coso internal control integrated framework
TRANSCRIPT
Enterprise Risk ServicesDecember 2011
COSOInternal Control–Integrated FrameworkExposure Draft
December 2011
What is COSO?
The COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a private sector initiative, jointly sponsored and funded by:
• American Accounting Association (AAA)
• American Institute of Certified Public
Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)
2
Internal Control-Integrated Framework
• First published in 1992
• Gained wide acceptance following financial control failures of early 2000’s
• Most widely used framework in the US
• Also widely used around the world
3
Original COSO Cube
Methodology
• Background
‒ Project announced in November 2010
‒ To make the existing Framework and related evaluation tools more relevant in the increasingly complex business environment
‒ PricewaterhouseCoopers as the original author conducted this project.
‒ not intended to change how internal control is defined, assessed, or managed, but rather provide greater clarity and a more comprehensive and relevant conceptual guidance
• Project Structure‒ Advisory Council comprising
representatives from industries, academia, government agencies, and non-profit organizations updated Framework is being exposed to the public to capture additional input
• Approach‒ Assess and Envision‒ Build and Design‒ Preparation for Public Exposure‒ Finalization
• Applies a principles-based approach
• Clarifies the role of objective-setting in internal control
• Reflects the increased relevance of technology
• Enhances governance concepts
• Expands the reporting category of objectives
• Enhances consideration of anti-fraud expectations
• Considers different business models and organizational
structures
Summary of Changes to the 1992 Version
5
Internal Control is a _______ effected by an entity’s _______ ____________________________________ designed to provide _________ assurance regarding the achievements of ________ in the following categories:
• Effectiveness & efficiency of operations.• Reliability of financial reporting.• Compliance with applicable laws and regulations.
board of directors, management and other personnel, process reasonable
What is internal control?
6
objectives
Categories of Objectives
7
Operations
Reporting
Compliance
• Improving Quality• Reducing Costs• Reducing
Production Time • Improving
Innovation• Improving Customer
Satisfaction• Improving Employee
Satisfaction• etc
• External Financial Reporting Objectives
• External Non-Financial Reporting Objectives
• Internal Financial Reporting Objectives
• Internal Non-Financial Reporting Objectives
• Identifying Applicable Laws and Regulations
• Ensuring Compliance with Applicable Laws and Regulation
Components of Internal Control
8
Monitoring
Control Environment
Risk Assessment
Control Activities
Info
rmat
ion a
nd C
omm
unica
tion Inform
ation and Comm
unication
A Principal Based Approach
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
Five Components
5 principles
4 principles
3 principles
3 principles
2 principles
17 principles
21 Attributes
19 Attributes
16 Attributes
14 Attributes
11 Attributes
81 Attributes
A Principal Based Approach
10
Operations
Objectives
Reporting Objectives
Compliance
Objectives
Apply to17 Principals
Principles and Attributes Relating to Components of Internal Control
Principles Relating to Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
12
Attributes Relating to Control Environment
1. Sets the Tone at the Top
2. Establishes Standards of Conduct
3. Evaluates Adherence to Standards of Conduct
4. Addresses Deviations in a Timely Manner
13
1. Demonstrates Commitment to Integrity and Ethical Values
Attributes Relating to Control Environment
1. Establishes Board of Directors Oversight Responsibilities
2. Retains or Delegates Oversight Responsibilities
3. Applies Relevant Expertise
4. Operates Independently
5. Provides Oversight
14
2. Exercises Oversight Responsibility
Attributes Relating to Control Environment
1. Considers All Structures of the Entity
2. Establishes Reporting Lines
3. Defines, Assigns, and Limits Authorities and Responsibilities
15
3. Establishes Structure, Authority, and Responsibility
Attributes Relating to Control Environment
1. Establishes Policies and Practices
2. Attracts, Develops, and Retains Individuals
3. Evaluates Competence and Addresses Shortcomings
4. Plans and Prepares for Succession
16
4. Demonstrates Commitment to Competence
Attributes Relating to Control Environment
1. Enforces Accountability through Structures, Authorities, and Responsibilities
2. Establishes Performance Measures, Incentives, and Rewards
3. Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance
4. Considers Excessive Pressures
5. Evaluates Performance and Rewards or Disciplines Individuals
17
5. Enforces Accountability
Principles Relating to Risk Assessment
1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. The organization identifies and assesses changes that could significantly impact the system of internal control.
