Name: Internal Control Framework
Author: revfactory

搵技能.../

Internal Control Framework | Skills Pool

Method	Description	Best For
Inquiry	Interview the owner	Initial understanding, process mapping
Observation	Observe actual execution	Field control verification
Inspection	Review documents/records	Evidence verification, approval records
Reperformance	Execute the control procedure	Direct verification of control effectiveness

1. Identify audit target processes
2. Assess inherent risk (amount, complexity, change)
3. Assess control risk (control design, operating effectiveness)
4. Residual risk = Inherent risk × Control risk
5. Prioritize audit by highest residual risk

## Audit Scope

### In-Scope
- Period: [YYYY-MM-DD to YYYY-MM-DD]
- Target: [Department/Process/System]
- Criteria: [Regulations/Policies/Laws]

### Out-of-Scope
- [Excluded items and rationale]

### Audit Criteria
| Criteria | Source |
|----------|--------|
| [Criteria 1] | [Internal policy/Law] |
| [Criteria 2] | [Industry standard] |

## Control Item: [ID]-[Item Name]

- Category: [COSO component]
- Type: [Preventive/Detective/Corrective]
- Owner: [Department/Role]
- Frequency: [Daily/Weekly/Monthly/Quarterly/Annual]

### Control Description
[Specific control activity description]

### Test Procedure
1. [Test step 1]
2. [Test step 2]
3. [Verification criteria]

### Evidence
- [Required evidence list]

### Determination Criteria
- Effective: [Criteria]
- Partially effective: [Criteria]
- Ineffective: [Criteria]

Item	Criteria
COSO coverage	5 components reviewed
Risk-based	Residual risk-based prioritization
Control types	Preventive/detective/corrective balance
Test methods	2+ methods per item
Evidence	Required evidence specified per test
Determination	3-level determination criteria

Component	Description	Audit Points
Control Environment	Organizational culture, ethics, competence	Code of ethics, segregation of duties, training
Risk Assessment	Identification/analysis of risks to objectives	Risk assessment process, documentation
Control Activities	Policies/procedures responding to risks	Approvals, verification, physical controls
Information/Communication	Timely delivery of necessary information	Reporting structure, IT controls
Monitoring	Continuous evaluation of control effectiveness	Self-assessments, internal audit

Component	Description	Audit Points
Control Environment	Organizational culture, ethics, competence	Code of ethics, segregation of duties, training
Risk Assessment	Identification/analysis of risks to objectives	Risk assessment process, documentation
Control Activities	Policies/procedures responding to risks	Approvals, verification, physical controls
Information/Communication	Timely delivery of necessary information	Reporting structure, IT controls
Monitoring	Continuous evaluation of control effectiveness	Self-assessments, internal audit

Preventive	Block before occurrence	Approval procedures, access restrictions, training
Detective	Discover after occurrence	Audit logs, reconciliation, anomaly detection
Corrective	Rectify after discovery	Corrective actions, rollback, recovery

Internal Control Framework

COSO Internal Control Framework

5 Components

Control Types

Internal Control Framework

COSO Internal Control Framework

5 Components

Control Types

Control Testing Methods

Audit Scope Design Framework

Risk-Based Audit Approach

Audit Scope Definition Template

Checklist Design Patterns

Control Item Card

Quality Checklist

Update Skills

Eval Harness

Ecc Tools Cost Audit

Code Tour

Rules Distill

Design System