Internal Controls Flashcards
Assessment of internal controls occurs when in the audit
After audit planning and before substantive procedures
What is COSO
The most widely accepted way to design, maintain, and implement an internal controls system.
Not the mandatory framework required but most widely used
What are the objectives of internal controls
Accurate and Reliable Financial Reporting
Compliance with applicable laws & regulations
Effective business operations
What are the 5 components of COSO
COSO has 17 principles which are associated with 5 components. Acronym CRIME:
1. Control Activities
2. Risk Assessments
3. Information and Communication
4. Monitoring
5. Control Environment
What is the control environment (COSO)
The firm environment in which controls are being enacted
1. Integrity/Ethics
2. Board has oversight responsibility (doing their job)
3. etc
What is Risk Assessment (COSO)
Identification, analysis, and management of risk
What are Control Activities (COSO)
Develop controls that contribute to the mitigation of objectives to acceptable levels
Example: Segregation of Duties
What is segregation of duties
Ensures that the following roles aren’t handled by the same person
1. Authorization
2. Recordkeeping
3. Custody
4. Comparison
Difficult in a small organization; the alternative is to disclose to auditors
What is Monitoring (COSO)
Making sure all other components of COSO are working effectively in practice
What is Information and Communication (COSO)
Identification, retention, and transfer of information in a timely manner, enabling personnel to execute their responsibilities
- This applies both internally and externally
- Information needs to be accurate and reliable
What are the inherent limitations of internal controls
Includes but not limited to:
1. Competence of Employees
2. Obsolescence (external events making IC obsolete)
3. Collusion
4. Override by Management
5. Cost Constraints (does benefit override cost)
What is the correlation between Effective Controls, Control Risk, RMM, and Detection Risk
Controls are operating effectively:
1. Control Risk Down
2. Risk of Material Misstatement Down
3. Can afford a higher Detection Risk
4. Less Substantive work necessary to test NET (nature, timing, extent)
What is an integrated audit
For issuers, auditors are required to do an integrated audit. It is mandatory to do a test of controls for effectiveness of ICFR. Conducted simultaneously with controls of financial statements
Non-issuers do not need an integrated audit; it is optional
What are the risk assessment steps
Risk Assessment Examples
How often must you retest internal controls
Every 3 years or 3rd audit
What is a walkthrough
A test of internal controls by following a transaction from the beginning to end
What is a test of details
Testing the details of a transaction to determine whether internal controls are operating effectively, whether they have been implemented, and to look for material misstatements
What are the two types of control deficiencies
Operating Deficiency: Designed properly but does not work
Design Deficiency: Not designed properly
What are the three levels of deficiencies related to controls
- Control deficiency: Exists when the design or operation of a control does not prevent, or detect and correct, misstatements on a timely basis
- Significant deficiency: a deficiency or combination of deficiencies in internal controls less severe than a material weakness but important enough to merit attention
- Material Weakness: a deficiency or combination thereof in internal controls such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, detected, or corrected on a timely basis
What is a SOC 1 Report
Provides an opinion on the design and operating effectiveness of controls (transaction and security focused)
What are SOC Reports
Reports on controls for firms a company outsources information to
What is a SOC 2 and 3 report
SOC 2: Provides an opinion on the design and operating effectiveness of controls over the security, availability, confidentiality, privacy, and integrity of systems used to process the entity’s data at the service organization (more security focused)
SOC 3: SOC 2 report dumbed down and released publicly