control models[1]
Frameworks For Evaluating Internal Controls
• COCO
• Westinghouse
• Malcolm Baldrige
• Deming
• COSO
• ISO 9000
• Peter Senge’s Deep Learning Framework
• Cadbury
• Twelve Attributes
Many Models To Choose Among
• COSO
• COCO
• Cadbury Report
• Deming Award
• TQM
• 12 Attributes
• Deep Learning Framework
• Baldrige Award
• ISO 9000
• Westinghouse Award
• Northrop Award
Who Developed Models?
• COSO: The major accounting and audit professional organizations issued COSO in 1992.
• 12 Criteria: The Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987.
• COCO: In November 1995, The Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.
Who Developed Models? (Continued)
• ISO 9000: developed by the International Organization for Standardization (ISO).
• Deep Learning Framework: In 1990, Peter Senge published the now classic The Fifth Discipline and then in 1995 published The Fifth Discipline Fieldbook.
Different Frameworks: Same Goals
• Frameworks provide a way of understanding our organizations.
• By having different groupings, each highlights some aspects of control more than others.
• The criteria in the frameworks provide a basis for understanding control in an organization and for making judgments about the effectiveness of control.
Different Frameworks: Same Goals
• Frameworks provide a systematic, step-by-step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business.
• Frameworks provide a standard review process.
• Frameworks provide a tool that helps management and auditors evaluate the adequacy of controls in multiple dimensions of the business. It helps give a picture of how well all of the controls in all of the dimensions are working.
Using These Frameworks
• Paints a picture that focuses on what is important to users, that keeps things in perspective, and that is sensitive to ‘shades of gray’.
• Flexibility is allowed and creativity is required.
• Nothing magical about them--but they can allow you to have seemingly magical insights.
One More Tool in the Toolbox
• CSA
• Questionnaires
• Unobtrusive Measures
• Structured Interviews
• Document Reviews
• Regression Analysis
• Integrated Control Frameworks
• And many more!
[Figure: COSO ERM Framework diagram showing the components Control Environment, Risk Assessment and Control Activities]
COSO - Cadbury
COSO:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
Cadbury:
• Control Environment
• Identification of Risks, Control Priorities and Objectives
• Control Activities
• Monitoring and Corrective Action
Control Environment
• Provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It serves as the foundation for the other components. (COSO)
• Management must send a clear message to all personnel that control responsibilities are to be taken seriously, that each person has a particular role in the control system and that each role relates to the roles of others. (Cadbury)
Risk Assessment
• Management must assess risks to the achievement of specified objectives. (COSO)
• Is the process by which executive management identifies the risks arising from the organization’s business and, since resources are always limited, establishes the priorities for control and particular control objectives. (Cadbury)
Control Activities
• Are implemented to help ensure that management directives to address the risks are carried out. (COSO)
• Are the detailed policies and procedures designed to achieve the company’s control objectives and to provide management with reasonable assurance that their priorities for internal control are being addressed. They operate throughout the organization, potentially covering all levels. (Cadbury)
Information and Communication
• Relevant information is captured and communicated throughout the organization.
Monitoring
• The entire process is monitored and modified as conditions warrant. (COSO)
• Monitoring and corrective action should produce sufficient evidence that the financial control system for which they are responsible is effective in practice. Monitoring is performed at a higher level than the routine checks built into the day-to-day routine and involves a greater degree of independence from those who operate the procedures. (Cadbury)
CRIME
• C: Control Activity
• R: Risks
• I: Information
• M: Monitoring
• E: Environment
COSO Matrix
[Figure: COSO Matrix. Columns (objectives): Operations; Financial Reporting; Compliance With Laws and Regulations. Rows (components): Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring.]
COCO
[Figure: COCO model diagram, with ACTION linked to four elements]
• Purpose: A sense of direction. What are we here for?
• Commitment: A sense of identity and values. Do we want to do a good job?
• Capability: A sense of competence. What action do we need to take?
• Monitoring and Learning: A sense of evolution. What progress? What next?
COCO Criteria: Purpose
• Objectives should be established and communicated.
• The significant internal and external risks faced by an organization in the achievement of its objectives should be identified and assessed.
• Policies designed to support the achievement of an organization’s objectives and the management of its risks should be established, communicated and practiced so that people understand what is expected of them and the scope of their freedom to act.
