Chapter 6 Flashcards
What are the three categories of objectives in COSO
Reliability of financial reporting
Effectiveness and efficiency of operations
Compliance with laws and regulations
Who designs and enforces internal controls
The board of directors and management team
What act requires management of every public company to issue an internal control report
Sarbanes Oxley
The report must include an assessment of the effectiveness of ICFR, a statement of management's responsibility for establishing and maintaining it, and identify the framework used to evaluate it (in practice, COSO).
What is COSO
A framework used for evaluating the effectiveness of internal control over financial reporting (ICFR)
What are the 5 COSO components
Control environment
Risk assessment
Information and Communication
Control Activities
Monitoring of controls
What is the control environment (COSO)
The foundation for carrying out controls across an organization. Examples: commitment to integrity and ethical values, board oversight responsibility
What is risk assessment (COSO)
A dynamic process for identifying and analyzing the risks to achieving the entity’s objectives. Example: fraud risk and significant change
What is control activity (COSO)
Actions established through policies and procedures that are performed at all levels of the entity. Examples: selecting and developing control activities and deploying them through policies and procedures
What is information and communication (COSO)
Internal and external communication that provides the organization with the information it needs to carry out day-to-day control activities and lets personnel understand their responsibilities. Examples: internal reporting lines, communication with external parties such as regulators and customers
What is Monitoring Activities (COSO)
The ongoing and separate evaluations used to ascertain whether each of the five components is present and functioning.
What are the inherent limitations of controls/COSO
Management override
Human error
Collusion
What is an Integrated Audit
An integrated audit combines a financial statement audit with an audit of internal control over financial reporting (ICFR).
What is a control deficiency
A deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of their assigned functions, to prevent or detect misstatements on a timely basis
What is a significant deficiency
A deficiency that is less severe than a material weakness but important enough to merit attention
What is a material Weakness
A deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis.
What is remediation of a material weakness
The process of correcting a material weakness in ICFR
When do you give an adverse opinion on ICFR
When there is a material weakness in ICFR
What is a management letter
The method auditors use to communicate internal control matters in writing, on a timely basis, to those charged with governance. This includes internal control weaknesses, significant deficiencies, and other matters noted during the audit
What is an auditor’s responsibility for communicating ICFR to management?
Auditors must communicate in writing to management and the audit committee all material weaknesses and significant deficiencies identified during the audit; other deficiencies in ICFR are communicated in writing to management
What is an entity level control?
Controls that exist at the organizational level like HR policies and attitude towards internal controls
What are transaction level controls
Transaction-level controls are controls that affect a particular transaction or group of transactions.
What is segregation of duties
Separating incompatible duties so that no one person holds more than one of the following responsibilities:
Authorizing
Safekeeping
Record keeping
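Segregation of duties is usually checked by looking at who actually holds which entitlements, not at the org chart. The following is an added example, not part of the original flashcards: it maps a constructed entitlement export onto the three duty classes above (authorizing, safekeeping/custody, record keeping) and flags any user holding more than one class. The entitlement names, the mapping, and the export itself are all assumptions made up for illustration.

```python
"""Segregation-of-duties conflict check over an entitlement export.

Added example, not from the original flashcards. The entitlement names,
the duty mapping and the export below are constructed for illustration.
"""
from collections import defaultdict

# Hypothetical mapping of application entitlements to the three duty
# classes. A real review would build this from the application's role
# catalogue; here it is hand-written.
DUTY_OF_ENTITLEMENT = {
    "ap.approve_invoice": "authorization",
    "ap.release_payment": "authorization",
    "treasury.wire_transfer": "custody",
    "vault.check_stock": "custody",
    "gl.post_journal": "record_keeping",
    "ap.enter_invoice": "record_keeping",
}

# Constructed (user, entitlement) export, as an IAM system might dump it.
ENTITLEMENTS = [
    ("alice", "ap.approve_invoice"),
    ("alice", "gl.post_journal"),         # authorization + record keeping
    ("bob", "ap.enter_invoice"),
    ("bob", "gl.post_journal"),           # both record keeping: no conflict
    ("carol", "treasury.wire_transfer"),
    ("carol", "ap.release_payment"),      # custody + authorization
    ("carol", "ap.enter_invoice"),        # + record keeping: all three
    ("dave", "vault.check_stock"),
    ("erin", "unknown.entitlement"),      # unmapped: reported, not ignored
]


def duties_by_user(entitlements, mapping=DUTY_OF_ENTITLEMENT):
    """Return ({user: set of duty classes}, {user: set of unmapped entitlements})."""
    duties = defaultdict(set)
    unmapped = defaultdict(set)
    for user, ent in entitlements:
        if ent in mapping:
            duties[user].add(mapping[ent])
        else:
            # An entitlement nobody classified is a gap in the review,
            # so it is surfaced rather than silently treated as harmless.
            unmapped[user].add(ent)
    return dict(duties), dict(unmapped)


def sod_conflicts(entitlements, mapping=DUTY_OF_ENTITLEMENT):
    """Users holding two or more incompatible duty classes, with the classes held."""
    duties, _ = duties_by_user(entitlements, mapping)
    return {user: sorted(held) for user, held in duties.items() if len(held) > 1}


if __name__ == "__main__":
    for user, held in sod_conflicts(ENTITLEMENTS).items():
        print(f"SoD conflict: {user} holds {', '.join(held)}")
    _, unmapped = duties_by_user(ENTITLEMENTS)
    for user, ents in unmapped.items():
        print(f"Unmapped entitlement(s) for {user}: {', '.join(sorted(ents))}")
```

Note that bob holds two entitlements but both are record keeping, so he is not flagged: the conflict is between duty classes, not between entitlements. Unmapped entitlements are reported separately because a missing classification is itself a finding.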
What is a SOC Report
A report on a service organization's internal controls that user entities need in order to assess and address the risks of an outsourced service. SOC 3 reports are general-use reports that may be given to the public
What is a SOC type 1
Expresses an opinion on the fairness of management's description of the system and the suitability of the design of controls as of a point in time
What is a SOC type 2
Expresses an opinion on the fairness of the description, the suitability of the design, and the operating effectiveness of controls over a specified period
What are IT general controls
Controls over the overall information-processing environment. Examples: data center operations, access controls, software change management
What are IT application controls
Controls that apply to the processing of specific computer applications. Examples: input controls on data such as date formatting, error-handling controls
What is a financial total, hash total, and record count
Financial total is the sum of the amounts for all records in a batch, such as total dollars of all vendor payments
Hash total is the sum of a field that has no meaning as a total, such as employee IDs or vendor codes, used only to detect lost or altered records
Record count is the number of physical records in the batch, such as the number of invoices
What are examples of input controls
Missing data check
Verification controls
Valid character checks
Valid code check
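The batch totals and input controls above are easiest to see working together over one batch. The following is an added example, not from the original flashcards: it takes a constructed vendor-payment batch with a control slip, recomputes the record count, financial total and hash total, reconciles them against the slip, and runs missing-data, valid-code, valid-character and date-format checks on each record. The field names, the vendor-code list, the invoice number format and the batch contents are all assumptions.

```python
"""Batch control totals and input controls over a constructed payment batch.

Added example, not part of the original flashcards. The control slip,
records, vendor list and field formats below are constructed assumptions.
"""
import re
from datetime import datetime

# Control slip prepared by the sending department before data entry (constructed).
CONTROL_SLIP = {"record_count": 4, "financial_total": 3150.00, "hash_total": 4080}

# Batch as keyed by data entry (constructed). Vendor is a 4-digit code;
# the hash total is the sum of those codes. Record 3 has a malformed
# invoice number and an impossible date; record 4 lost its amount.
BATCH = [
    {"vendor": "1020", "invoice": "INV-1001", "amount": "1200.00", "due": "2024-03-01"},
    {"vendor": "1030", "invoice": "INV-1002", "amount": "950.00",  "due": "2024-03-05"},
    {"vendor": "1010", "invoice": "INV1003",  "amount": "500.00",  "due": "2024-13-01"},
    {"vendor": "1020", "invoice": "INV-1004", "amount": "",        "due": "2024-03-10"},
]

VALID_VENDORS = {"1010", "1020", "1030"}   # hypothetical vendor master
FIELDS = ("vendor", "invoice", "amount", "due")


def batch_totals(batch):
    """Recompute record count, financial total and hash total from the records."""
    return {
        "record_count": len(batch),
        "financial_total": sum(float(r["amount"]) for r in batch if r["amount"]),
        "hash_total": sum(int(r["vendor"]) for r in batch if r["vendor"].isdigit()),
    }


def reconcile(batch, slip):
    """Differences between the control slip and the recomputed totals."""
    actual = batch_totals(batch)
    return [(k, slip[k], actual[k]) for k in ("record_count", "financial_total", "hash_total")
            if slip[k] != actual[k]]


def input_errors(batch, valid_vendors=VALID_VENDORS):
    """Per-record input control failures as (record index, field, message)."""
    errors = []
    for i, rec in enumerate(batch):
        # Missing data check: every field must be present and non-empty.
        for field in FIELDS:
            if not rec.get(field):
                errors.append((i, field, "missing data"))
        # Valid code check: vendor must exist in the vendor master.
        if rec.get("vendor") and rec["vendor"] not in valid_vendors:
            errors.append((i, "vendor", "invalid vendor code"))
        # Valid character/format checks on invoice number and amount.
        if rec.get("invoice") and not re.fullmatch(r"INV-\d{4}", rec["invoice"]):
            errors.append((i, "invoice", "invalid characters/format"))
        if rec.get("amount") and not re.fullmatch(r"\d+\.\d{2}", rec["amount"]):
            errors.append((i, "amount", "invalid amount format"))
        # Date check: must parse as a real calendar date in the expected format.
        if rec.get("due"):
            try:
                datetime.strptime(rec["due"], "%Y-%m-%d")
            except ValueError:
                errors.append((i, "due", "invalid date"))
    return errors


if __name__ == "__main__":
    for field, expected, actual in reconcile(BATCH, CONTROL_SLIP):
        print(f"Control total mismatch on {field}: slip={expected} computed={actual}")
    for idx, field, msg in input_errors(BATCH):
        print(f"Record {idx} field {field}: {msg}")
```

The missing amount on the last record shows why the three totals are used together: the record count and hash total still agree with the slip, so only the financial total reveals that a value was dropped during entry, while the input controls pinpoint which record and field.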
What is pilot and parallel testing
Pilot testing is when a new system is implemented in one part of the organization while the other locations rely on the old system.
Parallel testing is when the old and new systems operate simultaneously in all locations