Internal Control Monitoring Purpose and Terminology Flashcards
Define “sufficient information”.
Enough information to form a reasonable conclusion.
Define “relevant information”.
Information is meaningful to assessing a risk, control, or control component.
Define “board monitoring”.
Execution of monitoring procedures by the board of directors or its committees. Includes oversight of management’s performance in relation to all of the COSO components, including evaluating management’s own monitoring process and assessing the risk that management may override controls.
Define “key risk indicators”.
Forward-looking metrics that seek to identify potential problems, thus enabling an organization to take timely action, if necessary.
Define “evaluator”.
An individual who monitors internal control. Must have skills, knowledge, and authority sufficient to understand risks and identify the controls needed to manage those risks. Two most important attributes are competence and objectivity.
Define “accuracy”.
The degree to which information can reasonably be expected to be free from error and/or to communicate results that reflect reality.
Define “competence”.
Competence refers to the evaluator’s knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency.
Define “verifiable or verifiability”.
Can be established, confirmed or substantiated as true or accurate.
Define “key performance indicators”.
Metrics that reflect critical success factors. They help organizations measure progress towards goals and objectives.
Define “indirect information”.
Relevant, but secondary, information for assessing whether a risk is mitigated by a control.
Define “objective or objectivity”.
The measure of the extent of factors that might influence a person to report inaccurate or incomplete information about risks or controls.
Define “persuasiveness of information or persuasive information”.
The degree to which the information provides support for conclusions. Derived from its suitability (i.e., its relevance, reliability, and timeliness) and its sufficiency.
Define “self-review”.
Person responsible for a control (but not that person’s peer or supervisor) assesses control effectiveness. The least objective type of “self-assessment.”
Define “compensating controls”.
Controls that accomplish the same objective as another control and that can be expected to “compensate” for deficiencies in the first control.
Define “key controls”.
Controls that are most important to monitor in order to support a conclusion about the internal control system’s ability to manage or mitigate meaningful risks.
Define “direct information”.
Directly substantiates the operation of controls and is obtained by observing controls in operation, reperforming them, or otherwise directly evaluating their operation.
Define “timely information”.
Information is produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material.
Define “control objectives”.
They provide specific targets for evaluating the effectiveness of internal control. Typically stated in terms that describe the nature of the risk that should be managed or mitigated.
Define “self-assessment”.
Person responsible for a control, or that person’s peer or supervisor, assesses control effectiveness.
Define “suitable information”.
Must be relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source), and timely (i.e., produced and used in an appropriate time frame).
Define “reliable information”.
Information must be accurate (see “Accuracy”), verifiable (see “Verifiable”) and from an objective source (see “Objective”).