Internal Control Monitoring and Change Control Processes Flashcards
What are some control monitoring process methods?
1) Reviewing process
2) Benchmarking assessments
3) Questionnaires
4) Focus groups and interviews
Define reviewing process
Includes reviews of flowcharts and of risk and control documentation
What are benchmarking assessments?
Comparing to other companies or other components within the organization
What are the three stages in the COSO Model of the control monitoring process?
1) Establish foundation (tone at the top, organizational structure, and baseline understanding of internal control effectiveness)
2) Design and execute (prioritize risks, identify controls, identify persuasive information about controls, implement monitoring procedures)
3) Assess and report (prioritize findings, report results to the appropriate level, and follow up on corrective action)
What is the foundation for monitoring?
Generate a “baseline” of known effective IC to guide future monitoring and evaluation
How do you design and execute monitoring procedures?
Generate persuasive information about key controls and meaningful risks
Prioritize risks (which are critical?)
How do you assess and report results?
Prioritize findings
- Determine severity of identified deficiencies
Report results
- Follow up with corrective action
How do you assess changes in IC effectiveness? (Four-stage process called “monitoring-for-change continuum”)
1) Establish a control baseline (begin with area where controls are well understood. Provides baseline for enhanced monitoring)
2) Change identification (identify changes in control operations, design, or related risks)
3) Control revalidation (periodically revalidate that controls remain effective, thus maintaining continuous control baseline)
4) Change management (when changes occur, verify that controls remain effective. Establish a new control baseline for modified controls)
Effective change control processes must…:
1) Anticipate and promptly react to changes
2) Control change management must consider costs vs benefits
- If they are minor, don’t assign much money to fix it
3) Must have well-structured documentation
4) Appropriate procedures
Change management is part of risk assessment, including consideration of what…?
- Changes in operations
- Personnel change
- Changing technologies and information systems
- Rapid, unexpected growth
Identify three activities that comprise assessing and reporting on control monitoring
1) Prioritize findings
2) Report results as appropriate
3) Follow-up to implement corrective actions
What are the three elements for establishing a foundation for control?
1) Tone at the top
2) Organization structure
3) Baseline understanding of control effectiveness
Define ongoing monitoring
Actives the effectiveness of IC in the ordinary course of business