Providing user documentation, maintaining fire suppression equipment in the File Library, and using usernames and passwords to control access to the system are all examples of what type of Control?
Definition of Feedback Controls
A procedure in which the results of a process are evaluated and, if the results are undesirable, the process is adjusted to correct the results; most detective controls are also feedback controls.
After the fact control designed to detect an error after it has occurred. Examples of detective controls include data entry edits (field checks, limit tests) and reconciliation of batch control totals.
Controls over specific data input, data processing, and data output activities. Designed to ensure the accuracy, completeness, and validity of transaction processing. As such, application controls have a relatively narrow focus on those accounting applications that are involved with data entry, update, and reporting.
Paired with detective controls, they attempt to reverse the effects of the error or irregularity which has been detected. Examples of corrective controls include maintenance of backup files, disaster recovery plans, and insurance.
Sarbanes Oxley of 2002, the CEO and CFO may be penalized for misrepresenting the company's finances by being?
Fined and Imprisoned
17 Components of Internal Control - Risk Assessment Section
- Organizational Objectives
- Change Management
TRUE OR FALSE - SOX stated that one member of the Audit Committee must be a "financial expert."
FALSE The Sarbanes-Oxley Act provides that at least one member should be a “financial expert.” The names of the financial experts must be disclosed. If the firm does not have a financial expert, it must provide an explanation.
Which of the following committees of the board of directors generally has the responsibility of overseeing CEO succession?
The nominating/corporate governance committee
Control Environment as a Component of Internal Control has 5 principals
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. It may be viewed as the foundation for the other components of internal control.
- Ethics at the top of organization
- Independent Management
- Management establishes oversight
- Competent talent in organization
Director's Duty of Loyalty
The directors' duty of loyalty means that they must put the interest of the corporation before their personal interest. Assume a director is approached with a business opportunity that would be of interest to and benefit the corporation. However, the director is also interested in the opportunity. The director must first offer the opportunity to the corporation before pursuing it on his or her own behalf.
Auditing Standards divide internal control into five interrelated components (elements) as follows:
- Control Environment,
- Risk Assessment,
- Control Activities,
- Information and Communication, and
ERM - Risk Response
- Avoidance - exiting activity to avoid risk
- Reduction - taking steps to reduce risk likelihood or impact
- Sharing - transfers risk via insurance, hedging or outsourcing
- Acceptance - no action taken
Three Objectives of Internal Control (ROC)
- Reliability of reporting (financial statements)
- Efficiency and effectiveness of operations (significant events, safeguarding assets)
Compliance with applicable laws and regulations.
Internal Control Components of COSO & ERM
ERM has 8 Components (5 of which are same as COSO Components of IC)
- Internal Environment (COSO)
- Strategic Objective Setting
- Event Identification
- Risk Assessment (COSO)
- Risk Response - ERM's main focus for corporations
- Control Activities (COSO)
- Information and Communication (COSO)
- Monitoring (COSO)
SOX Act of 2002 did three things:
- SOX directed public company audit committees to install procedures for ensuring that whistleblowers' complaints are properly directed.
- SOX provided a civil damages action for public company whistleblowers who suffer retaliation for providing information in an investigation or participating as a witness or otherwise in a proceeding involving federal securities law violations.
- SOX made it a crime punishable by fine and/or imprisonment of not more than 10 years to retaliate against an informant who provided truthful information relating to the commission of any federal offense to a law enforcement officer (not just federal securities law violations).
Dodd-Frank created an entirely new anti-retaliation provision that whistleblowers are likely to use instead of the SOX provision (even as amended), because:
- Whistleblowers may sue directly in federal district court without going through the Department of Labor complaint process.
- Whistleblowers may recover two times the amount of back pay owed with interest and attorneys' fees if they establish that they are victims of retaliation.
- The SOL is much longer - whistleblowers must file within three years of when they knew, or should have known, they had the right to sue and within six years of the violation.
- Note that the SEC can also sue to punish such retaliation.
If an accountant learns such "original information" (i.e. whistleblower related) while acting as an internal auditor, or while working for a public accounting firm performing a mandated audit, he or she is disqualified from receiving a bounty?
Yes. Auditors are already duty-bound to report such information and as such they are viewed as not needing the incentive of a bounty to fulfill their obligation.
However, there are a few exceptions where the auditor could claim a bounty.
COSO Model Pyramid Structure
COSO ERM Model Cube
Attribute Standards - Internal Audit Charter
"The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval."
Attribute Standards - Organizational Independence
- "The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.
- The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity."
Attribute Standards - Quality Assurance and Improvement Program
- "The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity."
- "The quality assurance and improvement program must include both internal and external assessments."
Requirements of the Quality Assurance and Improvement Program - Internal Assessments
"Internal assessments must include:
- Ongoing monitoring of the performance of the internal audit activity; and
- Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices."
A related Interpretation states, "Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework."
Requirements of the Quality Assurance and Improvement Program - External Assessments
"External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:
- The need for more frequent external assessments; and
- The qualifications and independence of the external reviewer or review team, including any potential conflict of interest."
High Level Attribute Standards
- Purpose, Authority, and Responsibility (Standard 1000)
- Independence and Objectivity (Standard 1100)
- Proficiency and Due Care (Standard 1200)
- Quality Assurance & Improvement Program (Standard 1300)
High Level Performance Standards
- Managing the Internal Audit Activity (Standard 2000)
- Nature of Work (Standard 2100)
- Engagement Planning (Standard 2200)
- Performing the Engagement (Standard 2300)
- Communicating Results (Standard 2400)
- Monitoring Progress (Standard 2500)
- Resolution of Senior Management's Acceptance of Risks (Standard 2600)
Performance Standards: Managing the Internal Audit Activity - Planning
The chief audit executive should consider the entity's risk management framework, including established risk appetites set by management.
Performance Standards: Nature of Work - Risk Management
Determining that the risk management processes are effective is a judgment as to whether
- the organization's mission and objectives are aligned;
- significant risks are identified/assessed;
- risk responses are appropriate relative to risk appetites; and
- relevant risk information is captured and communicated in a timely manner.