• Plans to guide efforts in achieving the organization’s objectives should be established and communicated.
• Objectives and related plans should include measurable performance targets and indicators.
COCO Criteria: Commitment
• Shared ethical values, including integrity, should be established, communicated and practiced throughout the organization.
• Human resource policies and practices should be consistent with an organization’s ethical values and with the achievement of its objectives.
• Authority, responsibility, and accountability should be clearly defined and consistent with an organization’s objectives so that decisions and actions are taken by the appropriate people.
• An atmosphere of mutual trust should be fostered to support the flow of information between people and their effective performance toward achieving the organization’s objectives.
COCO Criteria: Capability
• People should have the necessary knowledge, skills and tools to support the achievement of the organization’s objectives.
• Communication processes should support the organization’s values and the achievement of its objectives.
• Sufficient and relevant information should be identified and communicated in a timely manner to enable people to perform their assigned responsibilities.
• The decisions and actions of different parts of the organization should be coordinated.
• Control activities should be designed as an integral part of the organization, taking into consideration its objectives, the risks to their achievement, and the inter-relatedness of control elements.
COCO Criteria: Monitoring and Learning
• The environment should be monitored to obtain information that may signal a need to re-evaluate the organization’s objectives or controls.
• Performance should be monitored against the targets and indicators identified in the organization’s objectives and plans.
• The assumptions behind an organization’s objectives should be periodically challenged.
• Information needs and related information systems should be reassessed as objectives change or as reporting deficiencies are identified.
• Follow-up procedures should be established and performed to ensure appropriate change or action occurs.
• Management should periodically assess the effectiveness of control in its organization and communicate the results to those to whom it is accountable.
COCO: Sample Assessment Questions
• Purpose: Do we understand our objectives? Are our plans responsive and adequate to change?
• Commitment: Are critical decisions made by people with the necessary expertise, knowledge and authority?
• Capability: Is there adequate information to allow us to perform our tasks?
• Monitoring and Learning: Do we challenge the assumptions behind our objectives?
COSO and COCO’s Definition of Internal Control
• Per COSO, Internal Control is: a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.
• Per COCO, Internal Control is: those elements of an organization (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the objectives.
Objectives of Internal Controls
• Per COSO: the organization’s effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.
• Per COCO: effectiveness and efficiency of operations; reliability of internal and external reporting; and compliance with applicable laws and regulations and internal policies.
Key COSO and COCO Concepts
• Internal Control is a process.
• Internal Control is effected by people.
• Internal Control can be expected to provide only reasonable assurance.
• Internal Control is geared to the achievement of objectives.
Hard Controls - Soft Controls
Hard Controls:
• Policy and Procedures
• Organizational Structure
• Bureaucracy
• Restrictive formal processes
Soft Controls:
• Competence
• Trust
• Shared Values
• Leadership
• Expectations
• Commitment
What’s More Important?
• Segregation of duties or ethical employees?
• Well written and thorough policy and procedures manuals or competent employees?
• Clear delineation of roles and responsibilities or a group of employees dedicated to accomplishing the organization’s mission?
Soft Controls
In the past, auditors have focused exclusively on the hard controls. As the Savings and Loan crisis demonstrated, this has meant that auditors have often missed the really important issues that will dictate whether an organization succeeds and is operating in the most efficient and effective manner. COSO, COCO, Cadbury, the Baldrige Award and the other control models highlight the need to examine soft controls and provide the analytical tools to do so.
“Soft” Factors
• Integrity and ethical values
• Commitment to competence
• Management's philosophy and operating style
• Managing change
• Communication
Soft Control
• a useful, though not precisely definable, term
• best explained with common characteristics and examples
Common Characteristics
Hard controls tend to be: formal; objective; quantitatively measurable; the "map".
Soft controls tend to be: informal; subjective; intangible; the real terrain.
Examples
Hard Controls: Policy/procedure; Organizational structure; Bureaucracy; Restrictive formal processes; Centralized decision making.
Soft Controls: Competence; Trust; Shared values; Strong leadership; High expectations; Openness; High ethical standards.
