ACCT 427 - Chapter 10 Internal Controls Framework

What is the Foreign Corrupt Practices Act?

• First major US regulation in 1970’s

• Required US companies to maintain good systems of internal controls

• However, it DID NOT require audits of controls

What is Sarbanes-Oxley (SOX)?

New Rules for Management (internal controls and personal liability)

New Rules for External Auditors (opinion on controls, rotate, only perform audit)

New Rules for Audit Committees (independence rules, one expert)

Created PCAOB (oversees auditors)

What is COSO?

Committee of Sponsoring Organizations - volunteers that drafted both ERM and IC frameworks for controls

Explain the ERM framework. 

• Focused on the whole enterprise (more broad)

• Newer framework

• a broader focus on strategic planning, setting the level of risk the company is willing to accept OVERALL 

• Not as commonly used as IC

Explain Internal Control (IC) - Integrated Framework.

“The Cube”

• more narrow view of internal controls than ERM

• Follows 5 components for controls

  • Control Environment

  • Risk Assessment

  • Control Activities

  • Information & Communication

  • Monitoring Activities

Explain Control Environment component of the Cube.

• MGMT shows “tone at the top”

• emphasizing integrity, ethical values, and competence

• define organizational structure

• Establish written policies and procedures and communicate them

Explain Risk Assesment component of the Cube.

• Event Identification - identify good and bad events that will impact company goals

• Risk Assessment - ‘Bad’ events are risks, companies should caregoriza and rank risks using Impact and Likelihood

Explain Control Activities component of the Cube.

• Risk Response - a cost/benefit analysis to determine extend of controls needed to address risks. 

• Implement the control when:

  • Net benefit of control = Benefit of control - Cost of control

  • Inherent Risk > Cost of Control

  • Residual Risk = Minimal

Define Inherent and Residual risk.

Inherent - cost potential if the risk is not controlled

Residual - remaining risk after controls are put in place

Explain Information and Communication component of the Cube.

• System through which management gathers, processes, and stores information with accuracy and reliability

• Ensures that vital data can be effectively communicated and accessed when needed

• Maintain data integrity and access levels

Explain Monitoring component of the Cube.

• Internal and external auditors monitor managements ability to manage the cube elements

• Not a detective control. 

What 3 terms are on the top of the Cube framework? and explain them.

1. Operations: achieving business objectives (performance, profit, safeguarding)

2. Reporting: reliability of public reports (complete, accurate and timely)

3. Compliance: adherence to laws that govern the organization.

What 4 terms are on the right side of the Cube framework? how are they organized?

1. Entity level

2. Division

3. Operating Unit

4. Function

From broad to granular level to consider the whole organization.