MODULE 2 Flashcards

(133 cards)

1
Q

COSO stands for

A

Committee of Sponsoring Organizations.

2
Q

The COSO internal control framework serves as a guide that helps organizations with

A

risk assessments, internal control and fraud prevention

3
Q

COSO Components may be divided into two categories:

A

Entity-level controls
Transaction-level controls

4
Q

impact is indirect; pervasive to the financial statement.

A

Entity-level controls

5
Q

All components of the COSO framework except for __ are considered entity-level controls

A

Control Activities

6
Q

impact is direct; affects specific transactions and processes.

A

Transaction-level controls

7
Q

is the only component in the COSO framework that is considered a transaction-level control

A

Control Activities

8
Q

CATEGORIES OF INTERNAL CONTROL OBJECTIVES

A

Operating objectives
Reporting objectives
Compliance objectives

9
Q

pertain to the achievement of an entity’s basic mission and vision: the fundamental reason for its existence.

A

Operations objectives

10
Q

These objectives vary based on management’s choices relating to the management operating model, industry considerations, and performance.

A

Operations objectives

11
Q

Operations objectives relate to improving

A

financial performance, productivity, quality, environmental practices, innovation, and customer and employee satisfaction.

12
Q

pertain to the preparation of reports for use by organizations and stakeholders.

A

Reporting objectives

13
Q

may relate to financial or non-financial reporting and to internal or external reporting.

A

Reporting objectives

14
Q

are driven by internal requirements in response to a variety of potential needs such as the entity’s strategic directions, operating plans, and performance metrics at various levels.

A

Internal reporting objectives

15
Q

are driven primarily by regulations and/or standards established by regulators and standard-setting bodies.

A

External reporting objectives

16
Q

Entities must conduct activities, and often take specific actions, in accordance with applicable laws and regulations.

A

Compliance objectives

17
Q

As part of specifying __, the organization needs to understand which laws and regulations apply across the entity.

A

compliance objectives

18
Q

Many laws and regulations are generally well known, such as those relating to taxation and environmental compliance, but others may be more obscure, such as those that apply to an entity conducting operations in a remote foreign territory.

A

Compliance objectives

19
Q

COMPONENTS OF INTERNAL CONTROL SYSTEM

A

Control environment
Risk assessment
Control activities
Information and communication
Monitoring activities

20
Q

is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

A

control environment

21
Q

involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity’s objectives and determining how risks should be managed.

A

Risk assessment

22
Q

considers possible changes in the external environment and its own business model that may impede its ability to achieve its objectives.

A

Management

23
Q

are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out.

A

Control activities

24
Q

are performed at all levels of the entity, at various stages within business processes, and over the technology environment.

A

Control activities

25
is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives.
Information
26
provides the organization with the information needed to carry out day-to-day internal control activities and enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.
Communication
27
Ongoing and/or separate evaluations are done to ascertain whether each of the five components of internal control is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to those charged with governance.
Monitoring activities
28
REQUIREMENTS FOR EFFECTIVE INTERNAL CONTROL
All internal control components are present and functioning
Internal control components are operating together in an integrated manner
Deficiencies are timely identified and addressed
29
refers to the determination that components and relevant principles exist in the design and implementation of the system of internal control.
Present
30
refers to the determination that components and relevant principles continue to exist in the operation and conduct of the system of internal control.
Functioning
31
refers to a shortcoming in a relevant principle or associated component that has the potential to adversely affect the ability of the entity to achieve its objectives.
Internal control deficiency
32
demonstrates independence from management and exercises oversight of the development and performance of internal control.
Board of Directors
33
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
CONTROL ENVIRONMENT
34
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
CONTROL ENVIRONMENT
35
The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives
CONTROL ENVIRONMENT
36
Set the tone at the top
Board of Directors (BoD) and management
37
shows through their directives, actions, and behavior the importance of integrity and ethical values to support the internal control system.
Board of Directors (BoD) and management
38
The expectations of the BoD and senior management on integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and external parties.
Establish standard of conduct
39
Processes are in place to evaluate the performance of individuals and teams against the entity’s established expected standards of conduct.
Evaluate adherence to conduct standards
40
Deviations of the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
Timely addresses deviation
41
EXERCISE OVERSIGHT RESPONSIBILITY
Establish oversight responsibility
Applies relevant expertise
Operates independently
Provide oversight of internal control system
42
BOD identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
Establish oversight responsibility
43
BOD defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions.
Applies relevant expertise
44
The BOD has enough members that are independent from management and objective in evaluations and decision making.
Operates independently
45
Majority of the BoD should not have a personal or professional relationship with the entity.
Operates independently
46
The BoD retains oversight responsibility for management’s design, implementation, and conduct of internal control.
Provide oversight of internal control system
47
ESTABLISH STRUCTURE, AUTHORITY AND RESPONSIBILITY
Consider all structures of the entity
Establish reporting lines
Define, assign and limit authorities and responsibilities
48
(Consider all structures of the entity) consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
Management and the BoD
49
(Establish reporting lines) designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
Management
50
(Define, assign and limit authorities and responsibilities) delegates authority, defines responsibilities, and uses appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization.
Management and the BoD
51
DEMONSTRATE COMMITMENT TO COMPETENCE
Establishes policies and practices
Performance evaluation
Employee retention
Succession planning
52
(Succession planning) develop contingency plans for assignments of responsibility important for internal control.
Senior management and the BoD
53
The organization provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives.
Employee retention
54
The BoD and management evaluate competence across the organization and in outsourced service providers in relation to established policies and practices, and act, as necessary, to address shortcomings.
Performance evaluation
55
establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action, as necessary.
Management and the BoD
56
Management and the BoD establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action, as necessary
Enforces Accountability through Structures, Authorities, and Responsibilities
57
Management and the BoD establish performance measures, incentives, and other rewards appropriate for responsibilities throughout the entity, reflecting appropriate performance measures and expected standards of conduct, and consider the achievement of both short-term and longer-term objectives.
Establishes Performance Measures, Incentives, and Rewards
58
Management and the BoD evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence and provide rewards or exercise disciplinary action as appropriate.
Evaluates Performance and Rewards or Disciplines Individuals
59
Management and the BoD evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
Considers Excessive Pressures
60
Management and the BoD align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.
Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance
61
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
The organization considers the potential for fraud in assessing risks to the achievement of objectives.
The organization identifies and assesses changes that could significantly impact the system of internal control.
RISK ASSESSMENT
62
SPECIFIES SUITABLE OBJECTIVES
Operational objectives
Compliance objectives
Internal reporting objectives
External financial reporting objectives
63
reflect management’s choices about structure, industry considerations, and performance of the entity. Management considers the acceptable levels of variation relative to the achievement of operations objectives.
Operations objectives
64
The organization reflects the desired level of operations and financial performance for the entity within operations objectives. Lastly, management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.
Operational objectives
65
are consistent with accounting principles suitable and available for that entity
Financial reporting objectives
66
reflects the underlying transactions and events to show qualitative characteristics and assertions.
External reporting
67
provides management with accurate and complete information regarding management’s choices and information needed in managing the entity.
Internal reporting
68
Management reflects the required level of precision and accuracy suitable for user needs in non-financial reporting objectives and materiality within financial reporting objectives. Internal reporting reflects the underlying transactions and events within a range of acceptable limits.
Internal reporting objectives
69
Laws and regulations establish minimum standards of conduct which the entity integrates into compliance objectives. Additionally, management considers the acceptable levels of variation relative to the achievement of compliance objectives.
Compliance objectives
70
IDENTIFIES AND ANALYZES RISK
Includes Entity and its Sub-units
Analyzes Internal and External Factors
Estimates Significance of Risks Identified
Involves Appropriate Levels of Management
Determines How to Respond to Risks
71
The organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
Includes Entity and its Sub-units
72
Risk identification considers both internal and external factors and their impact on the achievement of objectives.
Analyzes Internal and External Factors
73
The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management.
Involves Appropriate Levels of Management
74
are analyzed through a process that includes estimating the potential significance of the risk.
Identified risks
75
includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
Risk assessment
76
ASSESS FRAUD RISK
Considers different types of fraud
Assesses attitude and rationalization
Assesses opportunity
