Understanding IC and COSO 2013
UNDERSTANDING
INTERNAL CONTROL AND
COSO 2013
www.iia-p.org
Institute of Internal Auditors Philippines
Centre for Professional Development
PART 1 – INTERNAL
CONTROLS
Internal Control
• is a process
Control Categories
• Preventive
• Detective
• Directive
• Mitigating or Compensating
Preventive Controls
• Preventive controls are “built into, not onto” the system.
• In a redesigned process, controls that require an employee to expend time and effort are generally viewed as “non-value added.”
Detective Controls
• Detective controls are “deferred” to the end of the process or at some key point in the process.
• In longer and more complex processes, there will be controls at key points in the process.
• In high-volume, small-item processing systems, a reasonable level of control can often be achieved without time-consuming processing controls.
Control Tools
• A control-conscious environment
• Policies, procedures, standards
• Separation of incompatible duties
• Authorization/approval
• Physical and data security
• Monitoring
COSO Framework
The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) is a joint initiative of the
five private sector organizations listed below and is
dedicated to providing thought leadership through the
development of frameworks and guidance on enterprise
risk management, internal control and fraud
deterrence.
COSO:
COSO Internal Control Integrated Framework
(1992)
[Timeline figure: 1992, 2013, 2014; “Transition period*”]
2013: Launching of the updated COSO’s Internal Control – Integrated Framework (May 14)
Monitoring Activities
Principles
16. The organization selects, develops, and performs ongoing
and/or separate evaluations to ascertain whether the
components of internal control are present and
functioning.
17. The organization evaluates and communicates internal
control deficiencies in a timely manner to those parties
responsible for taking corrective action, including senior
management and the board of directors, as appropriate.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
You should be evaluating a) what constitutes deficiencies, b) the parties responsible for taking corrective action, and c) whether there is evidence that the corrective action was taken in a timely manner.
Soft Controls
Soft and Strong: A Best-practice Paradox
“The corporate culture is the most powerful control in any
organization.”
—Jim Roth, author of Best Practices: Evaluating the Corporate
Culture
Formal | Informal
Objective | Subjective or Intangible
Measurable | Enablers or Root Causes
Framework used to manage risk and control to accomplish objectives.
Organizational structure to execute risk and control duties.
COSO Components
Elements of Control
• Integration: Internal control is an integrated concept that
encompasses COSO’s 5 framework components
• Judgment: Judgment on the presence and functioning of
internal control is required, as is judgment on all 17
principles as they relate to the 5 components
• Control Testing and Evaluation: Evaluation and testing of
internal controls starts with objectives and risks, not with
controls
Integration
All five components are important and necessary in achieving
an organization’s objective. For example, the control activities
would not be sufficient if the organization did not articulate
and communicate policies, monitor activities, and require
meaningful reports. Overall control effectiveness is dependent
on the components working together as a whole.
Judgment
The need for judgment when assessing control effectiveness is
emphasized throughout the document. Before, the need for
judgment was implicit; now, it is required. The framework’s
points of focus provide additional guidance to help address the
issue of judgment as it relates to each of the framework’s 17
principles.
- perform better
- reduce uncertainty about earnings
- enjoy higher stock prices
Design Skills
Internal auditors need control design skills when they:
• Perform internal consulting reviews.
• Participate in systems development projects.
• Are asked for advice about control issues.
• Help management in any other way to build the right
controls into a system or process.
Defining Objectives
• The risk assessment thought process begins with clearly
defined business objectives.
• An objective is a statement of a desired end result.
• Statements that describe specific actions, such as record,
review, verify, and reconcile, usually refer to controls.
• Objective statements usually begin with more general words
like minimize, improve, safeguard, and ensure.
Risk
Definition of Risk
• The possibility of an event occurring that will have an impact
on the achievement of objectives. Risk is measured in terms
of impact and likelihood.
Risk Identification
• For each objective, ask common sense questions.
[Figure labels: Competitor; Technology; Regulatory; Financial; Shareholder; Operating; Environmental; Vendor/Supplier; Human Resources; Political; Acquisition; Financial/Regulatory/Management; Publicity; Strategic; Capacity; Physical disaster; Capital availability; Cyber intrusion]
Assessing Risk
Once we have clearly identified the risks in a business process,
we need to assess them. Risk is measured in terms of
significance (impact) and likelihood.
Category | Likelihood | Significance
Low | Unlikely risk will occur | Probably will not materially impact the attainment of the objective if the risk occurs
Medium | Somewhat likely risk will occur | May impact the attainment of the objective if the risk occurs
Evaluation Matrix
Managing Risk
Once we have clearly identified and assessed the
risks facing our business process, we can decide
how to manage each risk.
• Avoid
• Transfer
• Accept at existing level
• Reduce to acceptable level
Controlling Risk
• Control Environment
• Control Tools
Separation of Duties
Initiates | Authorizes | Records | Reconciles | Custody
[Table cells, flattened in extraction: Employee’s time report; Approves time report and payroll data changes; Payroll; Accounting Department; Budget report review; Distributes payroll checks; Person A; Person B; Person B or C]
Cost-Effective Controls
Excessive Risks Excessive Controls
PART IV – INTERFACE
BETWEEN INTERNAL AND
EXTERNAL AUDIT
Thoughts
The relationship between the two groups of auditors should be
seen as a relationship of equals, and any cost savings
achieved through the external auditors’ use of the
internal auditors’ work should be channeled back into funding the
internal audit activities.
Questions