ACC – Internal Control System

threat/event
potential adverse occurrence
exposure/impact
potential dollar loss
likelihood
probability that the threat will happen
internal controls
processes implemented to provide reasonable assurance that control objectives are met
Internal control functions
– Preventive
– Detective
– Corrective
preventive controls
hiring qualified personnel, segregation of duties, controlling physical access
detective controls
discover problems that are not prevented; e.g., duplicate checking of calculations, preparing bank reconciliations, and preparing monthly trial balances
corrective controls
maintaining backup copies of files, correcting data entry errors, resubmitting transactions
internal control categories
– general
– application
general controls
make sure an organization’s control environment is stable and well managed. Ex: security, IT infrastructure, software acquisition, development and maintenance controls
application controls
prevent, detect, and correct transaction errors and fraud in application programs. They’re concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.
SOX
– Prevent financial statement fraud
– Make financial reports more transparent
– Protect investors
– Strengthen internal controls in publicly-held companies
– Punish executives who perpetrate fraud
COSO’s Internal Control Framework
private sector group consisting of:
The American Accounting Association,
The AICPA,
The Institute of Internal Auditors,
The Institute of Management Accountants,
The Financial Executives Institute
COBIT framework
framework of generally applicable information systems security and control practices for IT control.
COSO internal control framework
– Defines internal controls.
– Provides guidance for evaluating and enhancing internal control systems.
– Widely accepted as the authority on internal controls.
Enterprise Risk Management framework (ERM)
An enhanced corporate governance document.
Takes a risk-based, rather than controls-based, approach to the organization.
Oriented toward future and constant change.
Incorporates rather than replaces COSO’s internal control framework
COSO’s components
– control environment
– risk assessment
– control activities
– information and communication
– monitoring
control environment
ethical values, responsibility, structure and authority, competence, accountability
risk assessment
suitable objectives, identify/analyze risk, change
control activities
control activities, technology controls, policies and procedures
information and communication
relevant information, external and internal communication
monitoring activities
evaluations, find deficiencies
risk appetite
amount of risk a company is willing to accept to achieve its goals and objectives
inherent risk
susceptibility of a set of accounts or transactions to significant control problems in the absence of internal controls
residual risk
risk that remains after management implements internal controls
expected loss
= impact ($ loss) * likelihood (probability)