07: Resume Command - Control Classification Flashcards

Classify every control you claim (42 cards)

1
Q

Control: Change Advisory Board (CAB) approval
Classify: Timing? Execution? Key? Level?

Context: ERP Migration

A
  • Preventive — Approval happens BEFORE deployment
  • Manual — Humans review and vote
  • Key — Unauthorized changes could corrupt financial data
  • Process-level — Governs the change management process

Memory hook: “CAB = Committee Approves Before” → Preventive/Manual

2
Q

Control: UAT evidence standards / sign-off requirements
Classify: Timing? Execution? Key? Level?

Context: ERP Migration

A
  • Preventive — Sign-off required BEFORE go-live
  • Manual — Business owner physically signs
  • Key — Untested system could misprocess transactions
  • Process-level — Part of SDLC process

Memory hook: “No signature = No go-live” → Preventive gate

3
Q

Control: Data migration validation
Classify: Timing? Execution? Key? Level?

Context: ERP Migration.

A
  • Detective — Compares data AFTER migration to find errors
  • IT-Dependent Manual — Human reviews system-generated reconciliation report
  • Key — Missing/corrupted employee records = wrong paychecks
  • Process-level — Part of migration process

Memory hook: “Validation” = checking AFTER the fact → Detective

4
Q

Control: Parallel payroll run
Classify: Timing? Execution? Key? Level?

Context: ERP Migration.

A
  • Detective — Compares outputs AFTER both systems run to find differences
  • IT-Dependent Manual — Human reviews variance report
  • Key — Payroll errors = material misstatement
  • Application-level — Tests the application’s calculations

Memory hook: “Parallel” = run both, compare AFTER → Detective

5
Q

Control: SoD matrix for new system
Classify: Timing? Execution? Key? Level?

Context: ERP Migration.

A
  • Preventive — System BLOCKS conflicting access assignments
  • Automated — Once configured, system enforces without human intervention
  • Key — SoD failures enable fraud
  • Application-level — Configured within the ERP application

Memory hook: System says “ACCESS DENIED” automatically → Preventive/Automated/Application

6
Q

Control: Internal control ownership framework
Classify: Timing? Execution? Key? Level?

Context: Stakeholder Alignment.

A
  • Preventive — Establishes accountability BEFORE problems occur
  • Manual — Governance structure defined by humans
  • Key — No ownership = no controls executed
  • Entity-level — Applies across the entire organization

Memory hook: “Framework” = org-wide governance → Entity-level

7
Q

Control: Process documentation requirements
Classify: Timing? Execution? Key? Level?

Context: Stakeholder Alignment.

A
  • Preventive — Requires documentation BEFORE process is approved
  • Manual — Humans write and review documents
  • Non-key — Supports controls but doesn’t directly prevent misstatement
  • Process-level — Applies to specific processes

Memory hook: Documentation supports but doesn’t directly touch money → Non-key

8
Q

Control: Risk quantification/reporting
Classify: Timing? Execution? Key? Level?

Context: Stakeholder Alignment.

A
  • Detective — Identifies and reports risks AFTER assessment
  • Manual — Human analysis and reporting
  • Non-key — Informs decisions but doesn’t directly control transactions
  • Entity-level — Risk reporting to executive leadership

Memory hook: “Reporting” = telling someone what you found → Detective

9
Q

Control: API authentication/authorization
Classify: Timing? Execution? Key? Level?

Context: Zendesk-Smartsheet Integration.

A
  • Preventive — BLOCKS unauthorized API calls before they execute
  • Automated — System validates tokens without human intervention
  • Non-key — Ticketing system doesn’t process financial transactions
  • Application-level — Configured in API/application layer

Memory hook: “Authentication” = gatekeeper that blocks → Preventive/Automated

10
Q

Control: Audit trail logging
Classify: Timing? Execution? Key? Level?

Context: Zendesk-Smartsheet Integration.

A
  • Detective — Records events AFTER they happen for later review
  • Automated — System writes logs without human action
  • Non-key — Supports investigation but doesn’t prevent misstatement
  • Application-level — Built into the application

Memory hook: “Logging” = recording what already happened → Detective

11
Q

Control: Duplicate ticket detection
Classify: Timing? Execution? Key? Level?

Context: Zendesk-Smartsheet Integration.

