answers Graded A+
Framework
a body of guiding principles that form a template against which organizations can evaluate a multitude
of business practices
- provide a structure within which a body of knowledge and guidance fit together
- used to assess the design adequacy and operating effectiveness of controls
Globally Recognized Frameworks (Diagram)
Internal Control (COSO Definition)
a process that provides reasonable assurance for achieving the objectives of an organization in three
specific categories: effectiveness and efficiency of operations, reliability of reporting, and compliance
What does the COSO definition emphasize that internal control is?
- Geared to the achievement of objectives in one or more separate but overlapping categories—
operations, reporting, and compliance
- A process consisting of ongoing tasks and activities—a means to an end, not an end in itself
- Affected by people—not merely about policy and procedure manuals, systems, and forms, but about
people and the actions they take at every level of an organization to effect internal control
- Able to provide reasonable assurance, but not absolute assurance, to an entity's senior management
and board of directors
- Adaptable to the entity structure—flexible in application for the entire entity or for a particular
subsidiary, division, operating unit, or business process
What are the five components of the COSO internal control framework?
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
a voluntary private-sector organization dedicated to improving the quality of financial reporting through
business ethics, effective internal controls, and corporate governance
Who did the Sarbanes-Oxley Act of 2002 legislation put responsibility for the design, maintenance, and
effectively operation of internal control on?
the shoulders of senior management, specifically, the CEO and the chief financial officer (CFO)
- To comply with this legislation, the U.S. Securities and Exchange Commission (SEC) requires the CEO
and CFO of publicly traded companies greater than a certain size to opine on the design adequacy and
, operating effectiveness of internal control over financial reporting (ICFR) as part of the annual filing of
financial statements with the SEC, as well as report substantial changes in ICFR, if any, on a quarterly
basis
What must a suitable internal control framework have, according to the SEC?
- be free from bias
- permit reasonably consistent qualitative and quantitative measurements of a company's internal
control
- be sufficiently complete so that those relevant factors that would alter a conclusion [or opinion] about
the effectiveness of a company's internal controls are not omitted
- be relevant to an evaluation of internal control over financial reporting [ICFR]
What are challenges unique to smaller organizations?
- Obtaining sufficient resources to achieve adequate segregation of duties
- Balancing management's ability to dominate activities, with significant opportunities for improper
management override of processes in order to appear that business performance goals have been met
[management override of control]
- Recruiting individuals with the requisite expertise to serve effectively on the board of directors and
committee
- Recruiting and retaining personnel with sufficient experience and skill in operations, reporting,
compliance, and other disciplines
- Taking critical management attention from running the business in order to provide sufficient focus on
internal control
- Controlling information technology and maintaining appropriate general and application controls over
computer information systems with limited technical resources
What are characteristics of "smaller" entities?
- Fewer lines of business and fewer products within lines
- Concentration of marketing focus, by channel or geography
- Leadership by management with significant ownership interests or rights
- Fewer levels of management, with wider spans of control
- Less complex transaction processing systems and protocols
- Fewer personnel, many having a wider range of duties
- Limited ability to maintain deep resources in line as well as support staff positions, such as legal,
human resources, accounting, and internal auditing
Who are the COSO and CoCo frameworks used by?
an increasing number of organizations to evaluate the entire system of internal controls, not just
internal controls over financial reporting
COSO Cube (Diagram)
What are the three categories of objectives outlined by the COSO framework?