BEC - COSO & Corp Governance Flashcards
Control Environment - Integrity and Ethical Values
Most important principle - the organization demonstrates a commitment to INTEGRITY AND ETHICAL VALUES. “Tone at the top”.
Control Environment - Board of Directors
The BoD demonstrates independence of management, and oversees development and monitoring of internal control.
Control environment - Competence
The organization demonstrates commitment to attract, develop, and retain competent (high quality) individuals.
Control environment - Accountability
The organization holds individuals accountable for their internal control responsibilities.
Do not want to put too much pressure on individuals, or else it will work against the organization.
Risk Assessment - Objectives
Organization objectives have sufficient clarity to enable the identification and assessment of risks that threaten achievement of objectives including consideration of:
- Precision of risk tolerance levels (quantify risk? Range?)
- Materiality in relation to risk assessment.
Risk Assessment - Assessment
The organization identifies risks to achievement of objectives and analyzes risks to guide risk management strategy
Risk Assessment - Fraud
The organization considers potential fraud in assessing risks to achieve objectives.
Risk Assessment - Change Management
The organization identifies and assesses changes in the external environment, business model and organizational leadership that could impact the system of internal control.
Control Activities - Risk Reduction
Control activities reduce the risks to the achievement of objectives to acceptable levels.
Control Activities - Technology Controls
The organization selects and implements general controls over technology which support the achievement of its objectives.
Control Activities - Policies
The organization’s control activities inform policies that establish stakeholder expectations. Established procedures ensure the implementation of these policies.
Information and Communication - Quality
Relevant, high-quality information supports internal control processes including organizational processes that identify information required to support internal control processes, capture internal and external sources of data & transform data into information.
Information and Communication - Internal
Internal Communication supports internal control processes.
Can either support or hinder internal controls.
Information and Communication - External
Communication with outsiders supports internal control processes.
Monitoring - Both ongoing and Periodic
Monitoring evaluates internal control including benchmarking and providing feedback.
Monitoring - Address Deficiencies
Parties charged with taking corrective action, including senior management and the BoD, receive timely communication of internal control deficiencies.
Control Environment - Management
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities to achieve objectives.
Internal control is the responsibility of
Management (not the auditors)
What is internal control?
a PROCESS designed to provide REASONABLE (cost-effective) assurance. (Not absolute assurance)
Who is responsible for Internal Control?
Management, the BoD and other personnel
What are the goals (the why) of internal control?
Regarding achievement of objectives related to:
- Effectiveness and efficiency of operations
- Reliable financial reporting
- Compliance with laws and regulations
Control deficiency
Least serious of the three types. Shortcomings that reduce the likelihood of the entity achieving its objectives. Management must assess the severity of the deficiency.
Significant deficiency
More serious than a control deficiency but less severe than a material weakness.
Material weakness
Creates a reasonable possibility of a material misstatement of the entity’s financial statements.
Prevent control
Preventive controls act before an error occurs. Ex: locks on a building.
Detective controls
Detect errors after occurrence ex: reconcile accounting records to physical assets
*also have preventive benefits
Corrective controls
Reverse effects of error.
Ex: maintenance of backup files
General control (holistic)
Apply broadly to most computerized functions. IT functions.
Ex: backup file systems, background checks of personnel.
Ex: security features (not specific), data transmission errors, restricting access to computer center
Application controls
Focus on applications (actual data input)
Ex: data checks (dates, dollar amounts)
Feedback control
Evaluate and respond to the results of a process
Feed-forward controls
Project future results and alter inputs in response
Ex: inventory ordering system
Contingency planning relates primarily to which two control procedures (categories)?
Detective and corrective procedures
Board of Directors responsibilities relating to internal control
Oversight of KEY internal control activities and enterprise wide risk management.
Create expectations about integrity and ethical values, transparency.
Accountable for performance of internal control responsibilities.
Have competency and communication
Must be objective, capable and inquisitive
Have open and unrestricted communication channels
Management’s responsibility to internal control
Set the “tone at the top”; they are the “first line of defense” in IC
Accountable to the BoD for internal control
Oversight and control over controls and risks
Compensation often based on achieving objectives.
