Chapter 6 Internal Control


What does risk assessment involve?

According to COSO, "...Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established tolerance levels. Thus, risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity...Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective."

How does internal auditors' perspective of internal control differ from management's perspective?

Because management is responsible for setting the organization's objectives, they naturally view internal control from that perspective. Management must consider internal control in terms of the related costs and benefits and allocate the resources necessary to achieve those objectives. Whereas management is responsible for the system of internal controls itself, internal auditors are charged with independently verifying that the organization's controls are designed adequately and operating effectively as management intends.

What are the two broad types of information systems (technology) controls?

- IT general controls. These apply to many, if not all, application systems and help ensure their continued, proper operation.
- IT application controls. These include computerized steps within the application software and related manual procedures to control the processing of various types of transactions.

What are the five components of internal control covered in the COSO framework?

- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities

What is the difference between a preventive and a detective control?

A preventive control is designed to deter unintended events from occurring in the first place. Conversely, a detective control is designed to discover undesirable events that have already occurred.

What does "limitations of internal control" mean? Provide examples of limitations that are inherent to internal control.

Although management, the board of directors, internal auditors, and other personnel work together to facilitate internal control, no internal control system can absolutely ensure that objectives will be achieved, due to the inherent limitations of internal control. Specifically, COSO "... recognizes that while internal control provides reasonable assurance of achieving the entity's objectives, limitations do exist. Internal control cannot prevent bad judgments or decisions, or external events that can cause an organization to fail to achieve its operational goals."

How does COSO define internal control? How does it compare to how the IPPF defines control?

COSO broadly defines internal control as "... a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance." Note that while COSO defines achievement of compliance objectives strictly as "adherence to laws and regulations to which the entity is subject," The IIA's International Professional Practices Framework (IPPF) defines control more broadly as "adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements." COSO considers compliance with those additional governance-related requirements part of the achievement of operations objectives rather than compliance objectives.

What are objectives? What three categories of objectives are set forth in the COSO framework?

COSO explains, "A direct relationship exists between objectives, which are what an entity strives to achieve, components [and principles], which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube." The three categories of objectives are:

- Operations Objectives. These pertain to effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss.
- Reporting Objectives. These pertain to internal and external financial and nonfinancial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard-setters, or the entity's policies.
- Compliance Objectives. These pertain to adherence to laws and regulations to which the entity is subject.

What does the control environment comprise?

COSO indicates that "the control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization...The control environment comprises the integrity and ethical values of the organization, the parameters enabling the board of directors to carry out its governance oversight responsibilities, the organizational structure and assignment of authority and responsibility, the process for attracting, developing, and retaining competent individuals, and the rigor around performance measures, incentives, and rewards to drive accountability for performance..."

What are control activities? What types of control activities are present in a well-designed system of internal controls?

Control activities are the actions taken by management, the board, and other parties to mitigate risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Like critical success factors, control activities are present at all levels of the organization. And, like the objectives they are designed to help achieve, control activities can be separated into the three categories of operations, reporting, and compliance. However, a single control activity is often designed to mitigate multiple risks that threaten objectives in more than one category.

How do entity-level controls differ from process-level and transaction-level controls?

Entity-level controls are very broadly focused and often deal with the organizational environment or atmosphere. They are designed to directly mitigate risks that exist at the organization-wide level, including those that arise internally as well as externally, and may indirectly mitigate risks at the process and transaction levels. Process-level and transaction-level controls, by contrast, are narrowly focused: process-level controls address risks within a specific business process (for example, purchasing or payroll), and transaction-level controls address risks in individual transactions or groups of transactions within that process.

What is a framework? What are the internal control frameworks recognized globally by management, independent outside accountants/auditors, and internal audit professionals?

Framework: A body of guiding principles that form a template against which organizations can evaluate a multitude of business practices. Globally recognized internal control frameworks:

- Internal Control - Integrated Framework, issued by COSO originally in 1992 and updated in 2013;
- Guidance on Control (often referred to as the CoCo framework), published in 1995 by the Canadian Institute of Chartered Accountants (CICA); and
- Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, published by the Financial Reporting Council (FRC) in 2014 (this report replaced Internal Control: Revised Guide for Directors on the Combined Code, referred to as the Turnbull Report).

What must the CEO and CFO of a publicly traded company do to comply with the U.S. Sarbanes-Oxley Act of 2002?

In the United States, the Sarbanes-Oxley Act of 2002 put responsibility for the design, maintenance, and effective operation of internal control squarely on the shoulders of senior management, specifically the CEO and the chief financial officer (CFO). Under Section 302 the CEO and CFO must personally certify each periodic financial report, including that they are responsible for establishing and maintaining internal controls and have evaluated their effectiveness; under Section 404 management must assess and report annually on the effectiveness of internal control over financial reporting.

What is inherent risk? What is controllable risk? What is residual risk?

- Inherent Risk: The combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk that exists assuming there are no internal controls in place.
- Controllable Risk: That portion of inherent risk that management can directly influence and reduce through day-to-day business activities.
- Residual Risk: The portion of inherent risk that remains after all controllable risks have been mitigated.

How is the system of internal controls evaluated?

Initially, management performs the primary assessment of internal controls using a formalized process developed for that purpose. The internal audit function then independently validates management's results. Additionally, a report is typically submitted to the audit committee by either senior management or the chief audit executive (CAE) outlining the results of management's assessment regarding the design adequacy and operating effectiveness of the organization's system of internal controls.

What is a key control? What is a secondary control? What is a compensating control?

- Key Control: An activity designed to reduce risk associated with a critical business objective.
- Secondary Control: An activity designed either to reduce risk associated with business objectives that are not critical to the organization's survival or success, or to serve as a backup to a key control.
- Compensating Control: An activity that, if key controls do not fully operate effectively, may help to reduce the related risk. A compensating control will not, by itself, reduce risk to an acceptable level.

What responsibilities do the following groups of people have regarding internal control? a. Management. b. The board of directors. c. Internal auditors. d. Others in the organization. e. The independent outside auditor.

- Management: Sets the tone at the top; the CEO assumes primary responsibility for the system of internal controls.
- Board of directors: Oversees management, provides direction regarding internal control, and ultimately has responsibility for overseeing the system of internal controls.
- Internal auditors: Provide assurance and advisory support on internal controls.
- Others in the organization: Everyone is responsible for internal control.
- Independent outside auditors: Contribute independence and objectivity through their opinions covering the fairness of the financial statements and, in countries that require such oversight, the effectiveness of internal control over financial reporting.

When are monitoring activities most effective? Who performs monitoring activities? What distinguishes separate evaluations from ongoing monitoring activities?

Monitoring activities are most effective when a layered approach is implemented:

1. Management of a given area.
2. A separate (but not independent) function.
3. Independent assessment by an outside area or function, frequently the internal audit function (the third line).

As COSO indicates, monitoring activities consist of "ongoing evaluations built into business processes at different levels of the entity [that] provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations..."

What is high-quality information? Why must high-quality information be communicated?

Relevant, accurate, and timely information must be available to individuals at all levels of an organization who need such information to run the business effectively. Information must be provided to specific personnel as appropriate to support achievement of their operating, reporting, and compliance responsibilities. Additionally, communication must take place more broadly relative to expectations, responsibilities of individuals and groups, and other important matters.

The requirement that purchases be made from suppliers on an approved vendor list is an example of a: a. Preventive control. b. Detective control. c. Compensating control. d. Monitoring control.

a. Preventive control.

Which of the following best exemplifies a control activity referred to as independent verification? a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions. b. Identification badges and security codes used to restrict entry to the production facility. c. Accounting records and documents that provide a trail of sales and cash receipt transactions. d. Separating the physical custody of inventory from inventory accounting.

a. Reconciliation of bank accounts by someone who does not handle cash or record cash transactions.

Appropriate internal control for a multinational corporation's branch office that has a department responsible for the transfer of money requires that: a. The individual who initiates wire transfers does not reconcile the bank statement. b. The branch manager must receive all wire transfers. c. Foreign currency rates must be computed separately by two different employees. d. Corporate management approves the hiring of employees in this department.

a. The individual who initiates wire transfers does not reconcile the bank statement.
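The three control ideas behind the questions above (a preventive approved-vendor check, a detective reconciliation, and segregation of duties between whoever initiates a transfer and whoever reconciles the bank statement) translate directly into code. The following is an added illustration, not material from the page or its textbook; the vendor list, employee IDs, ledger entries and bank-statement lines are constructed sample data, and all function names are hypothetical.

```python
"""Preventive, detective and segregation-of-duties controls as code.

Added example with constructed data: vendors, employee IDs, ledger
entries and bank-statement lines below are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    vendor: str
    amount: float
    initiated_by: str  # employee who entered / initiated the transaction


class ControlViolation(Exception):
    """Raised when a control blocks an action outright."""


# Preventive control: the approved vendor list (constructed).
APPROVED_VENDORS = frozenset({"acme-supply", "northwind-parts"})

# Constructed sample ledger: what our own books say was paid.
LEDGER = [
    Txn("T1", "acme-supply", 1200.00, "u_alice"),
    Txn("T2", "northwind-parts", 450.50, "u_bob"),
    Txn("T3", "acme-supply", 99.00, "u_alice"),
]

# Constructed bank statement: (txn_id, amount) as the bank reports it.
# T2 has transposed digits, T3 never cleared, T4 is not in our ledger.
BANK_STATEMENT = [("T1", 1200.00), ("T2", 540.50), ("T4", 75.00)]

# Constructed batch of new purchase requests, one from an unlisted vendor.
PURCHASE_REQUESTS = LEDGER + [Txn("T9", "shady-imports", 5000.00, "u_bob")]


def screen_purchases(requests, approved=APPROVED_VENDORS):
    """Preventive control: a purchase from an unapproved vendor never
    gets posted. Returns (accepted_ids, rejected_ids)."""
    accepted, rejected = [], []
    for txn in requests:
        (accepted if txn.vendor in approved else rejected).append(txn.txn_id)
    return accepted, rejected


def reconciler_is_independent(ledger, reconciler):
    """Segregation of duties: the person reconciling the bank statement
    must not have initiated any of the transactions being reconciled."""
    return reconciler not in {t.initiated_by for t in ledger}


def reconcile(ledger, bank_statement, reconciler):
    """Detective control: compare ledger to bank statement after the fact.

    Enforces segregation of duties first, then returns every mismatch as
    (txn_id, ledger_amount, bank_amount); None marks a missing side.
    """
    if not reconciler_is_independent(ledger, reconciler):
        raise ControlViolation(
            f"{reconciler} initiated transactions and may not reconcile them")
    ledger_by_id = {t.txn_id: t.amount for t in ledger}
    bank_by_id = dict(bank_statement)
    exceptions = []
    for tid in sorted(ledger_by_id.keys() | bank_by_id.keys()):
        l_amt, b_amt = ledger_by_id.get(tid), bank_by_id.get(tid)
        if l_amt != b_amt:
            exceptions.append((tid, l_amt, b_amt))
    return exceptions


if __name__ == "__main__":
    print("screened:", screen_purchases(PURCHASE_REQUESTS))
    try:
        reconcile(LEDGER, BANK_STATEMENT, "u_bob")  # u_bob initiated T2
    except ControlViolation as exc:
        print("blocked:", exc)
    for item in reconcile(LEDGER, BANK_STATEMENT, "u_carol"):
        print("exception:", item)
```

The preventive check rejects `T9` before anything is posted, whereas the reconciliation only reports `T2`, `T3` and `T4` after the money has already moved; that is the preventive/detective distinction in the earlier answer. The segregation-of-duties check is what makes the detective control credible: a reconciler who also initiated a transfer could simply accept the mismatch they created.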

COSO's internal control framework has five internal control components and 17 principles for achieving effective internal control. Which of the following is/are (a) principle(s)? I. The organization demonstrates a commitment to integrity and ethical values. II. Monitoring activities. III. A level of assurance that is supported by generally accepted auditing procedures and judgments. IV. A body of guiding principles that form a template against which organizations can evaluate a multitude of business practices. V. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. a. II only. b. I and V only. c. II and IV only. d. I, II, III, IV, and V.

b. I and V only.

When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed. b. Provide assurance on the management of the risk. c. Update the risk management process based on risk exposures. d. Design controls to mitigate the identified risks.

b. Provide assurance on the management of the risk.

An effective system of internal controls is most likely to detect a fraud perpetrated by a: a. Group of employees in collusion. b. Single employee. c. Group of managers in collusion. d. Single manager.

b. Single employee.

An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement? a. Determine whether policies exist that describe the risks the treasurer may take and the types of instruments in which the treasurer may invest. b. Determine the extent of management oversight over investments in sophisticated instruments. c. Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations. d. Determine the nature of monitoring activities related to the investment portfolio.

c. Determine whether the treasurer is getting higher or lower rates of return on investments than treasurers in comparable organizations.

Reasonable assurance, as it pertains to internal control, means that: a. The objectives of internal control vary depending on the method of data processing used. b. A well-designed system of internal controls will prevent or detect all errors and fraud. c. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved. d. Management cannot override controls, and employees cannot circumvent controls through collusion.

c. Inherent limitations of internal control preclude a system of internal control from providing absolute assurance that objectives will be achieved.

The risk assessment component of internal control involves the: a. Independent outside auditor's assessment of residual risk. b. Internal audit function's assessment of control deficiencies. c. Organization's identification and analysis of the risks that threaten the achievement of its objectives. d. Organization's monitoring of financial information for potential material misstatements.

c. Organization's identification and analysis of the risks that threaten the achievement of its objectives.

The control that would most likely ensure that payroll checks are written only for authorized amounts is to: a. Conduct periodic floor verification of employees on the payroll. b. Require the return of undelivered checks to the cashier. c. Require supervisory approval of employee time cards. d. Periodically witness the distribution of payroll checks.

c. Require supervisory approval of employee time cards.

What is residual risk? a. Impact of risk. b. Risk that is under control. c. Risk that is not managed. d. Underlying risk in the environment.

c. Risk that is not managed.

Who has primary responsibility for the monitoring component of internal control? a. The organization's independent outside auditor. b. The organization's internal audit function. c. The organization's management. d. The organization's board of directors.

c. The organization's management.

Which of the following best describes an internal auditor's purpose in reviewing the organization's existing governance, risk management, and control processes? a. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives. b. To ensure that weaknesses in the internal control system are corrected. c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically. d. To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated.

c. To provide reasonable assurance that the processes will enable the organization's objectives and goals to be met efficiently and economically.

Determining that engagement objectives have been met is ultimately the responsibility of the: a. Internal auditor. b. Audit committee. c. Internal audit supervisor. d. CAE.

d. CAE.
