Section 1 ERM, Internal Control, & Business Processes Flashcards
What are the 4 categories of entity objectives in the ERM framework?
SOCR
Strategic – High-level goals aligned with and supporting the entity’s mission
Operations – Effective and efficient use of the entity’s resources
Compliance – Compliance with applicable laws and regulations
Reporting – Reliability of reporting
GRIPS - Components of ERM
Governance & Culture
Review & Revision
Information, Communication, & Reporting
Performance
Strategy & Objective Setting
5 Components of COSO Internal Control Framework
COSO’s Objectives to produce ORCs and ORCs Commit CRIME.
CRIME
Control Activities
Risk Assessment
Information
Monitoring
Control Environment
ORC - Operations, Reporting, & Compliance
3 Main Objectives of COSO - Internal Control Framework
COSO’s Objectives to produce ORCs and ORCs Commit CRIME.
Operations Objectives - Effectiveness and Efficiency of operations
Reporting Objectives - Reliability, timeliness, transparency, standards over internal and external financial reporting.
Compliance Objectives - Adherence to laws and regulations
CRIME - Control Activities, Risk Assessment, Information, Monitoring, & Control Environment.
Limitations of COSO
Human Judgment
Breakdowns and Failures due to humans being involved
Management Override
Collusion
External Events
Unrealistic or Improbable Objectives
Flow of Information in Financial Reporting System
Data is Received
Transaction is recorded in book of prime entry
Summary totals from books of prime entry are posted to General Ledger accounts
Ledger accounts are summarized in a trial balance
Trial balances are used to generate financial statements.
System and Organization Controls (SOC)
Security
Availability
Confidentiality
Processing Integrity
Privacy
SOC Reports
2 Levels
Level 1 - describes a service organization’s systems and whether the design of specified controls meets the relevant trust principles.
Level 2 - Everything in Level 1 and the operational effectiveness of the specified controls over a period of time.
3 Types
SOC 1 — Internal Control over Financial Reporting (ICFR)
SOC 2 — Trust Services Criteria
SOC 3 — Trust Services Criteria for General Use Report
SOC 1 & 2 Contain Specific Information and are intended for a limited audience. SOC 3 contains general info and is intended for a public audience.
Segregation of Duties
The business would have appropriate segregation of duties over key functions, roles, and processes:
○ Authorization
○ Custody of assets
○ Record keeping
5 Components of ERM
GRIPS
Governance & Culture
Review & Revision
Information, Communication, & Reporting
Performance & Risk
Strategy & Objective Setting