BEC - COSO & Corp Governance Flashcards
Control Environment - Integrity and Ethical Values
Most important principle - the organization demonstrates a commitment to INTEGRITY AND ETHICAL VALUES. “Tone at the top”.
Control Environment - Board of Directors
The BoD demonstrates independence of management, and oversees development and monitoring of internal control.
Control environment - Competence
The organization demonstrates commitment to attract, develop, and retain competent (high quality) individuals.
Control environment - Accountability
The organization holds individuals accountable for their internal control responsibilities.
– Do not put too much pressure on individuals, or it will work against the organization.
Risk Assessment - Objectives
Organization objectives have sufficient clarity to enable the identification and assessment of risks that threaten achievement of objectives including consideration of:
- Precision of risk tolerance levels (quantify risk? Range?)
- Materiality in relation to risk assessment.
Risk Assessment - Assessment
The organization identifies risks to achievement of objectives and analyzes risks to guide risk management strategy.
Risk Assessment - Fraud
The organization considers potential fraud in assessing risks to achieve objectives.
Risk Assessment - Change Management
The organization identifies and assesses changes in the external environment, business model, and organizational leadership that could impact the system of internal control.
Control Activities - Risk Reduction
Control activities reduce the risks to the achievement of objectives to acceptable levels.
Control Activities - Technology Controls
The organization selects and implements general controls over technology which support the achievement of its objectives.
Control Activities - Policies
The organization’s control activities inform policies that establish stakeholder expectations. Established procedures ensure the implementation of these policies.
Information and Communication - Quality
Relevant, high-quality information supports internal control processes including organizational processes that identify information required to support internal control processes, capture internal and external sources of data & transform data into information.
Information and Communication - Internal
Internal Communication supports internal control processes.
Can either support or hinder internal controls.
Information and Communication - External
Communication with outsiders supports internal control processes.
Monitoring - Both ongoing and Periodic
Monitoring evaluates internal control including benchmarking and providing feedback.
Monitoring - Address Deficiencies
Parties charged with taking corrective action, including senior management and the BoD, receive timely communication of internal control deficiencies.
Control Environment - Management
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities to achieve objectives.
Internal control is the responsibility of
Management (not the auditors)
What is internal control?
a PROCESS designed to provide REASONABLE (cost-effective) assurance. (Not absolute assurance)
Who is responsible for Internal Control?
Management, the BoD and other personnel
What are the goals (the why) of internal control?
Regarding achievement of objectives related to:
- Effectiveness and efficiency of operations
- Reliable financial reporting
- Compliance with laws and regulations
Control deficiency
Least serious of the three types. Shortcomings that reduce the likelihood of the entity achieving its objectives. Management must assess the severity of the deficiency.
Significant deficiency
More serious than a control deficiency but less severe than a material weakness.
Material weakness
Creates a reasonable possibility of a material misstatement of the entity’s financial statements.
Preventive control
Operates before an error occurs. Ex: locks on the building.
Detective controls
Detect errors after occurrence. Ex: reconcile accounting records to physical assets.
*Also have preventive benefits.
Corrective controls
Reverse effects of error.
Ex: maintenance of backup files
General control (holistic)
Apply broadly to most computerized functions. IT functions.
Ex: backup file systems, background checks of personnel.
Ex: security features (not application-specific), controls over data transmission errors, restricting access to the computer center.
Application controls
Focus on applications (actual data input)
Ex: data checks (dates, dollar amounts)
Feedback control
Evaluate and respond to the results of a process
Feed-forward controls
Project future results and alter inputs in response
Ex: inventory ordering system
Contingency planning relates primarily to which two control procedures (categories)?
Detective and corrective procedures
Board of Directors responsibilities relating to internal control
Oversight of KEY internal control activities and enterprise wide risk management.
Create expectations about integrity and ethical values, transparency.
Accountable for performance of internal control responsibilities.
Have competency and communication.
Must be objective, capable and inquisitive
Have open and unrestricted communication channels
Management's responsibility for internal control
Set the “tone at the top”; they are the “first line of defense” in IC.
Accountable to the BoD for internal control
Oversight and control over controls and risks
Compensation often based on achieving objectives.
Controls can be outsourced, but they remain management's responsibility.
Support (business-enabling) functions on IC
“Second line of defense”
Ex: legal, compliance, finance, HR, IT
Help mgmt respond, communicate, and educate others regarding risks
Most likely to have responsibility for determining system access.
Internal auditors regarding IC
“Third line of defense”
Independent of functions