Internal Control Frameworks Flashcards
What is the Committee of Sponsoring Organizations (COSO)?
an independent private sector initiative that was established to study the factors that lead to fraudulent financial reporting
includes: American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives Institute (FEI), Institute of Internal Auditors (IIA), and Institute of Management Accountants (IMA)
in 1992, COSO issued Internal Control - Integrated Framework, to assist organizations in developing comprehensive assessments of internal control effectiveness
What does it take for an effective system of internal control?
It requires more than adherence to policies and procedures by management, the board, and internal auditors. It requires the use of judgment in determining the sufficiency of controls, in applying the proper controls, and assessing the effectiveness of the system of internal controls
What is an internal control?
a process that is designed and implemented by an organization’s management, board, and other employees to provide reasonable assurance that the organization will achieve its operating, reporting, and compliance objectives
COSO Cube
Objectives: operations, reporting, and compliance
Internal control components: control environment, risk assessment, control activities, information and communication, and monitoring activities
Organizational structure: entity level, division, operating unit, and function
The 3 categories of objectives within the framework
Operations: relate to the effectiveness and efficiency of an entity’s operations
Reporting: pertain to the reliability, timeliness, and transparency of an entity’s external and internal financial and nonfinancial reporting
Compliance: established to ensure the entity is adhering to all applicable laws and regulations
the COSO framework does not prescribe which controls an entity should implement for effective internal control; instead, an organization’s selection of controls requires management’s judgment based on factors unique to the entity
It’s a CRIME to forget the five components of internal control (be familiar with the 5 components of internal control and each of the 17 principles within the components)
Control Environment - commitment to ethics and integrity, board independence and oversight, organizational structure, commitment to competence, and accountability (the importance of internal control and expected standards of conduct is established through a “tone at the top” approach taken by senior management and the board)
Risk Assessment - specify objectives, identify and analyze risks, consider potential for fraud, and identify and assess changes
Information and Communication - obtain and use information, internally communicate information, and communicate with external parties
Monitoring Activities - ongoing and/or separate evaluations and communication of deficiencies
(Existing) Control Activities - select and develop control activities, select and develop technology controls, and deployment of policies and procedures
An effective system of internal control requires all 5 components and 17 principles that are relevant to be both present and functioning
present = components and relevant principles are included in the design and implementation of the internal control system
functioning = the components and relevant principles are currently operating as designed in the internal control system
all 5 components operate together as an integrated system in order to reduce, to an acceptable level, the risk that the entity will not achieve its objectives
the framework requires judgment in designing, implementing, and conducting internal control and in assessing the effectiveness of internal control
Internal control deficiencies are shortcomings in one or more components and their relevant principles that reduce the likelihood of an entity achieving its objectives
although U.S. GAAS uses the terms “significant deficiency” and “material weakness,” the COSO framework uses the term “major deficiency”
a major deficiency is an internal control deficiency, or a combination of deficiencies, that severely reduces the likelihood that the entity can achieve its objectives; when a major deficiency exists, the entity cannot conclude that it has met the requirements for an effective system of internal control under the COSO framework
T/F: the process for evaluating risk is dynamic and ongoing
True; risks change over time as entities operate in multiple industries, markets, and geographic areas, each of which may carry its own regulatory environment and standards
What does management override refer to?
actions taken by management to overrule prescribed policies or procedures for illegitimate purposes, such as personal gain or misstated reporting; management override of controls can lead to fraud
this is not the same as management intervention, which is the legitimate and appropriate departure from prescribed policies or procedures by management to deal with unusual or non-routine transactions
Fact: Management considers how the risk of material omissions and misstatements should be managed across the entity
management selects, develops, and deploys controls to effectively apply principles within each component to respond to assessed risk