Palmer AC 389 Exam 1

Perform formal risk assessments when creating an audit plan

Assess audit risks when creating audit plans

Specific procedures to assess and prevent risk

The likelihood of an unfavorable event occurring

Identify, categorize, and prioritize individual risks so companies can leverage their understanding of risk in strategic planning. Companies want to be right in the middle where optimal risk taking sits. Not too much, not too little.

A high-level business area or department that performs business processes to achieve company goals

Examines risk at the entity level

Examines risk at a more granular level of the business event, process, or event

Contains two parts: the issue and the possible outcome. Presented in the format of "cause" and "effect" respectively

Occur throughout a company's operations and arise during normal operations

These risks are outside of the project, but directly affect it—for example, legal issues, labor issues, a shift in project priorities, or weather. "Force majeure" risks call for disaster recovery rather than project management. These are risks caused by earthquakes, tornadoes, floods, civil unrest, and other disasters.

Six subcategories: Operational, Financial, Reputational, Compliance, Strategic, and Physical

The most important type of risk for an AIS, which occurs during day-to-day business operations and causes breakdowns in business activities. These risks are a priority for an AIS because they result from inadequate or failed procedures within the company.

Refers to money transitioning from within to outside of the company and the likelihood that a substantial sum may be lost.

Occurs when the reputation/good name of a company is damaged.

Occurs when a company fails to follow regulation and legislation and is subjected to legal penalties, including fines. (EPA)

The inevitable risk that a strategy becomes less effective

Weather, crimes, and physical damage.

Once all risks have been categorized, this is basically a list of risks.

The likelihood of risks occurring and their potential impact on the company

The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.

the natural level of risk in a business process or activity if there are no risk responses in place

The remaining risk after management has implemented risk responses and controls.

Accept, Avoid, Mitigate, Transfer/Share

Processes that specifically mitigate risks to a company's financial information.

Prevent, Detect, and Correct

By specifying how employees should execute procedures and clarifying company policies, an organization lowers its risk of error and misconduct

lessens the risk of error and fraud by ensuring that different employees are responsible for the separate parts of a business activity (Authorization, Recording Data, and Custody [of money])

Controls designed to discover control problems that were not prevented (Cameras, physical invetory counts, reconciling the cash register, etc)

Controls designed to correct problems that have arisen (Insurance, police report, virus quarantine, etc)

Occurs when internal control activities don't work because management is not following policy or procedures. The Achilles Heel of fraud prevention (store writeoffs and price discounts).

Two or more people acting in coordination to circumvent internal controls

Specific to the time it takes for a technology attack to bypass preventive controls compared to the company's detective and corrective control reaction times that measures the residual risk for technology attacks by comparing the relationship of the three control functions.

A control not in the computer environment (a lock on a door)

A control within the computer environment (firewall)

Controls embedded in the company's system specifically target the risk of external, unauthorized users performing malicious activities against company data or systems.

Previous/Alternate sets of the system that can be brought online to continue operations in the event of disaster.

Changes to systems are not released to the software before they have been reviewed and approved. Instead changes are created in a duplicated environment - a copy - of the software.

Characters in a field are of the proper type

Data in a field is appropriate sign (positive/negative)

Tests numerical amount against a fixed value

Tests numerical amount against lower and upper limits

Requires the inclusion of two identifiers in each input record

Input data fits into the field

Verifies that all required data is entered

Compares data from transaction file to that of master file to verify existence

Correctness of logical relationship between two data items

Requires human judgement or physical interaction is required.

Use technology to implement control activities

1. Internal auditors, who are data analysts, use continuous monitoring technology to create detective controls that use rules-based programming to monitor a business's data for red flags or risks.

The 1st line of defense in the internal controls category. Management has the ownership and the responsibility of enforcing mitigating measures to prevent identified risk from occurring. This is where financial accountants, tax accountants, system analysists, and other accounting professionals who are not auditors or compliance officers work.

The 2nd line of defence in the internal controls category. In many companies, ERM and compliance operation are combined, while in teams they might be separated departments. Accountants who specialize in compliance - such as designing and monitoring internal controls, performing risk assessments and responses, or assisting the legal team, work here.

The 3rd line of defense in the internal controls category. IA is an independent function of the company that has a unique reporting relationship in an organization. IA is removed from the business process and has no stake in or influence over the outcome of the business processes that they are auditing. IA reports directly to both executive management and to the board of directors. Internal audit provides assurance, insight, and objectivity to a company.

also known as procurement process, is focused on acquiring the necessary resources for a business to operate

Is a balance sheet line item that includes all items used in the creation of products. These can be classified as: Raw materials (RM),Work in process (WIP), and Finished Goods (FG).

Provide documenting of a transaction, such as a receipt, bill, or invoice, and may be electronic or paper documents, depending on the sophistication of the system

An internal company document created when an employee formally requests to obtain goods and services from authorized sources

A document created from the purchase requisition evolves into a legally enforceable purchase order.

A document supplier delivers along with an order which shows quantities and descriptions of items delivered, to the receiving department at the specified warehouse location

A document that shows the descriptions and quantities of goods received from vendors

Identifying variances between the receiving report and the purchase order

Bill from the vendor that includes the related purchase order number, billing date, description and quantities of goods, the amount due, and payment terms

The matching of a purchase order to the related receiving report and vendor invoice

An internal document that includes the vendor, amount due, and payment terms.

Shows the invoices included in the payment to the vendor

Selling finished goods directly to customers

Selling finished goods to other businesses, like distributors and retail companies.

Are generally responsible for marketing research, advertising, branding, promotional programs, and search engine optimization

Are source documents that contain order details and are sent as order confirmations to customers.

A legal contract that defines responsibility for the goods in transit.

Control Environment, Risk Assessment, Control Activities, and Information & Communication

Impact * Likelihood