1 - Internal Control Frameworks Flashcards
COSO issued the "Internal Control - Integrated Framework" to assist organizations in doing what?
develop comprehensive assessments of IC effectiveness
This framework is also often referred to as “the framework”
How does the principles-based approach support an effective system of internal control under the COSO framework?
An EFFECTIVE system of IC requires the use of judgment in determining the sufficiency of controls, applying the proper controls, and assessing the effectiveness of the system of controls.
The principles-based approach of the COSO framework emphasizes the importance of MGT JUDGMENT
MS: One framework for controls does not fit all companies because every company is different (i.e., in size, business, processes, etc.), and as such mgt must use judgment
Define “internal control”
a process that is designed and implemented by an organization’s management, board of directors, and other employees to provide REASONABLE ASSURANCE that the organization will achieve its OPERATING, REPORTING, and COMPLIANCE objectives
What are the objectives of internal controls?
- financial Reporting
- effective & efficient Operations
- Compliance with laws & regulations
What does the "COSO Cube" comprise?
ORC - 3 main objectives
CRIME - 5 I/C components
Organizational structure
Describe the Operations objective
relates to the effectiveness and efficiency of an entity’s operations.
Want to ensure the assets of the org. are adequately safeguarded against potential losses
Describe the Reporting objective
pertains to the RELIABILITY, TIMELINESS, and TRANSPARENCY of an entity’s external & internal financial AND nonfinancial reporting as established by regulators
Describe the Compliance objective
established to ensure the entity is adhering to all applicable laws and regulations
What are the five components of internal control?
- Control environment
- Risk assessment
- Information & communication
- Monitoring
- Existing control activities
“CRIME”
What things are needed in order to achieve the 3 objectives of I/C?
ALL 5 components (CRIME) and the 17 relevant principles must be both PRESENT & FUNCTIONING
Describe Control Environment
Tone at the top - ethics
includes the processes, structures, and standards that provide the foundation for an entity to establish a system of I/C.
What are the principles related to Control Environment?
“EBOCA”
- Commitment to ETHICS & Integrity — establish standards/code of conduct
- Board Independence & Oversight — independent and knowledgeable
- Organizational Structure — reporting lines, the authority and responsibilities are all appropriate
- Commitment to Competence — there is a commitment to hire, develop, and retain competent employees
- Accountability — establish performance measures, incentives, and rewards without excessive pressure
Describe Risk Assessment
an entity’s identification and analysis of risk to the achievement of its objectives
What principles are related to Risk Assessment?
Make an entity “SAFR”
- Specify objectives — identify and assess risks related to not achieving those objectives
- Identify and ASSESS Changes — the org identifies and assesses changes that could significantly affect I/C such as change in external environment, business model, and leadership
- Consider potential for FRAUD — assess fraud triangle
- Identify and analyze RISKS — determine how risks should be managed (Enterprise Risk Management)
Describe the Information & Communication component
these systems support the identification, capture, and exchange of information (b/t internal and external parties) in a timely and useful manner.
List the principles included in Information and Communication
“OIE”
- Obtain and use information — obtains or generates and uses RELEVANT, HIGH QUALITY information to support functioning of IC
- Internally communicate information – information necessary to support functioning of I/C is communicated in a flow of information up, down, and across the organization
- Communicate with external parties — two-way external communication channels using a variety of methods and channels (e.g., CPA firm or consultants)
Describe Monitoring Activities
process of assessing the quality of I/C performance over time by assessing the design and operation of controls on a timely basis and taking the necessary corrective actions
What principles relate to Monitoring Activities?
“SOD”
- SO = Ongoing and/or Separate Evaluations — on whether the components of I/C are present and functioning (the frequency of testing is dictated by RISK)
- Communication of deficiencies — report deficiencies in a timely manner and make sure corrective action is taken
Describe Existing Control Activities
the controls set forth by an entity’s policies and procedures to ensure that the directives initiated by mgt to mitigate risks are performed
Control activities may be detective or preventive
Segregation of duties is usually a big one
What principles relate to Existing Control Activities?
“CAT PP”
- Select and develop CONTROL ACTIVITIES
- Select and develop TECHNOLOGY controls
- Deployment of POLICIES & PROCEDURES
Define present and functioning
present - included in the design and implementation of the I/C
functioning - operating as designed in the I/C system
What specific requirements must I/C meet in order to be considered an EFFECTIVE SYSTEM?
Senior mgt and the board must have reasonable assurance that the entity:
- achieves effective and efficient operations
- complies with all applicable rules, regulations, laws, etc.
- prepares reports that are in conformity with the entity's reporting objectives and standards.
What results when there is an ineffective I/C?
= greater risk that ORC is not achieved
GAAS uses the terms “material weakness” and “Significant deficiency”
COSO uses the term “major deficiency”
Describe a “major deficiency” and what results if one exists
represents a material I/C deficiency that significantly reduces the likelihood that an organization can achieve its objectives
if identified, the entity may NOT conclude that it has met the requirements for an effective I/C system under the COSO framework
List some inherent I/C limitations
- human failure
- faulty or biased judgment
- external events
- collusion
- mgt override
- suitability of entity objectives
What does applying the internal control framework comprise?
- manage application
- evaluate effectiveness
- deficiency assertions
How will mgt use the COSO framework to document its IC assessment?
"COPS"
Follow these steps:
- Overall assessment (which is supported by...)
- Component evaluations (which are supported by...)
- Principle evaluations (which serve as the source for isolating and defining internal control deficiencies)
- Summary of IC deficiencies (if any)
What are the common risks normally identified using the COSO framework?
- material omission
- fraud
- mgt override of controls
- illegal acts
What is the underlying premise of ERM?
the underlying premise of ERM is that every entity exists to provide value for stakeholders and that all entities face risk in the pursuit of value for their stakeholders.
value = increased stock price and/or pay dividends
Define “risk” according to COSO
Risk is the possibility that events will occur and affect the achievement of strategy and business objectives
How is value developed?
"CPER"
- creation
- preservation
- erosion (don't want this)
- realization
Describe value creation
your benefit has to exceed your resource costs
ROIC > Cost of Capital
+NPV
need to create a profit
costs = people, financial capital, technology, process and brand and value must outweigh this
Describe value preservation
want to have SUSTAINABLE operating profit (not a one time deal, ongoing)
Describe value erosion
we don't want the value of the business to go down (i.e., when cost > benefit)
stock price goes down
ROIC < cost/hurdle rate
-NPV
Describe value realization
when benefits are received by stakeholders either monetary or nonmonetary in form
Dividends or stock price/capital gain
Customer satisfaction
Describe mission
represents the CORE PURPOSE of the entity. Represents the WHY the company exists and what it hopes to accomplish
Describe vision
represents the aspirations of the entity and WHAT it hopes to achieve over time
Describe core values
represent an organization’s beliefs and ideals about what is good or bad
the HOW the org plans to achieve goals (ethics, culture, core values)
What elements are included in Enterprise Risk Management?
CCPIS
Culture
Capabilities (competitive advantage)
Practices
Integration with strategy setting and performance
Describe culture as it relates to ERM
represents COLLECTIVE THINKING of the people within an org.
Culture plays an important role in SHAPING DECISIONS regarding risk
correlate with core values
Describe capabilities as it relates to ERM
Competitive advantage
produces value for an entity
exploitation of competitive advantage and adaptation to change are skill sets embedded within ERM
Describe practices as it relates to ERM
continually applied at all levels of the entity (not just the board or officers, the entire entity)
Describe integration with strategy setting and performance as it relates to ERM
Why do you exist? I.e., what is your mission?
&
What's your vision? strategy?
Describe risk appetite
represents the types and amounts of risk, on a broad level, that an organization is willing to accept in pursuit of value
it’s a range rather than a specific limit and provides guidance encouraging a firm to pursue or not pursue certain endeavors
expressed first in mission and vision
varies between products, business units, or over time
What is the relationship of value and risk appetite?
directly related
Greater the risk, greater the expected return
What is the application of ERM intended to do?
provide management with a REASONABLE EXPECTATION of success
Define risk inventory
all risk that could impact an entity
could be societal, economic, demographic, or legal risk, etc.
Define reasonable expectation as it relates to ERM
the amount of risk to achieving strategy and business objectives that is appropriate for an entity, recognizing that no one can predict risk with precision