BEC - Internal Controls Flashcards

1
Q

Control environment?

A

One of five components of internal control. The foundation of any system of internal controls. Encompasses:

  1. Integrity and ethical values
  2. Commitment to competence
  3. Human resource policies & practices
  4. Assignment of authority and responsibility
  5. Management's philosophy & operating style
  6. Board of directors or audit committee participation
  7. Organizational structure
2
Q

Two most important models of accounting controls

A

  1. Committee of Sponsoring Organizations (COSO)
  2. COSO Enterprise Risk Management (ERM)

3
Q

Internal Control definition and categories

A

Process effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  1. Effectiveness and efficiency of operations
  2. Reliability of financial and nonfinancial reporting
  3. Compliance with applicable laws and regulations
4
Q

General control objectives

A
  1. Safeguard assets of the firm
  2. Promote efficiency of the firm's operations
  3. Measure compliance with management's prescribed policies and procedures
  4. Ensure accuracy and reliability
    a. Identify and record all valid transactions
    b. Provide timely information in appropriate detail to permit proper classification and financial reporting
    c. Accurately measure the financial value of transactions
    d. Accurately record transactions in the time period in which they occurred.
5
Q

Primary areas of focus of an internal control system

A
  1. Operations
    - Objectives related to the fundamental mission and vision of the entity.
    - Include improving financial performance, productivity, quality, environmental practices, innovation, and customer and employee satisfaction, as well as safeguarding assets (protecting and preserving assets)
  2. Reporting
    - Objectives related to the preparation of (financial or nonfinancial) reports for use by shareholders and the organization. Reporting objectives may be internal or external:
      - External financial reporting objectives
      - External nonfinancial reporting objectives
      - Internal financial reporting objectives
  3. Compliance
    - Compliance objectives concern complying with external laws and regulations
6
Q

COSO “Cube Model”

A

Has 3 dimensions:

  1. What is internal control (fundamental components) (depicted in a pyramid)
    - Control environment (internal)
    - Risk assessment
    - Information and communication
    - Monitoring
    - Control activities
  2. Why we have internal control (goals or objectives)
    - Operations
    - Reporting
    - Compliance
  3. Where we have internal control (units of analysis to design, implement, and test)
    - Specifies the units and activities that must be controlled within the organization
7
Q

17 principles of internal control

A

Control principles (5)

  1. Integrity and ethical values
  2. Board of directors independence of mgmt & oversight of internal controls
  3. Management establishes structures, reporting lines, and appropriate authorities and responsibilities
  4. Competence
  5. Accountability

Risk Assessment (4)

  1. Objectives
  2. Assessment
  3. Fraud
  4. Change Management

Control Activities (3)

  1. Risk reduction
  2. Technology Controls
  3. Policies

Information and Communication (3)

  1. Quality
  2. Internal
  3. External

Monitoring Activities (2)

  1. Ongoing and periodic
  2. Address deficiencies
8
Q

Control Environment (5)

A
  1. Demonstrates a commitment to integrity and ethical values.
    - Sets and demonstrates “tone at the top”
    - Establishes and adheres to standards of conduct
    - Attends to ethical failures quickly and effectively
  2. Board of directors demonstrates independence from management and oversees the internal controls
    - Clear board of directors oversight and independence
    - Evidence and application of relevant expertise
  3. Management establishes structures, reporting lines, and appropriate authorities and responsibilities to achieve objectives, including integrating organizational structures and services, including outsourced service providers.
    - Management cannot outsource responsibility for internal controls
  4. Competence—The organization demonstrates a commitment to attract, develop, and retain competent individuals consistent with achieving organizational objectives, including:
    - Establishing policies and procedures to attract, develop, and retain competent individuals
    - Assessing competencies, creating development plans to achieve needed skills and competencies, and addressing deficiencies in skills and competencies through training, hiring, or outsourcing
    - Planning and preparing for turnover and succession
  5. Accountability
    - Enforcing accountability through structures, authorities, and responsibilities
    - Establishing and evaluating performance measures, incentives, rewards, and disciplinary actions for individuals
    - Monitoring and considering the potential for excessive performance pressures, including unrealistic performance (e.g., earnings) targets, and an excessive concern with short-term (e.g., quarterly earnings) targets
9
Q

Risk Assessment (4)

A
  1. Objectives
    The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks that threaten the achievement of objectives. In so doing, the organization should consider:
    - The precision of risk tolerance levels: for example, can we quantify the risk? To within what range?
    - Materiality in relation to risk assessment. How big of a risk poses a threat to objectives (a loss of $10,000? $100,000? $1,000,000?)?
    - Risks related to the organization’s ability to comply with standards, frameworks, laws and regulations
    - Risks related to operational and financial performance goals
    - Risks in committing resources
  2. Assessment
    The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risk should be managed. In so doing, the organization should:
    - Involve appropriate levels of management in risk assessment
    - Consider and include entity, subsidiary, division, operating unit, and functional levels
    - Analyze internal and external factors
    - Estimate risk importance
    - Develop appropriate risk responses
  3. Fraud
    The organization considers the potential for fraud in assessing risks to the achievement of objectives. In so doing, it:
    - Considers fraud risk factors and threats
    - Assesses the potential fraud influences of incentives and pressures
    - Assesses opportunities that may exist in the organization for fraudsters to commit fraud
    - Assesses attitudes and potential rationalizations that might be used to justify fraudulent actions
  4. Change management
    The organization identifies and assesses changes in the external environment (regulatory, economic, and physical environment of operation), changes in the business model (new or existing business lines, rapid growth, new technologies, or acquisitions/divestitures), and changes in leadership.
10
Q

Control Activities (3)

A
  1. Risk reduction
    Organizational control activities mitigate (i.e., reduce) the risks to the achievement of objectives to acceptable levels. In so doing, the organization:
    - Integrates controls with risk assessments
    - Uses risk reduction analyses to determine which business processes require a control focus
    - Considers how the environment, complexity, nature and scope of operations influence risk reduction and control activities
    - Evaluates a mix of potential control activity types, including manual and automated, and preventive and detective controls
    - Segregates incompatible activities and implements alternative controls where segregation is impossible
  2. Technology controls
    The organization selects and implements general controls over technology, which support the achievement of its objectives. These activities include:
    - Management understanding and determining the dependencies between business processes, automated controls, and technology general controls
    - Management establishing controls to ensure the completeness, accuracy, and availability of technology and processing
    - Restricting technology access rights to authorized users
    - Establishing relevant security management process controls
    - Establishing relevant technology acquisition, development, and maintenance process controls
  3. Policies
    The organization deploys control activities through policies and procedures that establish stakeholder expectations. Established procedures ensure the implementation of these policies. These activities include:
    - Establishing policies and procedures that support the achievement of management’s directives
    - Establishing responsibility and accountability for executing policies and procedures
    - Employing competent personnel to perform control activities in a timely manner and to take corrective action to investigate and act on control problems and issues
    - Management periodically reassessing and revising policies and procedures to address changing conditions.
11
Q

Information and Communication (3)