Assesses incentives and pressure
77
The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
Considers different types of fraud
78
The assessment of fraud risk considers incentives and pressures.
Assesses incentives and pressure
79
The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts.
Assesses opportunity
80
The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.
Assesses attitude and rationalization
81
IDENTIFIES AND ANALYZES SIGNIFICANT CHANGE
Assesses Changes in the External Environment
Assesses Changes in the Business Model
Assesses Changes in Leadership
82
The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates.
Assesses Changes in the External Environment
83
The organization considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies.
Assesses Changes in the Business Model
84
The organization considers changes in management and respective attitudes and philosophies on the system of internal control.
Assesses Changes in Leadership
85
The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
INFORMATION AND COMMUNICATION
86
USES RELEVANT INFORMATION
Identifies information needs
Capture internal and external data sources
Processes relevant data to information
Maintains quality throughout processing
Considers costs and benefits
87
A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives.
Identifies information needs
88
Information systems capture internal and external sources of data.
Capture internal and external data sources
89
Information systems process and transform relevant data into information.
Processes relevant data to information
90
Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.
Maintains quality throughout processing
91
The nature, quantity, and precision of information communicated are commensurate with and support the achievement of objectives.
Considers costs and benefits
92
COMMUNICATES INTERNALLY
Communicates Internal Control Information
Selects Relevant Method of Communication
Provides Separate Communication Lines
Communicates with the Board of Directors
93
A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities.
Communicates Internal Control Information
94
Communication exists between management and the BoD so that both have the information needed to fulfill their roles with respect to the entity’s objectives.
Communicates with the Board of Directors
95
Separate communication channels, such as whistleblower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
Provides Separate Communication Lines
96
The method of communication considers the timing, audience, and nature of the information.
Selects Relevant Method of Communication
97
COMMUNICATES EXTERNALLY
Communicates to External Parties
Enables Inbound Communications
Provides Separate Communication Lines
Selects Relevant Method of Communication
Communicates with the Board of Directors
98
Processes are in place to communicate relevant and timely information to external parties including shareholders, partners, owners, regulators, customers, and financial analysts and other external parties.
Communicates to External Parties
99
Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the BoD with relevant information.
Enables Inbound Communications
100
Relevant information resulting from assessments conducted by external parties is communicated to the BoD.
Communicates with the Board of Directors
101
Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
Provides Separate Communication Lines
102
The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.
Selects Relevant Method of Communication
103
The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
MONITORING ACTIVITIES
104
CONDUCT ON-GOING AND/OR SEPARATE EVALUATION
Considers a Mix of Ongoing and Separate Evaluations
Uses Knowledgeable Personnel
Establishes Baseline Understanding
Considers Rate of Change
Integrates with Business Processes
Adjusts Scope and Frequency
Objectively Evaluates
105
Management includes a balance of ongoing and separate evaluations.
Considers a Mix of Ongoing and Separate Evaluations
106
Management considers the rate of change in business and business processes when selecting and developing ongoing
Considers Rate of Change
107
The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.
Establishes Baseline Understanding
108
Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
Uses Knowledgeable Personnel
109
Ongoing evaluations are built into the business processes and adjust to changing conditions.
Integrates with Business Processes
110
Management varies the scope and frequency of separate evaluations depending on risk.
Adjusts Scope and Frequency
111
Separate evaluations are performed periodically to provide objective feedback.
Objectively Evaluates
112
EVALUATES AND COMMUNICATES DEFICIENCIES
Assesses Results
Communicates Deficiencies
Monitors Corrective Actions
113
assess results of ongoing and separate evaluations.
Management and the BoD
114
Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the BoD, as appropriate.
Communicates Deficiencies
115
Management tracks whether deficiencies are remediated on a timely basis.
Monitors Corrective Actions
116
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
The organization selects and develops general control activities over technology to support the achievement of objectives.
The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
CONTROL ACTIVITIES
117
SELECTS AND DEVELOPS CONTROL ACTIVITIES
Integrates with Risk Assessment
Determines Relevant Business Processes
Considers Entity-Specific Factors
Evaluates a Mix of Control Activity Types
Considers at What Level Activities Are Applied
Addresses Segregation of Duties
118
Control activities help ensure that risk responses that address and mitigate risks are carried out.
Integrates with Risk Assessment
119
Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
Considers Entity-Specific Factors
120
Management determines which relevant business processes require control activities.
Determines Relevant Business Processes
121
Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
Evaluates a Mix of Control Activity Types
122
Management considers control activities at various levels in the entity.
Considers at What Level Activities Are Applied
123
Management segregates incompatible duties, and where such segregation is not practical management selects and develops alternative control activities.
Addresses Segregation of Duties
124
SELECTS AND DEVELOPS GENERAL CONTROLS OVER TECHNOLOGY
Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities
Establishes Relevant Security Management Process Control Activities
Establishes Relevant Technology Infrastructure Control Activities
125
DEPLOYMENT THROUGH POLICIES AND PROCEDURES
Establishes Policies and Procedures to Support Deployment of Management’s Directives
Performs in a Timely Manner
Establishes Responsibility and Accountability for Executing Policies and Procedures
Takes Corrective Action
Performs Using Competent Personnel
Reassesses Policies and Procedures
126
TYPES OF TRANSACTION CONTROL ACTIVITIES
Transaction authorization
Independent verification
Physical controls
Reconciliation procedures
Standing data control
Supervisory controls
127
is the assignment of various activities in a business process to different people.
Segregation of duties (SOD)
128
The aim of SOD is to ensure that __ so that errors will be identified and fraud will require collusion between two or more individuals.
incompatible duties do not reside within a single person
129
Duties that generally should be segregated include:
Transaction initiation
Transaction authorization
Record keeping
Asset custody
130
are policies and procedures performed to ensure the integrity of IT systems and processes.
Controls on information technology (IT)
131
There are two broad categories of IT controls:
General IT control
Application control
132
controls that apply to the entire IT system and affect all IT applications used. Comprised of: IT governance, IT infrastructure, security and access to operating systems, networks and databases, application acquisition and development, and program change procedures.
General IT control
133
application-specific controls that ensure the validity, completeness, and accuracy of financial transactions.
Application control