1. Internal Control Framework Flashcards
(42 cards)
What does COSO stand for?
Committee of Sponsoring Organizations
Who created COSO?
Five organizations:
AICPA, The Institute of Internal Auditors, the Institute of Management Accountants, the American Accounting Association, the Financial Executives Institute.
When and why was COSO created?
In 1987 to develop an integrated internal control model.
What are the 4 COSO contents?
- The COSO integrated framework.
- Internal Control - Integrated Framework.
- Enterprise Risk Management (ERM) - Integrated Framework.
- COSO elements from additional documents, relating to recent changes in IT.
The original COSO cube: what is internal control?
- Control environment (core, management philosophy, organizational structure, system of authority, personnel practices, policies, procedures)
- Risk assessment (identify, analyze, manage risks)
- Information and communication
- Monitoring
- Control activities
The original COSO cube: Why do we have IC?
Operation (effectiveness/efficiency), Reporting (reliability), Compliance
The original COSO cube: Where do we have IC?
Entity, division, operating unit, function
The original COSO cube: what are 4 types of why?
Financial and Non-financial, External and internal.
The original COSO cube: what are 3 examples of external financial reporting?
Annual FS, interim FS, earnings release
The original COSO cube: what are 3 examples of external non-financial reporting?
IC report, sustainability report, supply chain/custody of assets
The original COSO cube: what are 3 examples of internal financial reporting?
Divisional financial reporting, cash flow/budget, bank covenant calculations
The original COSO cube: what are 4 examples of internal non-financial reporting?
Staff/asset utilization, customer satisfaction survey, key risk indicator dashboards, board reporting.
What are 5 principles of control environment?
- A commitment to integrity and ethical values - management.
- The board of directors operates independently of management and oversees IC
- Management establishes structures, reporting lines, authorities, and responsibilities, including those of outsourced service providers.
- Competence
- Accountability
What are 4 principles of Risk assessment?
- Objectives
- Assessment
- Fraud
- Change management
What are 3 principles of control activities?
- Risk reduction
- Technology controls
- Policies
What are 3 principles of information and communication?
- Quality
- Internal
- External
What are 2 principles of monitoring activities?
- Ongoing and periodic
- Address deficiencies
What are 6 limitations of IC?
- Unsuitable management objectives
- Dependence on people
- Management override
- Collusion
- External events beyond control
- Inherent limitations
What are 3 types of IC deficiencies?
- Control deficiency (in design or operation)
- Significant deficiency
- Material weakness
What are 3 categories of controls?
- Preventive, detective, and corrective control
- Feedback and feed-forward controls
- General controls and application controls
Who are the 4 parties responsible for IC?
- The board of directors: oversight
- Managers
- Support functions
- Internal auditors.
Who is responsible for oversight?
The board of directors and the audit committee
To whom does ownership of IC belong?
Senior management, including the CEO and CFO
Who are the support-function personnel?
Personnel in law, compliance, risk management, and IT