Internal Control Monitoring

Question 1

What does “competence” mean in relation to a control evaluator?

Answer 1

Refers to the evaluator’s knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency

Question 2

What is “accuracy”

Answer 2

The degree to which information can reasonably be expected to be free from error and/or to communicate results that reflect reality

Question 3

Define “relevant information.”

Answer 3

Information is meaningful to assessing a risk, control, or control component

Question 4

Define “self-review.”

Answer 4

Person responsible for a control (but not that person’s peer or supervisor) assesses control effectiveness. The least objective type is “self-assessment.”

Question 5

Define “timely information.”

Answer 5

Information is produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material

Question 6

Define “suitable information.”

Answer 6

Must be relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source), and timely (i.e., produced and used in an appropriate time frame)

Question 7

Define “objective or objectivity.”

Answer 7

The measure of the extent of factors that might influence a person to report inaccurate or incomplete information about risks or controls

Question 8

Define “compensating controls.

Answer 8

Controls that accomplish the same objective as another control and will “compensate” for deficiencies in the first control

Question 9

Define “key controls.”

Answer 9

Controls that are most important to monitor in order to support a conclusion about the internal control system’s ability to manage or mitigate meaningful risks

Question 10

Define “persuasiveness of information or persuasive information.”

Answer 10

The degree to which the information provides support for conclusions. Derived from its suitability (i.e., its relevance, reliability, and timeliness) and its sufficiency

Question 11

Define “reliable information.”

Answer 11

Information must be accurate (see “Accuracy”), verifiable (see “Verifiable”) and from an objective source (see “Objective”)

Question 12

Define “key risk indicators.”

Answer 12

Forward-looking metrics that identify critical potential problems, thus enabling an organization to take timely action, if necessary

Question 13

Define “evaluator.”

Answer 13

An individual who monitors internal control. Must have skills, knowledge, and authority sufficient to understand risks and identify the controls needed to manage those risks. Two most important attributes are competence and objectivity

Question 14

How does monitoring benefit corporate governance?

Answer 14

Monitoring is the core, underlying control component in the COSO ERM model. Controls degrade over time, technologies change, and people forget or get lazy. Because of this, monitoring is essential to maintaining strong internal control and effective risk management

Question 15

Define “key performance indicators.”

Answer 15

Metrics that reflect critical success factors. They help organizations measure progress toward critical goals and objectives

Question 16

Define “self-assessment.”

Answer 16

Either the person responsible for a control, or that person’s peer or supervisor, assesses control effectiveness

Question 17

Define “verifiable or verifiability.”

Answer 17

Can be established, confirmed, or substantiated as true or accurate

Question 18

Define “control objectives.”

Answer 18

These provide specific targets for evaluating the effectiveness of internal control. Typically they are stated in terms that describe the nature of the risk to be managed or mitigated