Ch.6 Internal control Flashcards

1
Q

5 components of internal control covered in the COSO framework?

A
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring activities
2
Q

What are objectives? What 3 categories of objectives are set forth in the COSO framework?

A

• Objectives: Objectives are what an organization strives to achieve.

• 3 categories of objectives:
	○ Operations objectives: pertain to how effective and efficient the entity's operations are
	○ Reporting objectives: pertain to internal and external financial and non-financial reporting
		§ May encompass reliability, timeliness, transparency, and other terms set forth by regulators, standard setters, or entity policies.
	○ Compliance objectives: adherence to the laws and regulations the entity is subject to
3
Q

Objectives

A

Objectives are what an organization strives to achieve.

4
Q

3 categories of objectives

A

Operations Objectives
Reporting Objectives
Compliance Objectives

5
Q

Operations Objectives

A

How effective and efficient the entity’s operations are

6
Q

Reporting Objectives

A

Internal and external financial and non-financial reporting. May encompass reliability, timeliness, transparency, and other terms set forth by regulators, standard setters, or entity policies.

7
Q

Compliance Objectives

A

Adherence to the laws and regulations the entity is subject to

8
Q

What are control activities?

A

• Control activities: actions taken by mgmt, the board, and other parties to mitigate risk and increase the likelihood that established objectives/goals will be reached

9
Q

Examples of control activities

A

○ Performance reviews
○ Authorizations (approvals)
○ IT access control activities
○ Documentation
○ Physical access control activities
○ IT application (input, processing, output) control activities
○ Independent verifications and reconciliations

10
Q

What is high-quality information? Why must high-quality information be communicated?

A

High-quality information: is relevant, accurate, and timely

It supports the achievement of their operating, reporting, and compliance responsibilities

11
Q

When are monitoring activities most effective?

Who performs monitoring activities?

What distinguishes separate evaluations from ongoing monitoring activities?

A

• Monitoring activities are most effective when a layered approach is implemented

• Who performs monitoring activities: most organizations have functions other than internal audit that provide separate, independent assessments, such as environmental and safety departments, quality assurance groups, or trading control activities

• Separate evaluations vs. ongoing monitoring:
	○ Separate evaluations: conducted periodically; vary in scope and frequency depending on assessment of risk, effectiveness of ongoing evaluations, and other mgmt considerations
	○ Monitoring activities: ongoing evaluations built into business processes at different levels of the entity that provide timely information.
12
Q

When are monitoring activities most effective?

A

Monitoring activities are most effective when a layered approach is implemented (3 layers)
○ A layered approach provides the organization with a higher level of confidence that the system of internal controls is effective

13
Q

3 layers of the layered approach to monitoring activities?

A

○ 1st layer: everyday activities performed by mgmt of a given area
○ 2nd layer: separate (non-independent) evaluation of the area’s internal controls performed by mgmt on a regular basis to ensure deficiencies are identified and resolved.
○ 3rd layer: independent assessment by an outside area or function performed to validate the results

14
Q

What distinguishes separate evaluations from ongoing monitoring activities?

A

○ Separate evaluations: conducted periodically; vary in scope and frequency depending on assessment of risk, effectiveness of ongoing evaluations, and other mgmt considerations
○ Monitoring activities: ongoing evaluations built into business processes at different levels of the entity that provide timely information.

15
Q

What responsibilities do the following groups of people have regarding internal control:
○ Management
○ Board of directors
○ Internal auditors
○ Others in org.
○ Independent outside auditor

A

○ Management: the CEO and senior management own internal control and set the tone at the top (how ethical the org is, how much integrity it has)
○ Board of directors: provides governance and oversight
§ oversees mgmt, provides direction, has responsibility for overseeing the system of internal controls
○ Internal auditors: provide independent assessment of operating effectiveness. Provide assurance and advisory support to mgmt on internal controls
○ Others in organization: produce or monitor elements of an organization’s system of internal controls.
○ Independent outside auditor: does not have responsibility for the organization’s internal control, but does contribute independence and objectivity through opinions covering the fairness of the financial statements and the effectiveness of internal control over financial reporting.

16
Q

What does “Limitations of internal control” mean? Provide examples of limitations inherent to internal control.

A

○ Limits of internal control are the confines that relate to the limits of human judgment, resource constraints and the need to consider the cost of controls in relation to expected benefits, the reality that breakdowns can occur, and the possibility of collusion or management override

Examples:
§ Human judgment in decision making may be faulty and biased
§ Human failure: simple errors
§ Ability of mgmt to override internal control
§ Ability of mgmt, other personnel, 3rd parties to circumvent controls (collusion)
§ External events beyond control

17
Q

Inherent risks

A

• Inherent risk: combination of internal and external risk factors in their pure, uncontrolled state. The gross risk that exists assuming no internal controls are in place

18
Q

Controllable risk

A

• Controllable risk: portion of inherent risk that mgmt can reduce through day-to-day operations and mgmt activities

19
Q

Residual risk

A

• Residual risk: Portion of inherent risk that remains after mgmt executes its risk responses (aka net risk)

20
Q

Key control

A

○ Key control: an activity designed to reduce risk associated with a critical business objective

21
Q

Secondary control

A

○ Secondary control: designed to reduce risk associated with biz objectives not critical to the org's survival or success, OR serves as a backup to a key control

22
Q

Compensating control

A

○ Compensating control: if key controls do not fully operate effectively, may help reduce the related risk.
§ Will not reduce risk to an acceptable level on its own

23
Q

Preventative controls

Detective Controls

A

○ Preventative controls: designed to deter unintended events from happening in the 1st place (e.g. physical and logical access controls: locked doors, user IDs with unique passwords)

○ Detective controls: designed to discover undesirable events that have already happened (e.g. security cameras for unauthorized physical access, review of computer logs for unauthorized access attempts)
24
Q

2 broad types of information systems (technology) controls?

A

○ General computing controls: apply to many or all application systems + help ensure continued, proper operation

○ Application controls: computerized steps in the application SW + related manual procedures to control the processing of various types of transactions.
25
Q

MC-Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk mgmt, and control processes?

A

Provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically

26
Q

MC-What is residual risk?

A

Risk that is not managed

27
Q

MC-The requirement that purchases be made from suppliers on an approved list is an example of a ….

A

PREVENTATIVE control

28
Q

MC-An effective system of internal controls is most likely to detect fraud by….

A

A single employee

29
Q

MC- The control that would most likely ensure payroll check written only for authorized amounts is…

A

Require supervisory approval of employee timecards

30
Q

MC- Internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which would NOT be required as part of such engagement

A

Determine if treasurer getting higher/lower rates

31
Q

MC-Appropriate internal control for a multinational corporation branch office that has a department responsible for trf of money requires that….

A

The person who initiates the trf doesn’t also reconcile bank stmts

32
Q

MC-Who has primary responsibility for the monitoring component of internal control

A

Organizational mgmt

33
Q

MC-Reasonable assurance, as it pertains to internal control, means that….

A

Inherent limitations of internal control preclude (prevent) a system of internal control from providing absolute assurance that objectives will be achieved.

34
Q

MC-Which of the following best exemplifies a control activity referred to as independent verification…

A

Reconciliation of bank accts by someone who doesn’t handle cash

35
Q

The risk assessment component of internal control involves the ….

A

Org. identifying/analyzing risks that threaten obj.