COSO Framework
Role and Types of Controls
IT Controls
Documentation & Service Organization
Bonus Round
100

It would be a _______ to have poor internal controls.

CRIME

100
At what levels do internal controls exist?
Entity-level and transaction-level
100

What is automation bias?

The tendency to favor outputs generated from automated systems.

100

What is the most common form of internal control documentation?

Narratives

100
Borna is in charge of sending payment to vendors who have an AP balance. Bacob is the AP clerk and will record when payment is sent to the vendors. Berica is typically in charge of authorizing the payment, but she is on vacation. Payment is due so Borna decides to sign and send the check herself to meet the deadline. What control was violated?

Segregation of duties

200

What does CRIME stand for?

Components of Internal Controls:

Control Activities

Risk Assessment

Information and Communication

Monitoring Activities

Control Environment

200

What are the two types of internal controls? Define them.

Preventive: Stop errors or fraud from occurring

Detective: Identify and correct any errors or fraud that did occur

200

Name the 3 types of IT controls.

IT General Controls

IT Application Controls

IT-Dependent Manual Controls

200

What are the ways to document understanding of internal controls?

Flowcharts, narratives, questionnaires, and a combination of flowcharts and narratives

200

Bimberly is the CEO of the company. She and the board of directors have determined a core set of ethical values and adhere to them religiously. What is this positive ethical behavior by executives called AND what COSO component does it fall under?

Tone at the top - Control Environment

300

When performing segregation of duties, what does "separating the ARC" mean?

Authorization of transactions

Recording of transactions

Custody of assets

300

What are the two main objectives of ICFR?

1) Prevent misstatements in the financial statements

2) Detect and correct misstatements in the financial statements

300

What are the 3 types of IT Application controls?

Input, processing, and output

300

What usually determines whether to use a narrative or flowchart for documentation?

The complexity of the reporting environment

More complex = Flowchart; Less complex = narrative

300

Bhiron is testing the controls of a client. The specific control he is testing reviews sales at the end of the day and develops a report of clients not found on a preapproved list. What would be the best description for this type of control?

Detective control

400

What are the Objectives and Organizational Structure of the COSO Framework?

Objectives:

Operations, reporting, compliance

Organizational Structure:

Entity, Division, Operating Unit, Function

400

What do preventive controls lack that makes assessing effectiveness difficult?

Physical evidence

400

What is the particular importance of IT General controls?

Controlling cybersecurity risks

400

What is the name of the document used to help build trust and confidence in services performed?

SOC 1 Report

400

A company wants to develop a control to help manage transactions within the revenue-receivable cycle, which is an automated process. To ensure the accuracy of information given to the system, what type of IT control should be used?

IT Application input control

500

Categorize the 17 Principles into the proper components (THEY ARE NOT IN ORDER).

- Enforces authority

- Communicates externally

- Evaluates and communicates deficiencies

- Selects and develops general controls over technology

- Identifies and analyzes significant change

- Establishes structure, authority, and responsibility

- Exercises oversight responsibility

- Uses relevant information

- Assesses fraud risk

- Demonstrates commitment to competence

- Conducts ongoing and/or separate evaluations

- Communicates internally

- Deploys through policies and procedures

- Demonstrates commitment to integrity and ethical values

- Specifies suitable objectives

- Selects and develops control activities

- Identifies and analyzes risk

Control Environment:

1) Demonstrates commitment to integrity and ethical values

2) Exercises oversight responsibility

3) Establishes structure, authority, and responsibility

4) Demonstrates commitment to competence

5) Enforces authority

Risk Assessment:

6) Specifies suitable objectives

7) Identifies and analyzes risk

8) Assesses fraud risk

9) Identifies and analyzes significant change

Control Activities:

10) Selects and develops control activities

11) Selects and develops general controls over technology

12) Deploys through policies and procedures

Information and Communication:

13) Uses relevant information

14) Communicates internally

15) Communicates externally

Monitoring Activities:

16) Conducts ongoing and/or separate evaluations

17) Evaluates and communicates deficiencies

500

What is the detective control that tests the completeness of shipments of goods being billed or recorded in the sales journal/general ledger?

The bills of lading are compared with the sales invoices. Any differences are listed in a report that is followed up by the billing supervisor.

500

What are the 5 types of IT General controls?

1) Data center and network operations controls

2) System software acquisition, change, and maintenance controls

3) Program change controls

4) Access controls

5) Application system acquisition, development, and maintenance controls

500

What is the difference between a Type 1 and Type 2 SOC 1 Report?

Type 1 only deals with the design of the controls; Type 2 deals with design and effectiveness of controls.

500

Do your best impersonation of the receiving clerk from the Alchemy, Inc videos.

Something along the lines of "I think I can count, why does someone need to supervise me? I know how to count!"
