Coso Overview Redo Compressed PDF
Your Facilitator
• Past CAE and current consultant and trainer in aspects of Internal Audit, SOX, ERM, Fraud, Governance and Compliance.
• Over 30 years of experience in the accounting, finance and compliance industries.
• Recognized author, trainer and speaker.
• www.lynnfountain.net
• fountainlynn1@gmail.com
Introduction
• In today's business world, the term "internal control" is assumed to be a well-known and understood concept.
• Companies utilizing the COSO framework should have transitioned from the 1992 original framework to the updated 2013 framework.
Introduction
• This transition should have resulted in a re-evaluation of internal controls.
• This includes evaluation of how roles and responsibilities for controls are deployed through the organization.
Agenda
• Explore the definition of IC and its importance in today's business.
• Examine the basic tenets of IC.
• Explore the reasons for the COSO update and dissect key changes.
• Examine the keys to the COSO 17 principles.
• Explore how to perform a needs impact assessment and compliance plan.
DEFINITION AND BENEFITS OF IC
Internal Control
• Key definition: a means by which an organization's resources are directed, monitored, and measured.
• Plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical and intangible.
Internal Control
• IC is a process affected by an organization's structure, work and authority flows, people and information systems.
• Designed to help the organization accomplish specific goals or objectives.
• Concepts date back to Egyptian times and the process of tax collection.
… A good thing?
• Internal control IS a good thing.
• How does your organization view IC?
• Is it considered a necessary evil?
• Do you know management's view?
• Are control findings aligned with management tolerances?
• How do you communicate with management about the importance of IC?
• How much do your management and the Board really know about the COSO internal control framework?
Advantages
• Leads to a more efficiently run organization.
• Ensures a company's resources are utilized only for their intended purposes.
• Minimizes the risk of resource misuse.
• Prevents financial irregularities by detecting them quickly.
• Prevents employees from being accused of any irregularities or misappropriations of funds.
Disadvantages
• Poorly designed/executed controls can create employee frustration/apathy.
• A system too rigidly designed to allow for adaptation may be difficult to sustain.
• Design may cause auditors to become over-dependent on the internal control system.
• May lead to relaxation of measures for checking for fraud.
IC BASIC TENETS
IC Basics
• The difficulty with IC concepts is that one person's view of IC may be different from another's.
• Consider how we learn about a new topic.
• How are we taught?
• Personal beliefs and values impact what is taught.
• Will a professional do the right thing when no one is looking?
IC Basics
• Psychological components impact how people view ICs and their perception of the "so-called" black and white line.
• COSO 2013 attempts to provide a clearer definition of IC through the listing of principles and points of focus.
• It requires a more stringent focus when thinking about ICs.
Responsibility
• Internal control is management's responsibility.
• The five components are discussed in the context of the management of the entity.
• A board that comprises directors with sufficient independence is part of IC.
• The process of IC highlights two important components:
  • Specify
  • Use
IC Process
• Specify
  • ICs should be built on specific, measurable, observable, attainable, relevant and time-based objectives.
  • The suitability of ICs must be based on the organization's objectives, the facts surrounding the process, and established laws and rules.
  • ICs must be specifically communicated, along with objectives, throughout the entity.
IC Process
• Use
  • Use specified objectives as a measure to determine the level of risk assessment.
  • Consider how your organization identifies or specifies the need for an IC.
  • A board that comprises directors with sufficient independence is part of IC.
Control Identification
• If you asked an employee to name the control within their process, what would they say?
• Would they recite process steps?
• Could they differentiate between steps and controls? Example:
  • Invoices are received by the receptionist, opened and passed to the controller.
  • Is this a process step in a task or a control?
Benefits
• Benefits
  • Updates will help strengthen systems of internal control.
  • Provides important considerations of effective IC through formalization of concepts introduced in the original framework.
  • Appropriately expands the reporting objective.
Challenges
• Challenges
  • Sets a higher threshold for attaining effective IC.
  • May impose additional burden on entities' reporting on IC.
  • Should incorporate aspects of ERM.
BASIC FRAMEWORK
1992 Framework
• COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (Treadway Commission).
• A joint initiative of five private sector organizations:
  • American Accounting Association (AAA)
  • American Institute of Certified Public Accountants (AICPA)
  • Financial Executives International (FEI)
  • Institute of Internal Auditors (IIA)
  • Institute of Management Accountants (IMA)
1992 Framework
• The framework was developed in response to the need for effective ways to control enterprises and to help ensure objectives are achieved related to:
  • Operations
  • Financial reporting
  • Compliance
• Provided principles-based guidance for designing and implementing effective ICs.
1992 Components
• Includes five interrelated components derived from how management runs a business.
• Control environment: sets the tone of an organization, influencing the control consciousness of its people.
  • The foundation for all other components.
1992 Components
• Risk assessment: every entity faces a variety of risks that must be assessed.
• RA is the identification and analysis of relevant risks to the achievement of assigned objectives.
  • Prerequisite for determining how risks should be managed.
1992 Components
• Control activities: policies/procedures that help ensure management directives are carried out.
  • Occur throughout the organization, at all levels and in all functions.
  • Must be identified separately from daily tasks.
1992 Components
• Includes a range of activities:
  • Approvals
  • Authorizations
  • Verification controls
  • Reconciliations
  • Reviews of operating performance
  • Security of assets
  • Segregation of duties
1992 Components
• Information and communication: systems produce reports that make it possible to run and control the business.
• Effective communication must ensure information flows down, across and up the organization and includes external parties.
1992 Components
• Monitoring: assesses the quality of the system's performance over time.
• Accomplished through ongoing activities or separate evaluations.
• Deficiencies detected should be reported and corrective actions taken to ensure continuous improvement of the system.
COSO Update
• It has been 20 years since the original COSO.
• Business has changed dramatically.
• Stakeholders are more engaged and seek greater transparency/accountability for the integrity of internal control.
• Key aspects have been added to mandate:
  • Knowledge of business strategy.
  • Understanding of regulatory changes.
  • Increased focus on information technology controls.
  • Control attributes must work in synergy.
Changes to Reporting Philosophy
[Comparison table: COSO 1992 vs. COSO 2013]
New Concepts
• Formalizes the fundamental concepts underlying the five components of internal control as principles.
• Clarifies the role of objective-setting as a pre-condition to internal control.
• Reflects the increased relevance of technology.
• Enhances governance concepts and anti-fraud expectations.
New Concepts
• Considers changes in business, operating and regulatory environments.
• Expands the financial reporting objective to include other important forms of reporting.
• Provides additional approaches relevant to compliance, financial and non-financial reporting objectives.
Operating Environment
• The updated framework considers changes in business, operating, and regulatory environments:
  • Expectations for governance oversight
  • Globalization of markets and operations
  • Changes in business models
  • Demands/complexity in laws, rules, regulations and standards
  • Expectations for competencies and accountabilities
  • Expectations for preventing and detecting fraud
Clarifies Deficiencies
• Control deficiency: a shortcoming in component(s) and relevant principle(s) that reduces the likelihood that the entity can achieve its objectives.
• If a deficiency in control is identified, management must assess the severity of its impact.
Clarifies Deficiencies
• Major deficiency in internal control: precludes effective internal control.
• Points of focus (POF), formerly attributes, are important considerations in determining whether a principle is present and functioning.
Working Together
• Effective IC requires each of the five components.
• Principles must be present, functioning and operating together.
• Present is about effective design and implementation.
• Functioning is about effective operation.
Working Together
• Present: components and relevant principles exist in the design and implementation of IC.
• Functioning: requires a determination that all five components collectively reduce, to an acceptable level, the risk of not achieving objectives.
KEYS TO COSO 17 PRINCIPLES
Principles
• Attributes under categories are "formalized" into 17 principles.
• The framework views all principles as suitable to all entities.
• A principle is a law/rule that should be followed.
• Effective operation would be impossible if any one of the principles was ignored.
Points of Focus
• POF may assist in evaluating IC and determining whether principles are present/functioning.
• Not required for assessing the effectiveness of IC.
• Management may determine that some POF are not suitable and may identify and consider others.
Points of Focus
• COSO uses "points of focus" (POF) as important characteristics of the principles.
• "Focus", formal definition: a central point of attraction, attention, or activity.
CONTROL ENVIRONMENT
Control Environment
• The set of standards and processes that provide the basis for carrying out IC.
• Principle 1: The organization demonstrates a commitment to integrity and ethical values.
• Principle 2: The board demonstrates independence from management and exercises oversight of IC.
Control Environment
• Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities.
• Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals.
• Principle 5: The organization holds individuals accountable for their IC responsibilities.
Control Environment
• What things are in place to establish a sound "control structure"?
  • Policies and procedures
  • Management philosophy and operating style
  • Tone at the top
  • HR policies
  • Segregation of duties
  • Ethics controls, code of conduct
RISK ASSESSMENT
Risk Assessment
• RA involves a dynamic and iterative process.
• Considers changes in the external environment/business model that may impede achievement of objectives.
• The framework includes four principles under the RA component.
Risk Assessment
• Principle 6: Objectives are stated with sufficient clarity to enable the identification/assessment of risks.
• Principle 7: Identify/analyze risks to determine how to manage them.
• Principle 8: Management assesses the potential for fraud related to achievement of objectives.
• Principle 9: Identify and assess changes that could significantly impact the system of IC.
Risk Assessment
• What occurs within processes to continually assess and evaluate inherent risks?
  • KPIs
  • Business objectives
  • Goals and strategies
  • Emerging risk assessment
  • Assessment of changing business environment
CONTROL ACTIVITIES
Control Activities
• CA are actions established by policies/procedures to help ensure that management directives to mitigate risks are carried out.
• CA are performed at all levels of the entity and at various stages.
• Includes three separate principles.
Control Activities
• Principle 10: Selects and develops control activities.
• Principle 11: Selects and develops general controls over technology.
• Principle 12: Deploys through policies and procedures.
Control Activities
• What specific CA occur to ensure proper execution of the process and keep the "bad thing" from happening?
  • Checks and balances/reconciliations
  • Sign-offs/tie-outs
  • Receipting/purchase orders
  • Inventory/cash counts
  • Estimates and judgments
  • Procedure compliance
INFORMATION AND COMMUNICATION
I&C
• Necessary for the entity to carry out IC responsibilities.
• Occurs both internally and externally.
• Enables personnel to understand IC responsibilities.
• Informs external parties regarding the organization's position on IC.
I&C
• Principle 13: Obtain or generate and use relevant information to support the functioning of IC.
• Principle 14: Internally communicate information, including objectives and responsibilities for IC.
• Principle 15: Communicate with external parties regarding matters affecting the functioning of IC.
I&C
• How is information in the organization communicated through systems and personnel?
• What focus is placed on IT general and application controls?
• How does the company communicate ICs to investors and employees?
MONITORING
Monitoring
• Principle 16: Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of IC is working.
• Principle 17: Findings are evaluated and deficiencies are communicated in a timely manner.
  • Serious matters are reported to senior management and to the board.
Monitoring
• Monitoring involves both internal and external monitoring.
• It does not mean that all monitoring is the responsibility of the auditors.
• Management must establish appropriate procedures to monitor their own activities.
Monitoring
• What processes are in place to evaluate overall effectiveness?
• Who owns the task of monitoring effective processing?
• Does management take responsibility, or do they wait for the checks and balances?
FRAMEWORK APPLICATION
Application
• COSO recommends:
  • Document responses for each "principle".
  • Responses should support management's conclusions that controls actually exist and are effectively functioning.
