Internal Controls & IT General Controls 1 (Part 2)

Question 1

Name the 5 elements under the “COSO Model of Internal Controls” (bottom up):

Answer 1

ERAIM

(1) Control Environment
(2) Risk Assessment
(3) Control Activities
(4) Information and Communication
(5) Monitoring

Question 2

Under the “COSO Model of Internal Controls”, describe the “Control Environment” element:

Answer 2

• Set of control activities and policies that sets tone of org and provides foundation for the other 4 elements

Question 3

Under the “COSO Model of Internal Controls”, what factors are included in the “Control Environment” element?

Answer 3

• Communication
• Enforcement of integrity and ethical
  values (ethics / fraud policy)
• Employees’ Competency
• Mgmt philosophy and style
• Assigning authority and responsibility
• Org structure
• Professional development of employees
• BoD involvement

Question 4

Under the “COSO Model of Internal Controls”, describe the “Risk Assessment” element:

Answer 4

• Set of activities and policies used to ID

and assess risks, significant enough to impair entity’s ability to achieve business goals or control objectives

Question 5

Under the “COSO Model of Internal Controls”, what factors are involved in the “Risk Assessment” element?

Answer 5

• Risk Assessment is fundamental to effective control activities, monitoring elements, and successful mitigation of risks, including IT-related risks.
• A critical element of the system of ICs
• Mgmt document risk assessment to ID, assess and manage (mitigate) risk
• 2 key roles of risk assessment are financial reporting risks and IT risks

Question 6

Under the “COSO Model of Internal Controls”, what factors are involved in the “Control Activities” element?

Answer 6

• Control activities should be integrated w/ Risk Assessment
• The risks ID’d in risk assessment are assigned controls where level of control is linked to level of risk (high-power control for high risk)
• Polices needed to ensure mgmt’s guidelines for IC
• Controls subject to cost-benefit analysis

Question 7

What is a “Control”?

Answer 7

• A control is a task or action that has the intent to mitigate a particular risk for the respective control objective

Question 8

Under the “COSO Model of Internal Controls”, “Control Activities” are generally what 2 categories?

Answer 8

(1) Physical Controls
- Include controls whose objective addresses independent verification, transaction authorization, segregation of duties, supervision, accounting records and audit trail, and physical access controls
(2) Computer Controls are subdivided to:
(a) General Controls
- ITGC
(b) Application Controls

Question 9

Under the “COSO Model of Internal Controls”, what factors are involved in the “Information and Communication” element?

Answer 9

• Involves timely ID’ing, recording and
  communicating relevant info necessary for employees and stakeholders to carry out their responsibilities
• Include financial reporting systems and their ability to properly capture data, report info and assist mgmt in decision making and managing the business
• Includes both internal and external reporting parties

Question 10

Under the “COSO Model of Internal Controls”, what factors are involved in the “Monitoring” element?

Answer 10

• Involves control activities about controls themselves
• Involves regular reviews of controls to assess quality of control over time
• Primary goal is to
  ID changes in IC system, when control needs to be changed or deleted, or when new control is needed
• Monitoring would ID IC deficiencies and communicate them timely to
  appropriate party
• Ex: Regular mgmt review, supervisory activities, technology to monitor controls