COSO Flashcards
The Control Environment
Management’s philosophy, operating style, and risk appetite
Commitment to integrity, ethical values, and competence
Internal control oversight by Board of Directors
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
What establishes the foundation for all other components of the internal control model?
The internal environment
Assessing the internal environment involves observance of the…
Organizational behavior of management actions and evaluation of policies and procedures
What is the importance of HR?
We need to make sure that we hire competent people (what are the job descriptions)
Once we hire the right people we need to continue to train and educate them
We also need to have steps for how we are going to handle people who are terminated (fired or retired)
Why would companies require employees to take a whole week vacation?
It is hard to hide fraud if you are gone for an entire week
Risk Assessment
Risk is assessed from two perspectives:
Likelihood - Probability that the event will occur
Impact - Estimate potential loss if event occurs
Types of Risk
Inherent - Risk that exists before plans are made to control it
Residual - Risk that is left over after you control it
What is the most difficult step for an organization?
Risk assessment - because once they identify what can go wrong, organizations need to think about the probability that it actually will happen and estimate costs
Qualitative Perspective of Risk Assessment
Simply assign high, medium, or low risk based upon their collective discussion (red, orange, yellow)
Quantitative Analysis of Risk Assessment
Examine probabilistic techniques to model the cashflow or earnings based upon the risk identified
Risk Responses
Reduce/Control: Implement effective internal control
Accept: Do nothing and accept the likelihood and impact of the risk
Share: Buy insurance, outsource, or hedge
Avoid: Do not engage in the activity
How can management respond to risk?
- Reduce the amount of risk by implementing internal controls
- Do nothing and accept the likelihood and impact of the risk
- Share the risk by buying insurance, doing a joint venture, or hedging transactions
- Avoid the risk entirely and sell off a division or not manufacture that product line
Control Activities
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance
Project Development
Have a steering committee
People hate change - they will try to sabotage your change
Forms design is really important
Separation of Duties
Prevents an employee from committing and concealing fraud
Prevents employees from falsifying records in order to conceal theft of assets entrusted to them
Prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts
Prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized