4. Internal Control Flashcards
Process for Understanding Internal Control
and Assessing Control Risk
Phase 1: Obtain and document an understanding of internal control design and operation
Phase 2: Assess control risk
Phase 3: Design, perform, and evaluate tests of controls
Phase 4: Decide planned detection risk and substantive tests
Definition of Internal Control
Internal control is a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives relating to
operations, reporting, and compliance.
COSO Internal Control – Integrated Framework (2013) – Guidelines
Process: Internal control is a process. It is a means to an end, not an end in itself.
People: Internal control is effected by people. It is not merely about policy and procedure manuals, systems, and forms; the people at every level of an organization and the actions they take affect internal control.
Reasonable assurance: Internal control can be expected to provide reasonable, but not absolute, assurance to an entity's senior management and board of directors.
Achievement of objectives: Internal control is geared to the achievement of objectives in one or more categories (operations, reporting, and compliance).
Entity structure: Internal control is flexible in application, for the entire entity or for a particular subsidiary, division, operating unit, or business process.
Who should be involved in internal control?
- Supervisory board
- Management
- Internal auditors
- Employees
- External auditors
- Consultants
- Others
What is the control environment?
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
5 principles of the control environment (COSO 2013)
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. (This fourth COSO principle was missing from the original card and is added here to complete the set of five.)
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
How many components are there in the COSO framework?
Five:
- control environment
- risk assessment
- control activities
- information and communication
- monitoring
Describe the risk assessment component
• Risk assessment is a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives.
• Risks are assessed according to their likelihood (probability) and impact.
What are the control activities?
• Control activities are actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.
• For effective control activities, both formal and informal measures are relevant:
Formal: laws, regulations, process descriptions, organizational structures, segregation of duties, financial controls
Informal: knowledge, trust, high ethical standards, openness and transparency
Examples of control activities
• Directive controls
– Support the achievement of objectives
• Preventive controls
– Prevent undesirable behavior or events before they occur
– Organizational measures: controls effected by the company itself, such as segregation of duties and the design of work processes
– Organizational tools: organization plan, process plan, function plan, guidance, time stamps, signatory powers
– Technical tools: security measures, IT controls
• Detective controls
– Are designed to detect misstatements or omissions as soon as possible after they occur
• Corrective controls
– Are designed to re-align the actual state with the target state
Describe the information and communication component
Information and communication are necessary for the entity to carry out its internal control responsibilities in support of the achievement of its objectives.
Communication should be effected in an adequate manner so that every member of the organization understands his or her role with respect to internal control and its implications.
Describe the monitoring component
• Internal control processes change over time due to factors such as personnel turnover or resource constraints.
• Monitoring of internal control ensures that the control measures stay effective under changing conditions.
• Monitoring includes:
– Ongoing evaluations (built into the process) and / or
– Separate evaluations (independent of the process)
• In case of deviations, corrective measures must be taken.
Responsibility for Internal Control
The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.
What is COSO Enterprise Risk Management (ERM)?
• Internal control is an integrated component of Enterprise Risk Management (ERM). The ERM framework is therefore broader than the Internal Control (IC) framework.
- The IC framework remains valid for companies that want to consider internal control on its own.
- Main difference: strategic objectives were newly integrated into the ERM framework.
Differences between the COSO ERM framework and the COSO IC framework
– Internal environment:
ERM focuses more directly on how risk is reflected in the risk culture, whether implicitly or explicitly. Likewise, ERM introduces the concept of risk appetite as the measure of risk the company is willing to accept in order to achieve its objectives.
– Objectives:
ERM treats objective setting as a separate component.
– Event identification:
ERM explicitly considers events with a potential influence on strategy and objectives.
– Risk response:
ERM considers the different risk response alternatives (avoid, reduce, share/transfer, accept) with the goal of keeping the residual risk below the tolerable/acceptable level of risk.