Internal Control Frameworks Flashcards
Define “verifiable or verifiability.”
Information that can be established, confirmed or substantiated as true or accurate
Define “control activities” (according to the COSO internal control and ERM frameworks)
Policies and procedures that ensure that organizational actions address key risks related to the achievement of management’s objectives
Define “risk assessment” (according to the COSO internal control framework)
The process of identifying, analyzing, and managing the risks related to achieving the organization’s objectives.
Define “compensating controls.”
Controls that accomplish the same objective as another control and will “compensate” for deficiencies in the first control
Define “internal control.”
A process, effected by the entity’s board of directors, management, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in these categories:
Effectiveness and efficiency of operations
Reliability of financial reporting (broadened to reporting in general, financial and non-financial, in the 2013 update of the framework)
Compliance with applicable laws and regulations
Define “feed-forward controls.”
A process in which future results are projected based on current and past information and, if the future results are undesirable, the inputs to the system are changed to avoid the projected outcome. Many inventory ordering systems are essentially feed-forward controls: The system projects product sales over the relevant time period, identifies the current inventory level, and orders inventory sufficient to fulfill the sales demand.
Define “evaluator.”
An individual who monitors internal control. The evaluator must have skills, knowledge, and authority sufficient to understand the risks and identify the controls needed to manage them. The two most important attributes of an evaluator are competence and objectivity.
Name the three activities that comprise assessing and reporting on control monitoring.
Prioritize findings.
Report results as appropriate.
Follow up to implement corrective actions.
Define “key controls.”
Controls that are most important to monitor in order to support a conclusion about the internal control system’s ability to manage or mitigate meaningful risks
Define “detective controls.”
Controls designed to detect an error after it has occurred, preferably before the erroneous information is used to update the database or appears in reports. Examples of detective controls include data entry edits (field checks, limit tests) and reconciliation of batch control totals. Note that a data entry edit that rejects bad input outright is also acting as a preventive control; the classification depends on whether the error is caught before or after it is recorded.
Define “corrective controls.”
Often paired with detective controls, corrective controls attempt to reverse the effects of the error or irregularity that has been detected. Examples of corrective controls include maintenance of backup files, disaster recovery plans, and insurance.
How does monitoring benefit corporate governance?
Monitoring is the component of the COSO ERM model that keeps the other components working. Controls degrade over time, technologies change, and people forget procedures or grow careless. Because of this, ongoing monitoring is essential to maintaining strong internal control and effective risk management.
Define “information and communications” (according to the COSO internal control framework).
This component enables an organization’s personnel to identify, process, and exchange the information needed to manage and control operations.
Define “general controls.”
Controls over the IT environment as a whole. General controls apply to all functions, not just specific accounting applications (for example, logical access control, program change management, and backup and recovery). They help ensure that data integrity is maintained across every application that runs in that environment.
Define “application controls.”
Controls over specific data input, data processing, and data output activities. They are designed to ensure the accuracy, completeness, and validity of transaction processing. As such, application controls have a relatively narrow focus on those accounting applications that are involved with data entry, update, and reporting.
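As an added worked example (not part of the flashcards), the Python below implements the detective controls named under "detective controls" and the input, processing, and output controls described under "application controls" over a constructed batch of payment records: field checks, a limit test, and reconciliation of batch control totals (record count, amount total, and hash total) against the values the submitter placed in the batch header. The batch layout, field names, the 10,000.00 per-record ceiling, and the sample data are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed policy values for this example (not from the flashcards).
ACCOUNT_RE = re.compile(r"[0-9]{8}")   # field check: account is exactly 8 ASCII digits
MAX_AMOUNT = Decimal("10000.00")        # limit test: per-record ceiling (assumed policy)


@dataclass
class BatchResult:
    reconciled: bool   # recomputed control totals matched the submitted header
    accepted: list     # records that passed every check (empty if not reconciled)
    errors: list       # (record index, message) for the exception report; -1 = batch level


def check_record(idx, rec):
    """Field checks and limit test for one record; returns (errors, parsed amount or None)."""
    errors = []
    if not ACCOUNT_RE.fullmatch(str(rec.get("account", ""))):
        errors.append((idx, "field check: account must be exactly 8 digits"))
    try:
        amount = Decimal(str(rec.get("amount", "")))
    except InvalidOperation:
        amount = None
    # Decimal() accepts "NaN" and "Infinity"; comparing a NaN raises, so reject non-finite values here.
    if amount is None or not amount.is_finite():
        errors.append((idx, "field check: amount is not a finite number"))
        return errors, None
    if amount.as_tuple().exponent < -2:
        errors.append((idx, "field check: amount has more than two decimal places"))
    if not (Decimal("0") < amount <= MAX_AMOUNT):
        errors.append((idx, f"limit test: amount must be above 0 and at most {MAX_AMOUNT}"))
    return errors, amount


def process_batch(header, records):
    """Run the input controls, then reconcile batch control totals before anything is posted."""
    accepted, errors = [], []
    amount_total, hash_total = Decimal("0"), 0
    totals_computable = True
    for idx, rec in enumerate(records):
        rec_errors, amount = check_record(idx, rec)
        acct = str(rec.get("account", ""))
        # Recompute the submitter's control totals from what was actually received.
        if amount is None or not ACCOUNT_RE.fullmatch(acct):
            totals_computable = False
        else:
            amount_total += amount
            hash_total += int(acct)  # hash total: sum of account numbers, meaningless but detects substitution
        if rec_errors:
            errors.extend(rec_errors)
        else:
            accepted.append(rec)
    reconciled = (
        totals_computable
        and len(records) == header["record_count"]
        and amount_total == Decimal(str(header["amount_total"]))
        and hash_total == header["hash_total"]
    )
    if not reconciled:
        errors.append((-1, "batch control totals do not reconcile: "
                           f"count={len(records)} amount={amount_total} hash={hash_total}"))
        accepted = []  # an unreconciled batch is held in full; nothing reaches the ledger
    return BatchResult(reconciled, accepted, errors)


# Constructed sample batch: the header totals were computed by the submitter over three records.
SAMPLE_HEADER = {"record_count": 3, "amount_total": "12325.50", "hash_total": 30000006}
SAMPLE_RECORDS = [
    {"account": "10000001", "amount": "250.00"},
    {"account": "10000002", "amount": "12000.00"},  # exceeds MAX_AMOUNT: fails the limit test
    {"account": "10000003", "amount": "75.50"},
]


def demo():
    """Intact batch (one record fails its limit test) vs. the same batch with a record lost in transit."""
    intact = process_batch(SAMPLE_HEADER, SAMPLE_RECORDS)
    truncated = process_batch(SAMPLE_HEADER, SAMPLE_RECORDS[:2])
    return intact, truncated


if __name__ == "__main__":
    for name, result in zip(("intact", "truncated"), demo()):
        print(name, "reconciled:", result.reconciled, "accepted:", len(result.accepted))
        for idx, msg in result.errors:
            print("  record", idx, "-", msg)
```

The design point is the separation between record-level and batch-level outcomes: a record that fails a field check or limit test goes to the exception report on its own, while a control-total mismatch (a dropped, duplicated, or altered record) holds the whole batch, since the receiver cannot tell which record is wrong.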