[DOCUMENT TITLE]

Chapter (3)
Internal Control System

Part two

1
 Chapter (3)
Internal Control & COSO Framework

Objective (3): COSO components of internal control

 COSO’s Internal Control:

- Developed in 1992 and updated in 2013.
- The COSO Framework describes five components of internal control:
1. Control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. Monitoring.

1. Control Environment:
- Consists of the actions, policies, and procedures that reflect the overall attitudes
of top management, directors, and owners of an entity about internal control and
its importance to the entity. The control environment is an umbrella over the
other four components of internal control, as illustrated in Figure

- There are 5 subcomponents (factors) to assess whether the control

environment is good or not:
A. Integrity and Ethical Values. They include management's actions to remove
or reduce incentives and temptations that might prompt personnel to engage in
dishonest, illegal, or unethical acts.

B. Board of Director or Audit Committee Participation.

2
C. Commitment to competence:

D. Organizational structure: It defines the existing lines of responsibility &

authority. It can be consist of the entity levels, divisions, operation units,
functions within those units.
E. Accountability: Management and BOD are responsible for communicating
expectations and holding individuals accountable for IC duties. It depends
mainly on the other subcomponents discussed above.
\

2. Risk Assessment:
- Process for identifying and analyzing risks that may prevent the organization
from achieving its objectives.
- it is management`s identification & analysis of risks relevant to the preparation
of financial statements in accordance with GAAP.
- To assess risk we must follow the following 4 steps:
1. Identify factors that may increase risk.
2. Estimate the significance of the risk.
3. Assess the likelihood of the risk occurring.
4. Determine actions necessary to manage the risk.(To reduce the risk to
acceptable level).
- For example, if a company frequently sells products at a price below inventory cost
because of rapid technology changes, introduction of new information technologies
and entrance of new competitors are examples of factors that may lead to increased
risk.
3. Control Activities:

3
- Control activities are the policies and procedures, in addition to those included
in the other four control components that help ensure that necessary actions are
taken to address risks to the achievement of the entity's objectives.

4
 4. Information and Communication:
- Set of manufacturing & computerized procedures, the purpose of an accounting
information and communication system is to initiate, record, process, and
report the transactions  to maintain accountability for the related assets.

5. Monitoring:
- Monitoring activities deal with management’s ongoing and periodic
assessment of the quality of internal control performance.
- To determine whether controls are operating as intended and modified when
needed.
- For many companies, an internal audit department is essential for effective
monitoring of the operating performance of internal controls

Questions Part
1. Multiple Choice Questions (MCQs)
1) Which of the following activities would be least likely to strengthen a company's internal
control?
A) Separating accounting from other financial operations
B) Maintaining insurance for fire and theft
C) Fixing responsibility for the performance of employee duties
D) Carefully selecting and training employees
Answer: B
2) Which of the following components of the control environment define the existing lines of
responsibility and authority?
A) organizational structure
B) management philosophy and operating style
C) human resource policies and practices
D) management integrity and ethical values
Answer: A

3) Which of the following factors may increase risks to an organization?

A)
Geographic dispersion of Presence of new information
company operations technologies
Yes Yes

5
 B)
Geographic dispersion of Presence of new information
company operations technologies
No No
C)
Geographic dispersion of Presence of new information
company operations technologies
Yes No
D)
Geographic dispersion of Presence of new information
company operations technologies
No Yes
Answer: A
4) Which of the following statements is most correct with respect to separation of duties?
A) A person who has temporary or permanent custody of an asset should account for that asset.
B) Employees who authorize transactions should not have custody of related assets.
C) Employees who open cash receipts should record the amounts in the subsidiary ledgers.
D) Employees who authorize transactions should have recording responsibility for these transactions.
Answer: B
5) Authorizations can be either general or specific. Which of the following is not an example of a
general authorization?
A) automatic reorder points for raw materials inventory
B) a sales manager's authorization for a sales return
C) credit limits for various classes of customers
D) a sales price list for merchandise
Answer: B
6) Which of the following is correct with respect to the design and use of business documents?
A) The documents should be in paper format.
B) Documents should be designed for a single purpose to avoid confusion in their use.
C) Documents should be designed to be understandable only by those who use them.
D) Documents should be prenumbered consecutively to facilitate control over missing documents.
Answer: D
7) Which of the following best describes the purpose of control activities?
A) the actions, policies and procedures that reflect the overall attitudes of management
B) the identification and analysis of risks relevant to the preparation of financial statements
C) the policies and procedures that help ensure that necessary actions are taken to address risks to the
achievement of the entity's objectives
D) activities that deal with the ongoing assessment of the quality of internal control by management
Answer: C
8) Which of the following deals with ongoing or periodic assessment of the quality of internal
control by management?
A) verifying activities
B) monitoring activities
C) oversight activities
D) management activities
Answer: B
9) Which of the following best describes an entity's accounting information and communication
system?

