1. Internal Control Framework Flashcards
What does COSO stand for?
Committee of Sponsoring Organizations
Who created COSO?
Five organizations:
AICPA, The Institute of Internal Auditors, the Institute of Management Accountants, the American Accounting Association, the Financial Executive Institute.
When and why was COSO created?
In 1987 to develop an integrated internal control model.
What are the 4 COSO contents?
The COSO integrated framework.
Internal control - Integrated framework.
Enterprise Risk Management (ERM) - integrated framework.
COSO elements from additional documents, relating to recent changes in IT.
The original COSO cube: what is internal control?
- Control environment (core, management philosophy, organizational structure, system of authority, personnel practices, policies, procedures)
- Risk assessment (identify, analyze, manage risks)
- Information and communication
- Monitoring
- Control activities
The original COSO cube: Why do we have IC?
Operation (effectiveness/efficiency), Reporting (reliability), Compliance
The original COSO cube: Where do we have IC?
Entity, division, operating unit, function
The original COSO cube: what are the 4 types of "why"?
Financial and Non-financial, External and internal.
The original COSO cube: what are 3 examples of external financial reporting?
Annual FS, interim FS, earnings release
The original COSO cube: what are 3 examples of external non-financial reporting?
IC report, sustainability report, supply chain/custody of assets
The original COSO cube: what are 3 examples of internal financial reporting?
Divisional financial reporting, cash flow/budget, bank covenant calculations
The original COSO cube: what are 4 examples of internal non-financial reporting?
Staff/asset utilization, customer satisfaction survey, key risk indicator dashboards, board reporting.
What are the 5 principles of the control environment?
- A commitment to integrity and ethical values - management.
- Board of directors operate independent of management, oversees IC
- Management establishes structures, reporting lines, authorities, and responsibilities, including those of outsourced service providers.
- Competence
- Accountability
What are the 4 principles of risk assessment?
- Objectives
- Assessment
- Fraud
- Change management
What are 3 principles of control activities?
- Risk reduction
- Technology controls
- Policies
What are 3 principles of information and communication?
- Quality
- Internal
- External
What are the 2 principles of monitoring activity?
- Ongoing and periodic evaluations
- Address deficiencies
What are 6 limitations of IC?
- Unsuitable management objectives
- Dependence on people
- Management override
- Collusion
- External events beyond control
- Inherent limitations
What are 3 types of IC deficiencies?
- Control deficiency (in design or operation)
- Significant deficiency
- Material weakness
What are 3 categories of controls?
- Preventive, detective, and corrective control
- Feedback and feed-forward controls
- General controls and application controls
Who are the 4 responsible parties for IC?
- The board of directors: oversight
- Managers
- Support functions
- Internal auditors.
Who is responsible for oversight?
The board of directors and the audit committee
To whom does ownership of IC belong?
Senior management, including the CEO and CFO
Who are the support function personnel?
Personnel in law, compliance, risk management, and IT
Who evaluates IC? What are 2 important attributes for these people?
Evaluators.
Competence and objectivity.
What are 3 levels of monitoring?
- Board monitoring
- Self-assessment
- Self-review
What are 6 items in the nature or quality of control?
- Control objectives
- Compensating control
- Deficiency
- Key controls
- Key performance indicators
- Key risk indicators - forward looking metrics
What are 6 elements of successful KRIs?
- Based on established practices/benchmark
- Consistent across organization
- Unambiguous
- Comparable over time and across organization
- Timely
- Efficient
What are 2 types of information re: quality of evidence in IC?
Direct and indirect
What are 7 characteristics of quality of evidence in information?
Persuasive, relevant, reliable, sufficient, suitable, timely, verifiable.
What are 4 example methods for reviewing the control process?
- Review
- Benchmark assessment
- Questionnaires
- Focus groups and interviews
What are 5 examples of risk consideration?
- Materiality
- Significant change
- Areas of previous errors/irregularities
- High turnover of key personnel
- Previous issues identified by self-assessment
What are the 3 steps of the control monitoring process?
- Establish a foundation
- Design and execute
- Assess and report
What is change control?
The process used to request, review, specify, plan, approve, implement, and monitor changes to a system. It ensures that implemented changes are structured, planned, and managed.
COSO: What does control activity relate to?
Risk reduction, technology controls, and policies.
COSO: What does control environment relate to?
Establishing integrity and ethical values in the organizational culture.
COSO: What does monitoring relate to?
Establishing ongoing and periodic evaluations, and addressing control deficiencies.
COSO: What does risk assessment relate to?
Organizational objectives, risk assessment, fraud, and change management.
COSO: what does information and communication relate to?
Proper measurement.
Where is the level of suitability derived from?
Suitability and sufficiency.
What are 3 elements of suitable information?
Relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source), and timely (i.e., produced and used in an appropriate time frame).
What are 2 elements of reliable information?
Accurate and verifiable.