Control Models[1]

Frameworks For Evaluating Internal Controls

Upload: chris-louie

Post on 21-Apr-2015


Page 1: Control Models[1]

Frameworks For Evaluating Internal Controls

Page 2

COCO

WESTINGHOUSE

MALCOLM BALDRIGE

Deming

COSO

ISO 9000

Peter Senge’s Deep Learning Framework

Cadbury

Twelve Attributes

Page 3

Page 4

Many Models To Choose Among

COSO
COCO
Cadbury Report
Deming Award
TQM
12 Attributes
Deep Learning Framework
Baldrige Award
ISO 9000
Westinghouse Award
Northrop Award

Page 5

Who Developed Models?

COSO: The major accounting and audit professional organizations issued COSO in 1992.

12 Criteria: The Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987.

COCO: In November 1995, The Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.

Page 6

Who Developed Models? (Continued)

ISO 9000: developed by the International Organization for Standardization (ISO).

Deep Learning Framework: In 1990, Peter Senge published the now classic The Fifth Discipline and then in 1995 published The Fifth Discipline Fieldbook.

Page 7

Different Frameworks: Same Goals

Frameworks provide a way of understanding our organizations.

By having different groupings, each highlights some aspects of control more than others.

The criteria in the frameworks provide a basis for understanding control in an organization and for making judgment about the effectiveness of control.

Page 8

Different Frameworks: Same Goals

Frameworks provide a systematic step by step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business.

Frameworks provide a standard review process. Frameworks provide a tool that helps management and auditors evaluate the adequacy of controls in multiple dimensions of the business. It helps give a picture of how well all of the controls in all of the dimensions are working.

Page 9

Using These Frameworks

Paints a picture that focuses on what is important to users, that keeps things in perspective, and that is sensitive to ‘shades of gray’.

Flexibility is allowed and creativity is required. Nothing magical about them--but they can allow you to have seemingly magical insights.

Page 10

One More Tool in the Tool box

CSA
Questionnaires
Unobtrusive Measures
Structured Interviews
Document Reviews
Regression Analysis
Integrated Control Frameworks
And many more!

Page 11

[Figure: COSO model diagram, showing Environment, Risk Assessment and Activities]

Page 12

[Figure: COSO ERM Framework]

Page 13

COSO - Cadbury

COSO
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

Cadbury
• Control Environment
• Identification of Risks, Control Priorities and Objectives
• Control Activities
• Monitoring and Corrective Action

Page 14

Control Environment

Provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It serves as the foundation for the other components. (COSO)

Management must send a clear message to all personnel that control responsibilities are to be taken seriously, that each person has a particular role in the control system and that each role relates to the role of others. (Cadbury)

Page 15

Risk Assessment

Management must assess risks to the achievement of specified objectives. (COSO)

Is the process by which executive management identifies the risks arising from the organization’s business and, since resources are always limited, establishes the priorities for control and particular control objectives. (Cadbury)

Page 16

Control Activities

Are implemented to help ensure that management directives to address the risks are carried out. (COSO)

Are the detailed policies and procedures designed to achieve the company’s control objectives and to provide management with reasonable assurance that their priorities for internal control are being addressed. They operate throughout the organization, potentially covering all levels. (Cadbury)

Page 17

Information and Communication

Relevant information is captured and communicated throughout the organization.

Page 18

Monitoring

The entire process is monitored and modified as conditions warrant. (COSO)

Monitoring and corrective action should produce sufficient evidence that the financial control system for which they are responsible is effective in practice. Monitoring is performed at a higher level than the routine checks built into the day-to-day routine and involves a greater degree of independence from those who operate the procedures. (Cadbury)

Page 19

CRIME

C: Control Activity

R: Risks

I: Information

M: Monitoring

E: Environment

Page 20

COSO Matrix

Objectives (columns): Operations; Financial Reporting; Compliance With Laws and Regulations

Components (rows): Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring

Page 21

COCO

Purpose: A sense of direction. What are we here for?

Commitment: A sense of identity and values. Do we want to do a good job?

Capability: A sense of competence. What action do we need to take?

Monitoring and Learning: A sense of evolution. What progress? What next?

ACTION

Page 22

COCO Criteria: Purpose

Objectives should be established and communicated.

The significant internal and external risks faced by an organization in the achievement of its objectives should be identified and assessed.

Policies designed to support the achievement of an organization’s objectives and the management of its risks should be established, communicated and practiced so that people understand what is expected of them and the scope of their freedom to act.

Plans to guide efforts in achieving the organization’s objectives should be established and communicated.

Objectives and related plans should include measurable performance targets and indicators.

Page 23

COCO Criteria: Commitment

Shared ethical values, including integrity, should be established, communicated and practiced throughout the organization.

Human resource policies and practices should be consistent with an organization’s ethical values and with the achievement of its objectives.

Authority, responsibility, and accountability should be clearly defined and consistent with an organization’s objectives so that decisions and actions are taken by the appropriate people.

An atmosphere of mutual trust should be fostered to support the flow of information between people and their effective performance toward achieving the organization’s objectives.

Page 24

COCO Criteria: Capability

People should have the necessary knowledge, skills and tools to support the achievement of the organization’s objectives.

Communication processes should support the organization’s values and the achievement of its objectives.

Sufficient and relevant information should be identified and communicated in a timely manner to enable people to perform their assigned responsibilities.

The decisions and actions of different parts of the organization should be coordinated.

Control activities should be designed as an integral part of the organization, taking into consideration its objectives, the risks to their achievement, and the inter-relatedness of control elements.

Page 25

COCO Criteria: Monitoring and Learning

Environment should be monitored to obtain information that may signal a need to re-evaluate the organization’s objectives or controls.

Performance should be monitored against the targets and indicators identified in the organization’s objectives and plans.

The assumptions behind an organization’s objectives should be periodically challenged.

Information needs and related information systems should be reassessed as objectives change or as reporting deficiencies are identified.

Follow-up procedures should be established and performed to ensure appropriate change or action occurs.

Management should periodically assess the effectiveness of control in its organization and communicate the results to those to whom it is accountable.

Page 26

COCO: Sample Assessment Questions

Purpose: Do we understand our objectives? Are our plans responsive and adequate to change?

Commitment: Are critical decisions made by people with the necessary expertise, knowledge and authority?

Capability: Is there adequate information to allow us to perform our tasks?

Monitoring and Learning: Do we challenge the assumptions behind our objectives?

Page 27

COSO and COCO’s Definition of Internal Control

Per COSO, Internal Control is: a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

Per COCO, Internal Control is: those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the objectives.

Page 28

Objectives of Internal Controls

Per COSO: the organization’s effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.

Per COCO: effectiveness and efficiency of operations; reliability of internal and external reporting; and compliance with applicable laws and regulations and internal policies.

Page 29

Key COSO and COCO Concepts

Internal Control is a process.

Internal Control is effected by people.

Internal Control can be expected to provide only reasonable assurance.

Internal Control is geared to the achievement of objectives.

Page 30

Hard Controls - Soft Controls

Hard Controls: Policy and Procedures; Organizational Structure; Bureaucracy; Restrictive formal processes

Soft Controls: Competence; Trust; Shared Values; Leadership; Expectations; Commitment

Page 31

What’s More Important?

Segregation of duties or ethical employees?

Well written and thorough policy and procedures manuals or competent employees?

Clear delineation of roles and responsibilities or a group of employees dedicated to accomplishing the organization’s mission?

Page 32

Soft Controls

In the past, auditors have focused exclusively on the hard controls. As the Savings and Loan crisis demonstrated, this has meant that auditors have often missed the really important issues that will dictate whether an organization succeeds and is operating in the most efficient and effective manner. COSO, COCO, Cadbury, the Baldrige Award and the other control models highlight the need to examine soft controls and provide the analytical tools to do so.

Page 33

“Soft” Factors

Integrity and ethical values
Commitment to competence
Management's philosophy and operating style
Managing change
Communication

Page 34

Soft Control

A useful, though not precisely definable, term; best explained with common characteristics and examples.

Page 35

Common Characteristics

Hard controls tend to be: formal; objective; quantitatively measurable; the "map"

Soft controls tend to be: informal; subjective; intangible; the real terrain

Page 36

Examples

Hard Controls: Policy/procedure; Organizational structure; Bureaucracy; Restrictive formal processes; Centralized decision making

Soft Controls: Competence; Trust; Shared Values; Strong Leadership; High expectations; Openness; High ethical standards

Page 37

Framework

Baldrige: Major Areas: 7; Examination Items: 28; Areas to Address: 93

COCO: Major groupings: 4; Criteria: 20

12 Attributes: Attributes: 12

Learning Framework: Domains: 3; two of the domains each have 3 areas

COSO: Major Elements: 5; numerous issues to consider

ISO 9000: Major Elements: 20

Page 38

Major Emphasis

Note: COCO defines control as those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.

