Understanding IC and COSO 2013

Institute of Internal Auditors Philippines
Centre for Professional Development
UNDERSTANDING
INTERNAL CONTROL AND
COSO 2013
Myrna E. Amahan, CPA, CIA, CISA, CGEIT, MPM

First Vice President
Unionbank of The Philippines
November 2016
www.iia-p.org
Objectives of the Session

This seminar aims to:
• facilitate participant’s understanding of internal controls as well

as of the new COSO 2013 Framework, its basic concepts &
principles;
• discuss how its principles-based approach can be used as a guide
for both external & internal audit function;
• better understand the internal audit function & how it can help
facilitate COA external auditors’ work.
After the seminar, participants will have a better understanding on

internal control and updated COSO framework to be able to facilitate
efforts to improve on COA auditors’ service delivery function.
www.iia-p.org
1
PART 1 – INTERNAL
CONTROLS
www.iia-p.org
Perspectives, Myths, and Realities on

Internal Control
• “Control … support(s) people in the achievement of
the organization’s objectives.”
• “Control is simply the process that keeps the
money coming in and going out in the proper
amounts in line with the ever-changing ways we do
business.”
• Internal control gets us where we want to go,
without surprises along the way.”
www.iia-p.org
2
Internal Control
• is a process
• effected by an entity’s board of directors, management, and

other personnel
• designed to provide reasonable assurance regarding the

achievement of objectives relating to operations, reporting,
and compliance.
www.iia-p.org
5
COSO Definition of Internal Controls

Internal control is:
• Geared to the achievement of objectives
• A process of ongoing tasks and activities
• Effected by people
• Able to provide for reasonable assurance
• Adaptable to the entity structure
www.iia-p.org
3
Limitations of Internal Controls

• Judgment
• Breakdowns
• Management override
• Collusion
• Cost vs. benefits
www.iia-p.org
Roles and Responsibilities

• Management is responsible for internal controls
• Other personnel all play a role in the process of internal control.
• The board of directors provide guidance and oversight.
• The internal audit function does not have primary responsibility
for establishing and maintaining internal controls.
• Internal auditors play an important role in evaluating the
effectiveness of control systems and thereby contribute to
ongoing effectiveness.
• External parties may have a significant effect on an entity’s
internal control process.
www.iia-p.org
4
Control Categories
• Preventive
• Detective
• Directive
• Mitigating or Compensating
www.iia-p.org
Preventive Controls
• Preventive controls are “built into, not onto” the system.
• In a redesigned process, controls that require an employee
to expend time and effort are generally viewed as “non-
value added.”
www.iia-p.org
5
Detective Controls
• Detective controls are ”deferred” to the end of the process
or at some key point in the process.
• In longer and more complex processes, there will be controls
at key points in the process.
• In high-volume, small-item processing systems, a reasonable
level of control can often be achieved without time-
consuming processing controls.
www.iia-p.org
Control Tools
• A control-conscious environment
• Policies, procedures, standards
• Separation of incompatible duties
• Authorization/approval
• Physical and data security
• Monitoring
www.iia-p.org
6
PART II – The Updated COSO

Framework
www.iia-p.org
COSO Framework
The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) is a joint initiative of the
five private sector organizations listed below and is
dedicated to providing thought leadership through the
development of frameworks and guidance on enterprise
risk management, internal control and fraud
deterrence.
COSO:
COSO Internal Control Integrated Framework
(1992)
www.iia-p.org
14
7
New COSO Framework

Launching of the original The updated COSO’s Internal
COSO’s Internal Control – Control – Integrated Framework
Integrated Framework is in effect (Dec 15). The original
framework is superseded.
1992 2014
T R A N S I T I O N P E R I O D*
2013
Launching of the updated
COSO’s Internal Control –
Integrated Framework (May 14)
www.iia-p.org
15
COSO Framework Context and

“Whys”
• COSO IC-IF (1992)
• “need for effective internal control”
• “to provide a common understanding of internal control among all parties and
to assist management to exercise better control over the enterprise”
• COSO ERM (2004)
• “the need exists for a robust framework to effectively identify, address, and
manage risk”
• “readily useable by management to evaluate and improve their enterprise risk
management”
• COSO IC-IF (2013)
• “Since the inception of the original Framework, business and operating environments
have changed dramatically.”
• “will enable organizations to effectively and efficiently develop and maintain systems of
internal control that can enhance the likelihood of achieving the entity’s objectives and
adapt to changes in the business and operating environments”
www.iia-p.org
PG Page 17 Screen 3 of 11
8
Factors Affecting The Need to

Update The COSO Framework
• Changes in technology and their associated risks
• Changes in corporate governance and expectations of those
charged with governing
• Increased interdependence of organizations, ranging from
joint ventures to supply-chain dependencies
• Increased demand for internal control information – some in
public reports, some in contracts
• An expanded demand for new forms of reporting on
organizational performance
• Increased importance/operations activities
www.iia-p.org
COSO IC-IF 2013

• Significant broad-based changes include:
• Articulates fundamental concepts underlying the five
components as principles.
• Provides additional approaches and examples relevant to
operations, compliance, and non-financial reporting
objectives.
• Considers changes in business and operating
environments.
• Enhances governance concepts.
• Enhances consideration of anti-fraud expectations.
www.iia-p.org
9
More changes noted

• IT controls
• Professional judgment
• Supplemental guidance on external financial reporting
www.iia-p.org
The COSO Pyramid
www.iia-p.org
10
Control Environment and Principles

The control environment is the set of standards, processes, and
structures that provide the basis for carrying out internal
control across the organization. The board of directors and
senior management establish the tone at the top regarding the
importance of internal control and expected standards of
conduct.
www.iia-p.org
Control Environment and Principles

1. The organization demonstrates a commitment to integrity and
ethical values.
2. The board of directors demonstrates independence from
management and exercises oversight of the development and
performance of internal control.
3. Management establishes, with board oversight, structures,
reporting lines, and appropriate authorities and responsibilities
in the pursuit of objectives.
4. The organization demonstrates a commitment to attract,
develop, and retain competent individuals in alignment with
objectives.
5. The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.
www.iia-p.org
11
Turning Control Environment

Principles into Positive Actions
Principles Implications for Internal Audit
1. The organization How does my organization demonstrate a

demonstrates a commitment to integrity and ethical values?
commitment to integrity How do I assess whether it has that
and ethical values. commitment? How might it be improved?
www.iia-p.org
Implications for Internal Audit

How does my organization demonstrate a commitment to
integrity and ethical values?
How do I assess whether it has that commitment?
How might it be improved?
www.iia-p.org
12
Risk Assessment Principles

6. The organization specifies objectives with sufficient clarity
to enable the identification and assessment of risks relating
to objectives.
7. The organization identifies risks to the achievement of its
objectives across the entity and analyzes risks as a basis for
determining how the risks should be managed.
8. The organization considers the potential for fraud in
assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could
significantly impact the system of internal control.
www.iia-p.org
Control Activities Principles

10. The organization selects and develops control activities
that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels.
11. The organization selects and develops general control
activities over technology to support the achievement of
objectives.
12. The organization deploys control activities through policies
that establish what is expected and procedures that put
policies into action.
www.iia-p.org
13
Turning Risk and Control Principles

into Positive Actions
6. The organization specifies objectives Risk analysis always relates to
with sufficient clarity to enable the objectives. Too often, organizations
identification and assessment of risks start with a list of risks instead of
relating to objectives. considering what objectives are
threatened by the risk, and then what
controls are necessary.
10. The organization selects and develops Neither the organization, nor internal
control activities that contribute to the audit, should begin an analysis of
mitigation of risks to the achievement of control activities with a list of controls
objectives to acceptable levels. and check off whether they are
present or not present. Rather,
controls should be assessed in
relationship to the risks being
mitigated.
www.iia-p.org
Information and Communication

Principles
13. The organization obtains or generates and uses relevant,
quality information to support the functioning of internal
control.
14. The organization internally communicates information,
including objectives and responsibilities for internal
control, necessary to support the functioning of internal
control.
15. The organization communicates with external parties
regarding matters affecting the functioning of internal
control.
www.iia-p.org
14
Monitoring Activities
Principles
16. The organization selects, develops, and performs ongoing
and/or separate evaluations to ascertain whether the
components of internal control are present and
functioning.
17. The organization evaluates and communicates internal
control deficiencies in a timely manner to those parties
responsible for taking corrective action, including senior
management and the board of directors, as appropriate.
www.iia-p.org
Turning Principles into Positive Actions

13. The organization obtains or Has my organization considered what constitutes
generates and uses relevant, quality quality information (e.g., correct, timely, protected,
information to support the functioning etc.)? Is the information being used correctly and in a
of internal control. timely fashion? What improvements can be made?
14. The organization internally Does everyone in the organization understand the
communicates information, including objectives of internal control and their responsibility
objectives and responsibilities for for the effective functioning of the internal control
internal control, necessary to support system? (Note: These principles are especially
the functioning of internal control. pertinent to the operations and compliance
objective.)
15. The organization communicates External communication is not limited to reports on
with external parties regarding matters internal control over financial reporting. For example,
affecting the functioning of internal many organizations communicate with their suppliers
control. regarding their ethics codes and suggest how the
suppliers can and should use a hotline, or direct
reporting to internal audit of any attempt to solicit
www.iia-p.org
favors for ordering from their firm.
15
Turning Principles into Positive Actions

16. The organization selects, develops, Monitoring should include ongoing or continuous
and performs ongoing and/or separate monitoring whenever such monitoring is reliable,
evaluations to ascertain whether the timely, and cost effective. Has internal audit
components of internal control are evaluated the effectiveness of continuous
present and functioning. monitoring? Further, are there lessons that can be
learned from operations monitoring, i.e., quality
control that can be applied to the compliance and
reporting objectives?
17. The organization evaluates and You should be evaluating a) what constitutes
communicates internal control deficiencies, b) the parties for taking corrective
deficiencies in a timely manner to action, and c) whether there is evidence that the
those parties responsible for taking corrective action was taken in a timely manner.
corrective action, including senior
management and the board of
directors, as appropriate.
www.iia-p.org
Soft Controls
Soft and Strong: A Best-practice Paradox
“The corporate culture is the most powerful control in any
organization.”
—Jim Roth, author of Best Practices: Evaluating the Corporate
Culture
Hard Controls Soft Controls
 Formal  Informal
 Objective  Subjective or Intangible
 Measurable  Enablers or Root Causes
www.iia-p.org
16
COSO Components and Principles

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
Control
3. Establishes structure, authority, and responsibility
Environment
4. Demonstrates commitment to competence
5. Enforces accountability
6. Specifies suitable objectives
7. Identifies and analyzes risk
Risk Assessment
8. Assesses fraud risk
9. Identifies and analyzes significant change
10. Selects and develops control activities
Control Activities 11. Selects and develops general controls over technology
12. Deploys through policies and procedures
13. Uses relevant information
Information and
14. Communicates internally
Communication
15. Communicates externally
Monitoring 16. Conducts ongoing and/or separate evaluations
Activities 17. Evaluates and communicates deficiencies
For an effective internal control:
• Each of the five components and 17 principles must be present and functioning
• The five components must operate together in an integrated manner
www.iia-p.org
33
Internal Control Framework Policy

Collectively establish
Board of Directors objectives, define
high-level strategies to
KEY POLICY PRINCIPLES achieve objectives,
Senior Management and establish
governance
structures.
Framework used to
manage risk and
control to accomplish
objectives.
COSO Internal Control

Integrated Framework
(2013)
Organizational
structure to execute
risk and control duties.
Basis for allocation of

roles and
responsibilities.
www.iia-p.org
17
COSO Components
Elements of Control
• Integration: Internal Controls is an integrated concept that
encompasses COSO’s 5 framework components
• Judgment: Judgment on the presence and functioning of
internal control is required, as is judgment on all 17
principles as they relate to the 5 components
• Control Testing and Evaluation: Evaluation and testing of
internal controls starts with objectives and risks, not with
controls
www.iia-p.org
Integration
All five components are important and necessary in achieving
an organization’s objective. For example, the control activities
would not be sufficient if the organization did not articulate
and communicate policies, monitor activities, and required
meaningful report. Overall control effectiveness is dependent
on the components working together as a whole.
www.iia-p.org
18
Judgment
The need for judgment when assessing control effectiveness is
emphasized throughout the document. Before, the need for
judgment was implicit, now, it is required. The framework’s
points of focus provide additional guidance to help address the
issue of judgment as it relates to each of the framework’s 17
principles.
www.iia-p.org
Control Testing and Evaluation

The updated COSO Framework’s one central element is the
continued emphasis on the linkage among objectives, risks and
controls. The only reason that controls exist is to mitigate risks
and thereby increase the probability that the organization will
accomplish its objectives. Control, therefore, is subservient to
risk – and to the objectives they help achieve.
www.iia-p.org
19
Part III – Impact of Updated COSO

Framework on Internal Audit
Internal Audit should:
• Study the framework
• Expand internal audit coverage to include compliance
and operations objectives
• Use the updated COSO Framework to evaluate the
organization’s internal controls
• Communicate it to management, process owners and the
audit committee
• Use the updated COSO Framework to improve the
organization’s internal control
www.iia-p.org
Opportunities for Internal Audit to add value

using the updated COSO Framework
• Internal Audit is often viewed as the control experts in
organizations. The updated COSO Framework provides a
springboard for Internal Audit to take that leadership a step
further.
• Internal Audit should take a leadership role to leverage
COSO 2013’s significant advantages in any of the following:
• Training
• Independent assessments
• Consultative activities
www.iia-p.org
20
Research results show that

organizations with sound internal
control will:
- perform better
- reduce uncertainty about earnings
- enjoy higher stock prices
www.iia-p.org
Moreover, organizations with better

internal controls will
• Reduce fraud risk
• Avoid financial reporting surprises
• Support sustained business performance
over the long run
www.iia-p.org
21
The Revised 2013 COSO Framework is more user-friendly and

applicable since it provides more guidance for implementation.
If implemented correctly, COSO 2013 will help establish more
effective controls at lower costs to the organization.
Towards this end, organizations need Internal Audit leadership
to leverage 2013 COSO Framework’s significant advantages.
www.iia-p.org
To add value, Internal Audit participation is key

to the successful implementation of COSO 2013
and to helping all areas across the organization
realize its benefits.
www.iia-p.org
22
Part III – COSO-Based Internal

Audit
www.iia-p.org
Definition of Internal Auditing

Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management,
control, and governance processes.
www.iia-p.org
23
www.iia-p.org
47
A COSO-Based Internal Audit Process
www.iia-p.org
24
A COSO-Based Internal Audit

Process: HR Example
• Strategic Alignment: Attract and retain the human capital
needed to achieve the entity’s mission and objectives.
• Supporting Objectives (hiring process example)
• Efficient and effective hiring process (O)
• Timely and reliable management (e.g., hiring decision)
information (R)
• Comply with employment laws and regulations (C)
www.iia-p.org

Process: HR Example
Objective Measures Risks
Efficient Cycle Time 1. Lack of qualified candidates

hiring
Cost 2. Inaccurate hiring requirement
Effective Onboarding Time 3. “Marginal” candidate hired
hiring 4. HR doesn’t understand the
Retention
business
www.iia-p.org
25

Process: HR Example
Risk # Principles (Control)
1. Lack of 9 (identify changes), 16 (ongoing evaluation), 17 (corrective

qualified action)
candidates
2. Inaccurate 14 (internal communication – HR and management), 10 (control
hiring activities), 12 (policies and procedures)
requirement
3 . “Marginal” 10 (control activities), 12 (policies and procedures), 4 (develop
candidate hired individuals),13 (quality information)
4. HR doesn’t 4 (competent individuals), 14 (internal communication)

understand the
www.iia-p.org
business
Design Skills
Internal auditors need control design skills when they:
• Perform internal consulting reviews.
• Participate in systems development projects.
• Are asked for advice about control issues.
• Help management in any other way to build the right
controls into a system or process.
www.iia-p.org
26
Design During Normal Activities

