SOX It To Me
Fraud & Investigations
Famous Financial Fails
Audit Potpourri
The IT Crowd
100

This 2002 Act was named after a Senator from Maryland and a Representative from Ohio.

What is the Sarbanes-Oxley Act?

100

Developed by Donald Cressey, this geometric shape explains the three factors that lead to fraud: Pressure, Opportunity, and Rationalization.

What is the Fraud Triangle?

100

This defunct accounting firm was Enron's auditor and famously shredded documents before the SEC could get them.

Who is Arthur Andersen?

100

This is the specific term for a "gut feeling" based on years of experience that something in the ledger just looks...off.

What is Professional Skepticism?

100

This acronym stands for the "Golden Rule" of security: ensuring one person doesn't have the power to both initiate and approve a transaction.

What is SOD (Segregation of Duties)?

200

Under Section 404, this person and the CFO must personally certify that internal controls are effective.

Who is the CEO?

200

This "Law" states that in many real-life sets of numerical data, the leading digit is likely to be small (like the number 1).

What is Benford's Law?

200

This 2002 telecom scandal involved $11 billion in accounting fraud, mostly by recording expenses as capital investments.

What is WorldCom?

200

This is the degree of error that would actually change a stakeholder's mind - anything smaller is "noise".

What is Materiality?

200

This type of access - often called "God Mode" - gives a user full control over a system or database.

What is Privileged Access (or Superuser/Admin)?

300

This "item" isn't a piece of clothing, but a list of all the controls that keep a specific business process from going off the rails.

What is a Risk Control Matrix (RCM)?

300

This type of fraud involves stealing a payment from Customer A and covering it with a payment from Customer B.

What is Lapping?

300

This New York financier ran the largest Ponzi scheme in history, totaling roughly $64.8 billion.

Who is Bernie Madoff?

300

This 4-letter acronym refers to the primary framework for internal controls used in the United States.

What is COSO?

300

When an employee leaves the company, this process must happen immediately to ensure they don't take the data with them.

What is Deprovisioning (or Termination/Offboarding)?

400

If a control fails but doesn't quite reach the level of a "Material Weakness", it is often given this less-scary title.

What is a Significant Deficiency?

400

According to the ACFE, this is the #1 way that fraud is actually detected in the workplace.

What is a Tip (or Whistleblower Hotline)?

400

This blood-testing startup's "internal controls" were so non-existent that the founder was convicted of multiple counts of fraud in 2022.

Who is Theranos?

400

Internal Audit is meant to be this "I" word, meaning they shouldn't have any operational responsibility for the things they audit.

What is Independent?

400

This common IT control ensures that changes to software are tested in a sandbox before they hit the live environment.

What is Change Management?

500

This regulatory body was created by SOX to oversee the auditors who are auditing the companies.

What is the PCAOB (Public Company Accounting Oversight Board)?

500

This "color" of crime refers to non-violent, financially motivated offenses committed by business and government professionals.

What is White-Collar Crime?

500

This 1720 event is often cited as one of the first major "audit" failures, involving a British joint-stock company and a massive speculative bubble.

What is the South Sea Bubble?

500

The "Three Lines of Defense" model (now the Three Lines Model) puts Internal Audit in this specific line.

What is the Third Line?

500

In the world of Cybersecurity, this "M" word refers to the secondary layer of security - like a text code or an app - used to prove you are who you say you are.

What is MFA (Multi-Factor Authentication)?