Operations
Reporting
Compliance
What are the 3 Internal Control Objectives?
Governing Body
Oversight Body
Management
Who is responsible for Internal Control?
Governing Body
Refers to the city council, board of aldermen, commissioners, directors, controls; they cannot transfer or surrender the responsibility
Oversight Body
Refers to an appointed body designated to perform oversight at the direction of the governing body
Management
Refers to an employee or elected official who has direct responsibility for the day-to-day operations of the entity including implementation of internal controls (city managers, mayors, city administrators, finance officers, department heads)
control environment
risk assessment
control activities
information and communication
monitoring
What are the 5 components of internal control?
control environment
is the tone of the organization, and serves as the foundation for all other controls. It provides discipline and structure, which affect the overall quality of internal control by influencing how objectives are defined, and activities are structured
Integrity and Ethical Values
the oversight body and management should demonstrate a commitment to _________________.
Tone at the Top
The largest factor influencing the control environment in any organization is the _______________. This term is used to define management's commitment towards openness, honesty, integrity and ethical behavior.
Five components
Seventeen relevant principles
Under the Green Book standards, a system of internal control is based on _____________ and ______________.
Standards of Conduct
Clear _______________ should be established and communicated throughout the entity.
Oversight of the internal control system
The oversight body should oversee the entity’s internal control system.
Organizational Structure
Management should establish an __________, assign responsibility, and delegate authority to achieve the entity’s objectives.
clear lines of authority and communication
It is important to have ________________ and document them in written policies and procedures. Municipal employees at all levels must have a clear understanding of the organizational structure and to whom they report for day-to-day operations, as well as management and administrative issues.
Commitment to competence
Management should demonstrate a commitment to recruit, develop, and retain _____________ individuals.
Recruitment
determine organizational fit and competence for proposed role.
Training
allow development of competencies needed for key role; reinforce standards of conduct, and tailor training based on needs of the role.
Mentorship
provide guidance on standards of conduct and expectations of competence; align skills and expertise with entity’s objectives, and assist personnel in adapting to the entity’s environment
retain
To _______ personnel, provide incentives to motivate and reinforce positive performance and desired conduct.
succession plans
address the need to replace competent key personnel over the long term.
contingency plans
address the sudden change in key personnel that could jeopardize the internal control system.
A succession plan
defines key personnel, then a candidate is chosen and cross training is performed.
A contingency plan
management defines the plan for assigning responsibilities if a key position is vacated without advance notice; the importance of the key position in the internal control system, and the impact to the entity if vacant.
Enforce accountability
Management should evaluate and hold individuals accountable for their internal control responsibilities.
Red Flag
is a pattern, practice, or specific activity that indicates the possible existence of identity theft.
Define objectives and risk tolerances
Management should define objectives clearly to enable the identification of risks and define risk tolerances
When controls are weak
*increase supervision and monitoring
*institute additional or compensating controls
*accept the risk that comes with the weakness of a control, with management's acknowledgement that the weakness exists and that there is risk of loss involved
operational objectives
reflect management's focus on how each function of the organization will utilize resources to achieve the goals of each component. Without a clear understanding of its purpose, resources may be underutilized.
Reporting and Compliance Objectives
include external and internal applications
External reporting
requires compliance with laws, rules, and regulations of governments, regulators, and standard setting bodies based on a purpose of the report.
Non Financial external reports
often address economic, environmental and social performance issues and must comply with criteria established by third parties based on external standards and frameworks.
risk tolerances
Management must define the level of risks or __________ it will accept in relation to the achievement of goals and objectives in specific and measurable terms as it formulates appropriate internal control policies. May include acceptance, avoidance, reduction, or sharing identified risks.
risk
is anything that may jeopardize the achievement of an objective.
risk analysis
assess the likelihood and frequency of the risk occurring
estimate the potential impact if the risk were to occur, considering both quantitative (dollar impact) and qualitative (bad publicity, low employee morale) costs
determine how to manage the risk and decide what actions are necessary
prioritize and manage significant risks (risks most likely to occur and that have the biggest negative impact)
Identify, analyze and respond to risks
Management should _______ related to achieving the defined objectives.