Audit situations requiring these skills include:
• Evaluating the adequacy of control system design.
• Evaluating effectiveness of controls in relation to the risks
being managed.
• Recommending or helping management develop practical,
cost-effective solutions to control problems identified during
the audit.
www.iia-p.org
The Risk Assessment Thought Process
www.iia-p.org
27
Defining Objectives
• The risk assessment thought process begins with clearly
defined business objectives.
• An objective is a statement of a desired end result.
• Statements that describe specific actions, such as record,
review, verify, and reconcile, usually refer to controls.
• Objective statements usually begin with more general words
like minimize, improve, safeguard, and ensure.
www.iia-p.org
Control Frameworks and Objectives

• Effectiveness and Efficiency of Operations
• Reliability of Reporting
• Compliance
www.iia-p.org
28
Risk
Definition of Risk
• The possibility of an event occurring that will have an impact
on the achievement of objectives. Risk is measured in terms
of impact and likelihood.
Risk Identification
• For each objective, ask common sense questions.
www.iia-p.org
Ten Universal Business Risks

• Erroneous records and/or information
• Unacceptable accounting principles
• Business interruption
• Government criticism or legal action
• High costs
• Unrealized or lost revenue
• Loss or destruction of assets
• Competitive disadvantage and/or public dissatisfaction
• Fraud or conflict of interest
• Inappropriate management policy and/or decision-making process
www.iia-p.org
29
Working Inventory of Risks

External Risks Internal Risks
Competitor Technology
Regulatory Financial
Shareholder Operating
Environmental Vendor/Supplier Human Resources
Political Acquisition Financial/Regulatory/Management
Publicity Strategic
Capacity
Physical disaster
Capital availability
Cyber intrusion
www.iia-p.org
Improving Risk Identification
It is helpful to clarify our thinking by identifying both the cause

and the effect of the risk.
• The cause is the reason why the risk might be realized
• The effect is the ultimate consequence, the harm that is done
or opportunity lost when the risk is realized.
www.iia-p.org
30
Assessing Risk
Once we have clearly identified the risks in a business process,
we need to assess them. Risk is measured in terms of
significance (impact) and likelihood.
Category Likelihood Significance
Low Unlikely risk will occur Probably will not materially
impact the attainment of the
objective if the risk occurs
Medium Somewhat likely risk May impact the attainment of the
will occur objective if the risk occurs
High Likely risk will occur May significantly impact the

attainment of the objective if the
risk occurs
www.iia-p.org
Evaluation Matrix
www.iia-p.org
31
Managing Risk
Once we have clearly identified and assessed the
risks facing our business process, we can decide
how to manage each risk.
• Avoid
• Transfer
• Accept at existing level
• Reduce to acceptable level
www.iia-p.org
Controlling Risk
• Control Environment
• Control Tools
www.iia-p.org
32
Separation of Duties
Initiates Authorizes Records Reconciles Custody
Issues Approves P.O.

Purchase Accounting Budget report Receives goods
Requisition or Invoice
of Goods Department Person C Person A or C
Person A Person B
Opens mail, Bank acct. /

lists checks, budget report &
Cash Makes deposit Accounting and
restrictively deposits to N/A
Receipts Person B Person B
endorses checklist
Person A Person A or C
Approves time
report and Budget report Distributes
Employee’s Accounting review
Payroll payroll data payroll checks
time report Department
changes Person Person B Person B or C
A
www.iia-p.org
Traditional vs. Current Controls

Type of Control Traditional Current View
Directive Procedures, Close Guidelines, Training
supervision
Preventive Approvals System edits
Detective Lengthy activity reports Exception reports, Trend analysis,

Continuous Monitoring
www.iia-p.org
33
Cost-Effective Controls
Excessive Risks Excessive Controls
Loss of assets Increased bureaucracy
Poor business decisions Increased complexity
Noncompliance Increased cycle time
Increased regulations Increase of non-value-added activities
Public scandals Reduced productivity
www.iia-p.org
PART IV – INTERFACE
BETWEEN INTERNAL AND
EXTERNAL AUDIT
www.iia-p.org
34
Coordination between Internal Audit

and External Audit
• The Chief Audit Executive should share information and co-
ordinate activities with other internal and external providers of
assurance and consulting services to ensure proper coverage and
minimize duplication of efforts.
• The external auditors’ performance may be enhanced by:

