Accounting information system (AIS)
An information system that performs data collection, transformation, and reporting that is specific to financial data. It captures accounting data created by business events (or activities) that involve an exchange of economic resources.
Basic Business Model
A fundamental model that consists of three primary types of business processes: acquisitions and payments processes; conversion processes; and marketing, sales, and collections processes.
Business Activity
A single step in a business process that takes place during the normal operation of a business; the term is used interchangeably with business event (see below).
Business event
A single business activity in a business process that takes place during the normal operation of a business. Examples of business events include “Sell goods to customer” and “Purchase equipment from vendor.” Business events give rise to accounting transactions if they involve an exchange of economic resources that impacts the accounting equation. Also called a business activity.
Business model
A company’s plan for operations. It identifies the customer base, products, operation plans, and sources of revenue and financing.
Business process
A group of related business events designed to accomplish the strategic objectives of a business.
Data analytics
The process of using technology to transform raw data, or facts, into useful information. Data analytics answers strategic questions beyond historical reporting by transforming data into insights. It can use either raw data from an information system or reports generated by an information system.
Data integrity
The completeness, accuracy, reliability, and consistency of data throughout its life cycle in an information system.
Decision context
The preferences, constraints, and other factors that affect how a decision is made. The decision context helps understand the intended use of information: Who are the users, and why do they need the information?
Direct to consumer business model
A business model that involves selling directly to customers.
Enhancing characteristics
Additional characteristics beyond the fundamental characteristics of relevance and faithful representation that enhance the usefulness of information. There are four of these characteristics: verifiability, timeliness, understandability, and comparability.
Financing event
A business event that helps a company operate by acquiring incoming cash flows to fund operating events.
Franchise business model
A business model in which individuals purchase and run a franchise, such as a franchise of a popular fast food chain (for example, McDonald’s).
Freemium business model
A business model that involves offering free services but charging a fee to access upgraded features (for example, Dropbox).
Fundamental characteristics
The two characteristics that are required to make information useful for decision making, according to the Financial Accounting Standards Board (FASB): relevance and faithful representation.
Information event
A business event that involves an exchange of information and never involves an exchange of economic resources.
information quality
The suitability of information for a particular purpose in a specific task.
Information system
A system that consists of interrelated components including physical hardware like monitors and laptops, the software that users interact with, databases used for storage, networks that send data and information throughout the system, and the people who use and maintain it.
input
In an information system, raw and unorganized data captured by the system.
investing event
A business event that helps a company operate by acquiring or disposing of long-term assets, such as equipment or facilities, that are used in operating events. Together with operating and financing events, investing events make up the three categories of business events.
key performance indicator
A quantifiable metric used to measure and evaluate the success of a company based on its objectives.
operating event
A business event that occurs during the normal operations of a company and directly relates to the company’s creation and provision of a good or service to its customers.
output
In information systems, information that comes from a system in a format that is useful to users.
peer to peer business model
A business model that connects individuals with one another (for example, Airbnb).
process-based information system
An information system that captures all the data of interest generated in a business process, including informational events.
purpose of a business
The goal of making a profit and generating enough cash flow to continue operating. Without the profit motive, a business would not be a business (at least not for very long).
reporting
The process of aggregating data into information on the activities and performance in a company. Reporting provides a strictly descriptive view of what happened and does not seek insights into the context or reasons.
retailer business model
A business model in which a company buys finished goods from manufacturers or wholesalers and resells them to consumers, earning the difference between its purchase price and its selling price.
subscription business model
A business model that involves charging a monthly subscription fee for unlimited access to a service or product (for example, Netflix).
transaction-based AIS
A traditional information system that captures only accounting business events and ignores nonfinancial data and the relationships between business events and business processes.
actual residual risk
The risk that actually remains after a risk is addressed.
business function
A high-level business area or department that performs business processes to achieve company goals. More than one business function may be necessary to complete a single business process.
compliance risk
Risk that occurs when a company fails to follow regulation and legislation and is subjected to legal penalties, including fines.
cyber risk
A type of technology risk that occurs when an external party gains access to a company’s technology assets and performs unauthorized, malicious actions. For example, cyberattacks can cause data breaches or lock a company’s systems and hold them for ransom. Some attackers simply want to prove that they have the skill to carry out an attack successfully.
enterprise risk management
The comprehensive process of identifying, categorizing, prioritizing, and responding to a company’s risks. It involves creating a formal risk assessment and plans for addressing the risks.
external risk
A risk that originates outside the company, such as from economic conditions, competitors, natural disasters, or changes in regulation. Unlike most internal risks, external risks generally cannot be prevented by the company, but their likelihood and impact can be reduced through planning and risk responses.
financial risk
A risk specifically related to money going into and out of a company and the potential loss of a substantial sum. This type of risk is associated with various types of financial transactions, including investments, sales, purchases, and loans.
heat map
A type of risk matrix that uses different colors to represent values of data in a map or diagram format. The different colors in the risk matrix heat map typically represent the priority of a risk based on the risk score; for example, green may indicate a lower priority and red a higher priority.
impact
The estimation of damage that could be caused if a risk occurs. It is equivalent to the outcome in a risk statement.
inherent risk
The natural level of risk in a business process or activity if there are no risk responses in place. It is the risk before implementing a risk response. Inherent risk consists of two parts: likelihood and impact.
internal risk
A risk that occurs throughout a company’s operations and arises during normal operations. Most internal risks are preventable through careful risk identification and management. Note that an internal risk may relate to an external party, such as the company’s reputation with customers.
likelihood
The estimated probability of risk occurrence. Companies use different methods to calculate likelihood, but likelihood is always ranked on a spectrum. In different industries, likelihood is described as “frequency” or “probability”; these terms are synonymous.
operational risk
The most important type of risk for an AIS, which occurs during day-to-day business operations and causes breakdowns in business activities. These risks are a priority for an AIS because they result from inadequate or failed procedures within the company.
physical risk
A threat such as adverse weather, crime, or physical damage. Physical risk is the easiest type of risk to understand, and it is one of the most important types of risk to identify because the impact is usually high. The losses from physical risks range from financial loss to legal actions and reputational loss due to mismanagement of assets.
portfolio view
A view of risk that examines risk at the entity level.
profile view
A view of risk that considers risk at the granular level of a business function, process, or event.
reputational risk
Risk that occurs when the reputation—or good name—of a company is damaged. With reputational risk comes financial loss through a loss of customers and revenue. Reputational risk can be both internal and external in nature. The exact financial loss tied to a reputational risk is hard to quantify, but reputation is so important to a company that in accounting it is considered an intangible asset.
residual risk
The remaining risk posed by a process or an activity once a plan to respond to the risk is in place. It is the risk after implementing a risk response.
risk
The likelihood of an unfavorable event occurring. Risks differ by business type, size, industry, and location.
risk acceptance
A risk response in which an inherent risk is present but the organization chooses not to act. The company chooses to live with the risk.
risk appetite
The amount of risk a company is willing to take on at a particular time.
risk assessment
An assessment that identifies, categorizes, and prioritizes individual risks in a company. After assessing risk, management decides how to manage it.
risk avoidance
A risk response that involves eliminating the risk by completely avoiding the events causing the risk. Rather than accept or reduce risk, companies avoid risk when it is both significant and highly likely to occur.
risk inventory
A listing of all a business’s known risks. A risk inventory is an essential part of approaching risk at the entity level and creating a portfolio view.
risk matrix
A diagram that helps paint a clearer picture of risk by helping users visualize variations in risk scores. Using a risk matrix allows management to plot risk and move prioritization around; it is especially helpful for risks that are scored the same numerically.
risk mitigation
The most commonly used risk response. It involves reducing risk based on careful consideration and calculation. Risk mitigation enables a company to take on risks in order to create a competitive advantage.
risk severity
The likelihood of risks occurring and their potential impact on a company.
risk statement
A statement that summarizes a potential problem that needs to be addressed. It contains two parts: the issue and the possible outcome. The outcome of a risk varies greatly, from delaying the launch of an information system to preventing the success of an entire company.
risk transfer
A risk response that involves shifting a risk to a third party. In other words, a third party assumes the liabilities for the risk. Most often, this is done through a contract, such as an insurance policy.
strategic risk
The inevitable risk that results when a strategy becomes less effective. Companies constantly update their strategies—and change their risks—to stay ahead of the competition. Adopting new technology, overhauling a product design, and changing vendors to avoid high costs of materials are all examples of companies taking proactive measures to avoid strategic risk.
target residual risk
The goal level of residual risk after implementing a risk response.
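The entries above (inherent risk, residual risk, target residual risk, risk matrix, heat map, and risk appetite) fit together as one scoring exercise. The following is an added illustration, not material from the glossary source: it scores a constructed risk register on a 5x5 likelihood-by-impact matrix, buckets scores into heat-map colours, and compares each residual score with both its target and the company's risk appetite. The scale, the colour thresholds, the appetite value, and the register entries are all assumptions.

```python
"""Risk-matrix scoring: inherent vs residual vs target residual risk.

Added illustration, not taken from the glossary source. The 5x5 scale,
heat-map thresholds, risk appetite and register entries are constructed.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # likelihood and impact each ranked 1 (lowest) to 5 (highest)


def score(likelihood: int, impact: int) -> int:
    """Risk score as the product of likelihood and impact."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be ranked 1..5")
    return likelihood * impact


def heat(risk_score: int) -> str:
    """Heat-map colour for a score (the thresholds are an assumption)."""
    if risk_score >= 15:
        return "red"
    if risk_score >= 8:
        return "amber"
    return "green"


@dataclass
class RiskEntry:
    name: str
    response: str    # accept, mitigate, or transfer (avoided risks leave the register)
    inherent: tuple  # (likelihood, impact) with no risk response in place
    residual: tuple  # (likelihood, impact) expected after the response
    target: int      # target residual score the risk owner is aiming for


def assess(register, appetite):
    """Score each entry and rank by residual score, highest first.

    appetite: the maximum residual score the company is willing to carry.
    """
    results = []
    for entry in register:
        if entry.response == "accept" and entry.residual != entry.inherent:
            # Accepting a risk means living with it unchanged; a different
            # residual rating here is a data-entry error in the register.
            raise ValueError(f"{entry.name}: an accepted risk cannot change rating")
        inherent = score(*entry.inherent)
        residual = score(*entry.residual)
        results.append({
            "name": entry.name,
            "response": entry.response,
            "inherent_score": inherent,
            "inherent_heat": heat(inherent),
            "residual_score": residual,
            "residual_heat": heat(residual),
            "meets_target": residual <= entry.target,
            "within_appetite": residual <= appetite,
        })
    return sorted(results, key=lambda r: r["residual_score"], reverse=True)


APPETITE = 8  # constructed: residual scores above 8 must be escalated

REGISTER = [  # constructed entries
    RiskEntry("Fictitious vendor invoice approved and paid", "mitigate", (4, 4), (2, 4), 8),
    RiskEntry("Ransomware encrypts ERP servers", "transfer", (3, 5), (3, 3), 6),
    RiskEntry("Flood damages warehouse stock", "accept", (1, 5), (1, 5), 5),
]

if __name__ == "__main__":
    for r in assess(REGISTER, APPETITE):
        flag = "" if r["within_appetite"] else "  <- exceeds appetite"
        print(f'{r["name"]}: inherent {r["inherent_score"]} ({r["inherent_heat"]}), '
              f'residual {r["residual_score"]} ({r["residual_heat"]}){flag}')
```

Two details matter in practice. Sorting on the residual score, not the inherent score, is what turns the register into a portfolio view that management can act on, since it ranks what is left after the planned responses. And the consistency check on accepted risks catches a common register error: a risk marked "accept" whose residual rating has quietly been lowered as if a response existed.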
technology risk
A specific subset of operational risk that exists when technology failures have the potential to disrupt business. Technology failures include threats, vulnerabilities, and exposures of information.
application
A type of software that allows end users to perform specific functions. Application software may be designed for general use or a specific function. It may also be custom developed for a specific function. Also called application software or an app.
application control
A control that only applies to a specific application, including all the business processes and accounts that are linked to it. Application controls in an AIS can be called transaction controls because they relate specifically to accounting transaction processing.
audit committee
A committee of a company’s board of directors that includes outside committee members with special qualifications in finance or accounting. The audit committee provides objective oversight of a company’s financial reporting, internal controls, and regulatory compliance, and the company’s internal audit department should have a direct line of communication to this committee.
automated control
A control that uses technology to implement control activities and requires no human intervention. Automated controls are often more reliable and consistent than manual controls because they are not susceptible to human error, judgment, or override. Automated controls include embedded IT controls and controls that use other automation technologies, such as robotics, to perform what have traditionally been manual tasks.
collusion
A secretive agreement to deceive others when two or more people work together to circumvent controls. For example, if a control requires one employee to input invoices into the accounts payable system and a different employee to approve payments for the invoices, these two employees could work together (that is, collude) to commit fraud by inputting a fictitious invoice and authorizing the payment to go to a bank account they control.
committee of sponsoring organizations of the treadway commission (COSO)
An organization that is committed to fighting corporate fraud. It is composed of five private organizations that focus on providing guidance to executives and government entities on fraud prevention and response. COSO helps publicly traded companies comply with SOX and the SEC requirement of using an internal control framework.
Control
A mechanism that is part of the internal control process—such as a rule, policy, or procedure—and that is put in place to mitigate risks by providing reasonable assurance that risk is at an acceptable level. Also known as a control activity.
Control component
One of the five components of the COSO Internal Control Framework involved in implementing an effective system of internal control. The control components flow from the top to the bottom of a business, starting with the control environment and ending with monitoring. Control components and their related principles help framework users understand what an effective control is and how to judge whether a control is effectively designed and implemented.
control environment
The first of the COSO Internal Control Framework control components. It is the foundation for other components and includes the attitude of management concerning integrity and ethical behavior. It is the most important component because it sets the overall tone for integrity and ethics for the organization.
control objective
One of the three areas on which the COSO Internal Control Framework focuses to achieve results: operations objectives, reporting objectives, and compliance objectives.
continuous monitoring
Data analytics technology that internal auditors use to create detective controls that use rules-based programming to monitor a business’s data for red flags of risks. Continuous monitoring is often programmed to keep tabs on key performance indicators (KPIs) or to look for red flags indicating possible fraud.
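A worked illustration of the rules-based monitoring described above, added here and not taken from the glossary source. It runs four red-flag rules over a small set of constructed accounts-payable payment records: duplicate payment of one vendor invoice, single payments sitting just under the approval threshold, same-day payments to one vendor that are each under the threshold but exceed it in total, and payments made shortly after a vendor's bank account was changed. The threshold, the detection window, and the records are assumptions; in a real AIS the records would be read from the payment and vendor-master tables.

```python
"""Rules-based continuous monitoring over accounts-payable payments.

Added example, not from the glossary source. The rules, thresholds and
the payment records below are constructed to show how red-flag rules are
expressed and run; real data would come from the AIS's payment tables.
"""
from collections import defaultdict
from datetime import date
from typing import NamedTuple

APPROVAL_THRESHOLD = 10_000.00  # assumption: payments at or above this need a second approver
SPLIT_BAND = 0.90               # flag single payments in the top 10% below the threshold
BANK_CHANGE_WINDOW_DAYS = 14    # flag payments made soon after a vendor bank-account change


class Flag(NamedTuple):
    rule: str
    payment_ids: list
    detail: str


def rule_duplicate_invoice(payments):
    """Same vendor invoice paid more than once: possible duplicate payment."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice_no"])].append(p["payment_id"])
    return [Flag("duplicate_invoice", ids, f"{inv} from {vendor} paid {len(ids)} times")
            for (vendor, inv), ids in groups.items() if len(ids) > 1]


def rule_under_threshold(payments):
    """Amount just below the approval threshold: possible threshold avoidance."""
    return [Flag("under_threshold", [p["payment_id"]],
                 f'{p["amount"]:.2f} is within 10% below {APPROVAL_THRESHOLD:.2f}')
            for p in payments
            if APPROVAL_THRESHOLD * SPLIT_BAND <= p["amount"] < APPROVAL_THRESHOLD]


def rule_split_payment(payments):
    """Several same-day payments to one vendor, each below the threshold but
    above it in total: possible splitting of one invoice to dodge approval."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["paid"])].append(p)
    flags = []
    for (vendor, day), ps in groups.items():
        total = sum(p["amount"] for p in ps)
        if (len(ps) > 1 and all(p["amount"] < APPROVAL_THRESHOLD for p in ps)
                and total >= APPROVAL_THRESHOLD):
            flags.append(Flag("split_payment", [p["payment_id"] for p in ps],
                              f"{vendor} received {total:.2f} across {len(ps)} payments on {day}"))
    return flags


def rule_recent_bank_change(payments):
    """Payment shortly after the vendor's bank details changed: the classic
    pattern behind fictitious-vendor and payment-diversion fraud."""
    flags = []
    for p in payments:
        changed = p.get("bank_changed")
        if changed is not None and 0 <= (p["paid"] - changed).days <= BANK_CHANGE_WINDOW_DAYS:
            flags.append(Flag("recent_bank_change", [p["payment_id"]],
                              f"bank account changed {(p['paid'] - changed).days} days before payment"))
    return flags


RULES = [rule_duplicate_invoice, rule_under_threshold, rule_split_payment, rule_recent_bank_change]


def run_monitoring(payments):
    """Run every rule and return all flags raised, for review by internal audit."""
    flags = []
    for rule in RULES:
        flags.extend(rule(payments))
    return flags


PAYMENTS = [  # constructed sample records
    {"payment_id": "P1", "vendor": "V100", "invoice_no": "INV-2001", "amount": 4200.00,
     "paid": date(2024, 3, 4), "bank_changed": None},
    {"payment_id": "P2", "vendor": "V100", "invoice_no": "INV-2001", "amount": 4200.00,
     "paid": date(2024, 3, 11), "bank_changed": None},
    {"payment_id": "P3", "vendor": "V205", "invoice_no": "INV-77", "amount": 9800.00,
     "paid": date(2024, 3, 12), "bank_changed": None},
    {"payment_id": "P4", "vendor": "V205", "invoice_no": "INV-78", "amount": 9750.00,
     "paid": date(2024, 3, 12), "bank_changed": None},
    {"payment_id": "P5", "vendor": "V310", "invoice_no": "INV-5", "amount": 25000.00,
     "paid": date(2024, 3, 15), "bank_changed": date(2024, 3, 10)},
    {"payment_id": "P6", "vendor": "V400", "invoice_no": "INV-9", "amount": 1500.00,
     "paid": date(2024, 3, 15), "bank_changed": date(2023, 12, 1)},
]

if __name__ == "__main__":
    for f in run_monitoring(PAYMENTS):
        print(f"[{f.rule}] {','.join(f.payment_ids)}: {f.detail}")
```

Each rule is a separate function returning the same Flag shape, so new red flags can be added without touching the runner, and every flag names the payments it covers so an auditor can trace it straight back to the transaction. The split-payment rule is the one that a per-transaction check misses: P3 and P4 each pass the threshold test individually and only look suspicious once grouped by vendor and day.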
corrective control
A control that changes undesirable outcomes and occurs after the potential outcome of a risk has become a reality. Corrective controls are used when it is not cost-effective to implement preventive or detective controls to mitigate a specific risk. They are also used as a backup plan in the event of a failure of preventive or detective controls.
detective control
A control that seeks to uncover errors, irregularities, or other problems in a company’s processes after they have occurred, so that they can be investigated and corrected. Detective controls complement preventive controls, which cannot stop every problem.
erm framework
Enterprise Risk Management—Integrating with Strategy and Performance, a set of five interrelated components that highlight the importance of risk in creating strategies and driving a company’s performance. The ERM Framework aims to improve the risk management process by addressing more than just internal control.
first line of defense
The business operations portion of the Institute of Internal Auditors’ three lines of defense model. In this line of defense, management has the ownership and the responsibility of enforcing mitigating measures to prevent identified risk from occurring. This line of defense reports only to executive management.
framework
A published set of specifications and criteria that defines a strategy to achieve certain objectives. Accounting frameworks are specific to the information appearing in a company’s financial statements, and risk management frameworks focus on how a company defines its strategy for eliminating or minimizing the impact of risks.
independence
A condition in which an auditor is removed from a business process and has no stake in or influence over the outcome of the business processes that they are auditing. It is important for an auditor to remain independent in order to audit the business objectively.
internal audit
An independent function in a company that tests internal controls to provide assurance of their effectiveness to executive management and the board of directors. Internal audit adds value to a business by providing assurance, insight, and objectivity to the company.
internal control
A process that specifically mitigates risks to the company’s financial information. Internal control, as it relates to accounting information, focuses on providing quality information to internal decision makers and external stakeholders.
internal control - integrated framework
A controls-based approach to risk management that is widely accepted as the authoritative guidance on internal controls and SOX compliance. It defines internal control and gives the criteria for developing, implementing, and monitoring an effective internal control system.
it general control (itgc)
A control that applies to the entire operation of a system and its environment. All corporate applications, like email, web browsers, time-keeping software, benefits management systems, and more, are subject to ITGCs.
Management override
A control weakness that occurs when internal control activities are ineffective because management is not following policy or procedure—as when managers tell employees who report directly to them to ignore specific controls. The American Institute of Certified Public Accountants (AICPA) describes management override as the Achilles heel of fraud prevention.
manual control
A control that is executed by people or physical interaction. Manual controls are used when human judgment or physical interaction is required. Manual controls are subject to human error or intentional manipulation and override, which means there is an increased risk that a manual control might fail. For this reason, auditors—both internal and external—frequently focus on manual controls during their assessments.
maturity model
A model that shows how far along a company is on its journey to reach the ideal state by comparing the current state to a predetermined set of best practices. Companies use maturity models to judge their current performance and create a roadmap, or plan, for continuous improvement.
preventive control
A control that prevents problems from happening. Examples of preventive controls include firewalls to prevent unauthorized access to an organization’s computer network and policy and procedure documentation that specifies how employees should execute procedures and clarifies company policies to reduce the organization’s risk of error and misconduct.
sarbanes-oxley act of 2002 (SOX)
A U.S. federal law that protects investors from fraud and other risks by improving the reliability and accuracy of financial statements. SOX primarily focuses on the internal control structure of a company. It changed the way companies operate by mandating audit trails and shifting the responsibility for financial reporting misstatements. Responsibility for control failures moved directly to management, and violation of internal control requirements now comes with serious criminal penalties—with fines up to $5 million and/or imprisonment for up to 20 years.
second line of defense
The risk management and compliance portion of the Institute of Internal Auditors’ three lines of defense model. In this line of defense, the ERM team identifies and assesses organizational risks. This line of defense aids the first line of defense in ensuring that controls are designed to adequately address risk and monitors the controls to ensure that the first line of defense is complying with internal control requirements. This line of defense reports only to executive management.
segregation of duties
A type of preventive control that reduces the risk of error and fraud by ensuring that different employees are responsible for the separate parts of a business activity: authorizing, recording, and custody. The work of one employee acts as a check on the work of another employee. Also called separation of duties.
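A worked illustration of the segregation of duties entry above, added here and not taken from the glossary source. It models each role as a set of (business process, duty) pairs, where the duty is one of authorizing, recording, or custody, then reports users whose combined roles give them two or more duties in the same process; a second function evaluates a role request before it is granted, which is the preventive use. The roles, the duty mapping, and the user assignments are constructed. Note what this check cannot do: it sees only access held by one person, so two employees who each hold a single duty and collude (the accounts payable example under collusion above) pass it, which is why detective monitoring of the transactions themselves is still needed.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added example, not from the glossary source. The duty model (authorize,
record, custody per business process), the roles and the user assignments
are constructed; a real check would read them from the ERP or IAM system.
"""

DUTIES = ("authorize", "record", "custody")

# Constructed: which duty each role performs in which business process.
ROLE_DUTIES = {
    "ap_clerk":        {("accounts_payable", "record")},     # enters invoices
    "ap_manager":      {("accounts_payable", "authorize")},  # approves payments
    "treasury":        {("accounts_payable", "custody")},    # releases funds
    "warehouse":       {("inventory", "custody")},           # holds the stock
    "inventory_count": {("inventory", "record")},            # records counts
    "report_reader":   set(),                                # read-only, no duty
}

# Constructed: current role assignments.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},        # records and authorizes AP
    "dave":  {"warehouse", "inventory_count"},  # holds and records inventory
    "erin":  {"ap_clerk", "treasury"},          # records AP and releases funds
    "frank": {"report_reader", "warehouse"},
}


def duties_by_process(roles, role_duties=ROLE_DUTIES):
    """Map process -> set of duties granted by the given roles."""
    per_process = {}
    for role in roles:
        for process, duty in role_duties[role]:
            per_process.setdefault(process, set()).add(duty)
    return per_process


def sod_conflicts(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Detective use: list users holding two or more of authorize/record/custody
    in the same process. Returns {user: {process: [duties]}}."""
    conflicts = {}
    for user, roles in assignments.items():
        bad = {proc: sorted(d)
               for proc, d in duties_by_process(roles, role_duties).items()
               if len(d) >= 2}
        if bad:
            conflicts[user] = bad
    return conflicts


def would_conflict(user, new_role, assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Preventive use: evaluate a role request before it is granted. A role
    that adds a duty the user already holds in that process is not a conflict."""
    current = duties_by_process(assignments.get(user, set()), role_duties)
    for process, duty in role_duties[new_role]:
        if any(existing != duty for existing in current.get(process, set())):
            return True
    return False


if __name__ == "__main__":
    for user, bad in sod_conflicts().items():
        for process, duties in bad.items():
            print(f"{user}: holds {' + '.join(duties)} in {process}")
    print("grant ap_manager to alice?", "blocked" if would_conflict("alice", "ap_manager") else "ok")
```

Running the detective check periodically against the live role table catches conflicts that creep in through transfers and emergency access grants; wiring would_conflict into the access-request workflow stops most of them from being created in the first place.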
third line of defense
The internal audit portion of the Institute of Internal Auditors’ three lines of defense model. The primary objective of internal audit is to test internal controls to provide assurance of their effectiveness to executive management and the board of directors. Internal audit is an independent function of the company that reports both to executive management and to the board of directors.
time-based model of controls
A model for information security that measures the residual risk of a technology attack by comparing the time it takes an attacker to break through the preventive controls (P) with the time needed to detect the attack in progress (D) plus the time needed to respond to and correct it (C). If P > (D + C), the controls are effective: the attack is detected and stopped before the preventive controls give way. Otherwise, the security measures are inadequate to protect the company’s systems from intruders.
acquisition
One company’s purchase of all or the majority of another company’s shares to gain control over that company.
acquisition-based growth
Growth in a company that occurs as the company purchases and integrates other companies into its infrastructure.
application software
A type of software that allows end users to perform specific functions. Application software may be designed for general use or a specific function. It may also be custom developed for a specific function. Also called an application or an app.
batch processing
In a transaction processing system, a type of processing in which data is collected as it is generated and then is processed later, at a scheduled time. Because transactions are processed together in a batch—whether at the end of a day, week, or month—batch processing is most suitable for transactions that are not time sensitive.
centralized system
An information system that connects all users to one central location that is built around a server or cluster of servers that all authorized users can access. All the network’s main business processing occurs at, and business information is stored in, that one place.
cloud computing
A type of computing that provides access to shared resources over the internet, such as computer processing, software applications, data storage, and other services. In the business context, cloud computing allows companies to minimize the computer resources kept on hand, which are expensive both to purchase and to store securely. The cloud provider purchases and maintains the physical equipment at its own facilities and provides customers with access over the network.
compensating control
A control that can be used to reduce risk when more expensive or more complex controls are not available.