BEC Custom Flashcards
What is the anti-retaliation provision of Dodd-Frank?
Employees who report securities law violations (whistle-blowers) may not be discharged, demoted, harassed or otherwise discriminated against for doing so, and may sue the employer in federal court to seek relief (reinstatement, back pay and related costs) for any retaliation they suffer
What is the whistle-blower award percentage under Dodd-Frank for securities fraud information that results in SEC sanctions?
Between 10% and 30% of the monetary sanctions collected, where the original information leads to a successful enforcement action with sanctions exceeding $1 million
What do corrective controls do?
Allow the user to recover from a problem once it has been identified
- reverse or remedy the effect of the error (e.g. restoring from backups, correcting entries)
- work together with detective controls: an error must be detected before it can be corrected
What are internal controls?
A process, effected by the board of directors, management and other personnel, designed to provide reasonable (not absolute) assurance regarding the achievement of the entity's objectives
Who creates and maintains internal controls?
management, board of directors, and other personnel
Internal control goals?
Reasonable assurance of achieving objectives related to -
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with laws and regulations
What are preventive controls?
- prevent an error or irregularity before it occurs
- e.g. building locks, usernames and passwords, segregation of duties
What are detective controls?
- detect an error after it has occurred
- e.g. data entry edit checks and reconciling accounting records to physical assets
(often also have a secondary preventive benefit, since people who know they are checked are less likely to err)
What do feedback controls do?
evaluate and respond to the results of a process
What do feed-forward controls do?
project future results and alter inputs in response
What are general controls?
- apply broadly to most computerized functions
What are application controls?
- focus on specific accounting applications and cover data entry (input), update (processing) and reporting (output)
What are detective controls more costly than?
preventive and corrective controls
In COSO, what does information and communication enable?
an organization’s people to identify, process, and exchange the information needed to manage and control operations
What is COSO?
- Committee of Sponsoring Organizations of the Treadway Commission
- formed in 1985 by five organizations (AAA, AICPA, FEI, IIA, IMA) to sponsor the Treadway Commission; its Internal Control - Integrated Framework (1992, updated 2013) is the integrated internal control model
What are the five components of a control system on the COSO Cube?
- monitoring
- information and communication
- control activities
- risk assessment
- control environment
What are the three categories of objectives of internal control according to COSO?
- effectiveness and efficiency of operations
- reliability of reporting (financial reporting in the original framework; the 2013 update broadens it to financial and non-financial, internal and external reporting)
- compliance with applicable laws and regulations
What is a sustainability report primarily?
- external, non-financial report
What are the five principles of the control environment?
- the organization demonstrates a commitment to integrity and ethical values
- the board of directors demonstrates independence from management and oversees the development and performance of internal control
- management establishes structures, reporting lines, and appropriate authorities and responsibilities to achieve objectives
- competence - the organization demonstrates a commitment to attract, develop, and retain competent individuals
- accountability - the organization holds individuals accountable for their internal control responsibilities
What are the four principles of risk assessment?
- objectives - specifies objectives clearly enough to allow identification and assessment of related risks
- assessment - identifies risks to achieving objectives across the entity and analyzes them to determine how they should be managed
- fraud - considers the potential for fraud in assessing risks to achieving objectives
- change management - identifies and assesses changes that could significantly affect the system of internal control
What are the three principles of control activities?
- risk reduction - selects and develops control activities that contribute to mitigating risks to acceptable levels
- technology controls - selects and develops general controls over technology
- policies - deploys control activities through policies that establish expectations and procedures that put them into action
what are the three principles of information and communication?
- quality - relevant, high-quality information supports the internal control processes
- internal - internal communication supports internal control processes
- external - communication with outsiders supports internal control processes
What are the two principles of monitoring?
- ongoing and/or separate (periodic) evaluations - to ascertain whether the components of internal control are present and functioning
- evaluate and communicate deficiencies in a timely manner to those responsible for corrective action, including senior management and the board as appropriate
What does ERM stand for?
Enterprise risk management
What are the four objectives of the COSO ERM Model?
- strategic
- operations
- reporting
- compliance
What are the eight control components of the COSO ERM Model?
- internal environment
- objective setting
- event identification
- risk assessment
- risk response
- control activities
- information and communication
- monitoring
What does risk response include under COSO ERM?
management’s decision to avoid, accept, reduce, or share risk and to develop a set of actions to align risk with the entity’s risk preferences
What are the two primary attributes of effective evaluators according to COSO?
competence and objectivity
What is competence in the context of evaluating controls?
evaluator’s knowledge of controls and related processes, including their operation and what constitutes a control deficiency
What is board monitoring?
- monitoring by board or its committees
- includes evaluating management’s monitoring process and assessment of risk of management override of controls
Control objectives
specific targets against which the effectiveness of IC is evaluated
Compensating controls
Accomplish the same objective as another control and can “compensate” for deficiencies in that control
Key performance indicators
metrics that assess critical success factors
Key risk indicators
forward-looking metrics that help identify potential problems
Assessing Changes in IC Effectiveness Model (monitoring-for-change continuum)
four-stage process
- establish a control baseline (a starting point of known effective internal control)
- change identification
- change management
- control re-validation/update
What are the three steps in the COSO Control Monitoring Process Model?
- establish a foundation
- design and execute
- assess and report
Foundation for Monitoring (COSO)
- proper tone at the top
- effective organizational structure
- generate “baseline” of known effective IC
Design and execute monitoring procedures (COSO)
- prioritize risks
- identify the key controls that address meaningful risks
- identify persuasive information about whether those key controls are operating
- implement the monitoring procedures
Assess & report results (COSO)
- prioritize findings
- report results
- follow up with corrective action
Change Identification (COSO)
the monitoring-for-change process, consisting of ongoing and separate evaluations intended to identify and address changes that affect internal control effectiveness
What part of establishing a foundation for monitoring does establishing a baseline of an internal control known to be effective belong to?
it is a sub-activity, not a major step, in the COSO model of control monitoring
What is the starting point for a system of internal control?
setting organizational objectives
What does the IIA International Professional Practices Framework include among its “mandatory” guidance?
- definition of internal auditing
- core principles
- code of ethics
- international standards
What does the IIA International Professional Practices Framework include among its “strongly recommended guidance”?
- position papers
- practice advisories
- practice guides
What are the four principles under IIA code of ethics?
- integrity
- objectivity
- confidentiality
- competency
What are the two categories of standards under the IIA international standards?
- attribute standards - involve characteristics of entities and individuals performing internal auditing
- performance standards - involve the criteria to evaluate the quality of internal audit services
assurance relationship parties in internal auditing
three parties:
- the process owner (the party directly involved with the process or system)
- the user (the party relying on the assessment)
- the internal auditor
consulting relationship parties in internal auditing
two parties:
- the client (the party seeking and receiving the advice)
- the internal auditor
Who issues the IIA's standards?
The International Internal Audit Standards Board (IIASB) of the IIA (not to be confused with the IASB, the International Accounting Standards Board, which issues IFRS)