Chapter 6 Flashcards
WHAT ARE THE 3 INTERNAL AUDIT FRAMEWORKS
1 - INTERNAL CONTROL INTEGRATED FRAMEWORK (COSO)
2 - GUIDANCE ON CONTROL (COCO - CANADIAN)
3 - INTERNAL CONTROL: REVISED GUIDE FOR DIRECTORS ON THE COMBINED CODE (TURNBULL REPORT)
WHAT DOES SOX REQUIRE OF THE CFO AND CEO?
THE SEC REQUIRES THAT THE CFO AND CEO OF PUBLICLY TRADED COMPANIES OPINE ON THE DESIGN ADEQUACY AND OPERATING EFFECTIVENESS OF INTERNAL CONTROLS OVER FINANCIAL REPORTING (ICFR)
OPINION MUST BE BASED ON A SUITABLE FRAMEWORK
REQUIREMENTS OF A SUITABLE CONTROL FRAMEWORK
- FREE FROM BIAS
- PERMIT CONSISTENT QUALITATIVE AND QUANTITATIVE MEASUREMENT OF A COMPANY’S IC ENVIRONMENT
- BE COMPLETE TO REDUCE OR ELIMINATE OMISSIONS
- BE RELEVANT TO A REVIEW OF ICFR
WHAT IS THE BENEFIT OF USING STANDARDS IN REVIEWING ICFR
PROMOTE COMPARABILITY OF THE IC REPORTS OF DIFFERENT COMPANIES
COSO DEFINITION OF INTERNAL CONTROL
A PROCESS, EFFECTED BY AN ENTITY’S BOD, MGMT, AND OTHER PERSONNEL, DESIGNED TO PROVIDE REASONABLE ASSURANCE REGARDING ACHIEVEMENT OF OBJECTIVES RELATING TO OPERATIONS, REPORTING AND COMPLIANCE
WHO IS ULTIMATELY RESPONSIBLE FOR THE IC OF AN ORGANIZATION
THE CEO
WHAT ARE THE 3 CATEGORIES OF COSO OBJECTIVES
- OPERATIONS OBJECTIVES
- REPORTING OBJECTIVES (INTERNAL & EXTERNAL)
- COMPLIANCE OBJECTIVES
WHAT ARE THE 5 COMPONENTS OF IC COVERED BY THE COSO FRAMEWORK
- CONTROL ENVIRONMENT
- RISK ASSESSMENT
- CONTROL ACTIVITIES
- INFORMATION AND COMMUNICATION
- MONITORING ACTIVITIES
WHAT IS THE CONTROL ENVIRONMENT COMPRISED OF
SOFT CONTROLS
- INTEGRITY AND ETHICAL VALUES OF THE ORG
- PARAMETERS ENABLING THE BOD TO CARRY OUT ITS GOV OVERSIGHT RESPONSIBILITIES
- ORG STRUCTURE AND ASSIGNMENT OF AUTH AND RESP
- PROCESS FOR RECRUITING THE RIGHT PEOPLE
- RIGOR AROUND PERFORMANCE MEASURES AND PAY
WHAT IS A PRECONDITION TO RISK ASSESSMENT
ESTABLISHMENT OF OBJECTIVES LINKED AT DIFFERENT LEVELS OF THE ENTITY
WHAT IS INVOLVED IN RISK ASSESSMENT
PROCESS FOR IDENTIFYING AND ASSESSING RISKS TO THE ACHIEVEMENT OF OBJECTIVES
SUCCESSES THAT MUST BE ACCOMPLISHED FOR OBJECTIVES TO BE ACHIEVED
CRITICAL SUCCESS FACTORS
ACTIONS TAKEN BY MGMT, THE BOD, AND OTHER PARTIES TO MITIGATE RISK AND INCREASE LIKELIHOOD THAT ESTABLISHED OBJECTIVES AND GOALS WILL BE ACHIEVED
CONTROL ACTIVITIES
8 TYPES OF CONTROLS THAT ARE PRESENT IN A WELL DESIGNED IC ENVIRONMENT
- PERFORMANCE REVIEWS
- AUTHORIZATIONS
- IT ACCESS CONTROL ACTIVITIES
- DOCUMENTATION
- PHYSICAL ACCESS CONTROL ACTIVITIES
- IT APPLICATION
- INDEPENDENT VERIFICATION AND RECONCILIATIONS
- SEGREGATION OF DUTIES
4 ACTIONS THAT SHOULD BE SEPARATED
- TRANSACTION AUTH
- ACCOUNTING FOR TRANS
- ASSET CONTROLLERSHIP
- RECONCILING FUNCTION
WHAT IS MEANT BY HIGH QUALITY INFORMATION?
