Acco 360 Coso framework 17 principles exercise for final PDF

Title Acco 360 Coso framework 17 principles exercise for final
Course Advanced Taxation
Institution Concordia University
Pages 6

Summary

Acco 360 COSO framework 17 principles. Match phrase (32) with one or many of the 17 principles of the COSO framework. Helpful for the final...


Description

Column 1 COSO Component

Control Environment

Column 2 COSO Principle 1. The organization demonstrates a commitment to integrity and ethical values.

Column 3 Points of Focus The board of directors and senior management set the proper tone at the top

Column 4 Controls Present 15

Column 5 Missing or inadequate internal controls (i.e., gaps) There should be evidence that the board of directors is involved in, or reviews the results of, the annual Code of Conduct update.

Establishes standards of conduct Management or internal audit should test to ensure that all employees complete the annual re-assessment.

Evaluates adherence to standards of conduct

There should be a timeframe specified for addressing deviations from the standards of conduct.

Addresses deviations in a timely manner

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Establishes oversight responsibilities

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Considers all structures of the entity

4. The organization

Establishes policies and practices

Applies relevant expertise Operates independently

1, 3 (experts, independent), 17 (quarterly meetings), 27 (board oversees CEO)

No gaps however but - Something changed, there should be annual assessment for board members

Provides oversight for the system of internal control

Establishes reporting lines

19, 20 (defines, assigns responsibilities)

NA

2, 16, 21 (policies),

There should be a proper procedure

Defines, assigns, and limits authorities and responsibilities


demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Evaluates competence and addresses shortcomings Attracts, develops, and retains individuals  experts at what they do CIA, CPA

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Plans and prepares for succession Enforces accountability through structures, authorities, and responsibilities Establishes performance measures, incentives, and rewards Evaluates performance measures, incentives, and rewards for ongoing relevance

22 (succession planning but not documented), 24 (employee evaluation), 26

20, 23 (performance goals are established), 24 (employee performance is reviewed), 25, 26, 27

to address the succession for C-level officer The succession planning should be done by BOD

There has to be evidence that compensation and performance objectives consider the impact of excessive pressures. Performance measures  ongoing relevance

Same thing in green

Considers excessive pressures Evaluates performance and rewards or disciplines individuals


Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Complies with applicable accounting standards Considers materiality

7 (you need objectives to talk about risks), 9 (reflect entity activities)

Materiality and is not being considered

7 (#2), 9 (#3), 29

Documentation of estimation of significance of risk

32

Create procedures that consider the fraud triangle

7, 29 (management changes etc.) for number 29

NA

Reflects entity activities Includes entity, subsidiary, division, operating unit, and functional levels  risk in every level / across the organization

Consider the objectives and risks related to financial reporting (Accounting standards)

Analyzes internal and external factors Involves appropriate levels of management Estimates significance of risks identified

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Determines how to respond to risks key controls Considers various types of fraud  hotline, yes Assesses incentive and pressures Assesses opportunities Assesses attitudes and rationalizations - Assesses changes in the external environment - Assesses changes in the business model - Assesses changes in leadership


Control Activities

10. Selects and Develops Control Activities

Establishes controls responsive to the identified risk Controls are performed at the appropriate level within the business process  reviewing by authorities

5, 10, 7 (establishes controls responses to identified risks), 11, 12, 13, 14, 30, 31

The precision of controls is appropriate (i.e., aligned with risk tolerance)

11. Selects and Develops General Controls over Technology

12. Deploys through Policies and Procedures

Segregation of duties is properly established with respect to controls  only IT personnel Security is managed  all three

13. The organization obtains or generates

Integrating segregation of duties that should be implemented beyond sales recording and IT. The exception reports should be documented

13, 6, 14

Establish controls over technology development and acquisition

Controls over technology development & acquisition are present

Establish controls over technology maintenance

Controls over technology maintenance are present

Passwords!!  update passwords periodically

Control activities are documented and establish responsibility and accountability by an individual with appropriate skills and knowledge Controls are performed on a timely basis and the timing is appropriate

Information and

Performance of Risks should be aligned with risk tolerance

Controls include procedures for any necessary follow-up corrective actions  exception report Identifies information requirements  what is the quality of information

4, 10, 11, 12, revenue  controller GL  GL person Sales manager  sales so #1 good

The exception reports should be documented

Monthly, weekly (#2) yes

5, 10 (generating exception controls),

The exception reports should be documented


Communication

and uses relevant, quality information to support the functioning of internal control. = data collection

required

11, 18, 30 Quality of information should be considered

Captures internal and external sources of data  sales data, sales price, minutes. no external

External data should be used

Processes relevant data into information exception reports

Cost and benefits should be considered

Maintains quality throughout processing  exception reports 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Considers costs and benefits Communicates internal control documentation

8, 9, 17, 20, 32,

There should be evidence of investigation of whistleblower reports.

Communicates with the board of directors Provides separate communication lines  whistleblower Selects relevant method of communication  phone line Communicates to external parties  whistle blower (customer and vendors) Enables inbound communications  coming in company

17, 32 There should be evidence of investigation of whistleblower reports.

Communicates with the board of directors  #17 Provides separate communication lines  phoneline Selects relevant method of communication  bod and everything


Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Considers a mix of ongoing and separate evaluations  annual assessment so not good

8

Company should be performing ongoing evaluations in addition to annual ones

Considers rate of change Establishes baseline understanding

The frequency of evaluations should be updated

Uses knowledgeable personnel Integrates with business processes (process level control)

The company should consider prior risk assessments and controls evaluation

Adjusts scope and frequency (you only do once a year)

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Objectively evaluates  management and internal auditors internal auditors are objective Assesses results  budget to real, assessment of key controls, 8, 9, 17, 18, 28

Process for monitoring corrective actions

Communicates deficiencies  presenting to board Monitors corrective actions
