E. Internal Controls

  1. Governance, risk, and compliance
    a. Internal control structure and management philosophy
    b. Internal control policies for safeguarding and assurance
    c. Internal control risk
    d. Testing methods for internal controls
    e. Control deficiency remediation
    f. Corporate governance
    g. External audit requirements
  2. System controls and security measures
    a. General accounting system controls
    b. Application and transaction controls
    c. Technology controls
    d. Backup controls
    e. Business continuity planning

Part 1 – Section E.1. Governance, risk, and compliance

The candidate should be able to:

  • a. demonstrate an understanding of internal control risk and the management of internal control risk
  • b. identify and describe internal control objectives
  • c. explain how a company’s organizational structure, policies, objectives, and goals, as well as its management philosophy and style, influence the scope and effectiveness of the control environment
  • d. identify the Board of Directors’ responsibilities with respect to ensuring that the company is operated in the best interest of shareholders
  • e. identify the hierarchy of corporate governance (i.e., articles of incorporation, bylaws, policies, and procedures)
  • f. demonstrate an understanding of corporate governance, including rights and responsibilities of the CEO, the CFO, the Board of Directors, the audit committee, managers, and other stakeholders; and the procedures for making corporate decisions
  • g. describe how internal controls are designed to provide reasonable (but not absolute) assurance regarding achievement of an entity’s objectives involving (i) effectiveness and efficiency of operations, (ii) reliability of financial reporting, and (iii) compliance with applicable laws and regulations
  • h. explain why personnel policies and procedures are integral to an efficient control environment
  • i. define and give examples of segregation of duties
  • j. explain why the following four types of functional responsibilities should be performed by different departments or different people within the same function: (i) authority to execute transactions, (ii) recording transactions, (iii) custody of assets involved in the transactions, and (iv) periodic reconciliations of the existing assets to recorded amounts
  • k. demonstrate an understanding of the importance of independent checks and verification
  • l. identify examples of safeguarding controls
  • m. explain how the use of prenumbered forms, as well as specific policies and procedures detailing who is authorized to receive specific documents, is a means of control
  • n. define inherent risk, control risk, and detection risk
  • o. define and distinguish between preventive controls and detective controls
  • p. describe the major internal control provisions of the Sarbanes-Oxley Act
  • q. identify the role of the Public Company Accounting Oversight Board (PCAOB) in providing guidance on the auditing of internal controls
  • r. differentiate between a top-down (risk-based) approach and a bottom-up approach to auditing internal controls
  • s. identify the PCAOB preferred approach to auditing internal controls
  • t. identify and describe the major internal control provisions of the Foreign Corrupt Practices Act
  • u. identify and describe the five major components of COSO’s Internal Control—Integrated Framework
  • v. assess the level of internal control risk within an organization and recommend risk mitigation strategies
  • w. demonstrate an understanding of external auditor responsibilities, including the types of audit opinions that external auditors issue
  • x. identify and explain methods for testing the adequacy of internal controls, including inquiry, observation, inspection, and re-performance
  • y. explain how to remediate internal control deficiencies

Part 1 – Section E.2. System controls and security measures

The candidate should be able to:

  • a. describe how the segregation of accounting duties can enhance systems security
  • b. identify threats to information systems, including input manipulation, program alteration, direct file alteration, data theft, sabotage, viruses, Trojan horses, theft, and phishing
  • c. demonstrate an understanding of how system development controls are used to enhance the accuracy, validity, safety, security, and adaptability of systems input, processing, output, and storage functions
  • d. identify procedures to limit access to physical hardware
  • e. identify means by which management can protect programs and databases from unauthorized use
  • f. identify input controls, processing controls, and output controls and describe why each of these controls is necessary
  • g. identify and describe the types of storage controls and demonstrate an understanding of when and why they are used
  • h. identify and describe the inherent risks of using the internet as compared to data transmissions over secured transmission lines
  • i. define data encryption and describe why there is a much greater need for data encryption methods when using the internet
  • j. identify a firewall and its uses
  • k. demonstrate an understanding of how flowcharts of activities are used to assess controls
  • l. explain the importance of backing up all program and data files regularly, and storing the backups at a secure remote site
  • m. define business continuity planning
  • n. define the objective of a disaster recovery plan and identify the components of such a plan including hot, warm, and cold sites