18
Attributes Relating to Risk Assessment
1. Considers Tolerance for Risk / Required Level of Precision / Materiality
2. Complies with Externally Established Standards, and Frameworks / Complies with Applicable Accounting Standards / Reflects External Laws and Regulations
3. Reflects Management’s Choices
4. Reflects Entity Activities
5. Includes Operations and Financial Performance Goals
6. Forms Basis for Committing of Resources
19
6. Specifies Relevant Objectives
Attributes Relating to Risk Assessment
Attributes Relating to Operations Objectives
• Considers Tolerances for Risk
• Reflects Management’s Choices
• Includes Operations and Financial Performance Goals
• Forms Basis for Committing of Resources
20
6. Specifies Relevant Objectives
Attributes Relating to Risk Assessment
Attributes Relating to Reporting Objectives
External Financial Reporting
• Considers Materiality
• Complies with Applicable Accounting Standards
• Reflects Entity Activities
21
6. Specifies Relevant Objectives
Attributes Relating to Risk Assessment
Attributes Relating to Reporting Objectives
External Non-financial Reporting Objectives
• Complies with Externally Established Standards and Frameworks
• Reflects Entity Activities
• Considers the Required Level of Precision
22
6. Specifies Relevant Objectives
Attributes Relating to Risk Assessment
Attributes Relating to Reporting Objectives
Internal Reporting Objectives (financial and/or non-financial)
• Considers the Required Level of Precision
• Reflects Management’s Choices
• Reflects Entity Activities
23
6. Specifies Relevant Objectives
Attributes Relating to Risk Assessment
Attributes Relating to Compliance Objectives
• Considers Tolerances for Risk
• Reflects External Laws and Regulations
24
6. Specifies Relevant Objectives
Attributes Relating to Risk Assessment
1. Involves Appropriate Levels of Management
2. Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
3. Analyzes Internal and External Factors
4. Estimates Significance of Risks Identified
5. Determines How to Respond to Risks
25
7. Identifies and Analyzes Risks
Attributes Relating to Risk Assessment
1. Considers Various Ways That Fraud Can Occur
2. Considers Risk Factors
3. Assesses Incentive and Pressures
4. Assesses Opportunities
5. Assesses Attitudes and Rationalizations
26
8. Assesses Fraud Risk
Attributes Relating to Risk Assessment
1. Assesses Changes in the External Environment
2. Assesses Changes in the Business Model
3. Assesses Changes in Leadership
27
9. Identifies and Analyzes Significant Change
Principles Relating to Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11.The organization selects and develops general control activities over technology to support the achievement of objectives.
12.The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.
28
Attributes Relating to Control Activities
1. Integrates with Risk Assessment
2. Determines Relevant Business Processes
3. Considers Entity-Specific Factors
4. Evaluates a Mix of Control Activity Types
5. Considers at What Level Activities Are Applied
6. Addresses Segregation of Duties
29
10. Selects and Develops Control Activities
Attributes Relating to Control Activities
1. Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
2. Establishes Relevant Technology Infrastructure Control Activities
3. Establishes Relevant Security Management Process Control Activities
4. Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities
30
11. Selects and Develops General Controls over Technology
Attributes Relating to Control Activities
1. Establishes Policies and Procedures to Support Deployment of Management’s Directives
2. Establishes Responsibility and Accountability for Executing Policies and Procedures
3. Performs Using Competent Personnel
4. Performs in a Timely Manner
5. Takes Corrective Action
6. Reassesses Policies and Procedures
31
12. Deploys through Policies and Procedures
Principles Relating to Information and Communication13. The organization obtains or generates and uses relevant, quality
information to support the functioning of other components of internal control.
