Internal Controls Flashcards
(20 cards)
What is internal control? (3)
a process designed to provide reasonable assurance of achieving the following: COG
- generating reliable financial accounting information
- complying with applicable laws and regulations
- operating efficiently and effectively
Why is internal control important?
The client’s internal control system exists to: III
- identify and manage risks
- implement corporate governance (maps out responsibilities and accountabilities
- implement and maintain corporate strategy (are top management’s goals, initiatives carried out by employees)
5 COSO cube main ideas (provides reasonable, but not absolute assurance)
MIRCC
- Monitoring activities
- Information and communication
- Risk assessment
- Control activities
- Control environment
What is the foreign corrupt policies act?
- if you’re a corporation, you cannot bribe foreign government
- if you’re a foreign corp registered in the US, you must follow this also
What are the common control activities (6)?
- segregation of duties
- authorization procedures
- documentation
- physical controls to safeguard assets
- reconciliations
- competent trustworthy employees
Some important IT controls…
- authorization for users
- input controls
- self-checking digits
What is effective internal control?
- reduces the risk of failing to achieve an objective to a reasonable level
- does not eliminate risk
- reduces risk to the organization’s risk appetite
- the five components must be operating together
Is enterprise risk management separate from internal controls?
YES, yet we still use IC to support goals/policies that are set
How do auditor reports on internal control differ?
They differ based on the type of company (small, big, public, private)
When was reporting on internal controls required?
In 2002, after the sarbanes oxley act
How did auditors used to handle internal controls?
They assumed the largest control risk (assumed that controls were bad)
Then, had to make sure that detection risk was low by increasing substantive testing (need more tests, bigger sample size, specific staff members)
Inspecting doesn’t involve improvement aspect, shows the big picture but not the details
How must we implement total quality management (TQM)?
Check for quality and internal control each step of the way. Auditors pre-SOX did not realize they cannot see via inspection alone
What is the cost of control?
- control is not free, we might have to forgo a sale because of controls
- their is a cost to developing, implementing, and monitoring controls
- these costs GENERALLY DO NOT INCREASE REVENUE
- benefits are hard to see
- also a strategic cost (a competitor could spend the money on something else and beat you out of business)
What must management’s report include according to SOX?
- statement of management’s responsibility
- identify the framework used (usually COSO)
- assessment of the effectiveness of the company’s internal controls
- description of any material deficiencies in internal controls
Why mandate internal controls?
Addresses the problem of some business implementing internal controls and others not investing.
All are forced to have minimum controls, so no one has a short-term cost advantage.
Who must have an audit of their internal controls? (this can be an integrated audit with financial reporting)
Large public companies must have an audit of their internal controls (>75 million in public float)
Small public companies must still have a management report, but it does not have to be audited
What did the Jobs Act of 2012 do?
- said that large IPO companies do not have to have an audit of internal controls
- these companies with less than 1 billion in sales do not have to have an audit if IC for the first 5 years
- gives short term advantage to little companies to start up
- frees up cash for investing in other things
- we need IPOs to grow our economy (some companies might volunteer the IC report to get more investors)
Why mandate manager and auditor IC reports?
- protect the capital markets
- forces managers to take responsibility for internal controls
- audit report gives teeth to management report because of its third party objectivity
Are private company internal control reports available to third parties?
NO, only available to management and those responsible for corporate governance.
What is a deficiency according to the SEC? What are the indicators of a deficiency?
There are a combination of deficiency in internal control such that there is a reasonable possibility that a material misstatement of the company’s financial statements will not be prevented or detected on a timely basis?
Indicators: nature of account, susceptibility to fraud, subjectivity, complexity, relationship with other controls, future consequences
