COSO (1992/1994) Internal Control Framework
(Developed by Brian Shapiro, modified by Joe Komar)
Five Components of Internal Control
- Control environment: tone at the top
- Risk assessment: identification and analysis of risks
- Control activities: policies and procedures
- Information and communication: timely processing and communication of information to enable people to do their jobs
- Monitoring: assess the quality of internal controls over time, and take remedial action if necessary
Risk Assessment
- Identification and analysis of relevant risks to achievement of the entity's objectives (operating, financial reporting, legal compliance)
- Provides a basis for managing risks
- Mechanisms are needed to identify and address special risks associated with change (e.g., in economic, industry, regulatory, and operating conditions)
Risk Assessment: Objective Setting
- Objective setting is a precondition of risk assessment
- A hierarchy of linked and integrated objectives
  - Top level: the entity's broad mission and value statements
  - Lower levels: pertain to activities
Risk Assessment: Linkages Among Objectives
- Entity-wide objectives must be
  - consistent with the entity's capabilities and the objectives of its business units and functions
  - linked to sub-objectives
- Objectives must be prioritized
- Objectives that are critical for achieving entity-wide objectives should be identified and closely monitored
Risk Assessment: Achievement of Objectives
- An effective internal control system provides reasonable assurance that the entity's financial reporting and compliance objectives are achieved
- But operations objectives lack external standards and are influenced by factors outside the entity's control
- Nevertheless, identification of key success factors and timely reporting can provide reasonable assurance that management will be alerted when operations objectives are at risk of not being achieved
Risk Assessment: Operations Objectives
- Effectiveness and efficiency of operations: performance and profitability goals
- Safeguarding resources against loss
- Vary based on management's choices about structure and performance
Risk Assessment: Financial Reporting Objectives
- Appropriate accounting principles and disclosures
- Management's assertions
  - Existence or occurrence
  - Completeness
  - Rights and obligations
  - Valuation or allocation
  - Presentation and disclosure
Risk Assessment: Compliance Objectives
- These will vary depending on the applicable laws and regulations
- Examples include special regulations and requirements relating to markets, pricing, taxes, the environment, employee welfare, and international trade
- Compliance can affect the entity's reputation in the community
Risk Assessment: Enterprise Risk Management
- In the next section we will more thoroughly discuss COSO's (2004) Enterprise Risk Management Framework
Control Activities
- Policies and procedures for achieving the entity's objectives
  - Policies establish what should be done
  - Procedures implement the policy
- Include approvals, authorizations, verifications, reconciliations, reviews of operating performance, safeguarding of resources, and segregation of duties
- Integrated with management's risk assessments
Types of Control Activities
- Top-Level Reviews
  - Actual performance vs. budgets, forecasts, prior periods, and competitors
  - Tracking of major initiatives to measure the extent to which they are achieved
  - Management analyzes and follows up on the reports it receives
Types of Control Activities
- Direct Functional or Activity Management
  - Managers receive the necessary performance and other reports to effectively and efficiently run their activities
- Information Processing
  - Approvals, edit checks, numerical sequences accounted for, comparisons, reconciliations, adequate documentation
Types of Control Activities
- Physical Controls
  - For equipment, inventories, securities, cash, and other assets
  - Periodically counted and compared with accounting records
Types of Control Activities
- Performance Indicators
  - Can relate to operational, financial reporting, and/or compliance objectives
  - Management must receive appropriate reports to enable them to investigate problems and take corrective action
- Segregation of Duties
  - Authorization, asset custody, and record keeping
  - Segregation of information systems duties
Control Activities: Controls over Information Systems
- General controls
  - Data center operations controls, systems software controls, access security controls, application system development and maintenance controls
- Application controls
  - Control information processing to ensure completeness, accuracy, authorization, and validity
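The information-processing controls listed under Types of Control Activities (approvals, edit checks, numerical sequences accounted for, reconciliations) and the four application-control objectives above (completeness, accuracy, authorization, validity) are easiest to see as checks run over a batch of records. The following is an added example written for this page, not code from the slides or from COSO; the record layout, field names, vendor-id format, approval threshold and approver list are all assumptions, and the batch itself is constructed with deliberate defects so each control fires at least once.

```python
"""Application controls over a constructed batch of payment records.

Added illustrative example; not part of the original slides or of COSO.
Record format, field names, APPROVAL_THRESHOLD and AUTHORIZED_APPROVERS are
assumptions chosen for the demonstration.
"""
import re
from collections import Counter, defaultdict

APPROVAL_THRESHOLD = 10_000.00               # assumed policy: amounts at or above this need approval
AUTHORIZED_APPROVERS = {"cfo", "controller"}  # assumed list of roles allowed to approve
VENDOR_ID = re.compile(r"^V-\d{4}$")          # assumed vendor-id format for the edit check

# Constructed sample batch. Sequence numbers are meant to be contiguous (1001..1006).
SAMPLE_BATCH = [
    {"seq": 1001, "vendor": "V-0042", "amount": "1250.00",  "preparer": "alice", "approver": ""},
    {"seq": 1002, "vendor": "V-0042", "amount": "1250.00",  "preparer": "alice", "approver": ""},       # same vendor/amount again
    {"seq": 1004, "vendor": "V-0108", "amount": "25000.00", "preparer": "bob",   "approver": "bob"},    # 1003 missing; self-approved
    {"seq": 1005, "vendor": "V0108",  "amount": "-40.00",   "preparer": "carol", "approver": ""},       # bad vendor id, negative amount
    {"seq": 1006, "vendor": "V-0200", "amount": "50000.00", "preparer": "dave",  "approver": "intern"}, # approver not authorized
]


def parse_amount(text):
    """Return the amount as a float, or None when it is not a well-formed number."""
    try:
        return float(text)
    except (TypeError, ValueError):
        return None


def completeness_exceptions(batch):
    """Completeness: every sequence number from min to max must appear exactly once."""
    seqs = [r["seq"] for r in batch]
    counts = Counter(seqs)
    missing = [s for s in range(min(seqs), max(seqs) + 1) if s not in counts]
    duplicated = sorted(s for s, n in counts.items() if n > 1)
    return {"missing": missing, "duplicated": duplicated}


def accuracy_exceptions(batch):
    """Accuracy: edit checks on field format and on the amount being a positive number."""
    issues = []
    for r in batch:
        if not VENDOR_ID.match(r["vendor"]):
            issues.append((r["seq"], "vendor id format"))
        amt = parse_amount(r["amount"])
        if amt is None or amt <= 0:
            issues.append((r["seq"], "amount not a positive number"))
    return issues


def authorization_exceptions(batch):
    """Authorization: large amounts need an authorized approver who is not the preparer
    (the segregation-of-duties check from the Control Activities slides)."""
    issues = []
    for r in batch:
        amt = parse_amount(r["amount"])
        if amt is None or amt < APPROVAL_THRESHOLD:
            continue
        if r["approver"] not in AUTHORIZED_APPROVERS:
            issues.append((r["seq"], "approval missing or approver not authorized"))
        if r["approver"] == r["preparer"]:
            issues.append((r["seq"], "preparer approved own record"))
    return issues


def validity_exceptions(batch):
    """Validity: the same vendor/amount pair appearing more than once suggests a duplicate payment."""
    groups = defaultdict(list)
    for r in batch:
        groups[(r["vendor"], r["amount"])].append(r["seq"])
    return [seqs for seqs in groups.values() if len(seqs) > 1]


def run_controls(batch):
    """Run all four application controls and return the exceptions per objective."""
    return {
        "completeness": completeness_exceptions(batch),
        "accuracy": accuracy_exceptions(batch),
        "authorization": authorization_exceptions(batch),
        "validity": validity_exceptions(batch),
    }


if __name__ == "__main__":
    for objective, result in run_controls(SAMPLE_BATCH).items():
        print(f"{objective}: {result}")
```

Each function returns its exceptions rather than only printing them so the output can feed the upstream reporting the Monitoring slides call for; in practice the exceptions would be reviewed by someone other than the preparers, which is the same segregation-of-duties principle applied to the control itself.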
Information and Communication
- Relevant information must be identified, captured, and communicated in a timely manner to enable the entity's people to carry out their responsibilities
- Communication must occur down, up, and across the organization
- The entity also must communicate effectively with external parties (e.g., customers, suppliers of goods and services, regulators, stock analysts, and capital suppliers)
Information and Communication
- Information from internal and external sources, both financial and nonfinancial, is relevant to all objectives (operations, financial reporting, and compliance)
- Integrated information systems encompass not only purely financial systems (e.g., inventory reporting) but also operations (e.g., all phases of a manufacturing entity's production)
Information and Communication
- All personnel must receive a clear message from top management that they are expected to take their control responsibilities seriously
- Specific duties must be made clear
- People need to know how their activities relate to the work of others
Monitoring
- Monitoring is a process that assesses the quality of a system's performance over time
- Monitoring can be ongoing, involve separate evaluations, or both
- Scope and frequency of separate evaluations depend on risk assessments and the effectiveness of the ongoing monitoring
- SOX Section 404 and the related SEC and PCAOB rules require annual testing, evaluation, and remediation
Monitoring
- The internal control system itself may be the best source of information on control deficiencies
- Internal control deficiencies must be reported upstream, with serious matters reported to top management, the audit committee, and the board of directors
Ongoing Monitoring
- Integration of operating and financial reports can give operations managers a basis to identify significant exceptions and resolve them on a timely basis
- External parties can corroborate or challenge the system's quality (e.g., customer payments and complaints about billing procedures)
- Supervisory activities
- Segregation of duties
- Reconciliations
- Input from internal and external auditors
- Meetings and periodic feedback from managers and other personnel
Monitoring: Separate Evaluations
- Normally performed by internal auditors
- Evaluators must understand how the system is designed and determine how it actually works
- Evaluation methods in this course
  - Organization charts
  - Data flow diagrams
  - Systems flowcharts
  - Control matrices
WorldCom, Inc.
- How did WorldCom's control environment and governance mechanisms enable its executives to perpetrate the massive accounting fraud?
- What steps would you propose to improve WorldCom's control environment?
- What documentation requirements would you propose to prevent CEOs such as Bernie Ebbers from adopting the "I didn't know" or "It wasn't my job to know" legal defense when confronted with wrongdoing at their firms?
- Who was harmed by WorldCom's fraud?