COSO Flashcards
The Control Environment
Management’s philosophy, operating style, and risk appetite
Commitment to integrity, ethical values, and competence
Internal control oversight by Board of Directors
Organizing structure
Methods of assigning authority and responsibility
Human resource standards
What establishes the foundation for all other components of the internal control model?
The internal environment
Assessing the internal environment involves observance of the…
Organizational behavior of management actions and evaluation of policies and procedures
What is the importance of HR?
We need to make sure that we hire competent people (what are the job descriptions)
Once we hire the right people we need to continue to train and educate them
We also need to have steps for how we are going to handle people that are terminated (fired and retired)
Why would companies require employees to take a whole week vacation?
It is hard to hide fraud if you are gone for an entire week
Risk Assessment
Risk is assessed from two perspectives:
Likelihood - Probability that the event will occur
Impact - Estimate potential loss if event occurs
Types of Risk
Inherent - Risk that exists before plans are made to control it
Residual - Risk that is left over after you control it
What is the most difficult step for an organization?
Risk assessment - because once they identify what can go wrong, organizations need to think about the probability that it actually will happen and estimate costs
Qualitative Perspective of Risk Assessment
Simply assign high, medium, or low risk based upon their collective discussion (red, orange, yellow)
Quantitative Analysis of Risk Assessment
Examine probabilistic techniques to model the cash flow or earnings based upon the risk identified
Risk Responses
Reduce/Control: Implement effective internal control
Accept: Do nothing; accept the likelihood and impact of the risk
Share: Buy insurance, outsource, or hedge
Avoid: Do not engage in the activity
How can management respond to risk?
- Reduce the amount of risk by implementing internal controls
- Do nothing and accept the likelihood and impact of the risk
- Share the risk by buying insurance, doing a joint venture, or hedging transactions
- Avoid the risk entirely and sell off a division or not manufacture that product line
Control Activities
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance
Project Development
Have a steering committee
People hate change - they will try to sabotage your change
Forms design is really important
Separation of Duties
Prevents an employee from committing and concealing fraud
Prevents employees from falsifying records in order to conceal theft of assets entrusted to them
Prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts
Prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized
Custodial Functions
- Handling cash
- Handling inventories, tools, or fixed assets
- Writing checks
- Receiving checks in the mail
Recording Functions
- Preparing source documents or entering data online
- Maintaining journals, ledgers, files, databases
- Preparing reconciliations
- Preparing performance reports
Authorization Functions
- Authorization of transactions or decisions
Information and Communication
Obtain or generate relevant, high-quality information to support internal control.
Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control.
Communicate relevant internal control matters to external parties.
Monitoring
Perform internal control evaluations (e.g., internal audit)
Implement effective supervision
Use responsibility accounting systems (e.g., budgets)
Monitor system activities
Track purchased software and mobile devices
Conduct periodic audits (e.g., external, internal, network security)
Employ computer security officer
Engage forensic specialists
Install fraud detection software
Implement fraud hotline
Governance & Culture
- Exercises board risk oversight
- Establishes operating structure
- Defines desired culture
- Demonstrates commitment to core values
- Attracts, develops, and retains capable individuals
Strategy & Objective-Setting
- Analyzes business context
- Defines risk appetite
- Evaluates alternative strategies
- Formulates business objectives
Performance
- Identifies risk
- Assesses severity of risk
- Prioritizes risks
- Implements risk responses
- Develops portfolio view
Review & Revision
- Assesses substantial change
- Reviews risk and performance
- Pursues improvement in enterprise risk management