B1: Corporate Governance - Internal Control (COSO)

Question 1

What is COSO?

Answer 1

The Committee on Sponsoring Organizations

Question 2

Basic information of COSO?

Answer 2

1. Private sector initiative
2. Five major internal control components (CRIME)
3. Used by management, directors, and external stockholders
4. Principles-based - requires judgement

Question 3

What is internal control?

Answer 3

A process that is designed and implemented by an organization’s management to provide reasonable assurance that it will achieve its compliance, operating, and reporting objectives.
* Best practice: in 1992 COSO issued Internal Control - Integrated Framework.

Question 4

What is COSO internal control framework objectives? (Memorize!!!) - Compare with ERM enterprise objectives

Answer 4

The “ORC”

1. Operations objectives - effectiveness and efficiency
2. Reporting objectives - focus of COSO, accurate and timey
3. Compliance objectives - laws and regulations

Question 5

What are the five components of internal control? (Memorize!!!)

Answer 5

The “CRIME”

1. Control environment
2. Risk assessment
3. Information and communication systems
4. Monitoring
5. Existing control activities

Question 6

What does the control environment refer to? (Memorize!!!)

Answer 6

Refers to “tone at the top” - “EBOCA”

Question 7

What is EBOCA? (Memorize!!!)

Answer 7

Internal control component - control environment (C of CRIME)
E: ethics (integrity)
B: board independence (and oversight)
O: organizational structure
C: commitment to competence - hire, develop ann retain competent employees
A: accountability

Question 8

What is EAR? (Memorize!!!)

Answer 8

Internal control component - risk assessment (R of CRIME)
E: event identification
A: assess risks
R: respond to risks

Question 9

What is FACT? (Memorize!!!)

Answer 9

Internal control component - information and communication (I of CRIME)
F: fair
A: accurate
C: complete
T: timely

Question 10

What do monitoring activities refer to? (Memorize!!!)

Answer 10

1. Ongoing and/or separate evaluation - frequency of testing is dictated by risk
2. Communication of deficiencies

Question 11

What do (existing) control activities refer to? (Memorize!!!)

Answer 11

1. To mitigate risk
2. Detect or prevent
3. Segregation of duties
4. IT controls
5. Put policies into action

Question 12

What does the COSO Cube include?

Answer 12

1. Columns: “ORC”
2. Rows: “CRIME”
3. Third dimension: Entity level - Division - Operating unit - Function

Question 13

What does the effective internal control mean? - The general requirements

Answer 13

1. framework provides reasonable assurance
2. relevant to present: included in design
3. relevant to functioning: operating as designed

Question 14

What does the effective internal control mean? - The specific requirements

Answer 14

The “ORC”: achieve the operational, reporting and compliance objectives
* The framework requires judgement (principles-based).

Question 15

What does “major deficiency” mean in COSO internal control?

Answer 15

Implies ineffective internal control:

1. reduces the likelihood that an organization can achieve the objectives
2. may not conclude that the entity meets the requirements of effective internal control

Question 16

What are internal control limitations? - No guarantee

Answer 16

e.g. Errors; Human failures; Beyond-scope events; Collusion; Management override