Internal Auditing - CH6 - Internal Control Framework
2014-10-26 01:51:35

  1. Framework
    • refers to a body of guiding principles that form a template against which organizations can evaluate a multitude of business practices.
  2. SEC
    • The US Sarbanes-Oxley Act of 2002 legislation put responsibility for the design, maintenance, and effective operation of internal control on senior management, specifically, the CEO and the chief financial officer (CFO).
    • The US SEC requires the CEO and CFO of publicly traded companies to opine on the design adequacy and operating effectiveness of internal control over financial reporting (ICFR) as part of the annual filing of financial statements, as well as report substantial changes in ICFR on a quarterly basis.
    • The SEC requires evidence of compliance, ruling that, “…management must base its evaluation [or, opinion] of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.”
  3. SEC framework must be
    • Free from bias,
    • Permit reasonably consistent qualitative and quantitative measurements of a company’s internal control,
    • Be sufficiently complete so that those relevant factors that would alter a conclusion [or opinion] about the effectiveness of a company’s internal control are not omitted, and
    • Be relevant to an evaluation of internal control over financial reporting.
  4. Definition of Internal Control
    designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance
  5. Internal Control is
    • Geared toward the achievement of objectives
    • A process
    • Effected by people
    • Provides reasonable assurance
    • Adaptable to the entity structure
  6. Coso Objectives (TOP)

    Reporting Compliance
  7. Coso Objectives (TOP)
    • pertain to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding of assets against loss.
  8. Coso Objectives (TOP)
    • pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity’s policies
  9. Coso Objectives (TOP)
    pertain to adherence to laws and regulations to which an entity is subject
  10. Coso Five Components (Front)
    • Control Environment
    • Risk Assessment
    • Control Activities
    • Information and Communication
    • Monitoring Activities
  11. Coso Five Components (Front)
    Control Environment
    • Permeates all areas of the organization and influences the way individuals approach internal control
    • Creates the context within which the other components of internal control exist
    • Set of standards, processes and structures that provide the basis for carrying out internal control across the organization
    • Comprises:
      • Integrity and ethical values of the company
      • Parameters enabling the board of directors to carry out its governance responsibilities
      • Process for attracting, developing and retaining competent individuals
      • Rigor around performance measures, incentives, and rewards to drive accountability
  12. Coso Five Components (Front)
    Risk Assessment
    • Every entity faces a variety of risks from external and internal sources
    • Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives
    • Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives
    • Risks are considered relative to established risk tolerance
    • Risk assessment forms the basis for determining how risks will be managed
  13. Coso Five Components (Front)
    Control Activities
    • Performed at all levels of the organization, at various stages within business processes and over the technology environment. They may be preventative or detective in nature and may encompass a range of manual and automated activities, such as authorizations and approvals, verifications, reconciliations and business performance reviews. (COSO)
    • Are actions taken by management, the board, and other parties to mitigate risk and increase the likelihood that objectives and goals will be achieved
    • Three categories include operations, reporting and compliance; however, control activities are often designed to mitigate multiple risks that may threaten objectives in more than one category
  14. Coso Five Components (Front)
    Information and Communication
    • High quality information must be communicated appropriately
    • Relevant, accurate and timely information must be available to individuals at all levels of the organization that need such information to run the business effectively
    • Communication with external parties is important
    • There are many ways an organization can choose to communicate (e.g., hardcopy, face-to-face, etc.)
    • The culture of an organization plays an important role in communicating its priorities.
  15. Monitoring versus control activity
    • Business Performance Reviews
    • Supervisory controls assess whether other transaction control activities (for example, a reconciliation) are being performed completely, accurately and according to policy and procedure.
    • A supervisor may review whether an accounting clerk performs a reconciliation according to policy. This may be a:
      • High level review (checking if the reconciliation spreadsheet has been completed)
      • Detailed review (checking if any reconciling items have been followed up on and corrected)
    • In the above example, the high level review is a monitoring activity and the detailed review is a control activity
  16. Types of Control Activities
    • Performance reviews and follow-up activities
    • Authorizations (approvals)
    • IT access controls
    • Documentation (rigorous and comprehensive)
    • Physical access control activities
    • IT application (input, processing, output) control activities
    • Independent verifications and reconciliations
    • Segregation of duties
  17. Coso Five Components (Front)
    Monitoring Activities
    • To remain reliable, internal control systems must be monitored.
    • Monitoring activities consist of ongoing evaluations built into business processes at different levels of the entity that provide timely information.
    • Separate evaluations, conducted periodically, will vary in scope and frequency depending on the assessment of risks, effectiveness of ongoing evaluations, and other management considerations
    • Findings are evaluated against criteria established by regulators, standard-setting bodies or management and the board of directors
    • Deficiencies are communicated to management and the board of directors, as appropriate
  18. Monitoring Activities Layers
    • First layer – everyday activities performed by management of a given area
    • Second layer – separate evaluation of the area’s internal controls performed by management on a regular basis to ensure that any deficiencies that exist are identified and resolved timely
    • Third layer – independent assessment by an outside area or function (frequently internal audit)
  19. COSO broadly defines a deficiency as
    • a shortcoming in a component or relevant principle that reduces the likelihood that the entity can achieve its objectives
  20. Responsibilities
    • The CEO assumes primary responsibility for the system of internal controls. The “tone at the top” is set by the CEO and rolls down from there to senior management, line management and ultimately to all individuals in an organization.
    • Management has primary responsibility for the effectiveness of the organization’s system of internal controls, including monitoring activities.
    • The board of directors is responsible for overseeing whether management has implemented an effective system of internal controls. They provide direction regarding internal control, and ultimately have responsibility for overseeing the system of internal controls.
    • Internal audit plays a significant role in verifying that management has met its responsibility (provide reasonable assurance that the system of internal controls is operating effectively)
    • Internal control is the responsibility of everyone in an entity.
  21. Limitations of Internal Control
    • There are inherent limitations of internal control.
    • Internal control cannot prevent bad judgment or decisions or external events that can cause an organization to fail to achieve its operational goals.
    • Limitations may result from (as examples):
      • The reality that human judgment in decision-making can be faulty and subject to bias
      • The ability of management to override controls
      • External events beyond the organization’s control
    • The key is to understand the linkage and interdependency of business objectives and risks that directly or indirectly affect an organization's ability to achieve its objectives.
  22. Inherent, Controllable and Residual Risk
    • Inherent risk is the gross risk that exists assuming there are no internal controls in place.
    • Controllable risk is the portion of inherent risk that management can directly influence and reduce through day-to-day business activities
    • The portion of inherent risk that remains after mitigating all controllable risks is defined as residual risk.
    • If the remaining uncontrolled risk (residual) is less than the established risk appetite, then the system of internal controls is operating at an acceptable level (and within the defined risk appetite).
    • If residual risk exceeds the risk appetite it is necessary to reevaluate the system of internal controls to determine if additional cost-effective controls could be implemented.
  23. Types of Controls
    • Entity-wide control activities
    • Business process control activities
    • Process-level controls
    • Transaction-level controls
  24. Types of Controls
    • Entity-level controls can be divided into two categories:
      • Governance controls - established by the board and executive management to institute the organization’s controls culture and provide guidance that supports strategic objectives
      • Management controls - established by management at the BU and line level of the organization to reduce risks to the BU and increase the probability that BU objectives are achieved.
  25. Types of Controls
    Process-level Controls
    • Process-level controls are more detailed in their focus than entity-level controls and are established by process owners to reduce risk to the achievement of objectives. Examples include:
      • Reconciliation of key accounts
      • Physical verification of assets (such as inventory counts)
      • Process employee supervision and performance evaluations
      • Process-level risk assessments
      • Monitoring/oversight of specific transactions
  26. Types of Controls
    Transaction-level Controls
    • Transaction-level controls are even more detailed in their focus and reduce risk relative to a group or variety of operational-level activities (tasks) or transactions. Examples include:
      • Documentation (such as source documents)
      • Segregation of duties
      • IT application controls (input, processing, output)
  27. Key control
    is designed to reduce key risks associated with business objectives. Failure to implement adequately designed and effectively operating key controls can result in failure of the organization to achieve objectives (or worse).
  28. Secondary control
    is one that is designed to either:
    • Mitigate risks that are not key to business objectives
    • Partially reduce the level of risk when a key control does not operate effectively
  29. Compensating controls
    are designed to supplement key controls that are either ineffective or cannot fully mitigate a risk or group of risks by themselves to an acceptable level (for example, close supervision when adequate segregation of duties cannot be achieved).
  30. Preventative control
    is designed to deter unintended events from occurring in the first place (locked doors, usernames and passwords, etc.)
  31. Detective control
    is designed to discover undesirable events that have already occurred (review of computer logs)
  32. IT controls
    (that work together to ensure completeness, accuracy, and validity of financial and other information in the system):
    • General computing controls – apply to many if not all application systems and help ensure their continued, proper operation
    • Application controls – include computerized steps within application software and related manual procedures to control the processing of various types of transactions
  33. Evaluating the System of ICs
    • Initially, management performs the primary assessment, testing, and certification of internal controls.
    • Internal audit independently validates management’s results and is responsible for assessing and reporting on an organization’s controls.
  34. Three key considerations in reaching an evaluation of [conclusion on] the overall effectiveness of the organization’s risk management and control processes are
    • Were significant discrepancies or weaknesses [deficiencies] discovered from the audit work performed and other assessment information gathered?
    • If so, were corrections or improvements made after the discoveries?
    • Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists resulting in an unacceptable level of business risk [or operating effectiveness]?
  35. Financial Statement Assertions
    • Existence / occurrence
    • Rights / obligations
    • Valuation / allocation
    • Presentation / disclosure