COSO LISA Flashcards
Control Environment - Tone at the Top
CHOPPER is the older seven-factor list; the current framework has only five principles here
Organizational Structure - Establish the structure, reporting lines and lines of authority and responsibility
Competence - Demonstrate commitment to competence by attracting, developing and retaining competent people (human resources)
Oversight - With authority comes responsibility; the board must show that it exercises oversight over internal control
Accountability - Hold people accountable for their internal control responsibilities
Ethics and Integrity - Demonstrate commitment to integrity and ethical values; show that ethical behavior is expected and supported
A lot of verbs here: demonstrates commitment to integrity and ethical values, exercises oversight responsibility, establishes structure, authority and responsibility, demonstrates commitment to competence, enforces accountability
CHOPPER
Commitment to Competence - Ensure employees have the proper skill set, especially those involved in control functions
Human Resource Policies and Procedures - Policies that ensure staff are hired, trained, evaluated and compensated appropriately
Organizational Structure - Provides the basis for running the place (planning, directing and controlling operations)
Philosophy and Operating Style of Management - Unethical management produces unethical employees
Participation of the Board of Directors or Audit Committee - Active, independent oversight of management
Ethical and Integrity Values - Lead by example, code of conduct, whistleblower policies
Responsibility and Authority Assignment - Job descriptions, organization charts
Risk Assessment (4)
ORFC
Be Objective about analyzing Risk and Fraud because things Change
Specifies Suitable Objectives - You need to know what you are trying to accomplish before you can specify what is at risk, who you are reporting to, and what laws you must comply with
Identifies and Analyzes Risk - Risks that emanate from sources inside the company and from outside it (economic, regulatory, political, social, technological), down to the transaction level; estimate the effect and decide how to respond: avoid the activity entirely, share the risk, hedge it, or establish controls to reduce it
Assesses Fraud Risk - The types and nature of fraud, the incentives and pressures to commit it, the opportunities, and the attitudes and rationalizations that develop over time and are a precursor to it
Identifies and Analyzes Significant Change - Are the assumptions underlying our conclusions about risk still valid, or has our organization or the world changed significantly?
Objectives
Risk Analysis (other than Fraud)
Fraud Risks
Change Risk
Control Activities
PIPS
Performance Reviews
Information Processing - IT general controls vs. application controls (input, processing, output)
Physical Controls
Segregation of Duties - Noah and the ARCCS: keep Authorization, Recording, Custody of assets and Comparison (reconciliation) in separate hands
COSO FIVE COMPONENTS
CRIME, BUT IN THE FRAMEWORK'S ORDER IT'S ERCIM
CRIME: Control Activities, Risk Assessment, Information and Communication, Monitoring, Control Environment
ERCIM: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring
Crime said "ERiC, I'M"
Monitoring Component Internal Control
What are the people called who monitor and what should they be?
Why do internal control systems fail?
What is the sequence of activities for monitoring IC?
Evaluators, and they need to be competent and objective
Systems fail because controls are not designed or implemented properly, or because the environment has changed
Sequence of Monitoring:
Baseline - Learn how the system was designed and implemented
Change Identification - Ongoing and separate evaluations (the two categories) identify changes in the effectiveness of internal control and trigger corrective action
Change Management - Determine when changes are needed and what types of changes are effective
Control Revalidation/Update - Establish a new baseline for the revised system
Monitoring IC - 2nd step after the baseline understanding - what are the two types of evaluations?
Ongoing Evaluations and Separate Evaluations
Not sure what the difference is, need to look up
Example of an ongoing evaluation: information systems with embedded modules that look for unusual or suspicious activity
Limitations of Internal Control: COCO
Collusion
Override by Management
Cost/Benefit Constraints
Obsolescence - Changes in the company's operations or size make existing controls outdated
ENTERPRISE RISK MANAGEMENT - 4 CATEGORIES OF OBJECTIVES (not components)
ROCS: Reporting, Operations, Compliance, Strategic
Enterprise Risk Management - Internal Environment (the ERM counterpart of the Control Environment)
The internal environment component sets the tone of the entity. It reflects the entity’s (1) risk management philosophy, (2) risk appetite, (3) integrity, (4) ethical values, and (5) overall environment.
Risk Management Philosophy, Risk Appetite, Integrity, Ethical Values, Overall Environment
ENTERPRISE RISK MANAGEMENT - Capabilities of ERM
The following are the categories of the capabilities of ERM:
Idiots: it should say capabilities to hone or improve the likelihood of
Aligning risk appetite and strategy
Enhancing risk response decisions
Reducing operational surprises and losses
Identifying and managing multiple and cross-enterprise risks
Seizing opportunities
Improving deployment of capital
Although increased productivity may result from ERM, it is not directly a capability provided by ERM.
ENTERPRISE RISK MANAGEMENT - Limitations of ERM Arise From
Limitations of ERM arise from the possibility of (1) faulty human judgment, (2) cost-benefit considerations, (3) simple errors or mistakes, (4) collusion, and (5) management override of ERM decisions.
ENTERPRISE RISK MANAGEMENT: What’s a result of poor ERM
The failure to achieve objectives is a risk of poor enterprise risk management
ENTERPRISE RISK MANAGEMENT - 8 COMPONENTS
Crime Plus What - need to figure out
The eight components of the COSO ERM framework are: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Compared with CRIME, that is the five internal control components (with Internal Environment in place of Control Environment) plus Objective Setting, Event Identification and Risk Response.