What is the purpose of the COSO Internal Control Framework? What does the acronym COSO stand for?
COSO: Committee of Sponsoring Organizations
To create and then assess the effectiveness of internal controls to maximize the entity's ability to achieve its objectives.
Define Internal Control
A process to provide reasonable assurance that the organization will achieve its objectives.
At what level are internal controls expected to be applied?
At the divisional (operating unit) or functional level.
What are the three categories of objectives for the COSO Internal Control Framework and their general focus?
Operations: effectiveness and efficiency of an entity's operations.
Reporting: reliability, timeliness, and transparency of an entity's internal and external financial and nonfinancial reporting.
Compliance: adherence to all applicable laws and regulations.
What are the five internal control components of the COSO Internal Control Framework?
C-R-I-M-E
Control Activities
Risk Assessment
Information and Communication
Monitoring Activities
Environment of Control
What is the focus of the Control Environment? What are its principles?
Sets the "tone at the top" approach taken by the senior management and board of directors.
EBOCA
Ethical Values
Board Independence and Oversight
Organizational Structure
Commitment to Competence
Accountability
What is the focus of Risk Assessment? What are its principles?
Identification and analysis of internal and external influences, and establishing a response to the risks.
SAFR
Specify Objectives
Assess Change
Fraud
Risks, Identify and Analyze
What is the focus of Information and Communication? What are its principles?
Identification, capture and exchange of information
OIE
Obtain and use info (better be facts)
Internal Communication
External Communication
What is the focus of Monitoring Activities? What are its principles?
Assessing the quality of internal control performance over time
SOD
Separate Evaluations
Ongoing Evaluations
Deficiencies, Communicate
What is the focus of Control Activities? What are its principles?
The policies and procedures to ensure that the directives initiated by management to mitigate risks are performed
CaT-Pee
Control Activities, select and develop
Technology Controls
Policies and Procedures Deployment
True/False: The COSO Internal Control Framework is a prescriptive checklist and the entity's Board is expected to have a procedure in each category?
False
The framework requires judgment (not prescription) to create, develop and review an Internal Control system
Which of the following terms is used by COSO regarding the Internal Control Framework? (1) Major deficiency, (2) Significant deficiency, (3) Material weakness?
Major Deficiency: a material internal control deficiency (or combination of deficiencies) that significantly reduces the likelihood that an organization can achieve its objectives.
What are strategic objectives?
High level goals aligned with the mission of the organization. Critical to the success of the company (e.g., achieving 60% market share)
What are operational objectives?
The effective and efficient use of resources. (Ex: defect rate <5%, overtime <2%)
What are internal and external reporting objectives?
Internal, such as monitoring to enable management to take action
External, meet the needs of the stakeholders
What are compliance objectives?
Meeting specific laws, requirements and regulations
When are internal controls present, functioning, and effective?
When all the principles and components are included, operationally working, and risks of not meeting objectives are reduced to an acceptable level.
What types of control activities are included in demonstrating a commitment to ethics and integrity?
Establishing standards of conduct
Evaluating adherence to these standards
What types of control activities are included in establishing an organizational structure?
Defining, assigning and limiting authorities and responsibilities
What types of control activities are included in supporting individual accountability?
Establishing performance measures, incentives, and rewards
Evaluating performance against these measures
Determining if excessive pressure exists that would motivate someone to break the rules
What areas of concern must be considered when analyzing for risk due to fraud?
Look for the following issues that would encourage the behavior
incentives or pressures
opportunities
employee attitudes
types of rationalizations
Which of the following is the best method to reduce the risk of kiting? (1) review and approval of checks & support, (2) bank reconciliation, (3) segregation of duties.
(3) segregation of duties.
Kiting occurs when the same person writes the checks and makes the deposits. Separating these duties will limit the opportunity.
What 3 elements help to enable fraud?
Financial pressure (a motive)
Opportunity (to commit the act)
Rationalization (justification of the act)
What are several types of internal control methods utilized to reduce risk?
PREVENTIVE
Separation of Duties: no one person should be able to initiate a transaction and then approve it, or record the information in the accounting records and then control the proceeds that result.
Supervisory Review: ensure someone separate from the person performing the function verifies the transaction
Separate Department Review: someone in another dept verifies the transaction