Flashcards in COSO (Committee of Sponsoring Organizations) Deck (39):
Define "control activities" (according to the COSO internal control and ERM frameworks).
One of five components of internal control. Relates to the policies and procedures that ensure that organizational actions address key risks related to the achievement of management's objectives.
Define "monitoring" (according to the COSO internal control framework).
One of five components of internal control. This component ensures the ongoing reliability of information and control processes by monitoring and testing the control system.
Define "information and communications" (according to the COSO internal control framework).
One of five components of internal control. Enable an organization's personnel to identify, process, and exchange the information needed to manage and control operations.
Define "risk assessment" (according to the COSO internal control framework).
One of five components of internal control. The process of identifying, analyzing and managing the risks related to achieving the organization's objectives.
Define "control environment" (according to the COSO internal control framework).
One of five components of internal control. Encompasses management's philosophy towards controls, organizational structure, system of authority and responsibility, personnel practices, and policies and procedures. The core or foundation of any system of internal control.
Define inbound communications.
Communications with outsiders to the organization, including customers, suppliers, external auditors, regulators, financial analysts and others.
Define organizational policies.
The organization's control activities that establish stakeholder expectations regarding conduct and operations.
Define risk assessment materiality.
The determination of how large a risk must be before it poses a threat to objectives.
Define risk assessment precision.
Whether, and the extent to which, risk can be quantified.
Define accountability in the context of designing internal control.
Holding individuals accountable for their internal control responsibilities.
Define competence in the context of designing internal control.
A commitment to attract, develop, and retain highly qualified individuals consistent with achieving organizational objectives. Includes establishing policies, assessing competencies, and planning for turnover and succession.
Define "risk response" (according to the COSO ERM model).
Management's response to risk. Depends on management's risk appetite. May include risk avoidance, reduction, sharing, or acceptance.
Define "event identification" (according to the COSO ERM model).
Identifying events that might affect—either positively or negatively—the organization's ability to meet its objectives.
Define "objective setting" (according to the COSO ERM model).
A company must establish objectives at four levels (strategic, operational, reporting, and compliance).
Define "compliance objectives" (according to the COSO ERM model).
One of four organizational objectives. These are designed to ensure that the organization meets legal and regulatory requirements.
Define "reporting objectives" (according to the COSO ERM model).
One of four organizational objectives. Information system goals related to the accuracy, completeness, timeliness, and reliability of internal and external reporting.
Define "operations objectives" (according to the COSO ERM model).
One of four organizational objectives. Goals concerned with day-to-day operating activities (e.g. sales activities, warehousing, manufacturing, etc.).
Define "strategic objectives" (according to the COSO ERM model).
One of four organizational objectives. High-level goals that support the organization's overall mission.
Define "enterprise risk management."
According to COSO, the methods and processes used by organizations to identify and manage the events and circumstances that influence the organization's ability to achieve its objectives.
What is meant by "the tone at the top?"
The extent to which top management is ethical and pro-active in establishing an ethical and moral tone and culture. Consider a counter-example: Kenneth Lay urged Enron employees to buy more Enron stock at the same time that he was selling millions of dollars in Enron stock options (called a "pump and dump" scheme).
According to COSO, what four critical accounting activities should be segregated?
1. Authorizing; 2. recording; 3. safeguarding; 4. reconciling, oversight and auditing.
Define "risk appetite."
According to COSO, the amount of risk exposure, or potential adverse impact from an event, that an organization chooses to accept or retain, as opposed to sharing, avoiding, reducing or eliminating the risk.
Define "cross-enterprise risk."
A risk that occurs in multiple units in an organization. For example, a security breach that allowed unauthorized access to a system could occur at multiple sites or units within an organization. Hence, it is a "cross-enterprise" risk.
Define "key performance indicators."
Metrics that reflect critical success factors. They help organizations measure progress towards critical goals and objectives.
How does monitoring benefit corporate governance?
Monitoring is the core, underlying control component in the COSO ERM model. Controls degrade over time, technologies change, and people forget or get lazy. Because of this, monitoring is essential to maintaining strong internal control and effective risk management.
Define "key controls."
Controls that are most important to monitor in order to support a conclusion about the internal control system's ability to manage or mitigate meaningful risks.
An individual who monitors internal control. Must have skills, knowledge, and authority sufficient to understand risks and identify the controls needed to manage those risks. Two most important attributes are competence and objectivity.
Define "control objectives."
These provide specific targets for evaluating the effectiveness of internal control. Typically stated in terms that describe the nature of the risk to be managed or mitigated.
Define "competence" in relation to a control evaluator.
Competence refers to the evaluator's knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency.
Define "compensating controls."
Controls that accomplish the same objective as another control and will "compensate" for deficiencies in the first control.
Define "key risk indicators."
Forward-looking metrics that identify critical potential problems, thus enabling an organization to take timely action, if necessary.
Either the person responsible for a control, or that person's peer or supervisor, assesses control effectiveness.
Person responsible for a control (but not that person's peer or supervisor) assesses control effectiveness. The least objective type of "self assessment."
Define "ongoing monitoring."
Activities to monitor the effectiveness of internal control in the ordinary course of operations.
What are the three elements of establishing a foundation for control?
The tone at the top, organizational structure, baseline understanding of control effectiveness.
Define an internal control deficiency.
A condition requiring attention. May represent a perceived, potential or real shortcoming, or an opportunity to strengthen the system to increase the likelihood of achieving objectives.
Define "control baseline."
A starting point for control monitoring. A control assessment that provides sufficient, persuasive information to support a conclusion about control effectiveness, either across the entire organization or in a given area.
List the four activities that comprise the design and execution of control monitoring.
Prioritize risks, identify controls, identify persuasive information about controls, implement monitoring procedures.