Internal Controls Framework

Question 1

Committee of sponsoring organizations

Answer 1

Established in 1980. An independent private sector initiative to study the factors that lead to fraudulent financial reporting. Issued the “internal control integrated framework” to assist organizations in developing internal control effectiveness.

Question 2

Definition of internal controls

Answer 2

Designed and implemented by an organization’s management and board of directors to provide reasonable assurance that the organization will achieve its operating, reporting, and compliance objectives (ORC).

Question 3

The three framework objectives:

Answer 3

Operating, reporting, and compliance (ORC)

Question 4

Operating objective (O of ORC)

Answer 4

The effectiveness and efficiency of en entities operations. And ensuring the assets of an organization are adequately safeguarded against potential losses.

Question 5

Reporting objective (R of ORC)

Answer 5

The reliability, timeliness, and transparency of the entities external and internal financial and non-financial reporting.

Question 6

Compliance objective (C of ORC)

Answer 6

Ensure the entity is adhering to all the applicable laws and regulations

Question 7

The five components of internal control

Answer 7

Control environment, risk assessment, information and communication, monitoring, existing control activities (CRIME)

Question 8

The control environment (C of CRIME) is:

Answer 8

Established through the “tone at the top” approach token by the service management and board of directors of an entity. There are 5 principles related to the control environment. The acronym is EBOCA.

Question 9

Th 5 principles related to the control environment are:

Answer 9

Commitment to ethics and integrity, board independence and oversight, organizational structure, commitment to competence, and accountability (EBOCA).

Question 10

Commitment to ethics and integrity (the E of EBOCA) is defined as:

Answer 10

A commitment to ethical values and overall integrity throughout the organization. Includes setting a tone at the top and establishing standards of conduct.

Question 11

Board of independence and oversight (the B of EBOCA) is defined as:

Answer 11

The board is independent from management and oversees the development and performance of internal controls.

Question 12

Organizational structure (the O of EBOCA) is defined as:

Answer 12

Establishes reporting lines, as well as defining, assigning, and limiting authorities and responsibilities

Question 13

Commitment to competence (the C of EBOCA) is defined as:

Answer 13

Committed to hire, develop, and retain competent employees.

Question 14

Accountability (the A of EBOCA) is defined as:

Answer 14

Individuals are held accountable for their internal control responsibilities

Question 15

The risk assessment (R of CRIME) is:

Answer 15

An entity’s identification and analysis of risks to the achievement of it’s objectives. There are four principles related to the risk assessment (SAFR).

Question 16

The four principles related to risk assessment are:

Answer 16

Specify objectives, identify and analyze risks, consider potential for fraud, and identify and assess changes (SAFR).

Question 17

Specify objectives (the S of SAFR) is defined as:

Answer 17

Identification and assessment of the risks

Question 18

Identify and analyze risk (the R of SAFR) is defined as:

Answer 18

Analyzing internal and external factors, involving appropriate levels of management and determining how to respond to risks.

Question 19

Consider potential for fraud (F of SAFR) is defined as:

Answer 19

Assessing incentives and pressures, opportunities and attitudes, and rationalizations that could lead to potential fraud.

Question 20

Identify and assess changes (the A of SAFR) is defined as:

Answer 20

Assessing changes in the external environment, business model, and leadership that could affect the system of internal controls.

Question 21

The Information and communication (I of CRIME) is:

Answer 21

Information and communication systems support the identification, capture, and exchange of information on a timely and useful manner. There are three principles related to information and communication (OIE).

Question 22

The three principles related to information and communication are:

Answer 22

Obtain and use information, internally communicate information, and communicate with external parties (OIE).

Question 23

Obtain and use information (the O of OIE) is defined as:

Answer 23

Obtain and use relevant information to support the functioning of internal controls

Question 24

Internally communicate information (I of OIE) is defined as:

Answer 24

The flow of information up, down, and across the organization using a variety of methods and channels.

Question 25

Communicate with external parties (E of OIE) is defined as:

Answer 25

Management having an open, two-way external communication channels using a variety of methods and channels with external parties.

Question 26

Monitoring activities (the M of CRIME) is:

Answer 26

The process of assessing the quality of internal control performance overtime by assessing the design and operation of controls on a timely basis and taking corrective actions. There are two principles related to monitoring activities (SoD).

Question 27

The two principles related to monitoring activities are:

Answer 27

Ongoing and/or separate evaluations, and communication of deficiencies (SoD)

Question 28

Ongoing and/or separate evaluations (So of SoD) is defined as:

Answer 28

Ascertaining whether the components of internal controls are present and functioning and establishing a baseline understanding. Frequency of testing here is dictated by risk.

Question 29

Communication of deficiencies (D of SoD) is defined as:

Answer 29

Communicates internal control deficiencies on a timely manner to parties responsible for taking corrective action.

Question 30

Existing control activities (E of CRIME) is:

Answer 30

Set forth by an entity’s policies and procedures. These activities may be detective or preventative in nature. Segregation of duties is usually port of control activities. There are three principles related to existing control activities (CaT P).

Question 31

The three principles related to existing control activities are:

Answer 31

Select and develop central activities, select and develop technology controls, and deployment of policies and procedures (CaT P).

Question 32

Select and develops central activities (the Ca of CaT P) is defined as:

Answer 32

Selecting activities and considering entity-specific factors that contribute to the mitigation of risk.

Question 33

Select and develop technology controls (the T of CaT P) is defined as:

Answer 33

Determining dependencies between the use of technology in business processes and establishing relevant technology infrastructure to support the achievement of objectives.

Question 34

Deployment of policies and procedures (the P of CaT P) is defined as:

Answer 34

Establishing responsibility and accountability for executing policies and procedures and taking corrective action.

Question 35

All five components and seventeen principles are to be:

Answer 35

Present: included in the design and implementation of the internal control system
and
Functioning (operating effectively): operating as designed in the internal control system

Question 36

To be considered an “effective” system of internal controls, senior management and the board must have reasonable assurance that the entity:

Answer 36

Achieves effective and efficient operations; understands the extent to which operations are managed effectively and efficiently; complies with all applicable rules, regulations, and laws; and prepares reports in conformity with the entity’s reporting objectives, standards, rules, and regulations.

Question 37

A major deficiency represents:

Answer 37

A material internal control deficiency that significantly reduces the likelihood that an organization can achieve its objective.

When a major deficiency is identified, the entity may not conclude that it has met the requirements for an effective internal control system under the COSO framework.

U.S. GAAS - significant deficiency
COSO Framework - major deficiency

Question 38

Limitations to the Internal Control Framework:

Answer 38

There are NO guarantees

Internal control provides reasonable assurance that a firm will achieve objectives, but it does not prevent bad decisions or eliminate external events that may prevent the achievement of the entity’s operational goals.

Question 39

Some inherent limitations that may exist even in an effective internal control system:

Answer 39

Human failures/errors
Faulty or biased judgement
Suitability if the entity’s objectives
External events
Collusion of fraud
Management override of controls

Question 40

Management will compile and document the internal control assessment using the following steps of the COSO framework document (COPS):

Answer 40

Overall assessment
Component evaluation
Principle evaluation
Summary of internal control deficiencies

Question 41

Common risks identified using the COSO framework:

Answer 41

Material omission or misstatement (unintentional)
Fraud (intentional)
Management Override of Controls
Illegal acts (violation of government regulations)