Chapter 8 - Internal Control and COSO Framework Flashcards

1
Q

What is internal control?

A

Internal control—the policies and procedures instituted and maintained by the management of an entity in order to provide reasonable assurance that management’s objectives are met.

2
Q

Management designs systems of internal control to accomplish the following four broad objectives:

A
  1. Strategic, high-level goals that support the mission of the entity.
  2. Reliability of financial reporting.
  3. Efficiency and effectiveness of operations.
  4. Compliance with laws and regulations.
3
Q

What are the responsibilities of management related to internal controls?

A
  • Management, not the auditor, must establish and maintain the entity’s internal controls.
  • Also, in the case of public companies, management is required to publicly report on the operating effectiveness of internal controls over financial reporting.
4
Q

What are the responsibilities of the auditor related to internal controls?

A

Auditors are responsible for understanding the entity’s internal controls relevant to the audit, in order to achieve their objective of identifying the risks of material misstatement at the financial statement and assertion level.

5
Q

What are entity-level controls? Give examples.

A

Entity-level controls are those controls that are pervasive in nature and do not address particular transaction cycles but may prevent or detect and correct misstatements in several cycles.

Examples: controls over management override, human resource policies, codes of conduct, fraud risk controls, whistleblower programs, etc.

6
Q

What are transaction controls?

A

Transaction controls—controls that are implemented for specific transaction risks and are designed to specifically prevent or detect and correct misstatements in classes of transactions, account balances, or disclosures and their related assertions.

7
Q

What are the 5 components of internal control?

A
  1. Control environment.
  2. Risk assessment.
  3. Control activities.
  4. Information and communication.
  5. Monitoring.
8
Q

What is the control environment?

A

The control environment is the foundation of effective internal control. It addresses governance and management functions as well as the attitudes, awareness, and actions of those charged with governance and management concerning internal control and its importance.

9
Q

What are transaction controls?

A

Transaction controls are control activities implemented to mitigate transaction processing risk for specific business processes.

10
Q

The control activities should be a combination of:

A

Preventative and detective controls:

Preventive controls—controls designed to avoid errors or irregularities.

Detective controls—controls that identify errors or irregularities after they have occurred so corrective action can be taken.

11
Q

What is a business process?

A

Business process—the set of manual and/or computerized procedures that collect, record, and process data and report the resulting output.

12
Q

What are 5 typical controls of the business processes?

A
  1. Proper authorization of transactions and activities.
  2. Adequate documents and records.
  3. Physical and logical control over assets and records.
  4. Adequate segregation of duties.
  5. Independent checks of performance, recorded data, and actual results.
13
Q

Why is it important to have proper authorization of transactions and activities?

A
  • Want to make sure that we are only committed to transactions that are consistent with the strategic objectives of the organization
  • Make sure we are using resources effectively
  • Make sure we have proper accountability for transactions
14
Q

Adequate documents and records: Documents should be…

A
  • Prenumbered or automatically numbered consecutively to facilitate control over missing records, and to aid in locating records when they are needed at a later date (significantly affects the transaction-related audit objective of completeness).
  • Prepared at the time a transaction takes place, or as soon thereafter as possible.
15
Q

Why is it important to have physical control over assets and records?

A
  • If assets are left unprotected, they can be stolen.
  • If records are not adequately protected, they can be duplicated, stolen, damaged, or lost.

16
Q

What are some examples of physical precautions used to safeguard physical assets and records?

A
  • Locks on doors
  • Passwords on computers
  • Fireproof safes
17
Q

Which duties should be segregated in an organization?

A
  • Custody of assets
  • Recording/reconciliation responsibilities
  • Authorization
18
Q

Why do we need to conduct independent checks of performance, recorded data, and actual results?

A

The need for careful and continuous review of the other controls, often referred to as independent checks on performance or internal verification, arises because internal control tends to change over time unless there is a mechanism for frequent review.

19
Q

What is an accounting information and communication system?

A

An accounting information and communication system initiates, records, processes, and reports transactions, and maintains accountability for the related assets.

Will include controls over:

  • Transfer of business process information to the general ledger (GL)
  • Capture of relevant events/conditions that are not transaction based
  • Journal entries
  • Accumulation and summation of other information that must be disclosed in the financial statements (FS)
20
Q

Describe the control activity of deploying policies and procedures.

A

The policies and procedures for the control activities should be spelled out in systems documentation (in a manual or on the company intranet) to encourage consistent application.

The organization should review its policies periodically to ensure that they are still appropriate or identify if they need to be revised.

21
Q

What controls should organizations have in place with regard to internal communication?

A
  • Communication within the organization includes both formal and informal communication, such as policy manuals, newsletters, job descriptions, and training sessions.
  • The organization’s messaging should reinforce that internal control responsibilities must be taken seriously and critical information should be disseminated quickly.
  • There also should be a process for employees to communicate improprieties—often referred to as “whistleblowing.”
22
Q

What controls should organizations have in place with regard to external communication?

A
  • The organization should have in place processes to communicate relevant and timely information to external parties including shareholders, members, partners, owners, regulators, customers, financial analysts, and any other relevant stakeholder.
  • The communication should be two-way and should involve processes that track communications with customers, vendors, regulators, and other relevant stakeholders.
23
Q

How can organizations incorporate monitoring into their business processes?

A
  • Monitoring should include evaluation built into business/financial reporting and performed on a real-time basis (ongoing) as well as separate periodic evaluations.
  • For many companies, especially larger ones, a competent internal audit department is essential to effective monitoring of internal controls and often performs the periodic reviews.
  • To be effective, internal audit staff must be independent of both the operating and accounting departments. They report directly to a high level of authority within the organization such as the Audit Committee.