Ch.6 Internal control Flashcards
What are the 5 components of internal control covered in the COSO framework?
- Control Environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
What are objectives? What 3 categories of objectives are set forth in the COSO framework?
• Objectives: what an organization strives to achieve.
• 3 categories of objectives:
○ Operations objectives: pertain to the effectiveness and efficiency of the entity's operations
○ Reporting objectives: pertain to internal and external financial and non-financial reporting
§ May encompass reliability, timeliness, transparency, and other terms set forth by regulators, standard setters, or entity policies.
○ Compliance objectives: adherence to the laws and regulations the entity is subject to
Objectives
Objectives are what an organization strives to achieve.
3 categories of objectives
Operations Objectives
Reporting Objectives
Compliance Objectives
Operations Objectives
The effectiveness and efficiency of the entity's operations
Reporting Objectives
Internal and external financial and non-financial reporting. May encompass reliability, timeliness, transparency, and other terms set forth by regulators, standard setters, or entity policies.
Compliance Objectives
Adherence to the laws and regulations the entity is subject to
What are control activities?
• Control activities: actions taken by mgmt, the board, and other parties to mitigate risk and increase the likelihood that established objectives/goals will be reached
Examples of control activities
○ Performance reviews
○ Authorizations (approvals)
○ IT access control activities
○ Documentation
○ Physical access control activities
○ IT application (input, processing, output) control activities
○ Independent Verifications and reconciliations
What is high quality information? Why must high quality Information be communicated?
High quality information is relevant, accurate, and timely.
It must be communicated because it supports the achievement of the organization's operating, reporting, and compliance responsibilities.
When are monitoring activities most effective?
Who performs monitoring activities?
What distinguishes separate evaluations from ongoing monitoring activities?
• Monitoring activities are most effective when a layered approach is implemented
• Who performs monitoring activities: most organizations have functions other than internal audit that provide separate, independent assessments, such as environmental and safety departments, quality assurance groups, or trading control activities
○ Separate evaluations: conducted periodically; vary in scope and frequency depending on the assessment of risk, the effectiveness of ongoing evaluations, and other mgmt considerations
○ Ongoing monitoring activities: ongoing evaluations built into business processes at different levels of the entity that provide timely information
When are monitoring activities most effective?
Monitoring activities are most effective when a layered approach is implemented (3 layers)
○ A layered approach provides the organization with a higher level of confidence that the system of internal controls is effective
What are the 3 layers of the monitoring activities layered approach?
○ 1st layer: everyday activities performed by the mgmt of a given area
○ 2nd layer: separate (non-independent) evaluation of the area's internal controls, performed by mgmt on a regular basis to ensure deficiencies are identified and resolved
○ 3rd layer: independent assessment by an outside area or function, performed to validate the results
What distinguishes separate evaluations from ongoing monitoring activities?
○ Separate evaluations: conducted periodically; vary in scope and frequency depending on the assessment of risk, the effectiveness of ongoing evaluations, and other mgmt considerations
○ Ongoing monitoring activities: ongoing evaluations built into business processes at different levels of the entity that provide timely information
What responsibilities do the following groups of people have regarding internal control: management, board of directors, internal auditors, others in the org., independent outside auditors?
○ Management: the CEO and senior management own internal control and set the tone at the top (how ethical the org is, how much integrity it has)
○ Board of directors: provides governance and oversight
§ Oversees mgmt, provides direction, and has responsibility for overseeing the system of internal controls
○ Internal auditors: provide an independent assessment of operating effectiveness; provide assurance and advisory support to mgmt on internal controls
○ Others in the organization: produce or monitor elements of the organization's system of internal controls
○ Independent outside auditors: do not have responsibility for the organization's internal control, but they do contribute independence and objectivity through their opinions covering the fairness of the financial statements and the effectiveness of internal control over financial reporting
What does "limitations of internal control" mean? Provide examples of limitations inherent to internal control.
○ Limits of internal control are the confines that relate to the limits of human judgment, resource constraints and the need to consider the cost of controls in relation to expected benefits, the reality that breakdowns can occur, and the possibility of collusion or management override
Examples:
§ Human judgement in decision making may be faulty and biased
§ Human failure: simple errors
§ Ability of mgmt to override internal control
§ Ability of mgmt, other personnel, 3rd parties to circumvent controls (collusion)
§ External events beyond control
Inherent risks
• Inherent risk: the combination of internal and external risk factors in their pure, uncontrolled state; the gross risk that exists assuming no internal controls are in place
Controllable risk
• Controllable risk: the portion of inherent risk that mgmt can reduce through day-to-day operations and mgmt activities
Residual risk
• Residual risk: the portion of inherent risk that remains after mgmt executes its risk responses (aka net risk)
Key control
○ Key control: an activity designed to reduce risk associated with a critical business objective
Secondary control
○ Secondary control: designed to reduce risk associated with business objectives not critical to the org's survival or success, OR to serve as a backup to a key control
Compensating control
○ Compensating control: if key controls do not operate fully effectively, may help reduce the related risk
§ Will not reduce risk to an acceptable level on its own
Preventative controls
Detective Controls
○ Preventative controls: designed to deter unintended events from happening in the first place (e.g. physical and logical access controls: locked doors, user IDs with unique passwords)
○ Detective controls: designed to discover undesirable events that have already happened (e.g. security cameras for unauthorized physical access, review of computer logs for unauthorized access attempts)
What are the 2 broad types of information systems (technology) controls?
○ General computing controls: apply to many or all application systems and help ensure continued, proper operation
○ Application controls: computerized steps in the application software, plus related manual procedures, to control the processing of various types of transactions