excessive risks
accepting ______ can cause the following problems:
loss of assets or grants
poor business decisions
noncompliance
public scandals
excessive controls
exercising ______ can cause the following problems:
increased bureaucracy
reduced productivity
increased complexity
increase of no-value activities
Fraud Risks
management should consider the potential for fraud when identifying, analyzing, and responding to risks
Incentive pressure
opportunity
attitude rationalization
management must be aware of the fraud risk factors:
Quantitative Costs
include such items as the cost of property, equipment, or inventory, cash dollar loss, fines associated with violation of laws or rules, damage and repair costs, cost of defending a lawsuit etc.
Qualitative Costs
are usually related to loss of public trust, loss of future grants, injury to the municipality’s reputation, increased legislation or regulatory oversight, default on a project, bad publicity, and poor employee morale.
Significant Changes
Management should identify, analyze and respond to _______ that could impact the internal control system.
control activities
are policies and procedures that ensure implementation of management directives.
Design control activities
management should __________ to achieve objectives and respond to risks
Preventive Controls
deter or prevent undesirable events from occurring; they are proactive controls that help prevent a loss and emphasize quality. Examples are segregation of duties, proper authorization, adequate documentation, and physical control over assets. May be automated or manual.
Detective Controls
reveal undesirable acts; they provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples are reviews, variance analyses, reconciliations, physical inventories, and audits.
segregation of duties
preventative control that is a deterrent of fraud, because it requires two or more people working together to circumvent the segregation process (collusion). Responsibilities for authorizing transactions (accounting) and handling the related asset (custody) are divided.
at least two sets of eyes
segregation of duties reduces the risk of both erroneous and inappropriate actions. Its key objective is to have ________ involved in the process. Managers are to identify transactions that pose the most risk of loss and ask whether at least two employees have a role in executing them.
Authorization
is the delegation of authority; it may be general or specific. An example is giving a department permission to spend funds from an approved budget.
Approval
of a transaction means that the approver has reviewed the supporting documentation to ensure all necessary information is present to justify the transaction and has questioned any unusual items.
Approvals
authorizations
and verifications
examples of preventative controls
Reconciliations
relate different sets of data to one another, identify and investigate differences, and take corrective action when necessary. An example
Information systems design and controls
Management should design the entity’s __________ to achieve objectives and respond to risks
General Controls
commonly apply to entire information systems: data center operations, system software acquisition and maintenance, access security, and application system development and maintenance for all the applications that reside on the systems.
Application Controls
refer to the mechanisms in place over each separate computer system for the complete and accurate processing of authorized data. Examples: word processing, desktop publishing, spreadsheets, database management systems, graphics programs, electronic mail, project management software, scheduling software, and mainframe-based query systems to generate reports.
end-user computing
special application control, responsible for segregation of duties within its information systems environment, backup and recovery procedures, program development and documentation controls, hardware controls, and access controls.
Implement and document internal control system
Management should ________ through policies.
use quality information
Management should _______ to achieve the entity’s objectives
quality information
effectiveness of communication
timeliness of information
Managers always need to evaluate their communications on 3 levels
True
Managers design and implement internal controls and auditors assess and report them
Control Environment
integrity and ethical values
oversight responsibility
organizational structure
commitment to competence
accountability
Tone at the Top
is management’s commitment to openness, honesty, integrity and ethical behavior
Internal Control
is a process that is developed by the municipality to provide reasonable assurance that objectives will be achieved
Staff at all organizational levels
all categories of objectives (operations, reporting, compliance)
Five components of internal control applies to:
Control Environment
The oversight body and management should demonstrate a commitment to integrity and ethical values
set the tone at the top
establish standards of conduct
evaluate adherence to standards of conduct
Fundamental concepts of internal control
geared to the achievement of objectives in one or more separate but overlapping categories
comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals and objectives of the entity
an integral part of the organization, not a separate system within the organization
a process. It is a means to an end, not an end in itself.