A
  • Detective — FINDS duplicates after tickets are created
  • Automated — Algorithm identifies matches without human
  • Non-key — Operational efficiency, not financial accuracy
  • Application-level — Logic embedded in system

Memory hook: “Detection” = finding something that exists → Detective

12
Q

Control: Pipeline error monitoring/alerting
Classify: Timing? Execution? Key? Level?

Context: Zendesk-Smartsheet Integration.

A
  • Detective — Identifies failures AFTER they occur
  • Automated — System generates alerts without human trigger
  • Non-key — Operational control, not financial
  • Application-level — Monitors application processes

Memory hook: “Monitoring” = watching for problems → Detective

13
Q

Control: Access provisioning runbook
Classify: Timing? Execution? Key? Level?

Context: SAP Support Transformation.

A
  • Preventive — Defines steps that must happen BEFORE access is granted
  • Manual (with IT-dependent steps) — Human follows documented procedure
  • Key — Unauthorized access enables fraud/errors
  • Process-level — Governs access management process

Memory hook: “Provisioning” = granting access = must control it tightly → Key

14
Q

Control: Configuration change runbook
Classify: Timing? Execution? Key? Level?

Context: SAP Support Transformation.

A
  • Preventive — Requires approval/testing BEFORE changes are made
  • Manual — Human follows documented procedure
  • Key — Bad config = wrong calculations in financial system
  • Process-level — Part of change management process

Memory hook: “Configuration change” in financial system = high risk → Key

15
Q

Control: Incident escalation procedures
Classify: Timing? Execution? Key? Level?

Context: SAP Support Transformation.

A
  • Detective — Responds to incidents AFTER they’re identified
  • Manual — Human judgment on severity and routing
  • Non-key — Operational response, doesn’t prevent misstatement
  • Process-level — Part of incident management process

Memory hook: “Escalation” = reacting to something that happened → Detective

16
Q

Control: Knowledge transfer validation
Classify: Timing? Execution? Key? Level?

Context: SAP Support Transformation.

A
  • Preventive — Validates competency BEFORE staff take over duties
  • Manual — Human assessment of readiness
  • Non-key — Supports capability but doesn’t directly control transactions
  • Process-level — Part of training/transition process

Memory hook: Training validation is important but doesn’t touch money directly → Non-key

17
Q

Control: Lease data entry/abstract validation
Classify: Timing? Execution? Key? Level?

Context: Yardi Revenue Cycle.

A
  • Preventive — Validates lease terms BEFORE entry into system
  • Manual — Human reviews lease document against entry
  • Key — Wrong lease terms = wrong billing = revenue misstatement
  • Process-level — Part of lease setup process

Memory hook: “Validation before entry” → Preventive

18
Q

Control: Automated billing generation
Classify: Timing? Execution? Key? Level?

Context: Yardi Revenue Cycle.

A
  • Preventive — System auto-calculates to PREVENT manual errors
  • Automated — No human intervention in calculation
  • Key — Billing accuracy = revenue accuracy
  • Application-level — Embedded in Yardi application

Memory hook: “Automated” + “generation” = system does it → Automated/Application

19
Q

Control: Rent escalation accuracy review
Classify: Timing? Execution? Key? Level?

Context: Yardi Revenue Cycle.

A
  • Detective — Reviews escalations AFTER system calculates them
  • IT-Dependent Manual — Human reviews system-generated escalation report
  • Key — Wrong escalations = revenue misstatement
  • Process-level — Part of periodic billing review

Memory hook: “Review” = looking at what the system produced → Detective/IT-Dep Manual

20
Q

Control: Cash receipts application and matching
Classify: Timing? Execution? Key? Level?

Context: Yardi Revenue Cycle.

A
  • Detective — Matches payments AFTER receipt to find unapplied cash
  • IT-Dependent Manual — Human reviews matching report
  • Key — Unapplied cash = AR misstated
  • Process-level — Part of cash receipts process

Memory hook: “Matching” = comparing two things that already exist → Detective

21
Q

Control: AR aging review and collection follow-up
Classify: Timing? Execution? Key? Level?

Context: Yardi Revenue Cycle.

A
  • Detective — Reviews aged items AFTER they become overdue
  • Manual — Human reviews aging report and takes action
  • Key — Unidentified bad debt = AR overstatement
  • Process-level — Part of collections process

Memory hook: “Aging review” = looking at what’s old → Detective

22
Q

Control: Tenant account reconciliation
Classify: Timing? Execution? Key? Level?

Context: Yardi Revenue Cycle.

A
  • Detective — Compares tenant ledger to lease terms AFTER transactions post
  • Manual — Human performs reconciliation
  • Key — Reconciliation ensures revenue accuracy
  • Process-level — Part of monthly close process

Memory hook: “Reconciliation” always = Detective (comparing two sources)

23
Q

Control: Revenue recognition / straight-line rent calculation
Classify: Timing? Execution? Key? Level?

Context: Yardi Revenue Cycle.

A
  • Preventive — System enforces ASC 842 calculation to PREVENT manual errors
  • Automated — System calculates without human intervention
  • Key — Rev rec = core financial statement assertion
  • Application-level — Built into Yardi

Memory hook: System “enforces” = Preventive/Automated

24
Q

Control: Billing exception report review
Classify: Timing? Execution? Key? Level?

Context: Yardi Revenue Cycle.

A
  • Detective — Identifies exceptions AFTER billing cycle runs
  • IT-Dependent Manual — Human reviews system-generated exception report
  • Key — Unidentified exceptions = revenue misstatement
  • Process-level — Part of billing oversight process

Memory hook: “Exception report review” = system produces, human reviews → IT-Dep Manual/Detective

25
Q

Control: User provisioning/deprovisioning
Classify: Timing? Execution? Key? Level?

Context: NetSuite ITGCs (1 of 6).

A
  • Preventive — Controls access BEFORE user can act
  • Manual — Human approves system-generated access listing
  • Key — Unauthorized/stale access = ongoing fraud risk
  • Process-level — Part of access management process

26
Q

Control: Periodic access review (quarterly)
Classify: Timing? Execution? Key? Level?

Context: NetSuite ITGCs (2 of 6).

A
  • Detective — Reviews access AFTER it’s been granted to find issues
  • IT-Dependent Manual — Human reviews system-generated access listing
  • Key — Stale access = ongoing fraud risk
  • Process-level — Part of access management process

Memory hook: “Review” = looking at what exists → Detective

27
Q

Control: Password/MFA authentication policy
Classify: Timing? Execution? Key? Level?

Context: NetSuite ITGCs (3 of 6).

A
  • Preventive — System BLOCKS login without valid credentials
  • Automated — System enforces without human intervention
  • Key — Weak auth = unauthorized access
  • Process-level — Applies to all system access

28
Q

Control: Change management for customizations
Classify: Timing? Execution? Key? Level?

Context: NetSuite ITGCs (4 of 6).

A
  • Preventive — Requires approval BEFORE changes deploy
  • Manual — Human reviews and approves changes
  • Key — Unauthorized changes could corrupt financial processing
  • Process-level — Part of change management process

29
Q

Control: SoD monitoring with conflict review
Classify: Timing? Execution? Key? Level?

Context: NetSuite ITGCs (5 of 6).

A
  • Detective — Identifies conflicts AFTER they exist
  • Automated — System scans for conflicts automatically
  • Key — SoD violations = fraud enablement
  • Process-level — Part of access governance

Memory hook: “Monitoring” = watching for conflicts → Detective

30
Q

Control: Audit log monitoring for unauthorized changes
Classify: Timing? Execution? Key? Level?

Context: NetSuite ITGCs (6 of 6).

A
  • Detective — Reviews activity AFTER it occurs
  • Automated — System generates alerts on suspicious activity
  • Non-key — Supports investigation but doesn’t prevent misstatement
  • Process-level — Part of security monitoring

Memory hook: Audit logging supports but doesn’t directly touch transactions → Non-key

31
Q

Control: Journal entry approval workflow (SuiteFlow)
Classify: Timing? Execution? Key? Level?

Context: NetSuite Application Controls (1 of 6).

A
  • Preventive — BLOCKS posting until approved
  • Automated — System enforces workflow without human bypass
  • Key — Unapproved JEs = direct misstatement risk
  • Application-level — Configured in NetSuite SuiteFlow

Memory hook: Approval workflow “blocks” → Preventive; “system enforces” → Automated

32
Q

Control: Chart of Accounts change control
Classify: Timing? Execution? Key? Level?

Context: NetSuite Application Controls (2 of 6).

A
  • Preventive — Requires approval BEFORE COA changes
  • Manual — Controller reviews and approves
  • Key — Wrong COA = wrong financial classification
  • Process-level — Part of master data governance

33
Q

Control: Period lock controls
Classify: Timing? Execution? Key? Level?

Context: NetSuite App Controls (3 of 6).

A
  • Preventive — BLOCKS postings to closed periods
  • Automated — System rejects without human intervention
  • Key — Open periods = cutoff risk
  • Application-level — NetSuite period close configuration

Memory hook: “Lock” = system blocks → Preventive/Automated

34
Q

Control: Automated reconciliation with exception flagging
Classify: Timing? Execution? Key? Level?

Context: NetSuite App Controls (4 of 6).

A
  • Detective — Identifies variances AFTER transactions post
  • Automated — System performs comparison without human
  • Key — Unidentified variances = misstatement
  • Application-level — Built into NetSuite

Memory hook: “Reconciliation” always = Detective

35
Q

Control: Non-standard journal entry review (above threshold)
Classify: Timing? Execution? Key? Level?

Context: NetSuite App Controls (5 of 6).

A
  • Detective — Reviews unusual JEs AFTER they’re created
  • IT-Dependent Manual — Human reviews system-flagged entries
  • Key — Large/unusual JEs = high misstatement risk
  • Process-level — Part of JE oversight

Memory hook: “Review of flagged items” → Detective/IT-Dep Manual

36
Q

Control: Financial report review by Controller
Classify: Timing? Execution? Key? Level?

Context: NetSuite App Controls (6 of 6).

A
  • Detective — Reviews reports AFTER they’re generated
  • Manual — Controller reviews and signs off
  • Key — Final check before distribution
  • Process-level — Part of financial reporting process

37
Q

Control: Pledge recording authorization
Classify: Timing? Execution? Key? Level?

Context: Salesforce-MIP Pledge-to-Cash (1 of 6).

A
  • Preventive — Requires approval BEFORE pledge becomes receivable
  • Manual — Supervisor reviews and approves
  • Key — Unauthorized pledges = overstated revenue
  • Process-level — Part of pledge intake process

38
Q

Control: Donor acknowledgment automation
Classify: Timing? Execution? Key? Level?

Context: Salesforce-MIP Pledge-to-Cash (2 of 6).

A
  • Preventive — Ensures acknowledgment happens (compliance requirement)
  • Automated — System generates without human intervention
  • Non-key — Compliance/operational, not financial accuracy
  • Application-level — Configured in Salesforce

Memory hook: Acknowledgments are compliance, not financial accuracy → Non-key

39
Q

Control: Payment matching/application
Classify: Timing? Execution? Key? Level?

Context: Salesforce-MIP Pledge-to-Cash (3 of 6).

A
  • Detective — Matches payments AFTER receipt to find unapplied cash
  • IT-Dependent Manual — Human reviews matching report
  • Key — Unapplied cash = misstated AR
  • Application-level — Part of cash receipts process

40
Q

Control: Revenue recognition review (ASC 958 classification)
Classify: Timing? Execution? Key? Level?

Context: Salesforce-MIP Pledge-to-Cash (4 of 6).

A
  • Detective — Reviews classifications AFTER recording
  • Manual — Human reviews conditional vs. unconditional, restricted vs. unrestricted
  • Key — Wrong classification = misstated revenue
  • Process-level — Part of month-end close

Memory hook: “Review of classifications” → Detective/Manual

41
Q

Control: Three-way reconciliation (CRM↔GL↔Bank)
Classify: Timing? Execution? Key? Level?

Context: Salesforce-MIP Pledge-to-Cash (5 of 6).

A
  • Detective — Compares three sources AFTER transactions post
  • Automated — System performs comparison
  • Key — Cross-system variances = data integrity issues
  • Application-level — Custom integration logic

Memory hook: “Reconciliation” = Detective; “Automated” = system does it

42
Q

Control: Pledge write-off/aging review
Classify: Timing? Execution? Key? Level?

Context: Salesforce-MIP Pledge-to-Cash (6 of 6).

A
  • Detective — Reviews aged pledges AFTER they become overdue
  • Manual — Human reviews and approves write-offs
  • Key — Unwritten-off bad pledges = overstated AR
  • Process-level — Part of AR management