23 Cards in this Set

  • Front
  • Back
Know the primary differences between an internal control framework and an enterprise risk management framework.
Internal control frameworks are more narrowly defined and less stringent in nature, in contrast to an enterprise risk management framework, which encompasses strategic governance.
Know how the SEC defines a suitable internal control framework.
The US SEC places responsibility for the design, maintenance, and effective operation of internal control squarely on the CEO and CFO of publicly traded companies, who must opine on the design adequacy and operating effectiveness of internal control over financial reporting (ICFR) as part of the annual filing of financial statements with the SEC, and report substantial changes in ICFR, if any, on a quarterly basis.
As evidence of compliance, the SEC ruled that "…management must base its evaluation [or, opinion] of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment."

The SEC final ruling defines a suitable framework as one that must:
Be free from bias.
Permit reasonably consistent qualitative and quantitative measurements of a company's internal control.
Be sufficiently complete so that those relevant factors that would alter a conclusion [or opinion] about the effectiveness of a company's internal control are not omitted.
Be relevant to an evaluation of internal control over financial reporting.
What framework is generally used in the United States and why.
The primary US framework is COSO, because it is a suitable framework against which organizations can compare their system of internal controls in order to comply with section 404 of the U.S. Sarbanes-Oxley Act of 2002, which governs all entities, foreign and domestic, that wish to access the US capital markets.

The SEC stated: "The COSO framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements."
Know what the SEC final rules require of management in order to comply with the US SOX Act of 2002.
The final rules do not mandate use of a particular framework, such as the COSO framework, in recognition of the fact that other evaluation standards exist outside the United States.

The final rules require management’s reports to identify the evaluation framework used by management to assess the effectiveness of the company’s internal control over financial reporting.

Know how the internal control frameworks contributed to the shift in thinking about controls, and widened the spectrum of controls addressed by internal auditors.
The COSO and CoCo frameworks contributed to the shift in thinking about controls in terms of their alignment with the organization's objectives. The emergence of broad management control frameworks has elevated the internal auditor's focus:
From primarily financial and compliance-oriented controls
To also include risk management and governance processes that address broad organizational risks.
The frameworks' focus has:
Widened the spectrum of controls addressed by internal auditors.
More closely aligned their control activities with an organization's objectives and core value-creating processes.
Know who assumes primary responsibility for the system of internal controls.
Governing boards do not design policies; their job is oversight. They rely on management, especially the chief executive officer (CEO), to create the policies. The CEO in turn relies on management and department heads to recommend and implement procedures.
Definitions for: (i) COSO internal control
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
Definitions for: (ii) a key control
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Definitions for: (iii) a control deficiency
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
COSO's internal control framework: (i) purpose
To evaluate the internal control system that management has designed.
COSO's internal control framework: 5 components
Control environment: permeates all areas of the organization and influences the way individuals approach internal control.

Risk assessment

Control Activities

Information and Communication

Monitoring
COSO's internal control framework: 3 objectives
Objectives are set as part of risk assessment; their achievement is supported by the control environment.

Operations objectives refer to the effectiveness and efficiency of the entity’s operations, including performance and profitability goals and safeguarding resources against loss. They may vary based on management’s choices about structure and performance.

Financial reporting objectives relate to the preparation of reliable published financial statements, including prevention of fraudulent public financial reporting. They are driven primarily by external requirements.

Compliance objectives refer to adherence to laws and regulations to which the entity is subject. They are dependent on external factors, such as environmental regulations, and tend to be similar across all entities in some cases and across an industry in others.



How objectives cascade from the mission statement and down through the organization.
Objectives flow from the mission statement: an organization's mission statement drives entity-level (strategic) objectives, which in turn cascade down through the organization.
Why every organization has its own set of business objectives and implementation strategies.
Because each organization is managed by different people who use individual judgments in unique operating environments with varying complexity, no two organizations have the same set of control activities, even though they might have very similar business strategies.
Why segregation of duties is a critical element of effective internal control.
An employee who is assigned incompatible duties may be able to override internal controls without detection, misuse assets, or perpetrate and conceal an error or fraud.
The essential feature of segregation of duties is that no single person shall have responsibility for internal controls over an entire transaction.
The basic considerations of segregation of duties
These three categories of duties are broadly defined as follows:
Authorization
Record-keeping
Custody of assets
Segregation of duties categories
Authorization
Authorization (the dated approval of transactions) refers to the responsibility for ensuring that transactions affecting assets are only executed in accordance with management's directives and intentions.
Segregation of duties categories
Record-keeping
Record-keeping refers to the responsibility for recording, processing, or reporting of transactions affecting assets.
Segregation of duties categories
Custody of assets
Custody of assets refers to the responsibility for the safeguarding of assets against unauthorized acquisition, use, or disposition.
Examples of segregation of duties
Employees who authorize employee time shall not also be able to process payroll.

Employees who authorize purchase orders shall not be able to voucher invoices.

Employees who process disbursements shall not be able to sign (authorize) checks.
Why information is important
Relevant, accurate, and timely information must be available to individuals at all levels of an organization who need such information to run the business effectively.
Why communication is important
Equally important is communication with external parties, including, but not limited to, customers, suppliers, service providers, regulators, external auditors, and shareholders.
Actions speak louder than words
Refers to the fact that, in addition to hardcopy, electronic, and oral communication formats, "management's actions" powerfully communicate what is important to the organization. (page 6-13)