Internal Controls and Sarbanes-Oxley Act Study Notes

Internal Controls
  • Types of Internal Controls:
    • Preventive Controls: Designed to deter problems before they occur (e.g., authorization, segregation of duties, access controls).
    • Detective Controls: Discover problems that were not prevented (e.g., reconciliations, log review, audits).
    • Corrective Controls: Remedy problems that have been detected and restore normal operation (e.g., restoring data from backup).
Sarbanes-Oxley Act of 2002 (SOX)
  • Section 302: CEO and CFO must personally certify the completeness and accuracy of the financial statements.
    • They must also certify that they are responsible for internal controls, have evaluated their effectiveness, and have disclosed significant deficiencies and material weaknesses to the auditors and the audit committee.
  • Section 404: Requires management to assess and report annually on the effectiveness of Internal Control over Financial Reporting (ICFR), and requires the external auditor to attest to that assessment in an integrated audit and issue an opinion on ICFR effectiveness.
    • Aims to prevent financial statement fraud, improve transparency, protect investors, and enforce stronger internal controls.
COSO Framework
  • Five Components:
    1. Control Environment
    2. Risk Assessment
    3. Control Activities
    4. Information and Communication
    5. Monitoring
  • Three Categories of Objectives in COSO: Operations, Reporting, Compliance
Control Environment
  • Encompasses management's philosophy, operating style, and commitment to integrity and ethics.
  • Emphasizes oversight by the Board of Directors and structured assignment of authority.
Risk Assessment
  • Two Perspectives of Risk:
    • Likelihood: Probability of risk occurrence.
    • Impact: Potential loss estimation if the event occurs.
  • Types of Risk:
    • Inherent Risk: Risk present before controls are implemented.
    • Residual Risk: Remaining risk after controls are applied.
Risk Responses
  • Strategies to address risks include:
    • Reduce: Implement effective internal controls.
    • Accept: Acknowledge and accept risks' likelihood and impact.
    • Share: Use insurance or outsource processes.
    • Avoid: Opt not to engage in risky activities.
Control Activities
  • Key activities include:
    • Proper transaction authorization.
    • Segregation of duties to prevent fraud.
    • Change management and project development controls.
    • Asset safeguarding and independent performance checks.
Information and Communication
  • Organizations need to:
    • Generate relevant, quality information to support the functioning of internal controls.
    • Communicate internal control objectives and responsibilities internally.
    • Communicate with external parties (auditors, regulators, customers) about matters affecting internal control.
Monitoring Controls
  • Include:
    • Internal control evaluations, supervision, responsibility accounting systems, and periodic audits.
    • Use of technology (e.g., fraud detection software, forensic specialists).
Time-based Model of Security
  • Formula: P > D + C (security is effective when this inequality holds)
    • Where:
    • P = Time it takes an attacker to break through the preventive controls.
    • D = Time it takes to detect that an attack is in progress.
    • C = Time it takes to respond to the attack and implement corrective actions.
    • If P < D + C, the attacker gets through before the organization can detect and respond, so the controls are ineffective; the gap can be closed by strengthening prevention (raising P) or by faster detection and response (lowering D and C).
Authentication Controls
  • Types include:
    • Something the person knows: Passwords, PINs.
    • Something the person has: ID cards, smart cards, authentication fobs.
    • Something the person is (biometric characteristics): Fingerprints, facial recognition.
    • Multifactor authentication combines two or more of these types and is stronger than any one alone.
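Added example (not part of the original study notes): a two-factor check combining "something the person knows" (a password, stored as a salted PBKDF2 hash) with "something the person has" (a time-based one-time password from an authenticator device, computed per RFC 6238 over RFC 4226 HOTP). The names `hash_password`, `verify_totp` and `authenticate` are assumptions chosen for this illustration, and the seed secret and account record are constructed test data; the seed is the public RFC 4226/6238 test-vector key, never a production secret.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Factor 1 (knows): store a random salt and a slow hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected, iterations=PBKDF2_ITERATIONS):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(candidate, expected)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (factor 2: has the device)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, window=1):
    """Accept the current step plus +/- `window` steps to tolerate clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step, len(code)), code):
            ok = True
    return ok


def authenticate(record, password, code, at):
    """Both factors must pass; a stolen password alone or a stolen fob alone is insufficient."""
    return (verify_password(password, record["salt"], record["hash"])
            and verify_totp(record["totp_secret"], code, at))


# Constructed sample account: the TOTP seed is the RFC 4226/6238 test-vector key.
TOTP_SEED = b"12345678901234567890"
_salt, _hash = hash_password("correct horse battery staple")
SAMPLE_RECORD = {"salt": _salt, "hash": _hash, "totp_secret": TOTP_SEED}
```

Usage: at Unix time 59 the RFC 6238 test vector for this seed is 287082 (six digits), so `authenticate(SAMPLE_RECORD, "correct horse battery staple", "287082", 59)` returns True, while the right password with a wrong code, or the right code with a wrong password, returns False.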
Privacy Regulations
  • Key regulations include:
    • GDPR: The EU's General Data Protection Regulation.
    • CCPA: California Consumer Privacy Act of 2018.
    • HIPAA: Health Insurance Portability and Accountability Act (protects health information in the US).
Confidentiality Measures
  • Steps for protecting confidential information:
    • Identify and classify information value.
    • Assign access and operational policies for information management.
Data Protection Procedures
  • Provide notice of privacy practices before data collection.
  • Collect only necessary information, allowing for user review and correction.
  • Implement secure disposal processes for unnecessary information.
Backup Types
  • Incremental Backups: Copy only the data changed since the most recent backup of any type (full or incremental); each backup is small and fast, but recovery is slower because the last full backup plus every subsequent incremental must be restored in order.
  • Differential Backups: Copy all data changed since the last full backup; each backup grows larger over the cycle, but recovery is faster because only the last full backup plus the most recent differential are needed.
  • Both strategies start from a periodic full backup; the choice trades backup time and storage against restore time.
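Added example (not part of the original study notes): a simulation of both backup strategies over a constructed sequence of daily file-system snapshots, showing that an incremental chain stores fewer entries but needs every backup set read back in order, while differential backups store more but restore from just two sets. Deleted files are recorded as tombstones so that a restore does not resurrect them. The function names `backup_schedule` and `restore` and the sample snapshots are assumptions chosen for this illustration.

```python
INCREMENTAL = "incremental"
DIFFERENTIAL = "differential"


def changes(base, current):
    """Delta from `base` to `current`: changed/new files, plus None tombstones for deletions."""
    delta = {name: data for name, data in current.items() if base.get(name) != data}
    delta.update({name: None for name in base if name not in current})
    return delta


def backup_schedule(snapshots, kind):
    """Day 0 is a full backup; later days are incremental (vs previous day) or differential (vs full)."""
    sets = [("full", 0, dict(snapshots[0]))]
    for day in range(1, len(snapshots)):
        base = snapshots[day - 1] if kind == INCREMENTAL else snapshots[0]
        sets.append((kind, day, changes(base, snapshots[day])))
    return sets


def apply_delta(state, delta):
    for name, data in delta.items():
        if data is None:
            state.pop(name, None)  # honour the tombstone
        else:
            state[name] = data
    return state


def restore(sets, day):
    """Rebuild the file system as of `day`; returns (state, number of backup sets read)."""
    state = dict(sets[0][2])
    if day == 0:
        return state, 1
    if sets[day][0] == INCREMENTAL:
        needed = sets[1:day + 1]        # full + every incremental up to that day, in order
    else:
        needed = [sets[day]]            # full + only the latest differential
    for _, _, delta in needed:
        apply_delta(state, delta)
    return state, 1 + len(needed)


def stored_entries(sets):
    """Total file entries (including tombstones) held across all backup sets: a storage proxy."""
    return sum(len(delta) for _, _, delta in sets)


# Constructed sample: four daily snapshots, with modifications, additions and one deletion.
SNAPSHOTS = [
    {"ledger.csv": "v1", "payroll.xlsx": "v1"},
    {"ledger.csv": "v2", "payroll.xlsx": "v1", "invoices.db": "v1"},
    {"ledger.csv": "v2", "invoices.db": "v2"},                      # payroll.xlsx deleted
    {"ledger.csv": "v3", "invoices.db": "v2", "audit.log": "v1"},
]
```

Running `restore(backup_schedule(SNAPSHOTS, INCREMENTAL), 3)` reads four sets, while the differential schedule restores day 3 from two; both return exactly the day-3 snapshot, with the deleted payroll file absent.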
REA Modeling
  • Resources: Economic assets (like cash, inventory).
  • Events: Business activities needing information collection.
  • Agents: Individuals/organizations involved in events.
  • Entity-Relationship Diagrams: Visual representation of entities and their relationships in REA modeling.
Byzantine Generals Problem
  • Refers to the difficulty of getting the honest participants in a decentralized system to agree on a single version of the truth when some participants may fail or send conflicting messages; relevant to distributed ledgers such as blockchain.
Site Recovery Types
  • Cold Site: An empty facility with space, power, and connectivity but no installed equipment; inexpensive to maintain but slow to bring into operation (days).
  • Hot Site: A fully equipped facility with systems and current data already in place, ready to take over almost immediately; far more expensive to maintain.

This structured and detailed exploration of internal controls, risk management, and compliance ensures thorough preparation for exams related to accounting, internal controls, and relevant laws like the Sarbanes-Oxley Act.