11 - internal Control and COSO Framework Verified
Quizzes + Top-Scoring Assignments | A+
Guaranteed| 100% correct
Internal Control - A process designed to provide reasonable assurance regarding the
achievement of management's objectives in the following categories:
1. Reliability of reporting
- Relates to internal and external financial reporting as well as nonfinancial reporting
-- Management responsible for preparing F/S, management has both a legal and professional
responsibility to be sure info is fairly presented in accordance with reporting requirements of
accounting frameworks
2. Effectiveness and efficiency of operation
- Important objective of these controls is accurate financial/nonfinancial info about the
company's operations for decision making
3. Compliance with applicable laws and regulations
- Section 404 requires management of all public companies to issue a report about the
operating effectiveness of internal control over financial reporting
- Public, private, and not-for-profit orgs are required to follow many laws and regulations
Auditor's focus in both the audit of F/S and the audit of internal controls is on controls over the
reliability of financial reporting plus those controls over operations and compliance w/ laws and
regulations that could materially affect financial reporting
Management's responsibilities - Establishing & maintaining entity's internal controls
Required by section 404 to publicly report on operating effectiveness of controls
,Auditor's responsibilities - Understanding and testing internal controls over financial
reporting
Two key concepts underlie management's design and implementation of internal controls -
1. Reasonable Assurance
- A company should develop internal controls that provide reasonable, but not obsolete,
assurance that the F/S are fairly stated
- Reasonable assurance is high level of assurance that allows for only a low likelihood that
material misstatements will not be prevented, or detected and corrected, on a timely basis by
internal controls
- IC are developed by management after considering both costs and benefits of the controls
2. Inherent Limitations
- IC can never be completely effective → its effectiveness depends on the competency and
dependability of the people using it
Collusion - An act of two or more employees who conspire to steal assets or misstate
records
Management's Section 404 Reporting Responsibilities - (for public companies) Section
404 of SOX requires management of all public companies to issue an internal control report that
includes:
- A statement that management is responsible for establishing and maintaining an adequate
internal control structure and procedures for financial reporting
- An assessment of the effectiveness of the internal control structure and procedures for
financial reporting as of the end of the company's fiscal year
(big company is $75 million)
Management must also identify the framework used to evaluate the effectiveness of internal
control → the IC framework used by most U.S. companies is the Committee of Sponsoring
Organizations of the Treadway Commission Internal Control - Integrated Framework (COSO)
, updated original 1992 framework in 2013 (reflects major changes that have occurred the last 20
years)
- Management's assessment of internal control over financial reporting consists of two key
aspects:
1. Design (and implementation) of Internal Control (understanding)
2. Operating Effectiveness of Controls (testing for effectiveness)
SEC requires management to include its report on IC in its annual Form 10-K report
(1) Design (and implementation) of Internal Control (understanding) - Management must
evaluate whether the controls are designed and put in place to prevent or detect material
misstatements in the F/S
Management's focus is on controls that address risks related to all relevant assertions for all
significant accounts, transactions, and disclosures in the F/S → includes evaluating how
significant transactions are initiated, authorized, recorded, processed, and reported to identify
points in the flow of transactions where material misstatements due to error or fraud could
occur
(2) Operating Effectiveness of Controls (testing for effectiveness) - To determine whether
the controls are operating as designed and whether the person performing the control
possesses the necessary authority and qualifications to perform the control effectively
Management's test results, which must be documented, for basis for management's assertion
at the end of the fiscal year about the controls' operating effectiveness
Must disclose any material weakness in internal control → must conclude that company's IC
over financial reporting is not effective
Auditor Responsibilities for Understanding Internal Control - Auditing standards require
the auditor to obtain an understanding of IC relevant to the audit on every audit engagement
Primarily concerned about:
Quizzes + Top-Scoring Assignments | A+
Guaranteed| 100% correct
Internal Control - A process designed to provide reasonable assurance regarding the
achievement of management's objectives in the following categories:
1. Reliability of reporting
- Relates to internal and external financial reporting as well as nonfinancial reporting
-- Management responsible for preparing F/S, management has both a legal and professional
responsibility to be sure info is fairly presented in accordance with reporting requirements of
accounting frameworks
2. Effectiveness and efficiency of operation
- Important objective of these controls is accurate financial/nonfinancial info about the
company's operations for decision making
3. Compliance with applicable laws and regulations
- Section 404 requires management of all public companies to issue a report about the
operating effectiveness of internal control over financial reporting
- Public, private, and not-for-profit orgs are required to follow many laws and regulations
Auditor's focus in both the audit of F/S and the audit of internal controls is on controls over the
reliability of financial reporting plus those controls over operations and compliance w/ laws and
regulations that could materially affect financial reporting
Management's responsibilities - Establishing & maintaining entity's internal controls
Required by section 404 to publicly report on operating effectiveness of controls
,Auditor's responsibilities - Understanding and testing internal controls over financial
reporting
Two key concepts underlie management's design and implementation of internal controls -
1. Reasonable Assurance
- A company should develop internal controls that provide reasonable, but not obsolete,
assurance that the F/S are fairly stated
- Reasonable assurance is high level of assurance that allows for only a low likelihood that
material misstatements will not be prevented, or detected and corrected, on a timely basis by
internal controls
- IC are developed by management after considering both costs and benefits of the controls
2. Inherent Limitations
- IC can never be completely effective → its effectiveness depends on the competency and
dependability of the people using it
Collusion - An act of two or more employees who conspire to steal assets or misstate
records
Management's Section 404 Reporting Responsibilities - (for public companies) Section
404 of SOX requires management of all public companies to issue an internal control report that
includes:
- A statement that management is responsible for establishing and maintaining an adequate
internal control structure and procedures for financial reporting
- An assessment of the effectiveness of the internal control structure and procedures for
financial reporting as of the end of the company's fiscal year
(big company is $75 million)
Management must also identify the framework used to evaluate the effectiveness of internal
control → the IC framework used by most U.S. companies is the Committee of Sponsoring
Organizations of the Treadway Commission Internal Control - Integrated Framework (COSO)
, updated original 1992 framework in 2013 (reflects major changes that have occurred the last 20
years)
- Management's assessment of internal control over financial reporting consists of two key
aspects:
1. Design (and implementation) of Internal Control (understanding)
2. Operating Effectiveness of Controls (testing for effectiveness)
SEC requires management to include its report on IC in its annual Form 10-K report
(1) Design (and implementation) of Internal Control (understanding) - Management must
evaluate whether the controls are designed and put in place to prevent or detect material
misstatements in the F/S
Management's focus is on controls that address risks related to all relevant assertions for all
significant accounts, transactions, and disclosures in the F/S → includes evaluating how
significant transactions are initiated, authorized, recorded, processed, and reported to identify
points in the flow of transactions where material misstatements due to error or fraud could
occur
(2) Operating Effectiveness of Controls (testing for effectiveness) - To determine whether
the controls are operating as designed and whether the person performing the control
possesses the necessary authority and qualifications to perform the control effectively
Management's test results, which must be documented, for basis for management's assertion
at the end of the fiscal year about the controls' operating effectiveness
Must disclose any material weakness in internal control → must conclude that company's IC
over financial reporting is not effective
Auditor Responsibilities for Understanding Internal Control - Auditing standards require
the auditor to obtain an understanding of IC relevant to the audit on every audit engagement
Primarily concerned about:
