What is a review for subsequent events?
The auditing procedures performed by auditors to identify and evaluate subsequent events, also known as a post-balance-sheet review.
What is a review of audit documentation?
A review of the completed audit files by another member of the audit firm to ensure quality and counteract bias.
What is a subsequent discovery of facts?
Auditor discovery that the financial statements are materially misstated, or that the opinion on internal controls over financial reporting may not have been appropriate after they have been issued.
What are subsequent events?
Transactions and other pertinent events that occurred after the balance sheet date that affect the fair presentation or disclosure of the statements being audited.
What is an unadjusted misstatement audit schedule?
A summary of immaterial misstatements not adjusted at the time they were found, used to help the auditor assess whether the combined amount is material, also known as a summary of possible misstatements.
What is an unasserted claim?
A potential legal claim against a client where the condition for a claim exists but no claim has been filed.