Internal Control and Risk Flashcards
Definition of internal control
a process, effected by an entity’s board of directors, management & other personnel, designed to provide reasonable assurance regarding the achievement of objectives in:
- effectiveness / efficiency of operations
- reliability of financial reporting
- compliance with laws & regulations
The control environment includes - 6 things
- Integrity & ethical values
- Management’s philosophy & operating style
- Organizational structure
- Assignment of authority & responsibility
- HR policies / practices
- Competence of personnel
Definition of control environment
the attitudes & actions of the board & management regarding the importance of control within the organization
provides discipline & structure for achieving primary objectives
Entity-level controls & 2 sub-types
apply to the entire organization
sub-types of entity-level controls:
- governance controls
- management oversight controls
Governance controls & examples
a type of entity-level control
establish control culture, clarify organizational expectations & include organization-wide policies & procedures
examples:
- institution of audit committee oversight
- code of ethics
- compliance policies
- IT policies
Management oversight controls & examples
a type of entity-level control
set at the business unit / line management level to address the achievement of business unit objectives
examples:
- risk committees
- some period-end controls
- IT general controls
Process-level controls & examples
established by a process owner to ensure that the objectives of the process are achieved
examples:
- supervision
- monitoring
- performance evaluations
- key account reconciliation
- inventory counts
Transaction-level controls & examples
specific to individual transactions & ensure that the objectives of the transaction are achieved
examples:
- documentation requirements
- segregation of duties
- IT application controls (input, processing, output)
The intent behind identifying key controls is…
to ensure management supervision, control testing & other audit procedures are efficient and focus on key risks / achievement of business objectives
Preventive controls & example
proactive
deter undesirable events from occurring
example:
1. rewards based on KPIs rather than hitting arbitrary budget numbers
Detective controls & examples
reactive
detect undesirable events that have occurred
examples:
- account reconciliations
- exception reports
Corrective controls & examples
reactive
allow manual / automated correction of errors uncovered through detective controls
examples:
- audit trails
- backup & recovery procedures
- resolution of duplicate payments from A/P
Directive controls & examples
proactive
cause / encourage a desirable event to occur
examples:
- guidelines
- training programs
- incentive plans
Mitigating controls & example
reduce the potential impact should an event occur
example:
1. insurance
Compensating controls & example
compensate for the lack of an expected control
example:
1. close supervisory review if no segregation of duties exists (think of Vantage)