COSO (Committee of Sponsoring Organizations)

Question 1

Define “control activities” (according to the COSO internal control and ERM frameworks).

Answer 1

One of five components of internal control. Relates to the policies and procedures that ensure that organizational actions address key risks related to the achievement of management’s objectives.

Question 2

Define “monitoring” (according to the COSO internal control framework).

Answer 2

One of five components of internal control. This component ensures the ongoing reliability of information and control processes by monitoring and testing the control system.

Question 3

Define “information and communications” (according to the COSO internal control framework).

Answer 3

One of five components of internal control. Enable an organization’s personnel to identify, process, and exchange the information needed to manage and control operations.

Question 4

Define “risk assessment” (according to the COSO internal control framework).

Answer 4

One of five components of internal control. The process of identifying, analyzing and managing the risks related to achieving the organization’s objectives.

Question 5

Define “control environment” (according to the COSO internal control framework).

Answer 5

One of five components of internal control. Encompasses management’s philosophy towards controls, organizational structure, system of authority and responsibility, personnel practices, and policies and procedures. The core or foundation of any system of internal control.

Question 6

Define inbound communications.

Answer 6

Communications with outsiders to the organization, including customers, suppliers, external auditors, regulators, financial analysts and others.

Question 7

Define organizational policies.

Answer 7

The organization’s control activities that establish stakeholder expectations regarding conduct and operations.

Question 8

Define risk assessment materiality.

Answer 8

The determination of how large of a risk poses a threat to objectives.

Question 9

Define risk assessment precision.

Answer 9

Whether, and the extent to which, risk can be quantified.

Question 10

Define accountability in the context of designing internal control.

Answer 10

Holding individuals accountable for their internal control responsibilities.

Question 11

Define competence in the context of designing internal control.

Answer 11

A commitment to attract, develop, and retain highly qualified individuals consistent with achieving organizational objectives. Includes establishing policies, assessing competencies, and planning for turnover and succession.

Question 12

Define “risk response” (according to the COSO ERM model).

Answer 12

Management’s response to risk. Depends on management’s risk appetite. May include risk avoidance, reduction, sharing, or acceptance.

Question 13

Define “event identification” (according to the COSO ERM model).

Answer 13

Identifying events that might affect—either positively or negatively—the organization’s ability to meet its objectives.

Question 14

Define “objective setting” (according to the COSO ERM model)

Answer 14

A company must establish objectives at four levels (strategic, operational, reporting, and compliance).

Question 15

Define “compliance objectives” (according to the COSO ERM model).

Answer 15

One of four organizational objectives. These are designed to ensure that the organization meets legal and regulatory requirements.

Question 16

Define “reporting objectives” (according to the COSO ERM model).

Answer 16

One of four organizational objectives. Information system goals related to the accuracy, completeness, timeliness, and reliability of internal and external reporting.

Question 17

Define “operations objectives” (according to the COSO ERM model).

Answer 17

One of four organizational objectives. Goals concerned with day-to-day operating activities (i.e. sales activities, warehousing, manufacturing, etc.).

Question 18

Define “strategic objectives” (according to the COSO ERM model).

Answer 18

One of four organizational objectives. High-level goals that support the organization’s overall mission.

Question 19

Define “enterprise risk management.”

Answer 19

According to COSO, the methods and processes used by organizations to identify and manage the events and circumstances that influence the organization’s ability of achieve its objectives.

Question 20

What is meant by “the tone at the top?”

Answer 20

The extent to which top management is ethical and pro-active in establishing an ethical and moral tone and culture. Consider a counter-example: Kenneth Lay urged Enron employees to buy more Enron stock at the same time that he was selling millions of dollars in Enron stock options (called a “pump and dump” scheme).

Question 21

According to COSO, what four critical accounting activities should be segregated?

Answer 21

1. Authorizing, 2. recording, 3. safeguarding, 4. reconciling, oversight and auditing.

Question 22

Define “risk appetite.”

Answer 22

According to COSO, the amount of risk exposure, or potential adverse impact from an event, that an organization chooses to accept or retain, as opposed to sharing, avoiding, reducing or eliminating the risk.

Question 23

Define “cross-enterprise risk.”

Answer 23

A risk that occurs in multiple units in an organization. For example, a security breach that allowed unauthorized access to a system could occur at multiple sites or units within an organization. Hence, it is a “cross-enterprise” risk.

Question 24

Define “key performance indicators.”

Answer 24

Metrics that reflect critical success factors. They help organizations measure progress towards critical goals and objectives.

Question 25

How does monitoring benefit corporate governance?

Answer 25

Monitoring is the core, underlying control component in the COSO ERM model. Controls degrade over time, technologies change, and people forget or get lazy. Because of this, monitoring is essential to maintaining strong internal control and effective risk management.

Question 26

Define "key controls."

Answer 26

Controls that are most important to monitor in order to support a conclusion about the internal control system's ability to manage or mitigate meaningful risks.

Question 27

Define "evaluator."

Answer 27

An individual who monitors internal control. Must have skills, knowledge, and authority sufficient to understand risks and identify the controls needed to manage those risks. Two most important attributes are competence and objectivity.

Question 28

Define "control objectives."

Answer 28

These provide specific targets for evaluating the effectiveness of internal control. Typically stated in terms that describe the nature of the risk to be managed or mitigated.

Question 29

Define "competence" in relation to a control evaluator.

Answer 29

Competence refers to the evaluator's knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency.

Question 30

Define "compensating controls."

Answer 30

Controls that accomplish the same objective as another control and will "compensate" for deficiencies in the first control.

Question 31

Define "key risk indicators."

Answer 31

Forward-looking metrics that identify critical potential problems, thus enabling an organization to take timely action, if necessary.

Question 32

Define "self-assessment."

Answer 32

Either the person responsible for a control, or that person's peer or supervisor, assesses control effectiveness.

Question 33

Define "self-review."

Answer 33

Person responsible for a control (but not that person's peer or supervisor) assesses control effectiveness. The least objective type of "self assessment."

Question 34

Define "ongoing monitoring."

Answer 34

Activities to monitor the effectiveness of internal control in the ordinary course of operations.

Question 35

What are the three elements of establishing a foundation for control?

Answer 35

The tone at the top, organizational structure, baseline understanding of control effectiveness.

Question 36

Define an internal control deficiency.

Answer 36

A condition requiring attention. May represent a perceived, potential or real shortcoming, or an opportunity to strengthen the system to increase the likelihood of achieving objectives.

Question 37

Define "control baseline."

Answer 37

A starting point for control monitoring. A control assessment that provides sufficient, persuasive information to support a conclusion about control effectiveness, either across the entire organization or in a given area.

Question 38

List the four activities that comprise the design and execution of control monitoring.

Answer 38

Prioritize risks, identify controls, identify persuasive information about controls, implement monitoring procedures.

Question 39

Name the three activities that comprise assessing and reporting on control monitoring.

Answer 39

Prioritize findings, report results as appropriate, follow up to implement corrective actions.