3- Risk Management & Internal Controls
a software that captures and records accounting business events
Application
ensures that the organization is operating in accordance with management's plan
Assurance
comprised of the company's board of directors and outside board members with special qualifications in finance or accounting; its objective is to oversee the company, and internal audit has a direct line of communication with it
Audit Committee
COSO
Committee of Sponsoring Organizations of the Treadway Commission
internal control goals for adhering to laws and regulations
Compliance Objectives
Disclosure of instances of internal control not in compliance
External audit
Disclosure of significant internal control deficiencies
External audit
assesses and identifies risks, responds to risks at a portfolio-view level, and reports results to key stakeholders
Performance
prevent problems from happening
Preventive Controls
-risk appetite -risk identifications -risk categorization -risk prioritization -heat maps
key course concepts risk assessment
Selects and develops control activities
related principles control activities
new publication with five interrelated components that highlight the importance of risk in creating strategies and driving a company's performance
Enterprise Risk Management Framework
Evaluates management's assessment of effectiveness of internal control and audit opinion of management's report
External audit
apply to the entire operation of the full system and its environment, such as all corporate applications, email, web browsers, time keeping software, benefits management systems, etc.
IT General Controls
a. Some defined processes b. Some defined controls c. Lack of documentation d. Primarily manual controls e. Inconsistencies f. Reliance on key individuals
Informal
continually obtain and share necessary information from both internal and external sources, flowing up, down, and across the company
Information Communication & Reporting
discovers improvements for policies, procedures, controls, and risk management
Insights
adds value to a business by providing assurance, insight, and objectivity to the company
Internal Audit
Defines internal control and gives criteria for developing, implementing, and monitoring an effective internal control system
Internal Control - Integrated Framework
controls-based approach to risk management that is widely accepted as the authoritative guidance on internal controls and SOX compliance
Internal Control - Integrated Framework
the process that specifically mitigates risks to the company's financial information
Internal Controls
An independent function of the company that has a unique reporting relationship in an organization
Internal audit
Included in annual financial statements
Internal control report
Includes assessment of effectiveness of internal control system
Internal control report
Management is responsible for implementing and maintaining adequate internal controls
Internal control report
shows how far along a company is on its journey to reach the ideal state by comparing the current state to a predetermined set of best practices
Maturity Model
assesses the company through an independent consulting point of view
Objectivity
Framework required for:
1. Publicly traded companies in the U.S. and their subsidiaries 2. Foreign companies that are publicly traded and do business in the U.S. 3. Private companies planning their IPO to become a publicly traded company 4. Accounting firms performing audits of the above SOX regulated companies
when a control only applies to a specific application - including all the business processes and accounts that are linked to it
Application Controls
use technology to implement a control activity
Automated Controls
when two employees work together to circumvent controls
Collusion
Committed to fighting corporate fraud, is comprised of 5 private organizations that focus on providing guidance to executives and government entities on fraud prevention and response
Committee of Sponsoring Organizations of the Treadway Commission
Comprised of: American Accounting Association, American Institute of Certified Public Accountants, Institute of Internal Auditors, Institute of Management Accountants, and Financial Executives Institute
Committee of Sponsoring Organizations of the Treadway Commission
technology to create detective controls that use rules-based programming to monitor the business' data for red flags of risks
Continuous Monitoring
5 key steps to implementing an effective system of internal controls
Control Components
the three areas focused on achieving results
Control Objectives
the mechanisms, like rules, policies, or procedures, that make up the process of internal controls
Controls
change undesirable outcomes and occur after a risk has occurred
Corrective Controls
a. Clearly defined processes b. Clearly defined controls c. Formal documentation d. Mix of manual and automated controls e. No reliance on key individuals
Defined optimized
alert management to an issue once it has occurred
Detective Controls
effectiveness and efficiency of the firm's daily functions, allocation of resources, operational and financial performance, and prevention of losses
Operations Objectives
a. Enterprise-wide risk management b. Enterprise-wide control environment c. Top-down proactive approach d. Clearly defined processes e. Clearly defined controls f. Formal documentation g. Clear communication throughout organization h. More automated controls than manual controls i. Internal audit provides strategic value
Optimized
type of preventive control that lessens the risk of error and fraud by ensuring that different employees are responsible for the separate parts of a business activity of authorizing, recording, and having custody
Segregation/Separation of Duties
measures the residual risk for technology attacks by comparing the relationship of the three control functions
Time-Based Model of Controls
comes with serious criminal penalties with fines up to $5 million and/or imprisonment up to 20 years
Violation of internal control requirements
presents a higher risk for management override of internal controls, which can have a significant impact on an organization's internal control efforts
a lax control environment
the strategic planning process combines ERM, strategy, and objective setting to determine the risk appetite and align it with the business objectives
Strategy & Objective Setting
it is the most important component because it sets the overall tone for the organization
control environment
recall that companies should adopt a risk-aware culture that starts with leadership setting an example, and entity-level risk activities
control environment
this is a foundation for other components, and includes the attitude of management concerning integrity and ethical behavior
control environment
to ensure the control environment is regularly assessed, SOX compliance requires a routine test of how internal controls are monitored and an annual control review by external auditors
control environment
-risk responses -internal controls
key course concepts control activities
-risk appetite -enterprise-wide risk management -business process maturity model -management override -SOX regulations
key course concepts control environment
-Quality information -Reporting -Data analytics -Internal audit -Management -Audit committee -Financial statements
key course concepts information and communication
-Management assessments -Internal audits -Audit committee reporting
key course concepts monitoring
is held responsible for financial reporting misstatements
management
management monitors business processes with detective controls and ensures that the controls are working appropriately
monitoring
this component is about assessing internal controls and determining whether changes should be made
monitoring
Deploys through policies and procedures
related principles control activities
Selects and develops general controls over technology (ITGCs)
related principles control activities
Demonstrates commitment to competence
related principles control environment
Demonstrates commitment to integrity and ethical values
related principles control environment
Enforces accountability
related principles control environment
Establishes structure, authority, and responsibility
related principles control environment
Exercises oversight responsibility
related principles control environment
Communicates externally
related principles information and communication
Communicates internally
related principles information and communication
Uses relevant information
related principles information and communication
Conducts ongoing and/or separate evaluations
related principles monitoring
Evaluates and communicates deficiencies
related principles monitoring
Assesses fraud risk
related principles risk assessment
Identifies and analyzes risk
related principles risk assessment
Identifies and analyzes significant change
related principles risk assessment
Specifies suitable control objectives
related principles risk assessment
means an auditor is removed from the business process and has no stake or influence over the outcome of the business processes that they are auditing
Independent
Accuracy and documentation of financial statements
CEOs & CFOs
Financial statements reviewed by management
CEOs & CFOs
Informing external auditors of significant internal control issues and fraud concerns
CEOs & CFOs
Internal control structure reports provided to the SEC
CEOs & CFOs
Communicated and enforced throughout company
Formal data security policies
Ensure protection of all financial data in use and stored
Formal data security policies
published set of specifications and criteria that defines a strategy to achieve certain objectives
Framework
sets company's tone and establishes oversight responsibilities for ERM
Governance & Process
a. Informal process b. Ad hoc controls c. Localized efforts d. Reactive management e. Reliance on key individuals
Limited
Ownership and the responsibility of enforcing mitigating measures to prevent identified risks from occurring
Management - business operations
Aids the first line of defense by ensuring controls are designed to adequately address risk, then monitors to ensure the first line is complying with internal control requirements
Management - risk management and compliance
Identifying and assessing organizational risks
Management - risk management and compliance
is when internal control activities don't work because management is not following policy or procedure, like telling a direct report to ignore a specific control
Management Override
might sound antiquated, but they play a significant role because they are used when human judgement or physical interaction is required
Manual Controls
reporting of financial information internally and externally and of non-financial information, to provide relevant, faithfully represented, timely, and reliable financial information
Reporting Objectives
review performance to consider how well ERM is functioning and identify necessary revisions
Review & Revision
protects investors from fraud and other risks by improving the reliability and accuracy of financial statements; focuses on the internal control structure of a company
Sarbanes-Oxley Act 2002
this component consists of the internal and external communications, including financial reports, policies, and procedures
information and communication
identifies the potential for fraud and any changes that could impact the functionality of the internal controls
risk assessment
this component requires management to continuously identify, categorize, and prioritize risk by looking at both internal and external risks to the company
risk assessment
When the tone at the top (leadership) is poor, the control environment
suffers