A
  1. Quality
    Relevant, high-quality information supports the internal control processes. Organizational processes to ensure that high-quality information supports internal control processes should:
    - Identify the information required to support internal control processes.
    - Capture internal and external sources of data.
    - Transform relevant data into information.
    - Produce information that is relevant, timely, current, accurate, verifiable, protected, and retained.
    - Consider the costs and benefits of information in relation to organizational objectives.
  2. Internal
    Internal communication supports internal control processes. This includes:
    - Organizational processes communicate required information to enable all personnel to understand and execute their internal control responsibilities.
    - Communication between management and the board of directors supports the achievement of organizational objectives.
    - Separate communication lines, such as a whistle-blower hotline, exist as a fail-safe mechanism to enable anonymous, confidential communication.
    - Internal communication methods are sensitive to the timing, audience, and nature of the communication.
  3. External
    Communication with outsiders supports internal control processes. Organizational processes:
    - Communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and others.
    - Enable inbound communications. Communication channels support the receipt of information from customers, suppliers, external auditors, regulators, financial analysts and others.
    - Provide separate communication lines, such as a whistle-blower hotline, as fail-safe mechanisms to enable anonymous, confidential communication
    - Communicate relevant information resulting from assessments conducted by external parties (e.g., reviews of internal control) to the board of directors
    - Ensure that external communication methods are sensitive to the timing, audience, and nature of the communication and to legal, regulatory and fiduciary requirements
12
Q

Monitoring Activities (2)

A
  1. Ongoing and periodic
    Ongoing and separate evaluations evaluate internal control functioning. These activities include:
    - Considering the mix of ongoing and separate evaluations
    - Benchmarking—considering the design and state of the existing system of internal control to establish a baseline understanding for ongoing and separate evaluations
    - Developing and selecting ongoing and separate evaluations through management consideration of the rate of change of business activities and processes
    - Ensuring that personnel have sufficient knowledge to conduct evaluations
    - Integrating ongoing evaluations with business processes and adjusting, as needed, to changing conditions
    - Providing periodic, separate evaluations for objective feedback
    - Adjusting the scope and frequency of evaluations based on risk assessments
  2. Address deficiencies
    Parties responsible for taking corrective action, including senior management and the board of directors, receive timely communication of internal control deficiencies. These activities include:
    - Assessment of the results of ongoing and separate evaluations, as appropriate, by management and the board of directors
    - Communication of deficiencies to those responsible for acting upon them, and to management at least one level above the identified problem
    - Communication of deficiencies to senior management and the board of directors, as appropriate
    - Tracking by management whether deficiencies are corrected on a timely basis
13
Q

Limitations of Internal Control

A
  1. The suitability of objectives established as a precondition to internal control. Internal control is the responsibility of management (not the auditors). Management may set objectives that lead to poor controls (e.g., make earnings targets even if it means committing fraud).
  2. Internal control depends heavily on people. People are wonderful, fallible, imperfect creatures. Human judgment can be faulty, flawed, and biased. Breakdowns in control can occur because of humans (God love ’em).
  3. Management may be able to, and may choose to, override internal control. Many of the major financial reporting scandals are examples of management override, including Enron, WorldCom, and Computer Associates.
  4. Collusion is an ever-present risk in internal control systems. Management, employees, and/or third parties may collude to circumvent controls. The examples listed in the previous point are also relevant here.
  5. External events beyond the organization’s control may lead to control failures. For example, the Fukushima nuclear disaster occurred due to a combination of events that created circumstances that exceeded TEPCO’s risk assessment planning scenarios. Stated simply, unexpected doo doo can (and sometimes does) happen.
  6. Inherent limitations, such as those listed above, preclude an internal control system from providing absolute assurance. Hence, a cost-effective system of internal control provides reasonable but not absolute assurance of the achievement of organizational objectives.
14
Q

Deficiencies in Internal Control

A
  1. An internal control deficiency is a shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives. Hence, a control deficiency occurs when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
    - When an organization determines that an internal control deficiency exists, management must assess the severity of that deficiency (i.e., classify it)
  2. Types of Internal Control Deficiencies—According to the SEC:
    - Control deficiency—Defined above. The least serious of the three types of control deficiencies.
    - Significant deficiency—A deficiency (or combination of deficiencies) in internal control that is more serious than a control deficiency but less severe than a material weakness, yet it is important enough to merit attention by those charged with governance.
    - Material weakness—A deficiency (or combination of deficiencies) in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis. This is a serious, really bad problem.
15
Q

