COSO (1992/1994) Internal Control Framework, developed by Brian Shapiro, modified by Joe Komar - PowerPoint PPT Presentation
1
COSO (1992/1994) Internal Control Framework
(Developed by Brian Shapiro, modified by Joe Komar)
  • Continued

2
Five Components of Internal Control
  • Control environment: tone at the top
  • Risk assessment: identification and analysis
  • Control activities: policies and procedures
  • Information and communication: timely processing
    and communication of information to enable people
    to do their jobs
  • Monitoring: assess the quality of internal
    controls over time, and take remedial action if
    necessary

3
Risk Assessment
  • Identification and analysis of relevant risks to
    achievement of the entity's objectives
    (operating, financial reporting, legal
    compliance)
  • Provides a basis for managing risks
  • Mechanisms are needed to identify and address
    special risks associated with change (e.g., in
    economic, industry, regulatory, and operating
    conditions)

4
Risk Assessment: Objective Setting
  • Objective setting is a precondition of risk
    assessment
  • A hierarchy of linked and integrated objectives
  • Top level: entity's broad mission and value
    statements
  • Lower levels: pertain to activities

5
Risk Assessment: Linkages Among Objectives
  • Entity-wide objectives must be
      • consistent with the entity's capabilities and
        the objectives of its business units and
        functions
      • linked to their sub-objectives
  • Objectives must be prioritized
  • Objectives that are critical for achieving
    entity-wide objectives should be identified and
    closely monitored

6
Risk Assessment: Achievement of Objectives
  • An effective internal control system provides
    reasonable assurance that the entity's financial
    reporting and compliance objectives are achieved
  • But operations objectives lack external standards
    and are influenced by factors outside the
    entity's control
  • Nevertheless, identification of key success
    factors and timely reporting can provide
    reasonable assurance that management will be
    alerted when operations objectives are at risk of
    not being achieved

7
Risk Assessment: Operations Objectives
  • Effectiveness and efficiency of operations:
    performance and profitability goals
  • Safeguarding resources against loss
  • Vary based on management's choices about
    structure and performance

8
Risk Assessment: Financial Reporting Objectives
  • Appropriate accounting principles and disclosures
  • Management's assertions
      • Existence or occurrence
      • Completeness
      • Rights and obligations
      • Valuation or allocation
      • Presentation and disclosure

9
Risk Assessment: Compliance Objectives
  • These will vary depending on the applicable laws
    and regulations
  • Examples include special regulations and
    requirements relating to markets, pricing, taxes,
    the environment, employee welfare, and
    international trade
  • Compliance can affect the entity's reputation in
    the community

10
Risk Assessment: Enterprise Risk Management
  • In the next section we will more thoroughly
    discuss COSO's (2004) Enterprise Risk Management
    Framework

11
Control Activities
  • Policies and procedures for achieving the
    entity's objectives
  • Policies establish what should be done
  • Procedures implement the policy
  • Include approvals, authorizations, verifications,
    reconciliations, reviews of operating
    performance, safeguarding of resources, and
    segregation of duties
  • Integrated with management's risk assessments

12
Types of Control Activities
  • Top-level reviews
      • Actual performance vs. budgets, forecasts,
        prior periods, and competitors
      • Tracking of major initiatives to measure the
        extent to which they are achieved
      • Management analyzes and follows up on the
        reports it receives

13
Types of Control Activities
  • Direct functional or activity management
      • Managers receive the necessary performance and
        other reports to effectively and efficiently
        run their activities
  • Information processing
      • Approvals, edit checks, numerical sequences
        accounted for, comparisons, reconciliations,
        adequate documentation

14
Types of Control Activities
  • Physical controls
      • For equipment, inventories, securities, cash,
        and other assets
      • Periodically counted and compared with
        accounting records

15
Types of Control Activities
  • Performance indicators
      • Can relate to operational, financial
        reporting, and/or compliance objectives
      • Management must receive appropriate reports to
        enable them to investigate problems and take
        corrective action
  • Segregation of duties
      • Authorization, asset custody, and record
        keeping
      • Segregation of information systems duties

16
Control Activities: Controls over Information Systems
  • General controls
      • Data center operations controls, systems
        software controls, access security controls,
        application system development and
        maintenance controls
  • Application controls
      • Control information processing to ensure
        completeness, accuracy, authorization, and
        validity

17
Information and Communication
  • Relevant information must be identified,
    captured, and communicated in a timely manner to
    enable the entity's people to carry out their
    responsibilities
  • Communication must occur down, up, and across the
    organization
  • The entity also must communicate effectively with
    external parties (e.g., customers, suppliers of
    goods and services, regulators, stock analysts,
    and capital suppliers)

18
Information and Communication
  • Information from internal and external sources,
    both financial and nonfinancial, is relevant to
    all objectives (operations, financial reporting,
    and compliance)
  • Integrated information systems encompass not only
    purely financial systems (e.g., inventory
    reporting) but also operations (e.g., all phases
    of a manufacturing entity's production)

19
Information and Communication
  • All personnel must receive a clear message from
    top management that they are expected to take
    their control responsibilities seriously
  • Specific duties must be made clear
  • People need to know how their activities relate
    to the work of others

20
Monitoring
  • Monitoring is a process that assesses the quality
    of a system's performance over time
  • Monitoring can be ongoing, involve separate
    evaluations, or both
  • