AUD1206 OPERATIONS AUDITING COSO’s Internal Control Integrated

Framework (IC-IF)
FINALS REVIEWER
- Arguably the most widely known
internal controls framework in the
SESSION 8: CONTROL FRAMEWORKS world.
- COSO’s goal was to improve the quality
SESSION 9, 10, and 11: COMPONENTS OF of financial reporting through a focus
INTERNAL CONTROL on corporate governance, ethical
Control (Internal Control) - A process, practices, and internal controls.
effected by those charged with governance, Emphasis is also given to ERM and
management, and other employees, designed fraud deterrence.
to provide reasonable assurance regarding the
achievement of the entity’s objectives. - Three (3) Categories of
Organization’s Objectives
Entity’s Objectives: 1. Operations
2. Reporting
1. Reliability of Financial Reporting
3. Compliance
2. Efficiency and effectiveness of
operations
- Structure
3. Compliance with laws and regulations
1. Entity
2. Division
Framework - The noun framework, for 3. Operating Unit
example, can be any underlying structure 4. Function
something is built on, so you will see examples
like: a framework for solving the problem, a - Components of Internal Control
framework for the computer program, and a (C – R – I – M – E)
framework for a new relationship.
1. Control Activities
Control activities are the policies
Control Frameworks - underlying structure, and procedures that help ensure
principles, and concepts in which Internal that management directives are
Controls are built or developed on. carried out

• Selects and develops control (manual

National Commission was sponsored by or automated) activities that help
five (5) professional associations: mitigate risks
• Selects and develops general controls
1. The Institute of Internal Auditors (IIA) over technology
2. American Institute of Public • Bases controls on thorough policies
Accountants (AICPA) and procedures
3. American Accounting Association
(AAA) Categories of Control Activities:
4. Institute of Management Accountants • Preventive - Act before the error or
(IMA) omission can occur.
5. Financial Executives Institutes (FEI) • Detective - Identify errors or
anomalies after they have occurred.
• Directive - Temporary controls that
are implemented to redirect employee
actions.
• Compensating - Controls put in place
when a control is not where it is
expected as proper design would
implement.

3. Information and
Communication
Refers to the flow of information in
an organization. Ideally, there are
clear, consistent, timely and
purposeful directions emanating
from the top of the organization
providing direction and
establishing the criteria to
measure performance result.

• Uses relevant, high-quality

information
• Communicates internally to support
controls
• Communicates externally

4. Monitoring Activities
Consist of ongoing, separate or
combination of evaluations used to
determine whether each of the five
components of internal control is
present and functioning. On going
evaluations are built into the
business process at different levels
of the organization and provide
2. Risk Assessment timely information on how well or
Is the process of identifying, poorly these activities are
assessing, and measuring risk to performing.
the organization, program or
process. 5. Control Environment
The tone at the top and the degree
• Specifies suitable, specific objectives to which there is a congruence
• Identifies and analyzes risks between management’s “talk” and
• Assesses fraud risk its “walk”. The tone at the top is set
• Identifies and analyzes significant and promoted by the board of
changes directors and senior management,
 and it refers to the general attitude, 10. Selects and develops control
integrity and ethical practices of activities that help mitigate risks
these individuals. 11. Selects and develops general
controls over technology
• Demonstrates commitment to 12. Bases controls on thorough
integrity and values policies and procedures
• Demonstrates independence and
exercises oversight responsibility
Information and Communication
• Establishes structure, authority and
responsibility 13. Uses relevant, high-quality
• Demonstrates commitment information
(recruitment to training) to attracting,
developing and retaining competent 14. Communicates internally to
staff support controls
• Enforces accountability 15. Communicates externally

- 17 Principles representing the

fundamental concepts associated
Monitoring Activities
with each components of Internal
Control 16. Conducts ongoing and/or
separate evaluations
Control Environment
1. Demonstrates commitment to 17. Evaluates and communicates
integrity and values deficiencies
2. Demonstrates independence and
exercises oversight responsibility
3. Establishes structure, authority
and responsibility
4. Demonstrates commitment to
attracting, developing and
retaining competent staff
5. Enforces accountability

Risk Assessment
6. Specifies suitable, specific
objectives
7. Identifies and analyzes risks
8. Assesses fraud risk
9. Identifies and analyzes significant
changes

Control Activities