Categories of controls

A
  1. Preventive, Detective, and Corrective Controls—This classification focuses on the timing of the control relative to the potential error: that is, when the controls are applied. A well-controlled system balances preventive and detective controls and includes corrective controls as needed.
    - Preventive controls (“before the fact” controls)—Preventive controls attempt to stop an error or irregularity before it occurs. They tend to be “passive” controls, that is, once established, they simply need to be activated to be effective. Examples of preventive controls include locks on buildings and doors, use of user names and passwords to gain access to computer resources, and building segregation of duties into the organizational structure.
    - Detective controls (“after the fact” controls)—Detective controls attempt to detect an error after it has occurred. They tend to be “active” controls: that is, they must be continually performed to be effective. Examples of detective controls include data entry edits (e.g., checks for missing data, values that are too large or too small), reconciliation of accounting records to physical assets (bank reconciliations, inventory counts), and tests of transactions to determine whether they comply with management’s policies and procedures (audits).
      - Effective detective controls, when known to the relevant constituency, often take on preventive characteristics. For example, surveillance cameras are fundamentally detective controls: They are designed to detect the commission of an unauthorized act. However, when it is known that surveillance cameras are in use, they also can serve to prevent unauthorized acts. The decrease in the number of drivers running red lights when drivers know that surveillance cameras are installed on traffic signals is an example of this phenomenon.
    - Corrective controls—Always paired with detective controls, they attempt to reverse the effects of the observed error or irregularity. Examples of corrective controls include maintenance of backup files, disaster recovery plans, and insurance.
  2. Feedback and Feed-Forward Controls—This classification of controls closely relates to the previous one. Feedback and feed-forward controls focus on changing inputs or processes to promote desirable outcomes by comparing actual results (feedback) or projected results (feed-forward) to a predetermined standard.
    - Feedback controls—Evaluate the results of a process and, if the results are undesirable, adjust the process to correct the results; most detective controls are also feedback controls.
    - Feed-forward controls—Project future results based on current and past information and, if the future results are undesirable, change the inputs to the system to prevent the outcome. Many inventory ordering systems are essentially feed-forward controls: The system projects product sales over the relevant time period, identifies the current inventory level, and orders inventory sufficient to fulfill the sales demand.
  3. General Controls and Application Controls—This classification appears in many control models, including auditing standards, the COSO model, and the COBIT model (see the lessons related to these topics). Its focus is on the functional area of the control: that is, where the control is applied rather than when it is applied. The model divides information processing controls into two categories:
    - General controls—General controls are controls over the environment as a whole. They apply to all functions, not just specific accounting applications. General controls help ensure that data integrity is maintained. Examples of general controls include restricting physical access to computer resources, production and storage of backup files, and performing background checks of computer services personnel.
    - Application controls—Application controls are controls over specific data input, data processing, and data output activities. Application controls are designed to ensure the accuracy, completeness, and validity of transaction processing. As such, they have a relatively narrow focus on those accounting applications that are involved with data entry, updates, and reporting. Examples of application controls include checks to ensure that input data is complete and properly formatted (e.g., dates, dollar amounts), that account numbers are valid, and that values are reasonable (e.g., that we don’t sell quantities that are greater than the quantity currently in inventory). Application controls are sometimes called “transaction controls” since they relate specifically to transaction processing.
16
Q

Internal Control Role and Responsibility

A
  1. Internal control exists partly because of the people who create, maintain, and monitor it. These people include the board of directors or equivalent oversight body, management and personnel, support (i.e., business-enabling) functions, and internal auditors. If aspects of internal control are outsourced, the service provider performs controls, but management retains responsibility.
  2. Four key roles and responsibilities for internal control are:
    - The board of directors (BOD) is responsible for oversight of key internal control activities and the organization’s enterprise-wide risk management.
    - Management’s responsibility is for maintaining effective internal controls related to daily operations. Often their compensation is partly (or fully) based on the organization’s achievement of objectives (e.g., earnings targets). Some COSO documents refer to management as the “first line of defense” in internal controls.
    - Support (business-enabling) functions may include legal, compliance, finance, human resources, IT, and others. Support functions clarify internal control requirements and evaluate control-related compliance with set standards. Support function compensation should not be tied directly to the achievement of organizational objectives. Support (business-enabling) functions are also called the “second line of defense” in internal controls.
    - Internal auditors assess and report on internal control and provide recommendations to correct or improve activities. Their compensation should be unrelated to the business areas that they review and assess. Internal auditors are also called the “third line of defense” in internal controls.
17
Q