affected by people. It is not merely policy manuals and forms, but people at every level of the organization.
increases the likelihood that an entity will achieve its objectives with reasonable assurance. (not absolute)
Standard Setting Entities of Internal control
Committee of Sponsoring Organizations (COSO)
US Government Accountability Office (GAO)
Committee of Sponsoring Organizations (COSO)
Five major professional accounting associations and institutes
publishes Internal Control - Integrated Framework
US Government Accountability Office (GAO)
Publishes Standards for Internal Control in the Federal Government (Green Book)
Operations
Effectiveness and efficiency of operations
Reporting
Reliability of reporting for internal and external use
Compliance
Compliance with applicable laws and regulations
Operations
Reporting
Compliance
List the 3 categories of objectives
Organizational level (government wide) setting objectives
Strategic planning
create mission statement
identify broad objectives
Department Level Setting Objectives
Create Objectives supporting the organization’s mission and goals
Governing Body
Oversight Body
Management
Who is responsible for Internal Control?
True
Managers design and implement internal controls and auditors assess and report on them. Managers
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
List the 5 components of internal control
Integrity and Ethical Values
Standards of conduct: written, clear, formal acknowledgment, updates distributed
Management “plays by the rules”
Governing Body
Oversees the design, implementation, and operation
provide input to plan for remediation of deficiencies
Organizational Structure
Employees should know to whom they report and to whom their supervisors report
written policies and procedures promote a clear understanding of organizational structure
policy for reporting concerns/potential fraud
Delegate Key Roles of responsibility and authority
Commitment to Competence
Competence should be the guiding principle when hiring and promoting - qualifications to carry out assigned responsibilities- requires relevant knowledge, skills, and abilities
Criteria for promotion should be clear
Decision process for promotions should be transparent
Human Resources: Policies and procedures
Personnel policies = employee handbook = standard of conduct
keep the manual up to date
a dated manual creates confusion
lack of clarity provides opportunities for exploitation by management and employees
Performance, Accountability, and Excessive Pressures
Accountability for compliance must spread at all levels
Tools
performance evaluations
disciplinary actions
performance measures or incentives help hold individuals accountable
Beware of incentives that create unrealistic expectations
True
Internal Control is affected by the people. It is not merely policy manuals and forms, but people at every level of an organization
Reasonable Assurance
Which of the following is NOT a part of the control environment?
A. Integrity and Ethics
B. Organizational Structure
C. Reasonable Assurance
D. Assignment of Responsibilities
Know who to report concerns to through clear lines of authority
If an employee has concerns about the actions of the City Manager, they should:
Risk Assessment
Management should assess risks, as it seeks to achieve its objectives
set clear operating goals and objectives
identify risks
reduce exposure to those risks to acceptable levels
Errors
Omissions
Delay
Fraud
The primary categories of risk are
FACTA
Are the Red Flag Rules for Municipal utilities
Reasonable Assurance
An effective control system provides reasonable, but not absolute, assurance.
Appropriate balance between risk and a certain practice and level of control to ensure objectives
Cost of a Control should not exceed the derived benefit
Weak Control Alternatives
Increase supervision and monitoring
Institute additional or compensating Controls
Accept the risk that comes with the weakness of the control
Define Clear Objectives
What
Who
How
When
Internal and External Requirements
Laws
Regulations
Standards
Risk
anything that may jeopardize the achievement of an objective
Risk Tolerance
level of risk management will accept in relation to the achievement of goals and objectives in specific and measurable terms
Economic
Regulatory
Social/Technology
Natural Disasters
Examples of External Risks
Infrastructure
Management structure
Personnel
Technology
Examples of Internal Risks
Risk Analysis
Assess the likelihood of the risk occurring and the potential impact if the risk were to occur
Consider risks at the entity level and transactional level
Determine how the risk should be managed
Prioritize and manage significant risks
Excessive Risks
Loss of assets or grants
Poor business decisions
Noncompliance
Public Scandals