Controls can be outsourced, but they remain management’s responsibility
Support (business-enabling) functions on IC
“Second line of defense”
Ex: legal, compliance, finance, HR, IT
Help mgmt respond, communicate, and educate others regarding risks
Most likely to have responsibility for determining system access.
Internal auditors regarding IC
“Third line of defense”
Independent of functions
All employees regarding IC
Communicate problems related to operations, code of conduct, and other policy violations or illegal actions
What is the BoD
Individuals elected as representatives of the stockholders.
Why monitor controls?
Entropy: over time, controls deteriorate.
Technology improvements
Changes in management techniques
People quit, take vacations
Benefits of monitoring internal control
More timely, accurate and reliable information, F/Ss, etc.
Who evaluates controls? And what are the two primary attributes?
Evaluators
Competence and objectivity
Competence (in regards to an evaluator)
Evaluator’s knowledge of controls and related processes, including their operation and what constitutes a control deficiency.
Board monitoring
Monitoring by the board or its committees
Ex: evaluating management’s monitoring process and assessment of the risk of management override of controls
Self-Assessment
*“self” is the unit or function
Assessment may be by personnel who operate the control, or by peer or supervisory review within the same unit as the control.
Self-review
*“self” is an individual
Least objective type of self-assessment.
Review of one’s own work.
Order of review objectivity (from least to most)
Self, peer, supervisor, impartial
Control Objectives
Specific targets against which the effectiveness of IC is evaluated. Typically state the risk that they should manage or mitigate.
Ex: allow a certain number of failures in a production process but over a particular number of failures it is considered a failure of control.
Compensating controls
Accomplish the same objective as another control and can “compensate” for deficiencies in that control.
Key controls
Most important to assessing IC system’s ability to manage or mitigate meaningful risks. (Critical risks)
Ex: having controls in place to make sure no fictitious transactions take place or fake vendors are set up. Can lead to fraud, misstatements.
Key performance indicators
Metrics that assess critical success factors (things that have already happened)
Help measure progress towards goals and objectives.
Direct information
Must link directly to a judgement regarding the effective operation of control
Highly persuasive
Ex: video footage of someone stealing
Indirect information
Relevant to assessing whether controls are operating and underlying risk is mitigated.
No explicit evidence of operating effectively
Ex: analytical measures
Persuasiveness of information
Degree to which information supports relevant conclusions
Relevant information
Helps in assessing the operation of the underlying controls or control component
Reliable information
Accurate, verifiable and from an objective source
Sufficient information
Obtained when evaluators have gathered enough to form a reasonable conclusion
To be sufficient, evidence must be suitable
Timely information
Produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material to an organization.
Verifiable information (verifiability)
Can be established, confirmed or substantiated as true or accurate
Key risk indicators
Forward-looking metrics
Identify critical potential problems
Enabling timely action
Reviewing process includes:
Reviews of flowcharts and of risk and control documentation
Benchmarking assessments
Comparing organizational controls and processes with best practices in comparable functions.
Questionnaires
Assess the extent to which controls are operating as stipulated.
Focus groups and interviews
Identify concerns and surprises related to changes in the system of internal control
COSO Model: Step 1 of the control monitoring process
Establish a foundation
- Tone at the top (ethical values, moral principles)
- Organizational structure
- Baseline understanding of internal control effectiveness
COSO Model: Step 2 of the control monitoring process
Design and execute
- Prioritize risks (determine severity of identified deficiencies)
- Identify controls
- Identify persuasive information about controls
- Implement monitoring procedures
COSO Model: Step 3 of the control monitoring process
Assess and report
- Prioritize findings
- Report results to the appropriate level
- Follow up on corrective action
Four-Stage process called the “monitoring-for-change-continuum”
- Establish Control Baseline: Begin with an area where controls are well understood. Provides a baseline for enhanced monitoring.
- Change Identification: Identify changes in control operations, design, or related risks.
- Control Revalidation: Periodically revalidate that controls remain effective (continuously).
- Change Management: When changes occur, verify that controls remain effective. Establishes a new control baseline for the modified controls.
Effective Change Control Processes
Internal control processes must anticipate and promptly react to changes.
Control change management must consider cost vs. benefit.
