Question
study guide: please provide a response to each question
Week 1:
Define and explain key internal control concepts. (Generally)
Explain and differentiate business and IT processes, recognizing that IS services are delivered through ongoing IT processes and business functions are accomplished in business processes, where processes are the focus of internal controls.
List internal control categories based on several facets. Provide illustrative examples of controls in each category.
More fully explain the purposes of and integrated nature of internal control systems.
Identify one or more examples of how each of the COSO principles are embodied in internal control processes.
Week 2:
Identify and explain several types of IT audits: in support of financial audit, compliance audits, SOC audits, agreed-upon procedures
List and spell out acronyms for standards-setting bodies and standards/frameworks including PCAOB, SEC, SOX Act of 2002, FASB, GAAP, GAAS, AICPA, GLBA, FERPA, HIPAA, identifying the specific area of coverage
Explain the role of the SEC and PCAOB in oversight of audits including audits of internal control
Explain assertions, attestation, and auditing as they relate to IT control audits
Explain the importance of IUC (information used in controls) assessments and provide contemporaneous examples for control situations
Define and differentiate governance and management; explain the Plan, Build, Run, Monitor "virtuous cycle" and the governance cycle - Plan, Do, Check, Correct
Spell out and define PII
List, define, and categorize examples of types of controls
o Preventive, Detective, Corrective
o ITGC vs application vs. governance controls
Explain what it means for a control to be designated a compensating control
Differentiate automatic and manual controls; provide examples including mixed examples where part of a control is automatic and part manual; explain why automatic controls are generally preferred but not always feasible.
Week 3:
IS RISK
Explain the relationship between and differentiate technical and business risk
Articulate the difference between IS risk and audit risk
Understand cost/benefit tradeoffs for risk mitigation
Formulate quantitative risk assessments (likelihood * exposure)
Identify residual risks as a function of inherent risk after the effect of mitigation
Explain how insuring a risk works as compared to other controls
Explain risks as both directly negative outcomes and forgone benefits
Quantify risk using non-dollar scales for severity and non-percentage scales for likelihood
List four options for addressing risk with examples (control, transfer, avoid, accept)
AUDIT RISK:
Explain, with examples, the three components of audit risk IR, CR, and DR
Explain how both control design and operation impact control risk
Identify the role of Tolerable Exception Rate (TER) in estimating CR
Understand that TER is related to but not the same as CR, because CR results from the cumulative effect of multiple control activities
Understand that because a sample may not exactly represent a population, observed exceptions in a sample of less than 100% will need to be below the TER
Understand that sampling is only one way to test controls
Explain that auditors do not impact IR, they estimate it
Explain that auditors do not impact CR, they estimate and verify it
Compute Risk of Material Misstatement (RMM) as IR * CR
Explain that DR is set based on desired AR and estimated RMM
Explain that DR is achieved by designing appropriate audit procedures
Apply the relationships between RMM and DR to achieve AR (e.g., more audit testing to obtain lower DR when RMM is higher)
Explain how compensating controls may allow target DR (and associated substantive testing) to remain unchanged even when a control deficiency is found
Explain why some audits are done based on CR estimates of 1 (no effective controls)
Understand that internal control testing may be done to meet regulation or compliance requirements
Week 4:
List elements included in the three IS Audit Phases as listed in FISCAM
Explain reasons why it is common practice and advantageous to have a multi-year audit plan
Explain and differentiate audit objectives and procedures with examples
Explain how audit criteria form the basis for sufficient and appropriate audit evidence
Recall that understanding of underlying business and IS processes is needed to plan and execute an audit
List, with examples, categories of subject matter risk as presented in ITAF 1202
Explain several salient points about fraud risk as it relates to auditing
List elements required in an audit report as per ITAF
Explain why it is important that guidelines are provided in ITAF regarding audit follow up activities
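The Week 3 objectives on IS risk and audit risk are the one part of this study guide that reduces to a model you can compute with: risk as likelihood times exposure, residual risk as inherent risk after mitigation, RMM as IR * CR, and DR chosen from the desired AR and the estimated RMM (the audit risk model AR = IR * CR * DR). The following Python is an added illustration written for this page, not part of the question or any course material; the rating scales, the 5x5 scoring and the sample figures are constructed here and are assumptions, not values from the guide.

```python
"""Worked audit-risk and IS-risk calculations (added example, constructed inputs)."""

# Non-dollar severity scale and non-percentage likelihood scale (assumed, 1..5 each),
# matching the objective of quantifying risk without dollars or percentages.
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


def risk_score(likelihood: str, severity: str) -> int:
    """Quantitative risk assessment as likelihood * exposure on the ordinal scales."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def residual_risk(inherent: int, mitigation_effect: float) -> float:
    """Residual risk = inherent risk remaining after a mitigation that removes a fraction.

    mitigation_effect is the share of inherent risk the control removes (0.0 .. 1.0).
    """
    if not 0.0 <= mitigation_effect <= 1.0:
        raise ValueError("mitigation_effect must be between 0 and 1")
    return inherent * (1.0 - mitigation_effect)


def rmm(ir: float, cr: float) -> float:
    """Risk of Material Misstatement = Inherent Risk * Control Risk."""
    return ir * cr


def planned_dr(ar: float, ir: float, cr: float) -> float:
    """Detection risk the auditor may accept: AR = IR * CR * DR, so DR = AR / RMM.

    A lower DR means more substantive testing is needed to reach the same AR.
    Setting cr=1.0 models an audit run as if no controls are effective.
    """
    return ar / rmm(ir, cr)


def more_testing_needed(ar: float, ir: float, cr_before: float, cr_after: float) -> bool:
    """True when a rise in CR (e.g. a control deficiency) lowers the allowable DR.

    If a compensating control keeps CR unchanged (cr_after == cr_before),
    target DR and the associated substantive testing stay the same.
    """
    return planned_dr(ar, ir, cr_after) < planned_dr(ar, ir, cr_before)


def sample_within_ter(sample_size: int, exceptions: int, ter: float) -> bool:
    """Sampling is one way to test a control: the observed exception rate in a
    sample of less than 100% must fall below the TER for the control to be relied on."""
    if sample_size <= 0:
        raise ValueError("sample_size must be positive")
    return exceptions / sample_size < ter


if __name__ == "__main__":
    # Constructed sample: a 'likely' event with 'major' impact, 60% mitigated.
    inherent = risk_score("likely", "major")               # 4 * 4 = 16
    print("residual risk:", residual_risk(inherent, 0.6))  # 6.4
    # Constructed audit figures: AR 5%, IR 0.8, CR 0.5 -> RMM 0.4 -> DR 0.125.
    print("planned DR with effective controls:", planned_dr(0.05, 0.8, 0.5))
    print("planned DR with CR = 1 (no reliance):", planned_dr(0.05, 0.8, 1.0))
    print("sample of 45 with 1 exception under TER 5%:", sample_within_ter(45, 1, 0.05))
```

The `more_testing_needed` helper is the direct expression of the last few Week 3 objectives: a deficiency that raises CR raises RMM, which forces a lower DR and more substantive work, whereas a compensating control that holds CR where it was leaves the planned DR untouched.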