RELEVANT
ACCURATE
TIMELY
WHY MUST HIGH QUALITY INFORMATION BE COMMUNICATED?
INFORMATION MUST BE PROVIDED AS APPROPRIATE SO THAT PERSONNEL CAN CARRY OUT THEIR OPERATING, REPORTING, AND COMPLIANCE OBJECTIVE RESPONSIBILITIES
2 TYPES OF MONITORING ACTIVITIES
- ONGOING EVALUATIONS (CONTINUOUS MONITORING)
- SEPARATE EVALUATIONS
WHEN ARE MONITORING ACTIVITIES MOST EFFECTIVE
WHEN A LAYERED APPROACH IS USED (3 LINES OF DEFENSE MODEL)
WHAT IS INCLUDED IN LAYERED ACTIVITY MONITORING
- EVERYDAY ACTIVITIES PERFORMED BY MGMT OF A GIVEN AREA
- SEPARATE EVALUATION ON A REGULAR BASIS TO ENSURE DEFICIENCIES ARE ADDRESSED AND FIXED TIMELY
- INDEPENDENT ASSESSMENT BY OUTSIDE AREA OR FUNCTION
WHO IS ULTIMATELY RESPONSIBLE FOR ENSURING AN IC ENVIRONMENT IS PUT INTO PLACE
BOD
WHAT IS THE ROLE OF MGMT (CEO) IN THE IC ENVIRONMENT
- PRIMARY RESPONSIBILITY FOR THE SYSTEM OF IC
- THE IC ENVIRONMENT IS ADEQUATELY DESIGNED AND IS OPERATING EFFECTIVELY
- TONE AT THE TOP IS SET BY UPPER LEVEL MGMT
WHAT IS THE ROLE OF THE BOD IN THE IC ENVIRONMENT
- OVERSEES MGMT AND PROVIDES DIRECTION REGARDING THE IC SYSTEM
- ULTIMATELY HAS RESP FOR OVERSEEING THE SYSTEM OF IC
WHAT IS THE ROLE OF THE INTERNAL AUDITOR IN THE IC ENVIRONMENT
- VERIFY THAT MGMT HAS MET ITS RESPONSIBILITIES FOR IC
- INDEPENDENTLY VALIDATE MGMT ASSERTIONS ABOUT THE IC ENVIRONMENT
WHAT IS THE IMPORTANCE OF ALL COMPANY PERSONNEL IN THE IC ENVIRONMENT
IC IS THE RESPONSIBILITY OF EVERYONE IN THE ORG AND CONSTITUTES AN EXPLICIT OR IMPLICIT PART OF EVERYONE’S JOB DESCRIPTION
WHAT IS THE ROLE OF THE INDEPENDENT OUTSIDE AUDITOR IN THE IC ENVIRONMENT
- NOT RESPONSIBLE FOR THE IC ENVIRONMENT
- PROVIDE AN INDEPENDENT, OBJECTIVE OPINION ON THE EFFECTIVENESS OF ICFR
EXAMPLES OF LIMITATIONS OF THE IC SYSTEM
- OBJECTIVES AREN’T ESTABLISHED
- HUMAN JUDGEMENT IN DECISION MAKING CAN BE FAULTY
- SIMPLE ERRORS CAN OCCUR
- ABILITY OF MGMT TO OVERRIDE INTERNAL CONTROLS
- CIRCUMVENTION OF CONTROLS BY COLLUSION
- EXTERNAL EVENTS BEYOND THE CONTROL OF THE ORG
- COST BENEFIT LIMITATIONS
GROSS RISK THAT EXISTS ASSUMING THERE ARE NO IC FEATURES IN PLACE
INHERENT RISK
HOW ARE RISKS MEASURED
IMPACT
LIKELIHOOD
PORTION OF INHERENT RISK THAT MGMT CAN INFLUENCE AND REDUCE THROUGH DAY TO DAY BUSINESS ACTIVITIES
CONTROLLABLE RISK
PORTION OF INHERENT RISK THAT REMAINS AFTER MGMT EXECUTES ITS RISK RESPONSES
RESIDUAL RISK
HOW IS RESIDUAL RISK CONTROLLED
- IF THE RESIDUAL RISK IS BELOW THE ORG’S RISK APPETITE, THE IC SYSTEM IS OPERATING AT AN ACCEPTABLE LEVEL
- IF THE RESIDUAL RISK EXCEEDS THE RISK APPETITE, THE SYSTEM SHOULD BE REEVALUATED (SHARE OR TRANSFER A PORTION OF THE RESIDUAL RISK)