Well-structured documentation
Appropriate procedures (will go in detail later)
Change management is part of risk Assessment including consideration of:
Changes in operation
Personnel change
Changing technologies and information systems
Rapid, unexpected growth.
Define “ongoing monitoring”
Activities to monitor the effectiveness of internal control in the ordinary course of operations.
What is COSO ERM-integrated framework
Defines essential control components. Finds a common language to define risk management processes. It also guides risk management processes.
Requires a “portfolio” view of risk
ERM Defined
A process effected by an entity’s BoD, management and other personnel, APPLIED IN STRATEGY SETTING AND ACROSS THE ENTERPRISE, DESIGNED TO IDENTIFY POTENTIAL EVENTS THAT MAY AFFECT THE ENTITY, AND MANAGE RISKS TO BE WITHIN ITS RISK APPETITE, to provide reasonable assurance regarding the achievement of entity objectives.
*CAPS are differences from original COSO
COSO ERM control Activities (Components)
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring
COSO ERM FRAMEWORK - 4 Categories of Objectives
- Strategic
- Operations*
- Reporting*
- Compliance*
*come from the original COSO framework
COSO ERM framework - levels of activity
Entity (or enterprise)
Division or subsidiary
Business unit processes
(From largest to smallest)
Define Risk Appetite
Amount of risk an organization accepts in pursuit of its goals
Central to ERM
May state in numbers, words, or ranges
COSO ERM - Existing Risk Profile
Existing levels and distributions of risk across categories
COSO ERM - Risk Capacity
The maximum risk that an organization may bear.
COSO ERM - Risk Tolerance
The amount of allowed variation around specific objectives.
Standard deviation or variance idea.
COSO ERM - Attitudes Towards Risk
Stakeholders’ objectives and attitudes towards growth and risk.
COSO ERM - Define Strategic Objectives
One of four organizational objectives (this one is only for ERM - NOT original COSO)
High-level goals that support the organization’s overall mission.
Integrate strategy and ERM
COSO ERM - Define Risk Response
Management’s response to risk
Depends on management’s risk appetite
May include risk avoidance, reduction, sharing, or acceptance
Critical Accounting Functions that should be segregated (4 of them)
- Authorizing events. Ex: approving checks, credit authorizations
- Recording events. Ex: inputting something into the accounting system
- Safeguarding resources. Ex: could be physical, or virtual (behind firewalls or restricted access servers)
- Reconciling, oversight and auditing
Segregation of Duties Software (SoD)
Helps identify and resolve conflicts
Ex: if someone is performing a specific function, the software will tell you what they shouldn’t be able to do (COSO)
Managing Internal Control Change - Define Change Agents
Promote and facilitate change: catalysts; ensure that changes are understood and embraced
Limitations of ERM (3 key limitations)
- Risk - the future is uncertain
- Things happen - failure to achieve objectives may occur despite good ERM; ERM operates at multiple levels in an organization.
- ERM (and internal control) provides reasonable, not absolute, assurance
Corporate Responsibility - Audit Committees
- All members must be independent and at least one must be a “financial expert”.
- Hire, supervise, compensate, and fire outside auditors.
- Must set up procedures for handling tips from whistleblowers and preserving confidentiality.
Corporate responsibility - CEOs and CFOs must certify:
- that they have reviewed the quarterly and annual reports that their companies must file with the SEC
- that to their knowledge the reports do not contain any materially untrue statements or half-truths
- that based on their knowledge the financial information is fairly presented
- they are responsible for establishing and maintaining their company’s internal financial controls
- they have designed such control to ensure the relevant material information is made known to them
- they have recently (within 90 days) evaluated the effectiveness of the Internal controls
- they have presented in the report their conclusions about the controls’ effectiveness
CEOs and CFOs must certify to the auditors and audit committee that they have reported on:
All significant deficiencies and material weaknesses in the controls
Any fraud, whether or not material, that involves management or other employees playing a significant role in the internal controls
Corporate Responsibility - Define Clawbacks
If an issuer must materially restate its F/Ss as a result of “misconduct”, which apparently need NOT be intentional, the CEO and CFO shall reimburse the company for bonuses received due to the misstatement and for profits they realized from sale of the company’s stock during that period.
According to SOX you must retain workpapers for
7 years. But if you keep them for less than 5, it’s a crime.