Internal Audit
Perform formal risk assessments when creating an audit plan
External Audit
Assess audit risks when creating audit plans
Controls
Specific procedures to assess and prevent risk
Risk
The likelihood of an unfavorable event occurring
Formal Risk Assessment
Identify, categorize, and prioritize individual risks so the company can use its understanding of risk in strategic planning. The goal is the optimal level of risk taking, in the middle of the scale: neither too much risk nor too little.
Business Function Level
A high-level business area or department that performs business processes to achieve company goals
Portfolio View
Examines risk at the entity level
Profile View
Examines risk at a more granular level, such as an individual business process or event
Risk Statement
Contains two parts, the issue and its possible outcome, presented in "cause" and "effect" order respectively
Internal Risks
Arise from within the company, throughout its operations, in the course of normal business activity
External Risks
These risks originate outside the project but directly affect it, for example legal issues, labor issues, a shift in project priorities, or weather. "Force majeure" risks (earthquakes, tornadoes, floods, civil unrest, and other disasters) call for disaster recovery rather than project management.
External and Internal Risks can be further categorized by:
Six subcategories: Operational, Financial, Reputational, Compliance, Strategic, and Physical
Operational Risk (Internal)
The most important type of risk for an accounting information system (AIS). It occurs during day-to-day business operations and causes breakdowns in business activities. These risks are a priority for an AIS because they result from inadequate or failed procedures within the company.
Financial Risk (Internal)
Arises when money moves from inside the company to outside it; the likelihood that a substantial sum may be lost.
Reputational Risk (Internal)
Occurs when the reputation/good name of a company is damaged.
Compliance Risk (External)
Occurs when a company fails to follow regulation and legislation (for example, Environmental Protection Agency rules) and is subjected to legal penalties, including fines.
Strategic Risk (External)
The inevitable risk that a chosen strategy becomes less effective over time
Physical Risk (External)
Weather, crimes, and physical damage.
Risk Inventory
The list of all identified risks, compiled once they have been categorized.
Risk Severity
The likelihood of risks occurring and their potential impact on the company
Risk Appetite
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid taking on undue risk, the risk appetite must be aligned with company strategy.
Inherent Risk
The natural level of risk in a business process or activity when no risk responses are in place
Residual Risk
The remaining risk after management has implemented risk responses and controls.
Responses to Risks
Accept, Avoid, Mitigate, Transfer/Share
Internal Controls
Processes that specifically mitigate risks to a company's financial information.
Function of a Control
Prevent, Detect, and Correct
Policy and Procedure Documentation
By specifying how employees should execute procedures and clarifying company policies, an organization lowers its risk of error and misconduct
Segregation of Duties
Lessens the risk of error and fraud by ensuring that different employees are responsible for the separate parts of a business activity: authorization, recording, and custody of assets (such as cash)
Detective Controls
Controls designed to discover control problems that were not prevented (cameras, physical inventory counts, reconciling the cash register, etc.)
Corrective Controls
Controls designed to correct problems that have already arisen (insurance, a police report, virus quarantine, etc.)
Management Override
Occurs when internal control activities fail because management itself does not follow policy or procedures. It is the Achilles' heel of fraud prevention; typical examples are store write-offs and price discounts.
Collusion
Two or more people acting in coordination to circumvent internal controls
Time-Based Model of Controls
Measures the residual risk of a technology attack by comparing the time an attack needs to bypass the preventive controls (P) with the company's detective control reaction time (D) and corrective control reaction time (C). The controls are effective when P > D + C, that is, when the attack is detected and corrected before the preventive controls are defeated.
Physical Control
A control not in the computer environment (a lock on a door)
IT General Control or IT Application Control
A control within the computer environment (firewall)
Systems Security
Controls embedded in the company's system specifically target the risk of external, unauthorized users performing malicious activities against company data or systems.
Data Backups
Previous or alternate copies of the system and its data that can be restored or brought online to continue operations in the event of a disaster.
Duplicate Environments
Changes to a system are developed in a duplicate environment, a copy of the software, and are not released to production until they have been reviewed and approved.
Field Check
Characters in a field are of the proper type
Sign Check
Data in a field is appropriate sign (positive/negative)
Limit Check
Tests numerical amount against a fixed value
Range Check
Tests numerical amount against lower and upper limits
Redundant Check
Requires the inclusion of two identifiers in each input record so that an error in one can be caught by comparing it with the other
Size Check
Input data fits into the field
Completeness Check
Verifies that all required data is entered
Validity Check
Compares data from transaction file to that of master file to verify existence
Reasonableness Check
Correctness of logical relationship between two data items
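The edit checks defined above, applied to one purchase-order record. This is an added example and not code from the original page; the field layout, the size and range limits, the single-order limit, and the vendor master file are constructed assumptions used to show each check firing.

```python
"""Added example, not part of the original page: the input edit checks
(field, sign, limit, range, redundant, size, completeness, validity,
reasonableness) applied to a purchase-order record. The field layout,
limits, and vendor master file are constructed for illustration."""

# Constructed vendor master file; validity and redundant-data checks use it.
VENDOR_MASTER = {"V1001": "Acme Supply", "V1002": "Northwind Traders"}

# Constructed field specification: character type, maximum size, allowed range.
FIELD_SPEC = {
    "po_number":   {"type": "digits", "size": 6},
    "vendor_id":   {"type": "alnum",  "size": 5},
    "vendor_name": {"type": "text",   "size": 40},
    "quantity":    {"type": "number", "size": 6,  "min": 1,    "max": 10_000},
    "unit_price":  {"type": "number", "size": 10, "min": 0.01, "max": 50_000.0},
    "total":       {"type": "number", "size": 12},
}
REQUIRED = ("po_number", "vendor_id", "vendor_name", "quantity", "unit_price", "total")
PO_LIMIT = 250_000.0   # limit check: assumed fixed ceiling for a single purchase order


def edit_checks(rec):
    """Run every check on one record; returns a list of (check, field, reason).
    An empty list means the record passed all edit checks."""
    errors = []
    # Completeness check: every required field is present and non-empty
    for f in REQUIRED:
        if rec.get(f) in (None, ""):
            errors.append(("completeness", f, "required field missing"))
    for f, spec in FIELD_SPEC.items():
        v = rec.get(f)
        if v in (None, ""):
            continue  # absence was already reported by the completeness check
        s = str(v)
        # Size check: the value fits into the field
        if len(s) > spec["size"]:
            errors.append(("size", f, f"{len(s)} chars exceeds {spec['size']}"))
        # Field check: characters are of the proper type for the field
        t = spec["type"]
        if t == "digits" and not s.isdigit():
            errors.append(("field", f, "digits only"))
        elif t == "alnum" and not s.isalnum():
            errors.append(("field", f, "letters and digits only"))
        elif t == "number":
            if isinstance(v, bool) or not isinstance(v, (int, float)):
                errors.append(("field", f, "numeric value required"))
                continue
            # Sign check: quantities and amounts on a purchase order must be positive
            if v <= 0:
                errors.append(("sign", f, "must be positive"))
            # Range check: value lies between the lower and upper limits
            if "min" in spec and not spec["min"] <= v <= spec["max"]:
                errors.append(("range", f, f"outside [{spec['min']}, {spec['max']}]"))
    # Limit check: the total is compared against one fixed value
    total = rec.get("total")
    if isinstance(total, (int, float)) and total > PO_LIMIT:
        errors.append(("limit", "total", f"exceeds PO limit {PO_LIMIT}"))
    # Validity check: the vendor exists in the master file
    vid = rec.get("vendor_id")
    if vid and vid not in VENDOR_MASTER:
        errors.append(("validity", "vendor_id", "vendor not in master file"))
    # Redundant data check: the second identifier (name) must agree with the first (ID)
    elif vid and rec.get("vendor_name") and rec["vendor_name"] != VENDOR_MASTER[vid]:
        errors.append(("redundant", "vendor_name", "name does not match vendor_id"))
    # Reasonableness check: logical relationship total == quantity x unit_price
    q, p = rec.get("quantity"), rec.get("unit_price")
    if all(isinstance(x, (int, float)) for x in (q, p, total)):
        if abs(q * p - total) > 0.005:
            errors.append(("reasonableness", "total", "total != quantity x unit_price"))
    return errors


# Constructed records: one clean, one that trips six different checks
GOOD_PO = {"po_number": "004512", "vendor_id": "V1001", "vendor_name": "Acme Supply",
           "quantity": 40, "unit_price": 12.50, "total": 500.00}
BAD_PO = {"po_number": "45A12", "vendor_id": "V1001", "vendor_name": "Acme Supplies",
          "quantity": -40, "unit_price": 12.50, "total": 400_000.00}

if __name__ == "__main__":
    for label, rec in (("good", GOOD_PO), ("bad", BAD_PO)):
        print(label, edit_checks(rec))
```

Each failure is reported with the name of the check that caught it, so the record can be routed to the right correction: a completeness or field error goes back to data entry, while a validity or redundant-data error points at the vendor master file.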
Manual Controls
Require human judgement or physical interaction.
Automatic Controls
Use technology to implement control activities
Continuous Monitoring
Internal auditors, acting as data analysts, use continuous monitoring technology to build detective controls: rules-based programs that monitor the business's data for red flags or risks.
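A rules-based continuous-monitoring routine of the kind described above, run over a constructed sample of accounts-payable events. It is an added example, not code from the original page, and encodes three of the red flags defined elsewhere on this page: a segregation-of-duties breach (one user holding two of authorization, recording, custody), a duplicate payment of the same vendor invoice, and a self-approved write-off above a threshold (management override). The event fields, the transaction reference, and the write-off threshold are assumptions.

```python
"""Added example, not from the original page: rules-based continuous
monitoring over a constructed accounts-payable event log. Field names,
the 'txn' reference that ties a PO, invoice and payment together, and
the write-off threshold are assumptions made for the illustration."""
from collections import defaultdict

WRITEOFF_THRESHOLD = 5000.0  # assumed policy: larger write-offs need an independent approver

# Constructed event log: one dict per AP event, in the order they occurred
EVENTS = [
    {"id": 1, "type": "approve_po",     "txn": "T1", "doc": "PO-1001", "user": "alice", "vendor": "V1001", "amount": 4800.0},
    {"id": 2, "type": "record_invoice", "txn": "T1", "doc": "INV-77",  "user": "bob",   "vendor": "V1001", "amount": 4800.0},
    {"id": 3, "type": "disburse",       "txn": "T1", "doc": "INV-77",  "user": "carol", "vendor": "V1001", "amount": 4800.0},
    # same user records the invoice and disburses the cash: segregation-of-duties red flag
    {"id": 4, "type": "record_invoice", "txn": "T2", "doc": "INV-78",  "user": "dave",  "vendor": "V1002", "amount": 920.0},
    {"id": 5, "type": "disburse",       "txn": "T2", "doc": "INV-78",  "user": "dave",  "vendor": "V1002", "amount": 920.0},
    # the same vendor invoice is paid a second time: duplicate-payment red flag
    {"id": 6, "type": "disburse",       "txn": "T1", "doc": "INV-77",  "user": "carol", "vendor": "V1001", "amount": 4800.0},
    # write-off above the threshold approved by its own requester: management-override red flag
    {"id": 7, "type": "writeoff", "doc": "WO-9",  "user": "mgr_eve", "approver": "mgr_eve", "amount": 15000.0},
    {"id": 8, "type": "writeoff", "doc": "WO-10", "user": "frank",   "approver": "mgr_eve", "amount": 300.0},
]


def rule_segregation_of_duties(events):
    """Flag any user who performed two or more of authorize / record / custody on one transaction."""
    role_of = {"approve_po": "authorize", "record_invoice": "record", "disburse": "custody"}
    by_txn = defaultdict(lambda: defaultdict(set))  # txn -> user -> roles held
    for e in events:
        if e["type"] in role_of:
            by_txn[e["txn"]][e["user"]].add(role_of[e["type"]])
    return [{"rule": "segregation_of_duties", "ref": txn, "user": u, "roles": sorted(roles)}
            for txn, users in by_txn.items() for u, roles in users.items() if len(roles) >= 2]


def rule_duplicate_payment(events):
    """Flag a vendor invoice number that was disbursed more than once."""
    paid = defaultdict(list)  # (vendor, invoice) -> event ids
    for e in events:
        if e["type"] == "disburse":
            paid[(e["vendor"], e["doc"])].append(e["id"])
    return [{"rule": "duplicate_payment", "ref": doc, "vendor": vendor, "events": ids}
            for (vendor, doc), ids in paid.items() if len(ids) > 1]


def rule_management_override(events, threshold=WRITEOFF_THRESHOLD):
    """Flag write-offs above the threshold with no approver or a self-approval."""
    return [{"rule": "management_override", "ref": e["doc"], "user": e["user"], "amount": e["amount"]}
            for e in events
            if e["type"] == "writeoff" and e["amount"] > threshold
            and e.get("approver") in (None, e["user"])]


def run_rules(events):
    """Run every monitoring rule and return the combined list of red flags."""
    return (rule_segregation_of_duties(events)
            + rule_duplicate_payment(events)
            + rule_management_override(events))


if __name__ == "__main__":
    for flag in run_rules(EVENTS):
        print(flag)
```

In production these rules would run on a schedule against the live transaction tables and feed an exception queue; the point of a detective control like this is that it catches what the preventive controls (approval workflow, user roles) let through, including the management-override case where the approver is the requester.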
Business Operations
The 1st line of defense in the internal controls category. Management owns the risks and is responsible for enforcing the mitigating measures that keep identified risks from occurring. This is where financial accountants, tax accountants, systems analysts, and other accounting professionals who are not auditors or compliance officers work.
Risk Management and Compliance
The 2nd line of defense in the internal controls category. In many companies ERM and the compliance operation are combined, while in others they are separate departments. Accountants who specialize in compliance, such as designing and monitoring internal controls, performing risk assessments and responses, or assisting the legal team, work here.
Internal Audit (IA)
The 3rd line of defense in the internal controls category. IA is an independent function of the company that has a unique reporting relationship in an organization. IA is removed from the business process and has no stake in or influence over the outcome of the business processes that they are auditing. IA reports directly to both executive management and to the board of directors. Internal audit provides assurance, insight, and objectivity to a company.
Purchasing Process
Also known as the procurement process; focused on acquiring the resources a business needs in order to operate
Inventory
Is a balance sheet line item that includes all items used in the creation of products. These can be classified as: Raw materials (RM), Work in process (WIP), and Finished Goods (FG).
Source Documents
Provide documenting of a transaction, such as a receipt, bill, or invoice, and may be electronic or paper documents, depending on the sophistication of the system
Purchase Requisition
An internal company document created when an employee formally requests to obtain goods and services from authorized sources
Purchase Order
A document created from an approved purchase requisition; once issued to the vendor it becomes a legally enforceable commitment to purchase.
Packing Slip
A document the supplier delivers along with the order, showing the quantities and descriptions of the items delivered, to the receiving department at the specified warehouse location
Receiving Report
A document that shows the descriptions and quantities of goods received from vendors
Discrepancy Report
Identifies variances between the receiving report and the purchase order
Vendor Invoice
Bill from the vendor that includes the related purchase order number, billing date, description and quantities of goods, the amount due, and payment terms
Three-Way Match
The matching of a purchase order to the related receiving report and vendor invoice
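A three-way match carried out in code, producing the discrepancy report defined above. This is an added example, not code from the original page: the document layouts (a purchase order, two partial receiving reports, and a vendor invoice keyed by line item) and the unit-price tolerance are constructed assumptions.

```python
"""Added example, not from the original page: three-way match of a
purchase order, the receiving reports for it, and the vendor invoice.
Document layouts and the price tolerance are constructed assumptions."""
from collections import defaultdict

PRICE_TOLERANCE = 0.01  # assumed: unit price may differ from the PO by at most one cent

# Constructed source documents for one purchase
PURCHASE_ORDER = {
    "po_number": "004512", "vendor_id": "V1001",
    "lines": {"SKU-A": {"qty": 100, "unit_price": 12.50},
              "SKU-B": {"qty": 20,  "unit_price": 80.00}},
}
RECEIVING_REPORTS = [  # two partial deliveries against the same PO
    {"po_number": "004512", "lines": {"SKU-A": 60, "SKU-B": 20}},
    {"po_number": "004512", "lines": {"SKU-A": 30}},
]
VENDOR_INVOICE = {
    "invoice_number": "INV-77", "po_number": "004512", "vendor_id": "V1001",
    "lines": {"SKU-A": {"qty": 100, "unit_price": 12.50},  # billed 100, only 90 received
              "SKU-B": {"qty": 20,  "unit_price": 82.00},  # price above the PO price
              "SKU-C": {"qty": 5,   "unit_price": 3.00}},  # item not on the PO
}


def three_way_match(po, receipts, invoice, tol=PRICE_TOLERANCE):
    """Compare each invoice line with the purchase order and with the total
    quantity received. Returns (ok, discrepancies); ok is True only when the
    discrepancy list is empty, meaning the invoice can be approved for payment."""
    discrepancies = []
    if invoice["po_number"] != po["po_number"] or invoice["vendor_id"] != po["vendor_id"]:
        discrepancies.append({"line": None, "issue": "invoice references a different PO or vendor"})
        return False, discrepancies
    # Sum the receiving reports into one received quantity per line item
    received = defaultdict(int)
    for rr in receipts:
        if rr["po_number"] == po["po_number"]:
            for sku, qty in rr["lines"].items():
                received[sku] += qty
    for sku, inv in invoice["lines"].items():
        ordered = po["lines"].get(sku)
        if ordered is None:
            discrepancies.append({"line": sku, "issue": "billed item not on purchase order"})
            continue
        if inv["qty"] > ordered["qty"]:
            discrepancies.append({"line": sku, "issue": f"billed {inv['qty']} exceeds ordered {ordered['qty']}"})
        if inv["qty"] > received[sku]:
            discrepancies.append({"line": sku, "issue": f"billed {inv['qty']} exceeds received {received[sku]}"})
        if abs(inv["unit_price"] - ordered["unit_price"]) > tol:
            discrepancies.append({"line": sku, "issue": f"price {inv['unit_price']:.2f} differs from PO {ordered['unit_price']:.2f}"})
    return (not discrepancies), discrepancies


if __name__ == "__main__":
    ok, report = three_way_match(PURCHASE_ORDER, RECEIVING_REPORTS, VENDOR_INVOICE)
    print("approve for payment:", ok)
    for d in report:
        print(d)
```

The match is deliberately one-directional: it asks whether every billed line is supported by the PO and the receipts, which is what protects the company from paying for goods it did not order or did not receive. An unbilled line that was received is not an error here; it will be matched when the vendor invoices it.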
Payment Voucher
An internal document that includes the vendor, amount due, and payment terms.
Remittance Advice
Shows the invoices included in the payment to the vendor
Business-to-Consumer (B2C) Sales
Selling finished goods directly to customers
Business-to-Business (B2B) Sales
Selling finished goods to other businesses, like distributors and retail companies.
Marketing Departments
Are generally responsible for marketing research, advertising, branding, promotional programs, and search engine optimization
Sales Orders
Are source documents that contain order details and are sent as order confirmations to customers.
Bill of Lading
A legal contract that defines responsibility for the goods in transit.
COSO
The five components of the COSO internal control framework: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities
Risk Score
Impact * Likelihood
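The Risk Score formula applied to a whole risk inventory, which also illustrates the Inherent Risk, Residual Risk, Risk Severity and Risk Appetite terms defined earlier on this page. This is an added example, not code from the original page: the 1-5 rating scales, the appetite threshold, and the sample risks (written as cause-and-effect risk statements) are constructed assumptions.

```python
"""Added example, not from the original page: scoring a risk inventory
with Risk Score = Impact x Likelihood, comparing each risk's inherent
score (no responses in place) with its residual score (after the chosen
response), and flagging residual risks that still exceed the company's
risk appetite. The 1-5 scales, the appetite threshold, and the sample
risks are constructed assumptions."""

RISK_APPETITE = 8   # assumed: a residual score above 8 (of a possible 25) needs a further response

# Constructed risk inventory. Ratings are (likelihood, impact) on a 1-5 scale;
# "inherent" assumes no risk response, "residual" is after the listed response.
RISK_INVENTORY = [
    {"id": "R1", "category": "Operational",
     "statement": "Because one AP clerk can record and pay invoices, fictitious vendor payments may go undetected",
     "inherent": (4, 5), "residual": (2, 5), "response": "Mitigate"},
    {"id": "R2", "category": "Compliance",
     "statement": "Because sales-tax rules change yearly, filings may be wrong and fines assessed",
     "inherent": (3, 3), "residual": (1, 3), "response": "Mitigate"},
    {"id": "R3", "category": "Physical",
     "statement": "Because the warehouse sits in a flood plain, inventory may be destroyed",
     "inherent": (2, 5), "residual": (2, 2), "response": "Transfer"},
    {"id": "R4", "category": "Strategic",
     "statement": "Because a competitor is undercutting prices, the premium strategy may lose share",
     "inherent": (3, 4), "residual": (3, 4), "response": "Accept"},
]


def risk_score(likelihood, impact):
    """Risk Score = Impact x Likelihood, the formula given above."""
    return impact * likelihood


def score_inventory(inventory, appetite=RISK_APPETITE):
    """Score every risk, rank by residual then inherent score (highest first),
    and mark whether the residual score sits within the risk appetite."""
    rows = []
    for r in inventory:
        inherent = risk_score(*r["inherent"])
        residual = risk_score(*r["residual"])
        if residual > inherent:
            # A response cannot add risk; this catches a mis-entered rating
            raise ValueError(f"{r['id']}: residual score cannot exceed inherent score")
        rows.append({"id": r["id"], "category": r["category"], "response": r["response"],
                     "inherent": inherent, "residual": residual,
                     "reduction": inherent - residual,
                     "within_appetite": residual <= appetite})
    rows.sort(key=lambda x: (-x["residual"], -x["inherent"], x["id"]))
    return rows


def needs_further_response(inventory, appetite=RISK_APPETITE):
    """IDs of risks whose residual score still exceeds the appetite, highest first."""
    return [row["id"] for row in score_inventory(inventory, appetite) if not row["within_appetite"]]


if __name__ == "__main__":
    for row in score_inventory(RISK_INVENTORY):
        status = "OK" if row["within_appetite"] else "OVER APPETITE"
        print(f"{row['id']} {row['category']:<12} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} {row['response']:<9} {status}")
```

Ranking by residual rather than inherent score is what makes the list useful for an audit plan: R1 has the largest inherent score, but after segregating the AP duties it drops below R4, whose accepted strategic risk is now the one most in need of a second look.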