CONTROLS THAT HAVE A PERVASIVE EFFECT ON THE ACHIEVEMENT OF OVERALL OBJECTIVES
ENTITY LEVEL CONTROLS
EXAMPLES OF ENTITY LEVEL CONTROLS
- CONTROLS RELATED TO THE CONTROL ENVIRONMENT
- CONTROLS OVER MGMT OVERRIDE
- CENTRALIZED PROCESSING AND CONTROLS LIKE SHARED SERVICE ENVIRONMENTS
- CONTROLS MONITORING RESULTS OF OPERATIONS
- CONTROLS OVER PERIOD END FINANCIAL REPORTING
2 CATEGORIES OF ENTITY LEVEL CONTROLS
GOVERNANCE CONTROLS
MGMT OVERSIGHT CONTROLS
1 CATEGORY OF ENTITY LEVEL CONTROLS ESTABLISHED BY THE BOARD AND EXECUTIVE MGMT TO INSTITUTE THE ORG’S CONTROL CULTURE AND PROVIDE GUIDANCE THAT SUPPORTS STRATEGIC OBJECTIVES
GOVERNANCE CONTROLS
1 CATEGORY OF ENTITY LEVEL CONTROLS ESTABLISHED BY MGMT AT THE BUSINESS UNIT LEVEL TO REDUCE RISK TO THE BUSINESS UNIT AND INCREASE THE PROBABILITY THAT BUSINESS UNIT OBJECTIVES ARE ACHIEVED
MGMT OVERSIGHT CONTROLS
CONTROLS ESTABLISHED BY PROCESS OWNERS TO REDUCE THE RISK THAT THREATENS THE ACHIEVEMENT OF PROCESS OBJECTIVES
PROCESS LEVEL CONTROLS
EXAMPLES OF PROCESS LEVEL CONTROLS
- RECONCILIATION OF KEY ACCOUNTS
- PHYSICAL VERIFICATION OF ASSETS
- PROCESS EMPLOYEE SUPERVISION AND PERFORMANCE EVALUATIONS
- MONITORING/OVERSIGHT OF SPECIFIC TRANSACTIONS
CONTROLS MORE DETAILED THAN PROCESS LEVEL CONTROLS AND REDUCE RISK RELATIVE TO A GROUP
TRANSACTION LEVEL CONTROLS
EXAMPLES OF TRANSACTION LEVEL CONTROLS
- AUTHORIZATIONS
- DOCUMENTATION
- SEGREGATION OF DUTIES
- IT APPLICATION CONTROLS (INPUT)
CONTROLS DESIGNED TO REDUCE PRIMARY RISKS ASSOCIATED WITH BUSINESS OBJECTIVES
KEY CONTROLS
CONTROLS DESIGNED EITHER TO MITIGATE RISKS THAT ARE NOT KEY TO BUSINESS OBJECTIVES OR TO PARTIALLY REDUCE THE LEVEL OF RISK WHEN A KEY CONTROL DOES NOT OPERATE EFFECTIVELY
SECONDARY CONTROLS
CONTROLS DESIGNED TO SUPPLEMENT KEY CONTROLS THAT ARE EITHER INEFFECTIVE OR CANNOT FULLY MITIGATE A RISK OR GROUP OF RISKS BY THEMSELVES
COMPENSATING CONTROLS
DIFFERENCE IN PREVENTIVE AND DETECTIVE CONTROLS
PREVENTIVE CONTROLS STOP INCORRECT EVENTS FROM OCCURRING. THEY CAN BE DIFFICULT TO DESIGN BECAUSE OF EFFICIENCY AND EFFECTIVENESS TRADE-OFFS
DETECTIVE CONTROLS ALLOW YOU TO SEE ERRORS THAT HAVE ALREADY OCCURRED
TWO TYPES OF INFORMATION SYSTEMS CONTROLS
GENERAL COMPUTING CONTROLS
APPLICATION CONTROLS
INFO SYS CONTROLS APPLIED ACROSS MANY APPLICATION SYSTEMS THAT HELP ENSURE THEIR CONTINUED PROPER OPERATION
GENERAL COMPUTING CONTROLS
COMPUTERIZED STEPS WITHIN THE APPLICATION SOFTWARE AND RELATED MANUAL PROCEDURES TO CONTROL THE PROCESSING OF VARIOUS TYPES OF TRANSACTIONS
APPLICATION CONTROLS