coso’s new internal control—integrated framework … · internal control deficiencies in a...
Post on 17-Sep-2018
Helen Y. Painter, CPA, Audit Partner
Purvis, Gray & Co., LLP
COSO’s New Internal Control—Integrated Framework (Exposure Draft)

What is the Status?
- Exposure Draft Stage
  - Comments Due November 16, 2012
  - Written comments will be available on-line March 31, 2013
  - www.ic.coso.org
- Framework and Appendices
- IC over External Financial Reporting: A Compendium of Approaches and Examples
- Illustrative Tools for Assessing Effectiveness of a System of Internal Control
- Executive Summary & Feedback Questions

Do You Remember COSO?
- Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- 1992 released the original framework
- Gained Broad Acceptance
- Leading framework for
  - Designing
  - Implementing
  - Conducting internal control
  - Assessing the effectiveness of internal control

Twenty Years Later
- Business and Organizational Changes
  - Technology
  - Complex Transactions
  - Global
- Stakeholders Want More Assurance
  - Taxpayers
  - Shareholders
  - Owners

Mission of COSO
Dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on internal control, enterprise risk management, and fraud deterrence designed to improve organizational performance and oversight and to reduce the extent of fraud in organizations.

Help For External Stakeholders
- Greater confidence in the Board’s Oversight of IC
- Greater confidence in achieving Entity’s goals
- Greater confidence to identify risks
- Greater understanding of the requirement of effective system of IC
- Greater understanding that management can eliminate ineffective or redundant controls

COSO’s Structure
- Private Sector Initiative
- Sponsored and Funded by:
  - American Accounting Association
  - American Institute of Certified Public Accountants
  - Financial Executives International
  - Institute of Management Accountants
  - The Institute of Internal Auditors

COSO’s Participants
- Board Members – 8
- Principal Contributors (From PwC) – 9
- Advisory Council – 5
- Members at Large – 9
- Regulatory Observers and Other Observers – 6

Defining Internal Control
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Core of Original Framework Remains
- 5 Components of Internal Control
  - (C) Control Activities
  - (R) Risk Assessment
  - (I) Information & Communication
  - (M) Monitoring Activities
  - (E) Control Environment
- Management’s Judgment
  - Designing, implementing and conducting IC AND assessing effectiveness of a system of IC

Quick Course on CRIME
(C) Control Activities: actions established through policies and procedures.
- Preventive or Detective
- Manual or automated
- Examples
  - Authorizations and approvals
  - Reconciliations
- Segregation of Duties is built into the selection and development of control activities

(R) Risk Assessment
- Definition: possibility that an event will occur and adversely affect the achievement of objectives
- Precondition to Risk Assessment is the establishment of Objectives
- Consideration of the impact of possible changes externally that may affect IC

(I) Information and Communication
- Information: necessary to carry out IC responsibilities
- Communication: continual process of providing, sharing, and obtaining necessary information

(M) Monitoring Activities
- Ongoing evaluations to ensure IC are present and functioning
- Findings are evaluated
- Deficiencies are communicated to management and Board

(E) Control Environment
- Set of standards, processes and structures: basis for carrying out IC
- Tone at the top regarding importance
- Integrity and ethical values of organization
- Governance oversight responsibilities
- Provides for a pervasive impact on the overall system of IC

What This Framework Provides
- Means to apply IC to any type of entity
  - New Departments, Blended Component Units
- Principles-based approach (not RULES)
  - Allows for Judgment
- Requirements for an Effective System
- Means to identify and analyze risk
  - Responses to risks within acceptable levels
- Greater focus on anti-fraud measures
- Opportunity to Expand application of IC
- Opportunity to eliminate redundant or inefficient controls

IC Definition: Fundamental Concepts
- Geared to the achievement of objectives
  - Operations, reporting, and compliance
- A process consisting of ongoing tasks and activities: a means to an end, not an end
- Effected by people and the actions they take
- Able to provide reasonable (not absolute) assurance to senior management and Boards
- Adaptable to the entity structure

Objectives
Framework provides for 3 categories of objectives
- Operations
  - Efficiencies
  - Financial performance goals
  - Safeguarding assets against loss
- Reporting
  - Internal and external financial and non-financial reporting
  - Reliability, timeliness, transparency
- Compliance: adherence to laws and regulations

Enhancements
- Expanding financial Reporting Objectives
  - Non-financial Internal Reporting
- Considerations of changes in doing business
  - Expectations for Governance Oversight
  - Globalization of markets and operations
  - Changes and Greater Complexity in business
  - Demands and complexities in laws, regulations…
  - Use of, and reliance on, evolving technologies
  - Expectations relating to preventing and detecting fraud

Wrapping Our Minds Around It!
- Three Volumes
  - Executive Summary: high-level overview
    - Boards, CEOs, Senior Management
  - Framework and Appendices
    - Defines IC
    - Describes Components
    - Provides Direction
  - Illustrative Tools for Assessing Effectiveness
    - Templates and scenarios useful for application
- In addition: Compendium of Approaches and Examples
  - Provide practical approaches and examples of how Framework can be applied in preparing external financial statements
- TOO GOOD TO BE TRUE??!

The Framework and 17 Principles
Control Environment
1. Commitment to integrity and ethical values
2. BOD is independent from management and exercises oversight of IC
3. Management (with BOD) establishes structures, reporting lines and responsibilities
4. Commitment to attract, develop and retain competent individuals
5. Holds individuals accountable for their IC responsibilities

Framework and 17 Principles (cont)
Risk Assessment
6. Organization specifies objectives with sufficient clarity to enable the identification of risks.
7. Organization identifies risks and analyzes how risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Framework and 17 Principles (cont)
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Framework and 17 Principles (cont)
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Framework and 17 Principles (concluded)
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Roles and Responsibilities
Who should be responsible?
- Board of Directors, School Boards, City Council, County Commissioners, Owners
  - Overseeing system of internal control
  - Defines expectations
    - Integrity and Ethical Values
    - Transparency
    - Accountability
  - Objective
  - Form Subcommittees
    - Audit Committee

Roles and Responsibilities (cont)
Audit Committees
- Audit and Risk Committee
- Audit Committees request corrective and timely actions to issues
- Should be independent from management
- Interacts with external Auditors
  - Scope of Planned Audit Procedures
  - Results of Audit Procedures

Roles and Responsibilities (cont)
Chief Executive Director, President, Superintendent of Schools
- Sets tone at the top
  - Control environment
- Accountable to the Board
- Responsible for designing, implementing, and conducting an effective system of internal control

Roles and Responsibilities (cont)
Chief Financial Officer
- Supports the CEO
- Front-line responsibilities for IC over financial reporting

Roles and Responsibilities (cont)
Senior Management
- Guides the development and implementation of IC policies and procedures within their operating unit
- Assigns responsibilities for establishing more specific IC procedures to those personnel within the departments.
- Each manager should be accountable to the next higher level for their portion of the internal control system

Roles and Responsibilities (cont)
Other Personnel
- Internal Control is the responsibility of everyone in an entity; it is part of everyone’s job

Roles and Responsibilities (cont)
Internal Auditors
- Provide assurance and advisory support on IC
  - Required or optional
  - Internal or Outsourced
- Evaluates the adequacy and effectiveness of controls
- Should provide an impartial review
- Should be objective

Roles and Responsibilities (cont)
Outsource Service Providers
- Examples
  - Human Resource Companies
  - Payroll Companies
  - Internal Audit Function
  - Grant Administration
- Management is STILL responsible for oversight
  - Must assess the effectiveness of the system of IC over these activities
  - Service Organization Control (SOC) reports

Roles and Responsibilities (concluded)
Independent Auditors
- Provide information useful to management
  - Audit findings
  - Analytical Information
  - Recommendations
  - Findings regarding deficiencies in IC

What About Small Entities?
- Fewer lines of business and fewer products within lines
- Concentration of marketing focus by channel or geography
- Leadership by management with significant ownership interest or rights
- Fewer levels of management with wider spans of control
- Less complex transaction processing systems
- Fewer personnel, many having a wider range of duties
- Limited ability to maintain deep resources in line as well as support staff positions such as legal, human resources, accounting, and internal auditing

Smaller Entities: Meeting Challenges
- Sufficient resources to achieve adequate Segregation of Duties
- Balancing improper management override of processes to meet goals
- Recruiting and retaining experienced personnel
- Running the organization vs. providing sufficient focus on IC
- Controlling information technology with limited resources

Solutions: Segregation of Duties
“Management” Could Randomly
- Review Reports of Detailed Transactions
- Review Selected Transactions
- Take Periodic Asset Counts (physical inventory, equipment) and compare with accounting records
- Review random reconciliations (cash, investments, revenues, accounts receivable)

Solutions: Mitigating the Risk of Management Override
- Maintain a corporate culture where integrity and ethical values are held in high esteem
- Implement a whistle-blower program
- Establish an internal audit function that reports directly to an audit committee
- Attract and retain qualified board members