BEC 1 Flashcards
What is COSO?
Committee of Sponsoring Organizations. An independent “private sector” initiative initially established in the 1980s to study factors that lead to fraud.
Why did COSO release “Internal Control - Integrated Framework”?
To assist organizations in developing comprehensive assessments of internal control effectiveness.
How many objectives, components and principles are in the COSO internal controls framework?
3 objectives, 5 components, 17 principles.
Who uses the framework?
Company management and the Board create the framework to obtain an initial understanding of what constitutes an effective system of internal control and to provide insight as to when internal controls are being properly applied within an organization. The framework also provides confidence to external stakeholders that an organization has a system of internal control in place that is conducive to achieving its objectives.
What does an effective system of internal control require of management?
More than the adherence to policies and procedures by management, the board, and internal auditors. It requires the use of judgement. Not black and white, thus not rules-based.
Define Internal Control
Process that is designed and implemented by an organization’s management, board, and other employees to provide reasonable assurance that the organization will achieve its operating, reporting, and compliance objectives.
In what areas does the framework assist an entity’s management and board of directors (internal stakeholders)?
- Effectively applying internal controls
- Determining requirements of an effective system of internal controls.
- Allowing judgement and flexibility in its design and implementation within all operating and functional areas.
- Identifying and analyzing risks, developing responses.
- Eliminating redundant, ineffective, or inefficient controls.
- Extending internal control application beyond the organization’s financial reporting.
How does the framework provide value to external stakeholders?
- Understanding of effective internal controls.
- Confidence in how management manages controls.
- Confidence in Board Oversight.
- Confidence the organization will achieve objectives and will be capable of identifying, analyzing, and responding to risks.
Name the categories of objectives.
ORC:
- Operating
- Reporting
- Compliance
Name the internal control components.
CRIME:
- Control environment.
- Risk Assessment
- Information and Communication
- Monitoring Activities
- (Existing) Control Activities
Name the basic levels of organizational structure.
Entity level, division, operating unit, and function.
Operational Objectives relate to what? And ensure what?
Relate to the effectiveness and efficiency of an entity’s operations. Includes financial and operating performance goals as well as ensuring that the assets of the organization are adequately safeguarded against potential losses.
Reporting Objectives pertain to what?
Pertain to reliability, timeliness, and transparency of an entity’s external and internal financial and nonfinancial reporting as established by regulators, accounting standard setters, or firm’s internal policies.
Compliance Objectives ensure what?
Ensure the entity is adhering to all applicable laws and regulations (in all countries and states).
What is needed to achieve the three objectives of internal control (ORC)?
CRIME. The five components of internal control.
Name and describe the five components of internal control (CRIME).
Control Environment - Tone @ top, ethics.
Risk Assessment - Financial statements misstated, not efficient, breaking law.
Information and Communication - Fair, accurate, complete, timely (FACT).
Monitoring Activities - Effectiveness of controls or report deficiencies.
(Existing) Control Activities - Policies/Procedures to mitigate risks.
What are the principles related to the control environment?
EBOCA (5)
- Commitment to ethics and integrity.
- Board Independence and Oversight
- Organizational Structure.
- Commitment to competence.
- Accountability
What are the principles related to risk assessment?
SAFR (4)
- Specify objectives
- Identify and analyze risks.
- Consider the potential for fraud.
- Identify and Assess changes.
What are the principles related to information and communication?
OIE (3)
- Obtain useful information.
- Internally communicate information.
- Communicate with external parties.
What are the principles related to monitoring activities?
SOD (2)
- Ongoing and Separate Evaluations.
- Communication of deficiencies.
What are the principles related to (existing) control activities?
CA T P (3)
- Select and develop control activities.
- Select and develop technology control.
- Deployment of policies and procedures.
What are the general requirements of effective internal control?
An effective system of internal control provides “reasonable” assurance that the entity’s objectives will be achieved.
What does an organization want all five components and 17 principles that are relevant to be?
Present and functioning. Also, that all five components operate together as an integrated system in order to reduce the risk that an entity will not achieve its objectives.
Define present (design).
Components and relevant principles are included in the design and implementation of the internal control system.
Define functioning (operating effectively).
Components and relevant principles are currently operating as designed in the internal control system.
To be considered an effective system of internal control, senior management and the board must have reasonable assurance that the entity:
- Achieves effective and efficient operations.
- Understands the extent to which operations are managed effectively and efficiently.
- Complies with all applicable rules, regulations, external standards, and laws.
- Prepares reports that are in conformity with the entity’s reporting objectives and all applicable standards, rules and regulations (FACT).
What must senior management and the board do to make sure that the entity achieves effective and efficient operations?
- Make external threats unlikely to have a significant impact on the achievement of objectives.
- The organization can reasonably predict and mitigate the impact of external events to an acceptable level.
Why must senior management and the board understand the extent to which operations are managed effectively and efficiently?
- External events may have a significant impact on the achievement of objectives.
- The organization can reasonably predict and mitigate the impact of external events to an acceptable level.
What do ineffective internal controls increase?
The risk that ORC (objectives) are not achieved goes ↑.
What is a major deficiency?
Represents a material internal control deficiency, or a combination of deficiencies, that significantly reduces the likelihood that an organization can achieve its objectives.
What can an entity not conclude when a major deficiency has been found?
That the company has met the requirements for an effective internal control system under the COSO framework.
What are the inherent limitations that may exist even in an effective internal control system?
- Breakdowns in internal control due to errors or human failure.
- Faulty or biased judgment used in decision-making.
- Issues relating to the suitability of the entity’s objectives.
- External events beyond the control of the entity.
- Circumvention of controls through collusion.
- Management override of internal controls.
Define risk (according to COSO).
The possibility that an event will occur and adversely affect the achievement of objectives.
Why did COSO issue Enterprise Risk Management (ERM)?
To assist organizations in developing a comprehensive response to risk management.
What is the underlying premise of ERM?
Every entity exists to provide value for stakeholders, that all entities face uncertainty, and that management must determine how much uncertainty to accept as it strives to grow stakeholder value.
What is the intent of ERM?
To allow management to effectively deal with uncertainty, evaluate risk acceptance, and build value.
When is value maximized?
When strategy balances risks and returns as well as efficiency and effectiveness in accomplishing objectives.
Define enterprise risk management.
Process effected by an entity’s board, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
What are the ERM framework themes?
- Aligning risk appetite and strategy.
- Enhancing risk response decisions.
- Reducing operational surprises and losses.
- Identifying and managing multiple and cross-enterprise risks.
- Seizing opportunities.
- Improving deployment of capital.
Name and describe the enterprise objectives.
S + ORC
- Strategic - high-level goals designed to achieve the mission.
- Operations - Achievement of objectives through the effective and efficient use of resources.
- Reporting - Achievement of reliable and consistent reporting.
- Compliance - Ensuring compliance with laws and regulations.
What are the components of Enterprise Risk Management?
IS EAR AIM
- Internal environment.
- Setting objectives.
- Event identification.
- Assessment of risk.
- Risk response.
- control Activities.
- Information and communication.
- Monitoring
Internal Environment =
Control Environment (EBOCA)
Risk Assessment =
SEAR: Setting objectives, Event identification, Assessment of risk, and Risk response (SAFR)
Control Activities =
CA T P
Information and communication =
OIE
Monitoring =
SOD
Elements of Internal Environment
EBOCA + HRR
- commitment to Ethical values and integrity.
- Board oversight
- Organizational structure.
- commitment to Competence.
- assignment of Authority and responsibility.
- Risk management philosophy.
- Human resources standards.
- Risk appetite.
Elements of Objective Setting
- Strategic objectives
- Related objectives
a. Operations objectives
b. Reporting objectives
c. Compliance objectives
- Selected objectives
- Risk appetite
- Risk tolerance
Elements of event identification
- Events
- Influencing factors (internal and external)
- Event identification techniques (forecast event in advance).
- Event interdependencies (how a change in an independent variable affects a dependent variable).
- Event categories (External and internal)
- Distinguishing risks and opportunities.
Elements of Risk assessment
- Inherent and residual risk
- Establishing likelihood and impact.
- Data sources.
- Assessment techniques
- Event relationships
Elements of risk response.
- Evaluating possible responses (ARSA)
- Selected responses.
- Portfolio view.
Elements of control activities.
- Integration with risk response
- Types of control activities
- Controls over information systems
- Entity-specific controls
Information and Communication
- Information is needed at all levels of an organization to manage risks.
- Communication is internal and external.
Elements of monitoring
- Ongoing monitoring activities
- Separate evaluations.
- Reporting deficiencies.
When is ERM effective?
It is a matter of judgment resulting from an assessment of whether the eight components are present and functioning effectively.
What are the elements of effectiveness?
IS EAR AIM (8)
- Each component must be present and functioning.
- No material weaknesses.
What is the significance of effective ERM?
- Management and the board have reasonable assurance that they understand the extent to which the entity’s strategic and operating objectives are being achieved, that reporting is reliable, and that applicable laws and regulations are being complied with.
What are some limitations of ERM?
Human judgment limitations include faulty decisions, simple errors or mistakes, collusion, and management override.
What does ARSA stand for?
Avoid (terminate)
Reduce (invest)
Share (Insurance)
Accept (Do nothing…for now)
What were the goals of the Sarbanes-Oxley Act of 2002?
- Increase corporate responsibility.
- Enhance disclosures
- Address fraud.
What did SOX affect?
The financial reporting requirements of public companies, specifically by expanding disclosures and specific requirements that must accompany financial statements.
What does title III of SOX address?
Corporate responsibility of the audit committee and CEO and CFO representations.