INTERNAL CONTROL

  • Control
    Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
  • Control processes
    The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept.
  • Control environment
    The attitude and actions of the board and management regarding the importance of control within the organization. The control environment includes:
    1) Integrity and ethical values,
    2) Management's philosophy and operating style,
    3) Organizational structure,
    4) Assignment of authority and responsibility,
    5) Human resource policies and practices,
    6) Competence of personnel.
  • Components of the control environment
    • Commitment to integrity and ethical values
    • Management's philosophy and operating style
    • Organizational structure
    • The audit committee of the board of directors
    • Methods of assigning authority and responsibility
    • Human resources policies and practices
  • How the organization demonstrates a commitment to integrity and ethical values
    1. Setting the tone at the top
    2. Establishing standards of conduct
    3. Evaluating the performance of individuals and teams based on the established standards of conduct
    4. Correcting deviations in a timely and consistent manner
  • The board
    • Establishes oversight responsibility
    • Applies relevant experience by defining, maintaining, and periodically evaluating the skills and expertise needed among its members to ask difficult questions of management and take appropriate actions
    • Operates independently
    • Provides oversight
  • How management establishes structures, reporting lines, and appropriate authorities and responsibilities
    1. Considers all structures of the entity (nature of the business, size and geographic scope, risks, assignment of authority, reporting lines, reporting requirements)
    2. Establishes and evaluates reporting lines
    3. Designs, assigns, and limits authorities and responsibilities
  • How the organization demonstrates a commitment to attract, develop, and retain competent individuals
    • Policies and practices reflect expectations of competence
    • The board and management evaluate competence and address shortcomings
    • The organization attracts, develops, and retains individuals
    • Senior management and the board plan and prepare for succession
  • How the organization holds individuals accountable for their internal control responsibilities
    1. Enforce accountability through structures, authorities, and responsibilities
    2. Establish performance measures, incentives, and rewards
    3. Evaluate performance measures, incentives, and rewards for ongoing relevance
    4. Consider excessive pressures
    5. Evaluate performance and reward or discipline individuals
  • Categories of control procedures
    • Proper authorization of transactions and activities
    • Segregation of duties
    • Design and use of adequate documents and records
    • Adequate safeguards of assets and records
    • Independent checks on performance
  • Principles relating to control activities
    • The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
    • The organization selects and develops general control activities over technology to support the achievement of objectives
    • The organization deploys control activities through policies that establish what is expected and procedures that put policies into action
  • Authorization
    The empowerment management gives employees to perform activities and make decisions
  • Digital signature or fingerprint
    A means of signing a document with a piece of data that cannot be forged
  • Specific authorization
    The granting of authorization by management for certain activities or transactions
  • Segregation of duties
    Good internal control demands that no single employee be given too much responsibility. An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.
  • How segregation of duties prevents problems
    1. If two of the three functions (authorization, custody, recording) are the responsibility of a single person, problems can arise
    2. Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them
    3. Segregation of duties prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts
    4. Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized
  • Design and use of adequate documents and records
    Helps ensure the accurate and complete recording of all relevant transaction data. Documents that initiate a transaction should contain a space for authorization.
  • Procedures to safeguard assets
    1. Effectively supervising and segregating duties
    2. Maintaining accurate records of assets, including information
    3. Restricting physical access to cash and paper assets
    4. Having restricted storage areas
  • What can be used to safeguard assets
    • Cash registers
    • Safes, lockboxes
    • Safety deposit boxes
    • Restricted and fireproof storage areas
    • Controlling the environment
    • Restricted access to computer rooms, computer files, and information
  • Independent checks on performance
    Independent checks to ensure that transactions are processed accurately
  • Types of independent checks
    • Reconciliation of two independently maintained sets of records
    • Comparison of actual quantities with recorded amounts
    • Double-entry accounting
    • Batch totals
  • Batch totals used in computer systems
    • Financial total (sum of a currency unit field)
    • Hash total (sum of a field that would usually not be added)
    • Record count (number of documents processed)
    • Line count (number of lines of data entered)
    • Cross-footing balance test (compares the grand total of all the rows with the grand total of all the columns to check that they are equal)
  • Risk assessment
    The third component of COSO's internal control model. Companies must identify the threats they face: strategic, financial, information, and compliance.
  • Types of objectives for risk assessment
    • Operations
    • External financial reporting
    • External nonfinancial reporting
    • Internal reporting
    • Compliance
  • How the organization identifies and assesses risks
    1. Considers various types of fraud, assesses incentives and pressures, assesses opportunities, and assesses attitudes and rationalizations
    2. Identifies and assesses changes that could significantly affect the system of internal control
  • Some threats pose a greater risk because they are more likely to occur. A company is more likely to be the victim of a computer fraud than of a terrorist attack.
  • Expected loss
    Risk × exposure
  • Information and communication
    The fourth component of COSO's internal control model. Accountants must understand how transactions are initiated, data are captured, computer files are accessed, data are processed, and information is reported.
  • Principles of information and communication
    • The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
    • The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the function of internal control
    • The organization communicates with external parties regarding matters affecting the functioning of internal control
  • Audit trail
    When individual company transactions can be traced through the system
  • Monitoring
    The fifth component of COSO's internal control model. A process that assesses the quality of internal control performance over time to ensure that controls continue to meet the needs of the organization.
  • Key methods of monitoring performance
    • Effective supervision
    • Responsibility accounting
    • Internal auditing
  • Stages in the monitoring-for-change continuum
    1. Control Baseline (understanding internal control's design and effectiveness)
    2. Change Identification (ongoing or separate evaluations to identify changes in process or risks)
    3. Change Management (verifying that the internal control system manages the changes and establishes a new control baseline)
    4. Control Revalidation (using monitoring procedures to confirm the conclusion that controls are effective)
  • The control process
    1. Establishing standards for the operation to be controlled
    2. Measuring performance against the standards
    3. Examining and analyzing deviations
    4. Taking corrective action
    5. Reappraising the standards based on experience
  • Internal control only provides reasonable assurance of achieving objectives. It cannot provide absolute assurance because of inherent limitations: 1) Human judgment is faulty, 2) Management may inappropriately override controls, 3) Controls can be circumvented by collusion, 4) The cost of internal control must not be greater than its benefits.
  • An evaluation-reward system should be implemented to encourage compliance with the control system
  • Internal control only provides reasonable assurance of achieving objectives. It cannot provide absolute assurance because any system of internal control has inherent limitations
  • Inherent limitations of internal control
    • Human judgment is faulty, and controls may fail because of simple errors or mistakes
    • Management may inappropriately override internal controls, e.g., to fraudulently achieve revenue projections or hide liabilities
    • Manual or automated controls can be circumvented by collusion
    • The cost of internal control must not be greater than its benefits
  • Internal control
    A process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations, safeguarding of assets, and adherence to managerial policies.