14.The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15.The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
32
Attributes Relating to Information and Communication
1. Identifies Information Requirements
2. Captures Internal and External Sources of Data
3. Processes Relevant Data into Information
4. Maintains Quality Throughout Processing
5. Considers Costs and Benefits
33
13. Uses Relevant Information
Attributes Relating to Information and Communication
1. Communicates Internal Control Information with Personnel
2. Communicates with the Board of Directors
3. Provides Separate Communication Lines
4. Selects Relevant Method of Communication
34
14. Communicates Internally
Attributes Relating to Information and Communication
1. Communicates to External Parties
2. Enables Inbound Communications
3. Provides Separate Communication Lines
4. Selects Relevant Method of Communication
5. Communicates with the Board of Directors
35
15. Communicates Externally
Principles Relating to Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17.The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
36
Attributes Relating to Monitoring Activities
1. Considers a Mix of Ongoing and Separate Evaluations
2. Establishes Baseline Understanding
3. Uses Knowledgeable Personnel
4. Integrates with Business Processes
5. Objectively Evaluates
6. Adjusts Scope and Frequency
7. Considers Rate of Change
37
16. Conducts Ongoing and/or Separate Evaluations
Attributes Relating to Monitoring Activities
1. Assesses Results
2. Communicates Deficiencies to Management
3. Reports Deficiencies to Senior Management and the Board of Directors
4. Monitors Corrective Actions
38
17. Evaluates and Communicates Deficiencies
Roles and Responsibilities
Roles - Three Lines of Defense
• Management and other personnel on the front line provide the first line of defense as they are responsible for maintaining effective internal control day to day; they are compensated based on performance in relation to all applicable objectives
• Business-enabling functions such as risk, control, legal, and compliance provide the second line of defense as they clarify internal control requirements and evaluate adherence to defined standards. While they are functionally aligned to the business, their compensation is not directly tied to performance of the area to which they render expert advice.
40
Roles - Three Lines of Defense
• Internal auditors provide the third line of defense as they assess and report on internal control and recommend corrective actions or enhancements for management consideration and implementation; their position and compensation are separate and distinct from the business areas they review.
41
Responsible Parties - The Board of Directors and its CommitteesThe Board:
• has a key role in defining expectations on integrity and ethical values and internal control responsibilities.
• have a working knowledge of the entity’s activities and environment, and they commit the time necessary to fulfill their governance responsibilities.
• utilize resources as needed to investigate any issues, and have an open and unrestricted communications channel with all entity personnel, the internal auditors, independent auditors, external reviewers, and legal counsel.
42
Responsible Parties - The Board of Directors and its CommitteesBoard-level committees include :
• Audit Committee
• Compensation Committee
• Nomination/Governance Committee
• Other Committees
43
Responsible Parties - Chief Executive Officer
Chief Executive Officer (CEO) :
• is ultimately responsible for the effectiveness of the entity’s internal control system
• sets the tone at the top that affects control environment factors and all other components of internal control.
44
Responsible Parties - Chief Executive Officer
The CEO fulfills this duty by:
• Providing leadership and direction to senior management. With the support of management, the CEO shapes the values, principles, and major operating policies that form the foundation of the entity’s internal control system.
• Meeting periodically with senior management from each of the operating units (e.g., research and development, production, marketing, sales) and major business enabling functions (e.g., finance, human resources, legal, compliance, risk management).
45
Responsible Parties - Chief Executive Officer
The CEO fulfills this duty by:
• Defining metrics, targets, or other measurable expectations with which to gauge the ongoing and long-term effectiveness of the system of internal control. The methods of designing, implementing, and assessing internal control are delegated to management at different levels.