Internal Control Accountability: Roles and Responsibilities

A
  1. Ultimately, internal controls are the responsibility of all individuals within an entity. That is, all employees play a role in the entity’s control objectives. Specific responsibilities related to internal control, of course, depend on the individuals’ function. This section describes some key functions in the system of internal control.
  2. The board of directors and its committees, including the audit committee, are responsible for oversight of the system of internal control, and for defining expectations about integrity and ethical values, transparency, and accountability for the performance of internal control responsibilities. The BOD:
    - Must have a working knowledge of the entity’s activities and environment and commit to fulfilling their governance responsibilities. In addition, they must be objective, capable, and inquisitive.
    - Should maintain open and unrestricted communication channels with all entity personnel, internal auditors, independent auditors, external reviewers, and legal counsel.
  3. COSO charges senior management, including the CEO and CFO, with ownership of the internal control system. Management’s behavior sets the organizational ethical tone at the top by providing leadership. Accordingly, management:
    - Is accountable to the board of directors
    - Provides leadership and direction including shaping the entity’s values, standards, expectations of competence, organizational structure, and accountability for the internal control system (e.g., by specifying entity-wide objectives and policies)
    - Maintains daily oversight and control over relevant entity risks
    - Must guide and develop control activities at the entity level
    - Is responsible for delegating the design, implementation, and assessment of internal control to appropriate levels of management
    - Is responsible for communicating expectations (i.e., integrity, competence, key controls, and policies) and information requirements related to internal control
    - Must evaluate control deficiencies and the impact on the ongoing and long-term effectiveness of the system of internal control
  4. Support personnel (also called business-enabling functions) are personnel in law, compliance, IT, and risk management who assist in achieving effective and efficient internal control in multiple ways. Their activities include the following:
    - Provide guidance and assessments of internal control in their areas of expertise.
    - Identify known or emerging risks, and help management respond, communicate, and educate others about these risks.
    - Evaluate the effectiveness of developed control and risk assessment processes.
    - Help define effective controls to comply with laws and regulations.
  5. Other Personnel—Internal control is the responsibility of everyone in an organization; therefore, the principles and components’ objectives are, to differing extents, requirements of all employees.
    - Almost all employees produce information that is relevant to the internal control systems. These employees are responsible for communicating problems related to operations, code of conduct, or other policy violations or illegal actions.
  6. Internal auditors evaluate the adequacy and effectiveness of controls and thereby contribute to their ongoing effectiveness. In addition, internal auditors often play a significant role in monitoring internal controls.
  7. External parties, such as external auditors, customers, legislators and regulators, and financial analysts, also play a significant role in contributing to the achievement of an entity’s objectives. For example, the ability of external auditors to independently and objectively conduct the financial statement audit is critical to the system of internal control. These external parties often provide information that aids management and the board of directors in improving their internal controls; however, these parties are not responsible for, nor a part of, the internal control system.
18
Q

How Does Monitoring Benefit Corporate Governance?

