Upgrade to remove ads
Only $2.99/month

IIA Chapter 6

Terms in this set (47)

Framework
a body of guiding principles that form a template against which organizations can evaluate a multitude of business practices
COSO Internal Control Framework
Internal Control -- Integrated Framework
CoCo Internal Control Framework
Guidance on Control
Turnbull Report
Internal Control: Revised guide for Directors on the Combined Code
COSO definition of internal control
A process effected by an entity's board of directors, management, and other personnel, designed to provided reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations
COSO Components of Internal Control
Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring
ICFR
Internal Control over Financial Reporting
COSO Internal Control Over Financial Reporting - Guidance for Smaller Public companies
A supplement to the original COSO framework that was designed to provide guidance to smaller public companies as a cost effective means to comply with SOX
COSO's Monitoring Guidance
An additional supplement to the original COSO framework that is designed to help organizations improve the effectiveness and efficiency of their internal control systems and provide practical guidance that illustrates how monitoring can be incorporated into an organizations internal control processes
Categories for Internal Controls
Effectiveness and efficiency of operations, Reliability of financial reporting, compliance with applicable laws and regulations
Control Environment
The foundation of internal control exists here. It contains the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; and organizes and develops its people; and the attention and direction provided by the board of directors
Critical Success Factors
Successes that must be accomplished for objectives to be achieved
Risk assessment
the identification and analysis of relevant risks to achievement of the objectives, formulating a basis for determining how the risks should be managed. Precondition is setting up objects
Types of objectives
Operations(effectiveness & efficiency)
Financial reporting
Compliance
Control Activities
actions taken by management, the board, and other parties to mitigate risk and increase the likelihood that established objectives and goals will be achieved.
Segregation of Duties
dividing control activities among different people to reduce the risk of error or inappropriate actions taken by any single individual
Information and Communication
Relevant, accurate, and timely information must be available to individuals at all levels of an organization who need such information to run the business effectively.
Monitoring
a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Most effective in a layered approach
Layered approach of monitoring
Monitor everyday activities performed by management of an area
Separate evaluation of the area by management on a regular basis to detect deficiencies
Independent review of the evaluation to verify accuracy and reliability
Deficiency
A condition within an internal control system worth of attention that may represent a perceived, potential, or real shortcoming, or opportunity to strengthen the internal control system to provide a greater likelihood that the entity's objectives will be achieved.
Management
Who has primary responsibility for internal controls
Board of Directors
Who is ultimately responsible for making sure management has implemented an effective system of internal controls
Tone at the top
The entity-wide attitude of integrity and control consciousness, as exhibited by the most senior executives of an organization
Monitoring process
Establish a foundation(Tone at the top)
Design & execute
Assess & Report
Role of Management in Internal Control
The CEO assumes primary responsibility for internal controls and sets the tone at the top that trickles down throughout the organization.
Role of the Board in Internal Control
The board oversees management and provides direction regarding internal control. An effective board is objective, capable, and inquisitive with knowledge of the activities and environment. The board ultimately has the responsibility for ensuring management has established an effective system of internal controls
Role of Internal Auditors in Internal Control
Internal Auditors have the responsibility to verify that management has met its responsibility of adequately designing the system of internal controls. COSO states that internal auditors play an important role in evaluating the effectiveness of control systems, and contribute to ongoing effectiveness. Because of its organizational position and authority in an entity, an internal audit function often plays a significant monitoring role.
inherent limitations of internal control
the confines that relate to the limits of human judgment, resource constraints, and the need to consider the cost of controls in relation to expected benefits, the reality that breakdowns can occur, and the possibility of collusion or management override.
Inherent risk
the combination of internal and external risk factors in their pure, uncontrolled state, or, the gross risk that exists assuming there are no internal controls in place.
Controllable risk
the portion of inherent risk that management can directly influence and reduce through day to day business activities.
Residual Risk
the portion of inherent risk that remains after mitigating all controllable risks. Must not exceed the organization's risk appetite or controls will need to be reevaluated
Entity-level control
a control that operates across an entire entity and, as such, is not bound by, or associated with, individual processes. These controls are for risks that affect the entire entity such as the control environment risks, management override, etc. Can be divided into governance controls and management-oversight controls.
Process-level control
A type of activity level control that operates within a specific process for the purpose of achieving process-level objectives. More specific than entity level controls, but less than transaction level controls.
Transaction-level control
A type of activity level control that reduces risk relative to a group or variety of operational-level tasks or transactions within an organization. Most specific type of control. Individual tasks inside of a process are what these control.
Governance control
These entity level controls are established by the board and executive management to institute the organization's control culture and provide guidance that support strategic objectives.
Management-oversight control
these entity level controls are established by management at the business unit and line level of the organization to reduce risks to the business unit and increase the probability that business unit objectives are achieved.
key control
an activity designed to reduce risk associated with a critical business objective
secondary control
an activity designed to either reduce risk associated with business objectives that are not critical to the organization's survival or success or serve as a backup to a key control. Required when a key control does not cover a risk
Compensating control
an activity that, if key controls do not fully operate effectively, may help to reduce the related risk. A compensating control will not, by itself, reduce risk to an acceptable level. Required when a key control does not cover the risk.
Complementary Control
an activity that, when taken together with other controls, contributes to the overall effective mitigation of risk. Frequently, complementary controls operate across multiple processes and risks.
Preventative control
this control is designed to deter unintended events from occurring in the first place. Examples would be both physical and logical access controls. Control that detects the issue before it happens.
Detective control
this control is designed to discover undesirable events that have already occurred. An example includes security camera to identify unauthorized personnel after something has happened.
Corrective control
this control is one in which detected omissions and errors are corrected. An example is the resolution of duplicate payments flagged by the cash disbursement system.
Directive control
this control gives explicit direction regarding what actions need to take place to cause or encourage a desirable event to occur. An example is the instructions for product assembly provide direction to the person assembling it to get to the desired end point
General computing controls
these controls are considered entity-level because they apply across the organization and are in regards to the general usage of computing technologies.
Application controls
These controls are on the process and transaction level and include steps within applications and related manual procedure to control the processing of various types of transactions
PCAOB
The U.S. Public Company Accounting Oversight Board that was established because of SOX legislation and set guidelines for internal auditors/management to follow for reporting requirements
THIS SET IS OFTEN IN FOLDERS WITH...