6
 A)
Record and
Monitor process Initiate
transactions transactions transactions
Yes Yes Yes

B)
Record and
Monitor process Initiate
transactions transactions transactions
No No No

C)
Record and
Monitor process Initiate
transactions transactions transactions
Yes No No

D)
Record and
Monitor process Initiate
transactions transactions transactions
No Yes Yes
Answer: D
10) Which of the following is a risk assessment principle?
A) accountability
B) use relevant, quality information to support the functioning of internal controls
C) consider the potential for fraud
D) develop general controls over technology
Answer: C
11) Which of the following is not an underlying principle related to risk assessment?
A) The organization should have clear objectives in order to be able to identify and assess the risks relating
to the objectives.
B) The auditors should determine how the company's risks should be managed.
C) The organization should consider the potential for fraudulent behavior.
D) The organization should monitor changes that could impact internal controls.
Answer: B
12) Which of the following is not one of the subcomponents of the control environment?
A) management's philosophy and operating style
B) organizational structure
C) adequate separation of duties
D) commitment to competence
Answer: C
13) It is important for the CPA to consider the competence of the clients' personnel because their
competence has a direct impact upon the
A) cost/benefit relationship of the system of internal control.
B) achievement of the objectives of internal control.
C) comparison of recorded accountability with assets.
D) timing of the tests to be performed.

7
 Answer: B
14) Proper segregation of functional responsibilities calls for separation of
A) authorization, execution, and payment.
B) authorization, recording, and custody.
C) custody, execution, and reporting.
D) authorization, payment, and recording.
Answer: B
15) Without an effective ________, the other components of the COSO framework are unlikely to
result in effective internal control, regardless of their quality.
A) risk assessment policy
B) monitoring policy
C) control environment
D) system of control activities
Answer: C
16) Which of the following is an accurate statement regarding control activities?
A) As the level of complexity of IT systems increases, the separation of duties often becomes blurred.
B) Segregation of duties would be violated if the same person authorizes the payment of a vendor's invoice
and also approves the disbursement of funds to pay the bill.
C) The most important type of protective measure for safeguarding assets and records is the us of physical
precautions.
D) all of the above
Answer: D
17) If a company has an effective internal audit department,
A) the internal auditors can express an opinion on the fairness of the financial statements.
B) their work cannot be used by the external auditors per PCAOB Standard 5.
C) it can reduce external audit costs by providing direct assistance to the external auditors.
D) the internal auditors must be CPAs in order for the external auditors to rely on their work.
Answer: C
18) To promote operational efficiency, the internal audit department would ideally report to
A) line management.
B) the PCAOB.
C) the Chief Accounting Officer.
D) the audit committee.
Answer: D
19) Hanlon Corp. maintains a large internal audit staff that reports directly to the accounting
department. Audit reports prepared by the internal auditors indicate that the system is
functioning as it should and that the accounting records are reliable. An independent auditor will
probably
A) eliminate tests of controls.
B) increase the depth of the study and evaluation of administrative controls.
C) avoid duplicating the work performed by the internal audit staff.
D) place limited reliance on the work performed by the internal audit staff.
Answer: D
20) External financial statement auditors must obtain evidence regarding what attributes of an
internal audit (IA) department if the external auditors intend to rely on IA's work?
A) integrity
B) objectivity
C) competence
D) all of the above

8
 Answer: D
21) To obtain an understanding of an entity's control environment, an auditor should
concentrate on the substance of management's policies and procedures rather than their form
because
A) management may establish appropriate policies and procedures but not act on them.
B) the board of directors may not be aware of management's attitude toward the control environment.
C) the auditor may believe that the policies and procedures are inappropriate for that particular entity.
D) the policies and procedures may be so weak that no reliance is contemplated by the auditor.
Answer: A
22) The ________ is helpful in preventing classification errors if it accurately describes which
type of transaction should be in each account.
A) general ledger
B) general journal
C) trial balance
D) chart of accounts
Answer: D
2. True or False Questions:
1) Control activities are a subcomponent of the information and communication component of
internal control.
Answer: FALSE
2) Adequate documents and records is a subcomponent of the control environment.
Answer: FALSE
3) The chart of accounts is helpful in preventing classification errors if it accurately describes
which type of transaction should be in each account.
Answer: TRUE
4) Auditing standards prohibit reliance on the work of internal auditors due to the lack of
independence of the internal auditors.
Answer: FALSE
5) If an auditor wishes to rely on the work of internal auditors (IA), the auditor must obtain
satisfactory evidence related to the IA's competence, integrity, and objectivity.
Answer: TRUE
6) An example of a specific authorization is management setting a policy authorizing the
ordering of inventory when less than a one-week supply is on hand.
Answer: FALSE
7) Personnel responsible for performing internal verification procedures must be independent of
those originally responsible for preparing the data.
Answer: TRUE