A
  1. Monitoring is the core, underlying control component in COSO documents. Its position at the foundation is not accidental and reflects the importance of monitoring to achieving strong internal control and effective risk management.
  2. Why is control monitoring important?
    - People forget, quit jobs, get lazy, or come to work hung over; machines fail. Over time, controls deteriorate. This deterioration is called “entropy.”
    - Advances in technology and management techniques demand that internal control and related monitoring processes continually evolve and improve.
  3. Well-designed control monitoring helps lessen the negative effects of entropy and ensure that:
    - Management identifies internal control problems on a timely basis, meaning before they create crises, and addresses them proactively, rather than reactively.
    - Decision makers receive more timely and accurate information.
    - Financial statements are timely, reliable and accurate.
    - Certifications of internal control, e.g., as required by SOX Section 404, occur on a timely basis.
    - Organizational efficiencies are maximized and costs are reduced.
19
Q

The Terminology of Control Monitoring

A

Evaluators monitor internal control. They must have the skills, knowledge, and authority to enable them to:

  1. understand the risks that can materially affect the organization’s objectives,
  2. identify critical controls related to managing or mitigating those risks, and
  3. conduct and/or oversee the monitoring of appropriately persuasive information about the effectiveness of the internal control system.

Two primary attributes of effective evaluators are competence and objectivity.

  - Competence—The evaluator’s knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency.
  - Objectivity—This concerns the extent to which the evaluator may be influenced by personal or vested interests in the outcome of the evaluation. For example, having a financial or personal interest (e.g., the CEO’s son works in the unit that she is evaluating) would likely inappropriately influence an evaluator due to the loss of objectivity.
20
Q

Levels of Monitoring

A
  1. Board monitoring—Control monitoring by the board, its committees, or others charged with overseeing management conduct. Includes evaluating management’s own monitoring process and should include an assessment of the risk of management override of controls.
  2. Self-assessment occurs when persons responsible for a particular unit or function determine the effectiveness of controls for their activities. The term is often used to describe assessments made by the personnel who operate the control (i.e., self-review), but may also refer to peer or supervisory review within the same unit in which the control was created.
  3. Self-review refers to the review of one’s own work. It represents the least objective type of “self-assessment” described above.
21
Q

The nature or quality of controls

A
  1. Control objectives—Specific targets against which the effectiveness of internal control is evaluated. Typically stated in terms that describe the nature of the risk they are designed to help manage or mitigate.
  2. Compensating controls—Controls that accomplish the same objective as another control and that can be expected to “compensate” for deficiencies in that control
  3. Deficiency or internal control deficiency—A condition within an internal control system requiring attention. May represent a perceived, potential or real shortcoming, or an opportunity to strengthen the internal control system to provide a greater likelihood of achieving its objective.
  4. Key controls—Those controls that are most important to monitor to support a conclusion about the internal control system’s ability to manage or mitigate meaningful risks. Identifying key controls helps ensure that the organization directs monitoring resources where they can provide the most value. Key controls often have one or both of the following characteristics:
    — Their failure might materially affect the organization’s objectives, yet not reasonably be detected in a timely manner by other controls.
    — Their effective operation might prevent other control failures or detect such failures before they have an opportunity to become material to the organization’s objectives.
  5. Key performance indicators—Metrics that reflect critical success factors. They help organizations measure progress toward goals and objectives.
  6. Key risk indicators (KRIs)—Forward-looking metrics that seek to identify potential problems, thus enabling an organization to take timely action, if necessary.
    — KRIs range from simple (e.g., key ratios used by the board or senior management) to elaborate (e.g., collecting and aggregating multiple indicators of risk into multidimensional risk scores that are displayed to senior managers in dashboards).
    — KRIs measure events or causes that can prevent the achievement of performance goals.
    — Elements of well-designed key risk indicators:
    —-> Are based on established practices or benchmarks
    —-> Are developed and used consistently across the organization
    —-> Provide an unambiguous, intuitive view of the risk
    —-> Are comparable over time and across business units
    —-> Provide opportunity for timely assessments of the performance of risk “owners”
    —-> Use resources efficiently
22
Q

