CH 6 Internal Control and SOX
Business objectives - refers to
"SMART" tasks that the organization wants to achieve:
Specific
Measurable
Achievable
Results oriented
Time based
Examples for SMART:
Specific: Secure customers' numbers to text appointment reminders
Measurable: The number of "no-shows" by month will decrease
Achievable: Controls are established and employees are trained
Results oriented: If customers are reminded of appointments and the fee for not cancelling within 24 hours, they are more likely to either keep the appointment or cancel in time for the appointment time to be filled
Time based: After one month, we will reassess the processes involved to see if this objective really works
The "limitations of a system of internal controls" is a critical
"inherent risk" that management should always be aware of.
The 5 components of Internal Control are? Note: Components are similar among frameworks like COSO, Turnbull, etc.
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
Examples of transaction-level controls include:
-Authorizations.
-Documentation (such as source documents).
-Segregation of duties.
-IT application controls (input, processing, output).
Simplified: 3 recognized IC frameworks:
-COSO (USA)
-CoCo (Canada)
-Turnbull (United Kingdom)
Risk analysis processes vary depending on many factors specific to an organization, but typically they include:
-Estimating the impact (or severity) of a risk
-Assessing the likelihood (or frequency) of the risk occurring (probability)
-Considering how to manage the risk - that is, assessing what actions to take.
*The results of the risk analysis allow management to consider how best to respond to the risks threatening achievement of the organization's objectives. Risks that are not significant and do not have a high likelihood of occurring will receive little attention. Risks that are significant and/or are likely to occur will receive much greater attention. The risks that fall somewhere in the middle, however, generally require further analysis, as care in judgment is necessary to adequately mitigate these risks without using resources inefficiently.
Consequences of Implementing Excessive Internal Control
-Increased bureaucracy
-Excess cost
-Unnecessary complexity of controls
-Increased cycle time
-Non-value-added activities
Consequences of Accepting Excessive Risk
-Potential loss of assets
-Poor or ineffective business decision-making
-Potential noncompliance with laws and regulations
-Potential for fraud to occur
Examples of process-level controls include:
-Reconciliations of key accounts.
-Physical verifications of assets (such as inventory counts).
-Process employee supervision and performance evaluations.
-Process-level risk assessments.
-Monitoring/oversight of specific transactions.
SOX was passed by Congress and signed by the President with the intent to? *List the 5 intents
-Restore public trust and confidence in public markets.
-Improve corporate governance and promote ethical business practices.
-Create transparency in financial reporting and disclosures.
-Promote and ensure a recognized internal control framework.
-Hold company management accountable for material information that is filed with the SEC and released to investors.
All 3 IC frameworks include what 4 things:
1) A definition of internal control.
2) A process description that provides reasonable assurance for achieving the objectives of an organization in three specific categories:
a. Effectiveness and efficiency of operations,
b. Reliability of reporting, and
c. Compliance.
3) A responsibility matrix for internal control.
4) Components of internal control (which are called by different titles than used in COSO).
COSO titles for each component are:
1) Control Environment 2) Risk Assessment 3) Control Activities 4) Information and Communication 5) Monitoring
What are the 3 types of frameworks?
1) Enterprise risk management (ERM) frameworks
2) Frameworks more specifically designed to address internal control (ch. 6 focus)
3) Other globally recognized frameworks dealing with governance, risk management, and internal control
Notes:
-Both types of framework deal with risk mitigation and aspects of internal control.
-Internal control frameworks are more narrowly defined and tend to be less strategic in nature.
What are currently the only 4 internal control frameworks recognized globally by management, independent outside accountants/auditors, and internal audit professionals?
1) Internal Control Frameworks:
Internal Control - Integrated Framework, issued by COSO (Committee of Sponsoring Organizations of the Treadway Commission), originally in 1992 and updated in 2013
Guidance on Control (often referred to as the CoCo framework), published in 1995 by the Canadian Institute of Chartered Accountants (CICA)
Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (this report replaced Internal Control: Revised Guide for Directors on the Combined Code, referred to as the Turnbull Report), published by the FRC (Financial Reporting Council) in 2014
COBIT 5, Information Technology (IT) Governance Institute, United States, 2012
2) Governance Frameworks:
Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury), England, 1992
King Committee on Corporate Governance, Institute of Directors, South Africa, 2009
3) Enterprise Risk Management Frameworks:
Enterprise Risk Management - Aligning Risk with Strategy and Performance, Committee of Sponsoring Organizations of the Treadway Commission, United States, 2016
Risk Management - Principles and Guidelines (ISO 31000), International Organization for Standardization (ISO), Switzerland, 2009
4) Other Globally Recognized Risk Mitigation Frameworks:
International Convergence of Capital Measurement and Capital Standards (Basel Accord), Basel Committee on Banking Supervision, 1988
International Convergence of Capital Measurement and Capital Standards: A Revised Framework (Basel II & III), Basel Committee on Banking Supervision, 2005 & 201
The COSO cube has 3 sections. What are they?
1) Objectives
2) Components
3) Entity structure
COSO explains, "A direct relationship exists between objectives, which are what an entity strives to achieve, components [and principles], which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube."
The 3 COSO categories of objectives are
1) Operations: These pertain to effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss.
2) Reporting: These pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity's policies.
3) Compliance: These pertain to adherence to laws and regulations to which the entity is subject.
A secondary control is one that is designed to either
1) mitigate risks that are not key to business objectives, or 2) partially reduce the level of risk when a key control does not operate effectively. Secondary controls reduce the level of residual risk when key controls do not operate effectively, but they are not adequate, by themselves, to mitigate a particular key risk to an acceptable level. They are typically a subset of compensating controls.
COSO was originally released in
1992, and subsequently revised in 2013.
Entity-Level Control:
A control that operates across an entire entity and, as such, is not bound by, or associated with, individual processes. *Entity-level controls are very broadly focused and often deal with the organizational environment or atmosphere. They are designed to directly mitigate risks that exist at the organization-wide level, including those that arise internally as well as externally, and may indirectly mitigate risks at the process and transaction levels.
What is a framework?
A framework is a body of guiding principles that form a template against which organizations can evaluate a variety of business practices. These principles are comprised of various concepts, values, assumptions, and practices intended to provide a benchmark against which an organization can assess or evaluate a particular structure, process, or environment, or a group of practices or procedures. Specific to the practice of internal auditing, various frameworks are used to assess the design adequacy and operating effectiveness of controls.
WorldCom
A large telecommunications company with $103.9B in assets. Employed fraudulent accounting methods to mask its declining financial condition and paint a false picture of profitability:
-$3.8 billion fraud was discovered in June 2002 during routine examination of capital expenditures.
Conviction - Bernard Ebbers, CEO.
-25 years prison sentence.
-Wife left with house and $50,000 out of $45 million.
Enron
A multinational energy trading company with $63.4B in assets. Employed complicated business structures and accounting policies that reflected huge increases to income (40% growth in three years).
Conviction - Jeffrey Skilling, CEO.
-24 years prison sentence.
-$50 million fine.
The final rules do not mandate use of what?
A particular framework, such as the COSO framework, in recognition of the fact that other evaluation standards exist outside the United States.
Why is it important for the 5 components of internal control (COSO cube) to be functioning?
All 5 COMPONENTS of internal control should be present and functioning for internal control to be considered designed adequately and operating effectively. *Catch-all variable - helps support the 3 objectives.
All organizations encounter what?
All organizations encounter risks aka threats to the achievement of their objectives.
LIMITATIONS OF INTERNAL CONTROL -
Although management, the board of directors, internal auditors, and other personnel work together to facilitate internal control, no internal control system can ensure that objectives will be achieved. This is due to the inherent limitations of internal control. Specifically, COSO "...recognizes that while internal control provides reasonable assurance of achieving the entity's objectives, limitations do exist. Internal control cannot prevent bad judgments or decisions, or external events that can cause an organization to fail to achieve its operational goals. In other words, even an effective system of internal control can experience a failure. Limitations may result from the:
-Suitability of objectives established as a precondition to internal control.
-Reality that human judgment in decision-making can be faulty and subject to bias.
-Breakdowns that can occur because of human failures such as simple errors.
-Ability of management to override internal control.
-Ability of management, other personnel, and/or third parties to circumvent controls through collusion.
-External events beyond the organization's control.
Secondary Control:
An activity designed to either reduce risk associated with business objectives that are not critical to the organization's survival or success or serve as a backup to a key control.
Process-Level Control:
An activity that operates within a specific process for the purpose of achieving process-level objectives.
Transaction-Level Control:
An activity that reduces risk relative to a group or variety of operational-level tasks or transactions within an organization.
Inherent Risk, Controllable Risk, and Residual Risk
An organization's ability to achieve established entity objectives is affected by both internal and external risks. The combination of internal and external risks in their pure, uncontrolled state is referred to as inherent risk. Said another way, inherent risk is the gross risk that exists assuming there are no internal controls in place. Acknowledgement of the existence of inherent risk and that certain events or conditions are simply outside of management's control (external risks) is critical to recognizing the inherent limitations of internal control.
g. Ch.11 - Auditor's Sampling
Auditor's sampling draws conclusions from a sample of evidence gathered by the internal auditor. It addresses risk using a statistical approach; it can be costly, but it saves valuable time for a company by drawing conclusions from the statistical sample rather than from the entire evidence population.
f. Ch.10 - Auditor's Workpapers
Auditor's workpapers aid in planning and performing the audit engagement, therefore resulting in better, higher-quality assurance work. Auditor's workpapers also help the audit engagement objectives better address risk.
Every organization has its own set of business objectives and implementation strategies.
Because each organization is managed by different people who use individual judgments in unique operating environments with varying complexity, no two organizations have the same set of control activities, even though they might have very similar business strategies. Control activities, therefore, serve a vital role in the management process of an organization by ensuring that its uniquely identified risks are mitigated, allowing the organization to achieve its business objectives.
Why will we be focusing on the COSO (USA) framework and not the other IC frameworks?
Because of the similarities among the internal control frameworks, the COSO framework will be used to study the various components of the system of internal controls.
Note difference between COSO monitoring activity and a control activity
COSO further explains, "When distinguishing between a monitoring activity and a control activity, organizations need to consider underlying details of the activity, especially where the activity involves some level of supervisory review."
Why does COSO broadly define Internal Control?
COSO indicates, "This definition of internal control is intentionally broad for two reasons. First, it captures important concepts that are fundamental to how organizations design, implement, and conduct internal control and assess effectiveness of their system of internal control[s], providing a basis for application across various types of organizations, industries, and geographic regions. Second, the definition accommodates subsets of internal control." COSO also indicates, "Those who want to may focus separately, for example, on internal control over reporting or controls relating to complying with laws and regulations."
Which of the 5 components sets the "tone at the top" for an organization?
COSO says, "control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization, the parameters enabling the board of directors to carry out its governance oversight responsibilities, the organizational structure and assignment of authority and responsibility, the process for attracting, developing, and retaining competent individuals, and the rigor around performance measures, incentives, and rewards to drive accountability for performance."
COSO's updated framework provides what?
COSO's updated framework provides significantly more detail regarding the use of monitoring activities to support conclusions on internal control effectiveness, including ICFR, which is of particular importance for smaller public companies working to comply with Section 404 of Sarbanes-Oxley.
Segregation of Duties:
Dividing control activities among different people to reduce the risk of error or inappropriate actions taken by any single individual.
Arthur Andersen, LLP
Enron's external independent auditors. Was amongst the most prestigious and reputable CPA firms.
June 2002 - Andersen was convicted of obstruction of justice for shredding documents related to its audit of Enron.
August 2002 - Andersen surrendered its licenses and rights to practice before the SEC because the SEC does not allow convicted felons to audit public companies.
Conclusion: Eventually, the conviction was overturned, but it was too late, as these events effectively ended the company's operations.
Criminal Sentences under SOX law
Escaping from prison: 1 to 2 years
Kidnapping involving ransom: 3 to 5 years
Second degree murder: 11 to 14 years
Sarbanes-Oxley related: 10 to 20 years
Air piracy: 20 to 25 years
e. Ch. 6 - System of Internal Control
Every organization is going to have a different internal control framework but each framework aims to identify and mitigate risks and assess the adequacy of controls currently in place that are designed to mitigate the business's risks and help an organization reach its desired standard of performance.
SOX law was the
Government's response to public outrage at corporate improprieties:
-Enron
-Arthur Andersen
-WorldCom
-others
d. Ch.5 - Business Process Risk
Helps management and the internal audit function develop a risk profile for the organization. Gives management an idea about how well it will be able to fulfill its mission and add value to the company
4th Internal Control Component: Information and Communication
High-quality information must be communicated appropriately. This interdependency is why COSO combines information and communication in this component. Relevant, accurate, and timely information must be available to individuals at all levels of an organization who need such information to run the business effectively.
Beginning challenges of implementing SOX back in '02
Implementation Challenges - A Change in Approach
In the early stages, SOX was believed to be "an administrative burden" and a "full employment act for auditors." CPA firms were following PCAOB AS2, a bottom-up approach.
Now, after some revision, it is also perceived as "an opportunity to better run the company."
Current: CPA firms are now following PCAOB AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, a risk-based, top-down approach.
b. Ch.4 - Enterprise Risk Assessment
It recognizes culture and capabilities across an organization. ERM is not a separate business process but is attached to each business process of an organization to help identify, understand, and mitigate risks through strategy.
Commonly recognized control activities that are present in a well-designed system of internal controls, include:
Most notable one is Segregation of duties.
Is COBIT a comprehensive IC framework?
No, COBIT is not a comprehensive IC framework. But it:
-Provides guidance on IT governance
-Supplements COSO, CoCo & Turnbull
Is there much variation between the 3 frameworks?
No, but most US companies use COSO.
Ex: There are no substantive differences between COSO and CoCo. Both frameworks include definitions of internal control that describe a process that provides reasonable assurance for achieving the objectives of an organization in three specific categories: 1) effectiveness and efficiency of operations, 2) reliability of reporting, and 3) compliance. Both frameworks also agree regarding responsibility for internal control, specifically putting responsibility on the board of directors, senior management, internal auditors, and also on each individual within the organization.
Note: Although the frameworks use different titles for them, the components of each internal control framework are basically the same and can be examined using the COSO titles for each component. They are: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.
Is there 1 type of internal control?
No, there are several different types of controls employed to mitigate the many varieties of risks facing an organization.
Preventive and Detective Controls
Often, the many different controls that exist are referred to by labels that describe what they are intended to do in an attempt to differentiate between them. Included here is a short list of these types of controls and their definitions.
In addition to segregation of duties, there are many commonly recognized control activities that are present in a well-designed system of internal controls, including:
Performance reviews and follow-up activities.
Authorizations (approvals).
IT access control activities.
Documentation (rigorous and comprehensive).
Physical access control activities.
IT application (input, processing, output) control activities.
Independent verifications and reconciliations.
SOX Mandates
Public Company Accounting Oversight Board (PCAOB)
-Auditor Independence and Ethics
302 Corporate Responsibility:
-Executive Certification - CEO & CFO
-Responsible for designing ICOFR & GAAP financials
-Material changes, and reasons why
404 Management's Report on ICOFR:
-Maintain ICOFR in accordance with GAAP
-Assess ICOFR effectiveness annually and report results
-Maintain evidential matter to support its assessment
-Claim management's responsibility for internal control over financial reporting (ICOFR)
-Confirm its opinion is based on a suitable, recognized control framework
-Identify the framework used
Annually, in 10-K report:
-Opine annually on the design and operating effectiveness of ICOFR
-Disclose all material weaknesses; if one or more exists, ICOFR is "not" effective
-Refer to external auditor ICOFR attestation report
In 10-Qs, report quarterly substantial changes to ICOFR:
-Disclose remediation activities on material weaknesses reported on previous 10-K
Q: Know what the SEC final rules require management to report (§404) in order to comply with the U.S. SOX Act of 2002
Report on the design and management of ICOFR. Disclose all material weaknesses, if any exist. Refer to the external auditor's ICOFR report. 10-Qs are required to report quarterly substantial changes to ICOFR.
Detail: The final rules require management's report to identify the evaluation framework used by management to assess the effectiveness of the company's internal control over financial reporting (ICOFR). Specifically, a suitable framework must: "be free from bias; permit reasonably consistent qualitative and quantitative measurements of a company's internal control; be sufficiently complete so that those relevant factors that would alter a conclusion [or opinion] about the effectiveness of a company's internal controls are not omitted; and be relevant to an evaluation of internal control over financial reporting [ICFR]" (SEC final ruling 33-8238).
Once relevant risks are identified/ assessed, management determines how it will respond. The 4 responses are
Responses include:
-Risk avoidance
-Reduction
-Sharing
-Acceptance
*In considering its response, management selects a response that brings "residual risk" within desired risk tolerances (for their area of responsibility).
The 5 components of internal control carry what?
Risk of failure
a. Ch 4 - Entity Objectives
Risk starts here at entity objectives. Strategy formulation and the setting of business objectives determines an organization's risk appetite and identifies risk. Every organization is different, so risks will therefore be different across various organizations. Risk is the barrier to achieving an organization's business objectives.
Q: Know what an understandable and measurable objective is, what it establishes, and why that's important in regard to meeting objectives
SMART
What supports an organization's objectives?
Supporting the organization in its efforts to achieve objectives are the 5 components of internal control:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
1st Internal Control Component: Control Environment
The US Public Company Accounting Oversight Board (PCAOB) states in its Auditing Standard No. 5, "Entity level controls include:
-Controls related to the control environment.
-Controls over management override.
-The company's risk assessment process.
-Centralized processing and controls, including shared service environments.
-Controls to monitor results of operations.
-Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs.
-Controls over the period-end financial reporting process, and
-Policies that address significant business control and risk management practices."
Tolerance:
The boundaries of acceptable outcomes related to achieving business objectives. *There are many factors management must consider when determining the specific actions (controls) they should take to manage inherent risks to an acceptably low level and establish tolerance parameters. To begin with, management must consider controllable risk.
Inherent Risk:
The combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk that exists assuming there are no internal controls in place
The final rules require management's report to identify what?
The evaluation framework used by management to assess the effectiveness of the company's internal control over financial reporting. Detail: a suitable framework must: "be free from bias; permit reasonably consistent qualitative and quantitative measurements of a company's internal control; be sufficiently complete so that those relevant factors that would alter a conclusion [or opinion] about the effectiveness of a company's internal controls are not omitted; and be relevant to an evaluation of internal control over financial reporting [ICFR]" (SEC final ruling 33-8238).
The 3 layers of monitoring approaches
The first layer includes the everyday activities performed by management of a given area as described above. The second layer is a separate (nonindependent) evaluation of the area's internal controls performed by management on a regular basis to ensure that any deficiencies that exist are identified and resolved timely. The third layer is an independent assessment by an outside area or function, frequently the internal audit function, performed to validate the results (accuracy and reliability) of management's self-assessment of the effectiveness of controls in their area. This layered approach provides the organization with a higher level of confidence that the system of internal controls remains effective and helps ensure internal control deficiencies are identified and addressed timely. Often this strategy is referred to as a "multiple lines of defense" model.
Controllable Risk:
The portion of inherent risk that management can reduce through day-to-day operations and management activities.
Residual Risk:
The portion of inherent risk that remains after management executes its risk responses (sometimes referred to as net risk)
The 17 COSO supporting principles represent what section out of the 3?
Section 2) Components (the 5 components). *The 17 principles are the fundamental concepts associated with each component of internal control. These 17 principles are outlined in Exhibit 6-9.
Risk Appetite:
The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.
Internal control and the roles of auditee personnel
There are specific roles and responsibilities each group of people in the organization (auditee) has, including management's process for evaluating the organization's system of internal controls. There are also specific roles that the internal audit function of an organization has relative to evaluating the system of internal controls.
c. Ch.4 - Audit Engagement Objectives
These set the stage for internal auditors to address how to deal with risk, ultimately helping the auditee achieve its business objectives. Risk exists in every business and business process, so the audit engagement objectives serve as a systematic approach for auditors to "remove" or deal with risk barriers and obstacles.
The COSO definition of Internal Control emphasizes what 5 things?
This definition emphasizes that internal control is:
• Geared to the achievement of objectives in one or more separate but overlapping categories - operations, reporting, and compliance.
• A process consisting of ongoing tasks and activities - a means to an end, not an end in itself.
• Effected by people - not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control.
• Able to provide reasonable assurance, but not absolute assurance, to an entity's senior management and board of directors.
• Adaptable to the entity structure - flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.
How does the SEC make sure companies comply with U.S. Sarbanes-Oxley Act of 2002 legislation?
To comply with this legislation, the U.S. Securities and Exchange Commission (SEC) requires CEO and CFO of publicly traded companies over a certain size to express opinions on the design adequacy and operating effectiveness of internal control over financial reporting (ICFR) as part of the annual filing of financial statements with the SEC, as well as report substantial changes in ICFR, if any, on a quarterly basis. Specifically, the SEC requires evidence of compliance, ruling that " ... management must base its evaluation [or, opinion] of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment."
Were organizations able to successfully apply these 3 frameworks?
Yes, many organizations were able to successfully apply these frameworks in their efforts to comply with Section 404 of Sarbanes-Oxley, despite encountering significant unanticipated costs. Smaller publicly held companies did struggle to comply due to the prohibitive costs as well as several other challenges unique to smaller organizations, including:
-Obtaining sufficient resources to achieve adequate segregation of duties
-Balancing management's ability to dominate activities, with significant opportunities for improper management override of processes in order to appear that business performance goals have been met [management override of control]
-Recruiting individuals with requisite expertise to serve effectively on the board of directors and committees
-Recruiting and retaining personnel with sufficient experience and skill in operations, reporting, compliance, and other disciplines
-Taking critical management attention from running the business in order to provide sufficient focus on internal control
-Controlling information technology and maintaining appropriate general and application controls over computer information systems with limited technical resources.
Risk assessment involves
a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.
Controls also can be categorized in terms of their importance. Therefore, a control can be categorized either as
a key control or as a secondary control.
Control activities are present at
all levels of the organization.
Key Control:
an activity designed to reduce risk associated with a critical business objective
Secondary controls and compensating controls are necessary when
an effective key control cannot be created or designed to adequately mitigate a risk or group of risks within management's established risk appetite. This may be a result of economic constraints or operational complexity or both. No matter the reason, secondary and compensating controls are required for those risks for which no effective key control exists. Often, compensating controls work concurrently with related or overlapping key controls, while serving as a secondary control for a specific key control.
The COSO and CoCo Frameworks are used by
an increasing number of organizations to evaluate the entire system of internal controls, not just internal controls over financial reporting.
A preventive control is designed to
deter unintended events from occurring in the first place. Because of the dynamic nature and complexity of day-to-day business operations, it is difficult to design a preventive control that is both economical and efficient. As a result, most organizations use a combination of preventive controls and detective controls when designing both an effective and efficient system of internal controls. Examples of preventive controls include physical and logical access controls, such as locked doors and user IDs with unique passwords.
Risk assessment forms the basis for
determining how risks will be managed
A detective control is designed to
discover undesirable events that have already occurred. A detective control must operate in a timely manner (before the undesirable event has had an unacceptably negative impact on the organization) to be considered effective. Examples of detective controls include security cameras to identify unauthorized physical access and review of computer logs listing unauthorized access attempts.
Segregation of duties is the concept of
dividing, or segregating, control activities among different people so that the authorization of transactions, the processing of those transactions, and physical access to the assets underlying those transactions are not in the same hands. The primary purpose of segregating duties (dividing control activities) among different people is to reduce the risk of error or inappropriate actions by any single individual.
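The preventive and detective controls above, and the segregation of duties that ties them together, are easier to reason about when the policy is written down as code. The following is an added example, not code from these notes or from the textbook they summarize: a toy procure-to-pay ledger in which role checks, a per-transaction segregation-of-duties rule, and an approve-before-release rule act as preventive controls, and a review of the resulting audit log acts as the detective control. The user names, roles, payment identifiers and log format are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed role assignments for hypothetical users; a real system would
# take these from its identity provider.
ROLES = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"payer"},
    "dave": {"approver", "payer"},  # holds two roles; SoD is enforced per transaction below
}

DUTIES = ("requested_by", "approved_by", "released_by")
REQUIRED_ROLE = {"requested_by": "requester", "approved_by": "approver", "released_by": "payer"}


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


@dataclass
class Payment:
    pid: str
    amount: float = 0.0
    requested_by: Optional[str] = None
    approved_by: Optional[str] = None
    released_by: Optional[str] = None


@dataclass
class PaymentLedger:
    payments: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _deny(self, actor: str, pid: str, duty: str, reason: str) -> None:
        # Every blocked attempt is recorded so the detective control can see it.
        self.audit_log.append(f"DENY user={actor} payment={pid} action={duty} reason={reason}")
        raise ControlViolation(reason)

    def _act(self, actor: str, pid: str, duty: str) -> None:
        pmt = self.payments.setdefault(pid, Payment(pid))
        # Preventive control 1: the actor must hold the role for this duty.
        if REQUIRED_ROLE[duty] not in ROLES.get(actor, set()):
            self._deny(actor, pid, duty, "missing_role")
        # Preventive control 2: segregation of duties. One person may not
        # fill two of request / approve / release on the same payment,
        # even if they hold both roles (dave's case).
        if actor in (getattr(pmt, d) for d in DUTIES if d != duty):
            self._deny(actor, pid, duty, "segregation_of_duties")
        # Preventive control 3: workflow order. Nothing is paid out unapproved.
        if duty == "released_by" and pmt.approved_by is None:
            self._deny(actor, pid, duty, "not_approved")
        setattr(pmt, duty, actor)
        self.audit_log.append(f"ALLOW user={actor} payment={pid} action={duty}")

    def request(self, actor: str, pid: str, amount: float) -> None:
        self._act(actor, pid, "requested_by")
        self.payments[pid].amount = amount

    def approve(self, actor: str, pid: str) -> None:
        self._act(actor, pid, "approved_by")

    def release(self, actor: str, pid: str) -> None:
        self._act(actor, pid, "released_by")


def review_audit_log(log: list, threshold: int = 2) -> dict:
    """Detective control: count denied actions per user and flag anyone at or
    above the threshold for follow-up. Runs after the fact, so it catches
    patterns the preventive checks see only one event at a time."""
    denied = Counter()
    for line in log:
        if not line.startswith("DENY"):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        denied[fields["user"]] += 1
    return {user: n for user, n in denied.items() if n >= threshold}


def run_demo():
    ledger = PaymentLedger()
    # Clean three-person flow: request, approve, release by different people.
    ledger.request("alice", "PO-1001", 4200.00)
    ledger.approve("bob", "PO-1001")
    ledger.release("carol", "PO-1001")
    # dave approves PO-1002 and then twice tries to release it himself.
    ledger.request("alice", "PO-1002", 980.00)
    ledger.approve("dave", "PO-1002")
    for _ in range(2):
        try:
            ledger.release("dave", "PO-1002")
        except ControlViolation:
            pass
    # carol tries to release a payment nobody has approved.
    try:
        ledger.release("carol", "PO-1003")
    except ControlViolation:
        pass
    return ledger, review_audit_log(ledger.audit_log)


if __name__ == "__main__":
    ledger, flagged = run_demo()
    print("\n".join(ledger.audit_log))
    print("flagged for review:", flagged)
```

Note the division of labour: the preventive checks in `_act` stop each bad action on its own, but only the log review notices that dave keeps trying, which is the kind of pattern a secondary or compensating control exists to surface.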
Identifying external and internal risks at an entity and activity (process and transaction) level is fundamental to
effective risk assessment
Management has primary responsibility for the
effectiveness of the organization's system of internal controls, including monitoring activities. As responsibility for performing certain controls rises to higher levels of management, traditional supervisory monitoring becomes more challenging: monitoring performed by subordinates is much less effective than monitoring performed by superiors. In situations where senior management performs controls, it might be appropriate for other members of senior management to monitor those controls. In cases that carry the risk of management override, board-level monitoring might be necessary.
Transaction-level controls are designed to
ensure that individual operational activities, tasks, or transactions, as well as related groups of operational activities (tasks) or transactions, are processed accurately and in a timely manner.
All controls are designed to mitigate risk either at the
enterprise level or at the operational level within an organization.
The COSO framework acknowledges that control activities exist at all levels of an organization and can generally be classified as either
entity-wide control activities or business process control activities. The COSO internal control framework also includes transaction or application controls as a part of business process control activities, which represent "...the most fundamental control activities in an [organization] since they directly address risk responses in the business processes in place to meet management's objectives." Note - the COSO framework uses the terms "entitywide" and "business process" control activities to generally describe these controls. Although it is not uncommon for organizations within the internal audit profession to use different terminology such as "companywide" or "entitywide," the more common term "entity-level" is used in this chapter.
Risks to the achievement of these objectives from across the organization are considered relative to
established tolerance levels. Tolerance level: sets an upper limit on how much of something (variation in performance, for example) can be tolerated.
It is important to note that monitoring activities occur in each of the
five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities), not just as a stand-alone component. Embedding monitoring activities into processes performed during day-to-day business operations allows monitoring activities to occur regularly, catching problems before they become unmanageable. Separate evaluations lack this advantage due to the timing of their performance, which is later in the process, and because they are performed less frequently. Separate evaluations provide for a supplemental look at the system of internal controls, catch problems that might have been missed during ongoing monitoring activities, and evaluate the effectiveness of the ongoing monitoring activities embedded in the day-to-day activities of the area.
Process-level controls are more detailed in their
focus than entity-level controls. They are established by process owners to reduce the risk that threatens the achievement of process objectives. While consistent in nature, these controls may vary in their execution between processes.
Entity-level controls can be divided into two categories:
governance controls and management-oversight controls. Governance controls are established by the board and executive management to institute the organization's control culture and provide guidance that supports strategic objectives. Management-oversight controls are established by management at the business unit and line level of the organization to reduce risks to the business unit and increase the probability that business unit objectives are achieved.
Once entity-level and activity-level risks have been identified, they must be assessed in terms of
impact and likelihood.
Risks can be either
internal and/or external *Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives.
Everybody within an organization has responsibility for
internal control.
When considering a top-down, risk based review of internal control over financial reporting (ICOFR), the Procure-to-Pay process is generally a *see worksheets
key financial process.
A key control (often referred to as the "primary" control) is designed to reduce
key risks associated with business objectives. Failure to implement adequately designed and effectively operating key controls can result in the failure of the organization not only to achieve critical business objectives but to survive.
An adequately designed and effectively operating system of internal controls, by definition, is designed to
manage risk within the organization's established risk appetite. It should mitigate inherent risk related to the three COSO categories of objectives (operations, reporting, and compliance) within management's risk appetite.
Control activities can be separated into the three categories of operations, reporting, and compliance. However, control activities often are designed to
mitigate multiple risks that may threaten objectives in more than one category.
The 2nd Internal Control Component - Risk Assessment is linked to
objectives *Setting clear objectives is a precondition to risk identification, assessment and response
The U.S. Sarbanes-Oxley Act of 2002 legislation put responsibility for the design, maintenance, and effective operation of internal control on who?
on the shoulders of senior management, specifically the chief executive officer (CEO) and chief financial officer (CFO).
BOD is responsible for
overseeing whether management has implemented an effective system of internal controls. This responsibility is fulfilled by the board through an understanding of the risks to the organization and by understanding how management mitigates those risks to an acceptable level.
Deficiencies in an organization's system of internal controls might be identified during the
performance of either ongoing monitoring activities or separate evaluations. There are many potential sources for identifying internal control deficiencies, including the entity's monitoring activities, the other components, and external parties that provide input relative to the presence and functioning of components and relevant principles.
Transaction-level controls are even more detailed in their focus than
process-level controls and reduce risk relative to a group or variety of operational-level activities (tasks) or transactions within an organization.
The purpose of SOX (the reason it was enacted) was to
protect investors from -accounting errors. -fraudulent reporting. Note: The Sarbanes-Oxley Act (SOX) is LAW. -Passed by Congress and signed by the President on July 30, 2002. -George W. Bush referred to it as "the most far-reaching reform of American business practices since the time of Franklin D. Roosevelt."
A system of internal control is expected to provide an organization with what?
reasonable assurance that those objectives relating to external reporting and compliance with laws and regulations will be achieved. Achieving those objectives, which are based largely on laws, rules, regulations, or standards established by legislators, regulators, and standard setters, depends on how activities within the organization's control are performed.
Controls are risk responses management takes to
reduce the impact and/or likelihood of threats to objective achievement. *Management must consider its overall risk appetite and tolerance levels
If residual risk exceeds the organization's established risk appetite, it is necessary to
reevaluate the system of internal controls to determine if additional cost-effective controls can be implemented to further reduce residual risk to a level within management's risk appetite.
Internal Control (COSO Definition -broadly defined)
refers to a process, effected by an entity's (the auditee's) board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations.
Every organization has business objectives that it intends to achieve, and every organization has
risks that threaten the achievement of those objectives.
While management, under the leadership of the CEO, has ultimate responsibility for the adequate design and effective operation of the system of internal controls, internal auditors play a
significant role in verifying that management has met its responsibility. *Initially, management performs the primary assessment of the system of internal controls, and then the internal audit function independently validates management's assertions. The internal audit function provides reasonable assurance that the system of internal controls is designed adequately and operating effectively, increasing the likelihood that the organization's business objectives and goals will be met.
COSO:
stands for Committee of Sponsoring Organizations of the Treadway Commission. It is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.
Frameworks provide a
structure within which a body of knowledge and guidance fit together. This system facilitates consistent development, interpretation, and application of concepts, methodologies, and techniques useful to a discipline or profession
Controllable risk:
that portion of inherent risk that management can directly influence and reduce through day-to-day business activities. Once management has implemented cost-effective controls to address controllable risks, then and only then can they determine if the organization is operating within the overall risk appetite established by senior management and the board of directors. The portion of inherent risk that remains after mitigating all controllable risks is defined as residual risk. If the remaining uncontrolled risk (residual risk) is less than the established risk appetite, then the system of internal controls is operating at an acceptable level and within an organization's defined risk appetite.
SOX is the short name for
the "U.S. Sarbanes-Oxley Act of 2002".
Control Activities are
the actions taken by management, the board, and other parties to mitigate risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Control Environment sets the tone for
the atmosphere in which people conduct their activities and carry out their control responsibilities. It serves as the foundation for the other components. Within this environment, management assesses risks to the achievement of specified objectives. Control activities are implemented to help ensure that management directives to address the risks are carried out. The control environment of an organization permeates all areas of the organization and influences the way individuals approach internal control. This foundational component of internal control creates the context within which the other 4 components of internal control exist.
When internal control categories are looked at as a whole, and NOT individually then they are collectively referred to as
the system of internal controls.
COSO's Enterprise Risk Management - Aligning Risk with Strategy and Performance describes risk appetite as
the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value, and tolerance as the acceptable variation in performance, which is the boundary of acceptable outcomes related to achieving a business objective (both the boundary of exceeding the target and the boundary of trailing the target). Those boundaries must align with the risk appetite.
Ch.6 discusses
the various components of the system of internal controls that organizations develop to mitigate and manage those risks. After studying it you should understand what is meant by internal control, be able to identify a variety of frameworks that address internal control, and be able to identify the components that must be present for an adequately designed and effectively operating system of internal controls.
Adequately designed and effectively operating entity-level, process-level, and transaction-level controls work in
unison and serve as an organization's defense against the risks that threaten the achievement of business objectives.