COSO stands for?
Committee of Sponsoring Organizations
This framework serves as a guide that helps organizations with risk assessments, internal control, and fraud prevention
COSO Internal Control Framework
Impact is indirect; pervasive to the financial statements. All components of the COSO framework except for Control Activities are considered entity-level controls.
Entity-level Control
Impact is direct; affects specific transactions and processes. Control Activities is the only component in the COSO framework that is considered a transaction-level control.
Transaction-level controls
The Board of Directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Control Environment Principles
Deviations from the entity's expected standards of conduct are identified and remedied in a timely and consistent manner.
Timely addresses deviation
The BoD identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
Establish Oversight Responsibility
Management and the BoD consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
Considers all structures of the entity
Senior management and the BoD develop contingency plans for assignments of responsibility important for internal control.
Succession Planning
Management and the BoD establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action, as necessary.
Enforces Accountability through Structures, Authorities, and Responsibilities
The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Risk Assessment Principle
Specifies Suitable Objectives (All of the above)
OpExInCo
1. Operational
2. External Financial Reporting
3. Internal Reporting
4. Compliance
Identifies and Analyzes Risk (All of the above)
The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
Considers different types of fraud
The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
Information and Communication Principle
Communicates Internally (All of the above)
The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Monitoring Activities Principles
Evaluates and Communicates Deficiencies (All of the above)
The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Control Activities Principles
Management selects and develops control activities that are designed and implemented to restrict technology access rights.
Establishes Relevant Security Management Process Control Activities
Internal Control Components
CoRiCIM
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities
Types of Transaction Control Activities
TrIPReSSup
1. Transaction Authorization
2. Independent Verification
3. Physical Controls
4. Reconciliation Procedures
5. Standing Data Control
6. Supervisory Control