Terms Related to Quality of Evidence in Control Monitoring and Assessment

A
  1. Direct information
    —Information that directly substantiates the operation of controls and is obtained by observing them in operation, reperforming them, or otherwise directly evaluating their operation. Direct information is generally highly persuasive because it provides an unobstructed view of control operation. It can be obtained from either ongoing or separate evaluations, but it must link directly to a judgment regarding the effective operation of controls.
  2. Indirect information
    —Relevant information, other than direct information, for assessing whether controls are operating and an underlying risk is mitigated. Does not provide explicit evidence as to whether controls are operating effectively. In the presence of an effective monitoring structure, persuasive indirect information influences the type, timing and extent of monitoring procedures required to obtain direct information.
  3. Persuasiveness of information
    —This refers to the degree to which the information provides support for conclusions. The level of persuasiveness is derived from its suitability (i.e., its relevance, reliability, and timeliness) and its sufficiency.
  4. Relevant information
    —This tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls (see “direct information”) is most relevant. Information that relates indirectly to the operation of controls (see “indirect information”) can also be relevant, but is less so than direct information.
  5. Reliable information
    —Reliable information is accurate, verifiable and from an objective source.
  6. Sufficient information
    —Information is sufficient when evaluators have gathered enough of it to form a reasonable conclusion. However, in order for information to be sufficient, it must be suitable.
  7. Suitable information
    —Suitable information is relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source), and timely (i.e., produced and used in an appropriate time frame).
  8. Timely information
    —Timely information is produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material to an organization’s objectives.
  9. Verifiable or verifiability
    —Verifiable information is information that can be established, confirmed, or substantiated as true or accurate.
23
Q

Control Monitoring as an organizational process

A

Here is a brief description of the COSO (2006, 2008) model of control monitoring as an organizational process.
  1. Internal control begins with management setting organizational objectives. This process, shown in gray in the following diagram, underlies the internal control processes that are shown in colors.
  2. The first four processes (risk assessment, control environment, control activities, and information and communication) are discussed in the “Introduction to COSO, Internal Control, and the COSO Cube” lesson.
  3. Monitoring evaluates the internal control system’s ability to manage or mitigate “meaningful risks” to organizational objectives. A meaningful risk is one with potential consequences for organizational objectives.
24
Q

Monitoring Processes

A
  1. How do organizations monitor their control processes?
  2. Monitoring should be both (a) ongoing and continuous, and (b) periodic, i.e., through separate, formally designed and designated evaluation processes.
  3. Methods for reviewing control processes may include:
    – Review processes incorporating reviews of flowcharts and of risk and control documentation
    – Benchmarking assessments comparing organizational controls and processes with best practices in comparable functions
    – Questionnaires that assess the extent to which controls are operating as stipulated
    – Focus groups and interviews to identify concerns and surprises related to changes in the system of internal control
  4. Examples of organizational processes for monitoring controls, and of control evaluators, include:
    — Periodic evaluation and testing of controls by internal auditors (who, to increase independence, report to the board of directors or an audit committee but not to the CFO)
    — Continuous monitoring programs built into information systems
    — Analysis of, and appropriate follow-up on, operating reports or metrics that identify anomalies indicating control failure (these assessments are often built into quality control systems)
    — Supervisory reviews of controls, such as reconciliation reviews
    — Self-assessments by boards and management regarding the tone they set in the organization and the effectiveness of their oversight functions
    — Audit committee inquiries of internal and external auditors
    — Quality assurance reviews of the internal audit department
25
Q

COSO model of control monitoring

A
  1. Establish a foundation for monitoring, including
    1. a positive tone at the top;
    2. an effective organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity, and authority; and
    3. a starting point or “baseline” of known effective internal control from which ongoing monitoring and separate evaluations can be implemented.
  2. Design and execute monitoring procedures focused on persuasive information about the operation of key controls that address meaningful risks to organizational objectives.
  3. Assess and report control evaluation results, which includes evaluating the severity of any identified deficiencies and reporting the monitoring results to the appropriate personnel and the board for timely action and follow-up if needed.
26
Q

Conceptual model - baseline understanding of internal control effectiveness

A

As part of establishing a foundation for monitoring, COSO specifies a conceptual four-stage process for moving from an initial understanding of control effectiveness to a revised and enhanced understanding of control effectiveness, including an assessment of the presence and effects of changes in controls or risks. The following figure illustrates this process, which is called the “monitoring-for-change continuum.”

