Control
Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established goals and objectives will be achieved
Control Processes
The policies, procedures, and activities designed and operated to manage risks to be within the level of an organization's risk tolerance
What are the four types of objectives?
Strategic
Operations
Reporting
Compliance
What is the starting point for a control?
Objectives
What are the control functions?
- Preventive
- Detective
- Directive
- Corrective
- Compensating
- Complementary
- Redundant
Preventive control
Deter the occurrence of unwanted/undesirable events
Preventive control examples
- Physical security/screening
- Cybersecurity
- Segregation of duties
- Authorization
- Prenumbered documents
Detective controls
Uncovers an error or irregularity that has already occurred and alerts the proper people after the unwanted event
Detective controls examples
- Reviews
- Monitoring
- Audits
- Reconciliations
- Alarms
Directive Controls
Cause or encourage the occurrence of a desirable event
Directive Controls examples
- Policies and procedures
- Training
- Coaching
- Signs
- Reminders
Corrective Controls
Remedy the negative effects of unwanted events
Corrective control examples
- Rework
- Revisions
- Returns
- Refunds
- Escalations
Compensating controls
An alternative control implemented to supplement or substitute for a primary control, acting as a "Plan B" so that the risk stays covered when the primary control is missing or fails
Compensating controls examples
- MFA
- Increased monitoring of critical systems
- Additional encryption of sensitive data
- Manual reviews in addition to automated checks
Complementary controls
Work in tandem with one or more other controls to reduce risk to an acceptable level
Complementary controls examples
- Encrypted financial data
- Security monitoring
Redundant controls
A form of compensating control that repeats or duplicates the primary control
Redundant control examples
- Secondary reviews
- Entering a new password twice
- Back up generators in case of a power outage
What are the three levels of control?
- Entity-Level
- Process-Level
- Transaction-Level
Entity-Level controls
Apply to the entire organization and are designed to ensure that organizational objectives are achieved and to mitigate entity-wide risks
Entity-level control examples
- Governance (code of conduct/policies)
- Management oversight (financial statement period end controls)
Process Level control
Designed to achieve process objectives and address process risks
Process-level control examples
- Revenue and cost center reports
- Production reports
Transaction-level controls
Designed to achieve transaction objectives and address risks specific to transactions
Transaction-level controls examples
- Independent checks on performance
- Application controls
- Exception reports
- Segregation of duties
What are the two levels of human interaction for internal controls?
- Active/manual
- Passive/automated
Active/manual controls
People-based controls that depend on human intervention. More suitable for large, unusual, or nonrecurring transactions
Example of an active/manual control
Month end closing checklists
Passive/automated controls
System-based controls executed automatically whenever needed, with no human intervention. Suitable for high-volume transactions that require additional calculations, circumstances that require a high degree of accuracy, and situations with routine errors that can be predicted and corrected
Example of a passive/automated control
Automatic purchase order quantity or monetary threshold
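The automated threshold control above, together with the preventive examples listed earlier (authorization, segregation of duties, prenumbered documents) and the detective exception report, can be shown in working code. The following Python is an added example written for this page, not part of the original card set: it models a purchase-order approval check in which orders over an assumed 10,000 limit need two distinct approvers, the requester may never approve their own order, a gap/duplicate scan over the prenumbered sequence serves as a detective control, and an exception report lists every order the preventive check rejected. The threshold value, field names, and sample orders are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed limit for this example: orders above it need a second, distinct approver.
APPROVAL_THRESHOLD = 10_000.0


@dataclass
class PurchaseOrder:
    po_number: int            # prenumbered document
    requester: str            # person who raised the order
    amount: float
    approvers: List[str] = field(default_factory=list)


def evaluate_po(po: PurchaseOrder, threshold: float = APPROVAL_THRESHOLD) -> Tuple[bool, List[str]]:
    """Preventive, automated control: return (allowed, reasons) for a single order."""
    reasons: List[str] = []
    distinct = set(po.approvers)
    if not distinct:
        reasons.append("no approver recorded")
    # Segregation of duties: the requester cannot also be an approver.
    if po.requester in distinct:
        reasons.append(f"requester {po.requester} approved own order")
    # Monetary threshold: large orders require two distinct approvers other than the requester.
    if po.amount > threshold and len(distinct - {po.requester}) < 2:
        reasons.append(f"amount {po.amount:.2f} exceeds {threshold:.2f}; two distinct approvers required")
    if po.amount <= 0:
        reasons.append("non-positive amount")
    return (not reasons, reasons)


def sequence_gaps(po_numbers: List[int]) -> Dict[str, List[int]]:
    """Detective control over prenumbered documents: report missing and duplicated numbers."""
    seen = set()
    duplicates = []
    for n in po_numbers:
        if n in seen:
            duplicates.append(n)
        seen.add(n)
    missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen] if seen else []
    return {"missing": missing, "duplicates": sorted(set(duplicates))}


def exception_report(orders: List[PurchaseOrder],
                     threshold: float = APPROVAL_THRESHOLD) -> List[Tuple[int, List[str]]]:
    """Run the preventive check over a batch and list the orders that failed."""
    report = []
    for po in orders:
        ok, reasons = evaluate_po(po, threshold)
        if not ok:
            report.append((po.po_number, reasons))
    return report


# Constructed sample batch for the example (not real data).
SAMPLE_ORDERS = [
    PurchaseOrder(1001, "alice", 2_500.00, ["bob"]),
    PurchaseOrder(1002, "carol", 15_000.00, ["dave"]),           # over threshold, one approver
    PurchaseOrder(1003, "erin", 800.00, ["erin"]),                # self-approval
    PurchaseOrder(1005, "frank", 25_000.00, ["grace", "heidi"]),  # valid; 1004 is missing
    PurchaseOrder(1005, "ivan", 300.00, []),                      # duplicate number, no approver
]

if __name__ == "__main__":
    for po_number, reasons in exception_report(SAMPLE_ORDERS):
        print(po_number, "; ".join(reasons))
    print(sequence_gaps([po.po_number for po in SAMPLE_ORDERS]))
```

`evaluate_po` is the passive control: it runs on every order with no human involved. `sequence_gaps` and `exception_report` are detective: they surface what already slipped through so a reviewer (the active, manual control) can follow up.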
What are the two types of tangibility of controls?
- Hard Controls
- Soft Controls
Hard Controls
Refer to tangible, formal systems and procedures within an organization. These controls can be easily observed and documented. Set clear guidelines and expectations for employees to follow
Soft controls
Intangible, informal aspects of company culture that influence behavior and decision making rather than being explicitly defined rules. These controls are based on employee mindset, making them harder to measure
What are the two types of essentiality of controls?
- Key
- Secondary
Key controls
Essential procedures that directly mitigate significant risks, prevent fraud, and are vital for ensuring accuracy and reliability. They must operate effectively to reduce a significant risk to an acceptable level
Examples of key controls
- Approving
- Examining
- Matching
- Monitoring
- Restricting
- Supervising
Secondary controls
Supplementary controls that assist and support the key controls. They help maintain process efficiency but are not critical for risk mitigation. They also provide additional oversight for less significant issues.
Secondary control examples
- Routine checks and balances
- Minor reconciliations
- Periodic reviews by mid level management
The Foreign Corrupt Practices Act of 1977
Prohibits US entities from bribing foreign government officials to benefit their business interests
What does the Foreign Corrupt Practices Act of 1977 require for internal controls for all corporations under the jurisdiction of the SEC?
- Transactions are executed with knowledge and authorization of management
- Transactions are recorded as necessary to permit the preparation of reliable financial statements and maintain accountability for assets
- Access to assets is limited to authorized individuals
- Accounting records of assets are compared to existing assets at reasonable intervals and appropriate action taken with respect to any differences
What are the organizations in COSO?
- AICPA
- AAA
- IMA
- Institute of Internal Auditors
- Financial Executives International
What is a framework?
A body of guiding principles that form a template against which organizations can evaluate a multitude of business practices
How many principles in the COSO Cube?
17
Which framework is used to manage reporting compliance with SOX?
The COSO framework
What are the three categories of objectives according to COSO?
- Operations
- reporting
- Compliance
Operations objectives
Pertain to effectiveness and efficiency of operations, including operational and organizational performance goals, and safeguarding assets against loss
Reporting Objectives
Pertain to internal and external financial statement and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or the entity's policy
Compliance Objectives
Pertain to adherence to laws and regulations to which the entity is subject
What are the five components of internal control?
- Control Environment
- Risk Assessment
- Information and communication
- Monitoring activities
- Existing control activities
What are the two types of monitoring?
Ongoing and periodic
Ongoing Monitoring (internal)
Day-to-day review of control activities through routine processes like data analytics, system reports, and management oversight to identify potential issues as they arise
Periodic Assessments (external)
Regular, more comprehensive assessments of the internal control system are conducted to evaluate its effectiveness in mitigating key risks, often involving detailed testing and analysis
What are the elements of the control environment?
- Integrity and ethical values
- Management's philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resources policies and practices
- Competence of personnel
What does IPASS describe?
The categories of control activities
Categories of control activities (IPASS)
- Independent checks on performance
- Proper documentation
- Authorization
- Safeguarding of assets
- Segregation of duties
What are the three elements of the fraud triangle?
- Pressure
- Opportunity
- Rationalization
Risk Analysis Processes
- Estimating the impact (or severity) of a risk
- Assessing the likelihood (or frequency) of the risk occurring (probability)
- Considering how to manage the risk, assessing what actions to take
What are the criteria for assessing management's control assertions?
- Authorization
- Validity
- Accuracy
- Timeliness
- Confidentiality
- Integrity
- Availability
What are the criteria for assessing management's financial statement assertions?
- Existence/occurrence
- Completeness
- Rights and obligations
- Valuation or allocation
- Presentation and disclosure
Control Objective
Why the control has been designed and implemented
Control Activities should be documented to include
- Who performs the control
- What exactly is performed
- How the performance of the control activity is evidenced
- Control frequency
What does standard 13.2 say?
To perform the engagement risk assessment, internal auditors should use gathered information to understand and document objectives, risks, and controls intended to manage each risk