Palmer AC 389 Exam 1

72 Terms

1

Internal Audit

Perform formal risk assessments when creating an audit plan

2

External Audit

Assess audit risks when creating audit plans

3

Controls

Specific procedures to assess and prevent risk

4

Risk

The likelihood of an unfavorable event occurring

5

Formal Risk Assessment

Identify, categorize, and prioritize individual risks so companies can leverage their understanding of risk in strategic planning. Companies want to be right in the middle where optimal risk taking sits. Not too much, not too little.

6

Business Function Level

A high-level business area or department that performs business processes to achieve company goals

7

Portfolio View

Examines risk at the entity level

8

Profile View

Examines risk at a more granular level of the business event, process, or event

9

Risk Statement

Contains two parts: the issue and the possible outcome. Presented in the format of "cause" and "effect" respectively

10

Internal Risks

Occur throughout a company's operations and arise during normal operations

11

External Risks

These risks are outside of the project, but directly affect it—for example, legal issues, labor issues, a shift in project priorities, or weather. "Force majeure" risks call for disaster recovery rather than project management. These are risks caused by earthquakes, tornadoes, floods, civil unrest, and other disasters.

12

External and Internal Risks can be further categorized by:

Six subcategories: Operational, Financial, Reputational, Compliance, Strategic, and Physical

13

Operational Risk (Internal)

The most important type of risk for an AIS, which occurs during day-to-day business operations and causes breakdowns in business activities. These risks are a priority for an AIS because they result from inadequate or failed procedures within the company.

14

Financial Risk (Internal)

Refers to money transitioning from within to outside of the company and the likelihood that a substantial sum may be lost.

15

Reputational Risk (Internal)

Occurs when the reputation/good name of a company is damaged.

16

Compliance Risk (External)

Occurs when a company fails to follow regulation and legislation and is subjected to legal penalties, including fines. (EPA)

17

Strategic Risk (External)

The inevitable risk that a strategy becomes less effective

18

Physical Risk (External)

Weather, crimes, and physical damage.

19

Risk Inventory

Once all risks have been categorized, this is basically a list of risks.

20

Risk Severity

The likelihood of risks occurring and their potential impact on the company

21

Risk Appetite

The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.

22

Inherent Risk

The natural level of risk in a business process or activity if there are no risk responses in place

23

Residual Risk

The remaining risk after management has implemented risk responses and controls.

24

Responses to Risks

Accept, Avoid, Mitigate, Transfer/Share

25

Internal Controls

Processes that specifically mitigate risks to a company's financial information.

26

Function of a Control

Prevent, Detect, and Correct

27

Policy and Procedure Documentation

By specifying how employees should execute procedures and clarifying company policies, an organization lowers its risk of error and misconduct

28

Segregation of Duties

Lessens the risk of error and fraud by ensuring that different employees are responsible for the separate parts of a business activity (Authorization, Recording Data, and Custody [of money])

29

Detective Controls

Controls designed to discover control problems that were not prevented (cameras, physical inventory counts, reconciling the cash register, etc.)

30

Corrective Controls

Controls designed to correct problems that have arisen (Insurance, police report, virus quarantine, etc)

31

Management Override

Occurs when internal control activities don't work because management is not following policy or procedures. The Achilles Heel of fraud prevention (store writeoffs and price discounts).

32

Collusion

Two or more people acting in coordination to circumvent internal controls

33

Time-Based Model of Controls

Compares the time it takes for a technology attack to bypass preventive controls with the company's detective and corrective control reaction times. It measures the residual risk for technology attacks by comparing the relationship of the three control functions.

34

Physical Control

A control not in the computer environment (a lock on a door)

35

IT General Control or an IT Application Control

A control within the computer environment (firewall)

36

Systems Security

Controls embedded in the company's system specifically target the risk of external, unauthorized users performing malicious activities against company data or systems.

37

Data Backups

Previous/Alternate sets of the system that can be brought online to continue operations in the event of disaster.

38

Duplicate Environments

Changes to systems are not released to the software before they have been reviewed and approved. Instead, changes are created in a duplicated environment (a copy) of the software.

39

Field Check

Characters in a field are of the proper type

40

Sign Check

Data in a field has the appropriate sign (positive/negative)

41

Limit Check

Tests numerical amount against a fixed value

42

Range Check

Tests numerical amount against lower and upper limits

43

Redundant Check

Requires the inclusion of two identifiers in each input record

44

Size Check

Input data fits into the field

45

Completeness Check

Verifies that all required data is entered

46

Validity Check

Compares data from transaction file to that of master file to verify existence

47

Reasonableness Check

Correctness of logical relationship between two data items

48

Manual Controls

Require human judgement or physical interaction.

49

Automatic Controls

Use technology to implement control activities

50

Continuous Monitoring

Internal auditors, who are data analysts, use continuous monitoring technology to create detective controls that use rules-based programming to monitor a business's data for red flags or risks.

51

Business Operations

The 1st line of defense in the internal controls category. Management has the ownership and the responsibility of enforcing mitigating measures to prevent identified risk from occurring. This is where financial accountants, tax accountants, system analysts, and other accounting professionals who are not auditors or compliance officers work.

52

Risk Management and Compliance

The 2nd line of defense in the internal controls category. In many companies, ERM and compliance operations are combined, while in others they might be separate departments. Accountants who specialize in compliance, such as designing and monitoring internal controls, performing risk assessments and responses, or assisting the legal team, work here.

53

Internal Audit (IA)

The 3rd line of defense in the internal controls category. IA is an independent function of the company that has a unique reporting relationship in an organization. IA is removed from the business process and has no stake in or influence over the outcome of the business processes that they are auditing. IA reports directly to both executive management and to the board of directors. Internal audit provides assurance, insight, and objectivity to a company.

54

Purchasing Process

Also known as the procurement process; focused on acquiring the necessary resources for a business to operate

55

Inventory

A balance sheet line item that includes all items used in the creation of products. These can be classified as: Raw Materials (RM), Work in Process (WIP), and Finished Goods (FG).

56

Source Documents

Provide documentation of a transaction, such as a receipt, bill, or invoice, and may be electronic or paper documents, depending on the sophistication of the system

57

Purchase Requisition

An internal company document created when an employee formally requests to obtain goods and services from authorized sources

58

Purchase Order

A document created from the purchase requisition, which evolves into a legally enforceable purchase order.

59

Packing Slip

A document the supplier delivers along with an order to the receiving department at the specified warehouse location, showing quantities and descriptions of items delivered

60

Receiving Report

A document that shows the descriptions and quantities of goods received from vendors

61

Discrepancy Report

Identifying variances between the receiving report and the purchase order

62

Vendor Invoice

Bill from the vendor that includes the related purchase order number, billing date, description and quantities of goods, the amount due, and payment terms

63

Three-Way Match

The matching of a purchase order to the related receiving report and vendor invoice

64

Payment Voucher

An internal document that includes the vendor, amount due, and payment terms.

65

Remittance Advice

Shows the invoices included in the payment to the vendor

66

Business-to-Consumer (B2C) Sales

Selling finished goods directly to customers

67

Business-to-Business (B2B) Sales

Selling finished goods to other businesses, like distributors and retail companies.

68

Marketing Departments

Are generally responsible for marketing research, advertising, branding, promotional programs, and search engine optimization

69

Sales Orders

Are source documents that contain order details and are sent as order confirmations to customers.

70

Bill of Lading

A legal contract that defines responsibility for the goods in transit.

71

COSO

Control Environment, Risk Assessment, Control Activities, and Information & Communication

72

Risk Score

Impact * Likelihood