  1. Establish a control baseline—Begin with an area in which controls on risk are well understood, or do extensive initial assessment to gain an understanding of controls and risk within a specific area of the organization. This baseline understanding of control effectiveness provides a starting point for enhanced monitoring.
  2. Identify changes—Identify changes in the operations or design of controls or in related risks. Often includes ongoing and separate evaluations to identify, and address the potential changes in, internal control effectiveness.
  3. Manage changes—When changes occur, verify that controls remain effective despite identified changes in controls and/or risks. Establishes a new control baseline for the modified controls.
  4. Revalidate control baseline
    — Ideally, ongoing monitoring procedures will use highly persuasive information. If this is the case, they can routinely revalidate the conclusion that controls are effective, thus maintaining a continuous control baseline.
    — When ongoing monitoring uses less-persuasive information, or when the level of risk warrants, monitoring will need to revalidate control operation through separate evaluations using appropriately persuasive information.
27
Q

Everything changes yet control remains the same

A
  1. Entity operations constantly evolve. Internal control processes must anticipate and promptly react to these changes. To identify conditions that create change, entities often create information systems to capture and report on these activities.
    – The French expression “Plus ça change, plus c’est la même chose” is translated as “The more things change, the more they stay the same.” When this expression is applied to internal control, it means that, even though the entity and its risks are always changing, internal control should remain effective and efficient despite these changes.
    – According to the COSO internal control framework, risks change over time; management must determine whether and how the entity’s internal control system can address future risks.
    – Therefore, management’s ongoing monitoring activities should carefully assess whether the entity reconsiders the design of controls when risks change. This process must also verify the continued operation of existing controls that have been designed to reduce these risks to an acceptably low level.
    – Accordingly, COSO emphasizes:
    —-> Monitoring as a fundamental process for analyzing risks, and
    —-> An understanding of how controls may or may not manage or mitigate these risks.
    These processes facilitate correcting control deficiencies before they impact the achievement of the entity’s objectives.
  2. Change control is the process used to request, review, specify, plan, approve, implement, and monitor changes to a system. Change control processes and policies ensure that implemented changes are structured, planned, and managed.
    – Well-structured documentation is essential to an effective change management system and helps to identify what can be improved. These potential improvements range in scope from major revisions to simple fixes. Documentation also ensures proper initiation, reviews, tests, and approvals.
    – A practical change control process includes at least the following:
    —-> Proper risk analysis
    —-> Written change control procedures
    —-> Change request forms
    —-> Quality system methodologies to ensure business requirements are met
    —-> Change review team(s)
    —-> Appropriate segregation of duties
    —-> Appropriate permissions model
    —-> Implementation and test teams
    —-> Retention of applicable documentation
  3. Change management should be part of the entity’s risk assessment to identify potential areas of fraud, the effectiveness of the controls, and their likelihood of failure. Specific types of changes to consider include:
    —-> Changes in operations—A divestiture, acquisition, restructuring, or regulatory change can result in increased risks.
    —-> Personnel changes—Increased turnover or new senior management can have significant impacts on the entity’s controls.
    —-> Changing technologies or information systems—New technologies can cause control failures during the transitional period. As a practical example, consider how the Internet, mobile phones, tablet PCs, and wearable computing have affected and will affect internal control risks.
    —-> Rapid, unexpected growth—Current controls may be unable to keep pace with sudden growth.
  4. As always, control change management must consider costs versus benefits. Specifically, modifying information systems to address changes should, conceptually, continue only up to the point where the marginal dollar spent on the systems earns less than a dollar in return.