• considering and leveraging, as appropriate, the knowledge and
findings of an entity’s internal audit function in making risk
assessments in the external audit
• Strengthening the framework for the evaluation and, where
appropriate, use of the work of internal auditors in obtaining
audit evidence
www.iia-p.org
69
Interface Between Internal And

External Audit
The external auditor has sole responsibility for the audit
opinion expressed and that responsibility is not reduced by the
external auditor’s use of the work of the internal audit
function.
www.iia-p.org
70
35
Interface Between Internal And

External Audit
Although Supreme Audit Institutions (such as COA) and internal
auditors have differing and clearly defined roles, their collective
purpose is to promote good governance through contributions
to transparency in and accountability for the use of public
resources, as well as to promote efficient, effective and
economic public administration. Common areas of work
performed by SAIs and internal auditors offer opportunities for
coordination and cooperation. Through SAIs and internal
auditor coordination, the efficiency and effectiveness of both
parties work can be improved.
www.iia-p.org
71
Ways To Promote Effective Cooperation

Between Internal And External Audit
• Holding periodic meetings
• Scheduling of audit work
• Allowing access to each others’ working papers
• External audit’s review of internal audit reports
• Discussion of possible accounting and auditing issues
www.iia-p.org
72
36
Thoughts
The relationship between the two groups of auditors should be
seen as a relationship of equals and that any cost savings
achieved through the use by the external auditors of the
internal auditors’ work to be channeled back into funding the
internal audit activities.
Fostering a positive relationship between the two groups of

auditors is imperative if the organization is to achieve ‘value for
money’ from the total audit effort.
www.iia-p.org
73
Questions
www.iia-p.org
74
37

Understanding IC and COSO 2013

Uploaded by

Copyright:

Available Formats

You might also like

Understanding IC and COSO 2013

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Understanding IC and COSO 2013

Uploaded by

Copyright:

Available Formats

Institute of Internal Auditors Philippines

Centre for Professional Development

Myrna E. Amahan, CPA, CIA, CISA, CGEIT, MPM

Objectives of the Session

• facilitate participant’s understanding of internal controls as well

After the seminar, participants will have a better understanding on

Perspectives, Myths, and Realities on

• effected by an entity’s board of directors, management, and

• designed to provide reasonable assurance regarding the

COSO Definition of Internal Controls

Limitations of Internal Controls

Roles and Responsibilities

PART II – The Updated COSO

New COSO Framework

COSO Framework Context and

Factors Affecting The Need to

COSO IC-IF 2013

More changes noted

The COSO Pyramid

Control Environment and Principles

Control Environment and Principles

Turning Control Environment

1. The organization How does my organization demonstrate a

Implications for Internal Audit

How do I assess whether it has that commitment?

How might it be improved?

Risk Assessment Principles

Control Activities Principles

Turning Risk and Control Principles

Information and Communication

Turning Principles into Positive Actions

Turning Principles into Positive Actions

Hard Controls Soft Controls

COSO Components and Principles

Internal Control Framework Policy

COSO Internal Control

Basis for allocation of

Control Testing and Evaluation

Part III – Impact of Updated COSO

Opportunities for Internal Audit to add value

Research results show that

Moreover, organizations with better

The Revised 2013 COSO Framework is more user-friendly and

To add value, Internal Audit participation is key

Part III – COSO-Based Internal

Definition of Internal Auditing

A COSO-Based Internal Audit Process

A COSO-Based Internal Audit

A COSO-Based Internal Audit

Efficient Cycle Time 1. Lack of qualified candidates

A COSO-Based Internal Audit

1. Lack of 9 (identify changes), 16 (ongoing evaluation), 17 (corrective

4. HR doesn’t 4 (competent individuals), 14 (internal communication)

Design During Normal Activities

The Risk Assessment Thought Process

Control Frameworks and Objectives

Ten Universal Business Risks

Working Inventory of Risks