46
Responsible Parties - Chief Executive Officer
The CEO fulfills this duty by:
• Directing all management and other personnel to proactively identify threats to the system of internal control. Given the ever-increasing pace of change and networked interactions of business partners, customers, and employees, the sources of threat to an ongoing effective internal control system are constantly changing. The CEO expects senior management in particular to beware of making assumptions based on the traditional sources of threats to an effective internal control system.
47
Responsible Parties - Chief Financial Officer
The Chief Financial Officer (CFO):
• supports the CEO in front-line responsibilities, including internal control over financial reporting.
• is integrally involved when the entity’s strategies are decided, objectives are established, risks are analyzed, and decisions are made on how changes will be managed.
• provides valuable input and direction and is positioned to focus on evaluating and following up on the actions decided by management.
• is an equal partner with the other functional heads.
48
Responsible Parties - Other Members of Senior ManagementSenior management comprises:
• Chief operating officer
• Chief administrative officer
• Chief risk officer
• Chief compliance officer
• Chief information officer
• Other senior leadership roles, depending on the nature of the business
49
Responsible Parties - Other Members of Senior ManagementSenior management:
• guides the development and implementation of internal control policies and procedures that address the objectives of their functional or operating unit and verify that they are consistent with the entity-wide objectives.
• assigns responsibility for establishing even more specific internal control procedures to those personnel responsible for the unit’s functions or departments
50
Responsible Parties - Business-Enabling Functions
• support the business through their specialized skills.
• provide guidance and assessment of internal control related to their areas of expertise.
• keep the organization informed of relevant requirements as they evolve over time.
• Their efforts are coordinated and integrated as appropriate.
51
Responsible Parties - Risk and Control Personnel
• provide specialized skills and guidance to front-line management and other personnel and evaluating internal control.
• identify known and emerging risks.
• help management develop processes to manage relevant risks.
• communicate and provide education on these processes across the organization.
• evaluate and report on the effectiveness of such processes.
• not responsible for executing controls but support
52
Responsible Parties - Internal Auditors
The Internal Auditor:
• provide assurance and advisory services over internal control
• evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s oversight, operations, and information systems regarding:‒ Reliability and integrity of financial and operational information.‒ Effectiveness and efficiency of operations and programs.‒ Safeguarding of assets.‒ Compliance with laws, regulations, policies, procedures, and
contracts.
53
Responsible Parties - External Parties
External Parties includes:
• Outsourced Service Providers
• Business Partners and Other Parties Interacting with the Entity
• Independent Auditors
• External Reviewers
• Legislators and Regulators
• Financial Analysts, Bond Rating Agencies, and the News Media
54
Assessing Effectiveness
Assessing Effectiveness
When controls are effective; the organization:
• Understands the extent to which operations are managed effectively and efficiently.
• Prepares reliable reports.
• Complies with applicable laws and regulations
56
Assessing Effectiveness
• Each of the five components must be present and operate together.
• Effectiveness of internal control is assessed relative to the five components of internal Control.
• Effectiveness of internal control can also be assessed relative to a specific part of the organizational structure.
57
Assessing Effectiveness
Determining whether a principle is present and functioning implies that the organization:
• Understands the intent of the principle and how it is being applied.
• Applies the principle consistently across the entity.
• Works to help personnel understand and apply the principle across the entity.
• Views omission of or non-conformity with a principle as an exception (i.e., not applying the wording, intent, and spirit of the principle is the exception rather than the norm).
58
Limitations of Internal Control
• Quality and suitability of objectives
• Judgment
• Breakdowns
• Management Override
• Collusion
59
What is not of internal control?
• Many decisions reached by the board are not part of internal control
• Appropriateness of particular objectives selected
• Setting the overall level of acceptable risk and associated risk appetite
• setting risk tolerance levels in relation to specific objectives
• Choosing which risk response is preferred to address specific risks
60
Q & A Session
Thank You