Application
• A response should generally not be a "yes" or a "no".
• It should address the specific internal control and what the entity does to address the point of focus.
Application
• Management should conclude on the effectiveness of controls for each of the five attributes.
• The responses must provide information with respect to the COSO Template
Application
• An overall conclusion should be reached with respect to each COSO component.
• The conclusion is supported by the collective weight of the individual conclusions on the relevant attributes.
• Management formulates a conclusion as to the effectiveness of the control environment.
Application
• A response of "ineffective" or "requires improvement" for a given attribute does not necessarily warrant a conclusion that the related component is ineffective at the entity level.
• There may be compensating controls in other areas.
Needs Impact
• The impact of COSO and the effort required will vary for each organization.
• What should your organization do?
  • Are you a publicly traded entity?
  • Does your company utilize COSO for its IC framework?
Needs Impact
• Is your company considering an IPO?
• How have your past SOX efforts been managed?
• What is the company's history with significant deficiencies and material weaknesses?
• How robust has your program for evaluating the control environment elements been?
• Does your company wish to reflect compliance with COSO regardless of SEC filing status?
Needs Impact
• Companies should continually assess their individual maturity related to COSO compliance.
• Compliance with COSO 2013 will continue to evolve and transition as organizations further evaluate the principles and POF.
• Companies' mapping processes and diligence vary.
• Will it matter?
COMPLIANCE
Compliance
• Focus on all five COSO components and related principles.
• The 17 principles will require focus on the importance of components beyond ICFR.
• Consider:
  • The manner in which other components are being tested.
  • Who performs the testing.
  • The level of evidence/documentation required to conclude that each principle/component is present/functioning.
Compliance
• Examine the impact on the board and AC.
• The framework contains more prescriptive expectations on governance.
• Boards/committees should consider POF and how their current governance policies, procedures and documentation demonstrate that the related principles are present/functioning.
Compliance
• Align RA and CA. Consider:
  • Who performs the RA, how and when, and how are external/internal changes impacting FR identified?
  • RA should include understanding processes from transaction initiation to FS recognition.
  • How do you know when a process has changed or should change?
Compliance
• Ensure CA are responsive to the assessed risk.
• Documentation should support the assertion that controls are operating effectively and at the appropriate level.
Compliance
• Apply the framework to meet other objectives:
  • Assertions related to disclosure controls and procedures.
  • Regulatory assertions.
  • Sustainability measures and reporting.
Compliance
• Principle mapping
  • COSO suggests beginning with the principle and determining if controls exist that meet the principle.
  • POF can be utilized in assessing controls.
  • A fresh look beginning with the principles will assist in re-evaluating the efficiency/sufficiency of certain controls.
Compliance
• Involve key stakeholders
  • Active participation of operational, compliance and finance functions will be critical to ongoing success.
• Communicate and train
  • Actively communicate the framework and its intent and importance.
Compliance
• Assess the risk of fraud continually, both at an entity level and at the transaction level.
• Consider the opportunity for management to override internal controls without being detected.
Compliance
• Fraud transition considerations:
  • Ensure proper personnel are performing fraud risk assessments and evaluating the risk of management override.
  • Ensure the AC oversees the assessment and challenges management.
Compliance
• Fraud transition considerations:
  • Validate that procedures to detect/deter fraud are responsive to the CE and the assessed risk.
  • Ensure controls considered important to the detection/deterrence of fraud are monitored frequently and robustly.
SUMMARY
Summary Overview
• The framework is not new!
• There are critical enhancements.
• Adequate ongoing compliance will require focus and dedication.
• Management must understand the principles and POF.
• Audit Committee and board understanding and involvement, as well as buy-in, are critical.
• All organizations should have a basic understanding of COSO.
Summary Overview
• The overall impact of the updated framework may be dependent on many variables.
• Remember the intent of the framework update:
  • Ongoing enhancement of internal controls in all areas of business.