COSO defines control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding internal controls.

Baldrige: Results and continuous improvement

COCO: Control

12 Attributes: Effectiveness

Learning Framework: Continuous learning

COSO: Control

ISO 9000: Quality Control

Page 39

Used By:

Baldrige: Used in the private sector in the U.S. Similar frameworks, such as the Presidential Award, are used in the public sector. State of Washington just adopted it.

COCO: Used in the public and private sector in Canada.

12 Attributes: Public sector in Canada.

COSO: Widespread in the private sector in Europe, increasingly used by U.S. companies, especially those involved in international trade.

Senge’s Deep Learning Framework: U.S. companies such as General Motors and Sprint.

ISO 9000: Over 40,000 companies around the world. Increasingly used in the U.S., especially by firms interested in European trade.

Page 40

Customer Focus

Baldrige: major focus

COCO: very indirect, discusses meeting objectives and evaluating external environment

12 Attributes: indirect

Learning Framework: indirect

COSO: very indirect

Page 41

Monitoring

Baldrige: in relation to results and customer satisfaction

COCO: in relation to (1) the effectiveness of controls; (2) targets and indicators

12 Attributes: key matters pertaining to performance and organizational strength

Learning Framework: as part of continuous learning

COSO: Major Element in relation to the effectiveness of the other four major control elements

Page 42

Review of Freeway Park Garage Using COSO Model (1)

CONTROL ENVIRONMENT

Management:

Management is aware of the importance of accountability controls, communicates this importance to employees at all levels, and displays a supportive attitude toward management controls.

Management did not adequately communicate the purpose and importance of implementing management control procedures to employees at all levels. For example, most of the control weaknesses which the State Auditor identified in a 1993 management letter to the City were not corrected.

Page 43

Review of Freeway Park Garage Using COSO Model (2)

Employees:

Employees understand the importance of implementing control procedures.

Garage employees did not always implement existing management control procedures. Although the old Freeway Park Garage manual instructed employees to enter all cash transactions into the cash register as they occurred, we found that parking attendants were not always implementing this policy. For instance, the revenue report for the evening shift on May 2, 1994 reported $372.00 more in sales than what was entered into the cash register. We also found that parking attendants did not always give customers a cash register receipt. For example, an auditor posing as a daily parking customer requested a receipt and received one that was retrieved from a garbage can.

Page 44

Review of Freeway Park Garage Using COSO Model (3)

Employees do not circumvent or ignore existing controls.

The Garage is a “pay as you enter” operation. Cashiers give each daily parking customer a validated, dated and time-stamped parking ticket which also shows the amount paid; $4 for daily parking. To exit the Garage, daily parking customers must enter the validated ticket into a card reader system, which sends a signal to open the gate. Although required to retain records for a minimum of six years, according to the retention schedule of the State of Washington, used daily parking tickets were thrown away. In addition, we found no evidence to support that the Garage supervisor or an independent party reviewed the daily tickets before they tossed them away. On March 10, 1995, auditors instructed staff to retain the daily tickets. We later reviewed the used tickets to ensure that they were all validated and stamped with a $4 sales price. As a result of our review, we found one daily ticket dated March 8, 1995 with a stamped sales price of $80, instead of $4.

Page 45

Review of Freeway Park Garage Using COSO Model (4)

Employees do not circumvent or ignore existing controls.

Employees were not clear about their job responsibilities. For example, the Garage supervisor did not understand that reviewing attendant’s work included reconciling totals on cash register tapes to revenue reports, deposit slips, refund report sheets, and documents recording sales of monthly parking permits. Also, job descriptions were not periodically reviewed or updated. (1) Employees at the Garage do not receive written performance evaluations on a regular basis. Parking attendants could not remember when they last received a written performance evaluation. (2) Garage staff received no formal training on how to use the Garage’s computer system and, although requested, employees have not attended any City sponsored computer training courses. (3) Although the Department of Finance required Finance’s cash handling training course for certification as a cash handler with the City, as of June 1995, only one of the three permanent parking attendants had taken this course.

Page 46

Page 47

Page 48

Page 49

Arguing with a COSO auditor is like wrestling with a pig in mud . . .

Page 50

Sooner or later you realize the pig enjoys it!