Framework Structure
• Baldrige: Major Areas: 7; Examination Items: 28; Areas to Address: 93
• COCO: Major groupings: 4; Criteria: 20
• 12 Attributes: Attributes: 12
• Learning Framework: Domains: 3; two of the domains each have 3 areas
• COSO: Major Elements: 5; numerous issues to consider
• ISO 9000: Major Elements: 20
Major Emphasis
• Baldrige: Results and continuous improvement
• COCO: Control effectiveness
• 12 Attributes: Control
• Learning Framework: Continuous learning
• COSO: Control
• ISO 9000: Quality
Note: COCO defines control as those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.
COSO defines control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding internal controls.
Used By:
• Baldrige: Used in the private sector in the U.S. Similar frameworks, such as the Presidential Award, are used in the public sector. State of Washington just adopted it.
• COCO: Used in the public and private sector in Canada.
• 12 Attributes: Public sector in Canada.
• COSO: Widespread in the private sector in Europe, increasingly used by U.S. companies, especially those involved in international trade.
• Senge’s Deep Learning Framework: U.S. companies such as General Motors and Sprint.
• ISO 9000: Over 40,000 companies around the world. Increasingly used in the U.S., especially by firms interested in European trade.
Customer Focus
• Baldrige: major focus
• COCO: very indirect; discusses meeting objectives and evaluating the external environment
• 12 Attributes: indirect
• Learning Framework: indirect
• COSO: very indirect
Monitoring
• Baldrige: in relation to results and customer satisfaction
• COCO: in relation to (1) the effectiveness of controls; (2) targets and indicators
• 12 Attributes: key matters pertaining to performance and organizational strength
• Learning Framework: as part of continuous learning
• COSO: a major element, in relation to the effectiveness of the other four major control elements
Review of Freeway Park Garage Using COSO Model (1)
CONTROL ENVIRONMENT
Management:
Criterion: Management is aware of the importance of accountability controls, communicates this importance to employees at all levels, and displays a supportive attitude toward management controls.
Finding: Management did not adequately communicate the purpose and importance of implementing management control procedures to employees at all levels. For example, most of the control weaknesses which the State Auditor identified in a 1993 management letter to the City were not corrected.

Review of Freeway Park Garage Using COSO Model (2)
Employees:
Criterion: Employees understand the importance of implementing control procedures.
Finding: Garage employees did not always implement existing management control procedures. Although the old Freeway Park Garage manual instructed employees to enter all cash transactions into the cash register as they occurred, we found that parking attendants were not always implementing this policy. For instance, the revenue report for the evening shift on May 2, 1994 reported $372.00 more in sales than what was entered into the cash register. We also found that parking attendants did not always give customers a cash register receipt. For example, an auditor posing as a daily parking customer requested a receipt and received one that was retrieved from a garbage can.

Review of Freeway Park Garage Using COSO Model (3)
Criterion: Employees do not circumvent or ignore existing controls.
Finding: The Garage is a “pay as you enter” operation. Cashiers give each daily parking customer a validated, dated and time-stamped parking ticket which also shows the amount paid; $4 for daily parking. To exit the Garage, daily parking customers must enter the validated ticket into a card reader system, which sends a signal to open the gate. Although required to retain records for a minimum of six years, according to the retention schedule of the State of Washington, used daily parking tickets were thrown away. In addition, we found no evidence to support that the Garage supervisor or an independent party reviewed the daily tickets before they tossed them away. On March 10, 1995, auditors instructed staff to retain the daily tickets. We later reviewed the used tickets to ensure that they were all validated and stamped with a $4 sales price. As a result of our review, we found one daily ticket dated March 8, 1995 with a stamped sales price of $80, instead of $4.

Review of Freeway Park Garage Using COSO Model (4)
Criterion: Employees do not circumvent or ignore existing controls.
Finding: Employees were not clear about their job responsibilities. For example, the Garage supervisor did not understand that reviewing attendants’ work included reconciling totals on cash register tapes to revenue reports, deposit slips, refund report sheets, and documents recording sales of monthly parking permits. Also, job descriptions were not periodically reviewed or updated. (1) Employees at the Garage do not receive written performance evaluations on a regular basis. Parking attendants could not remember when they last received a written performance evaluation. (2) Garage staff received no formal training on how to use the Garage’s computer system and, although requested, employees have not attended any City sponsored computer training courses. (3) Although the Department of Finance required Finance’s cash handling training course for certification as a cash handler with the City, as of June 1995, only one of the three permanent parking attendants had taken this course.
Arguing with a COSO auditor is like wrestling with a pig in mud . . . Sooner or later you realize the pig enjoys it!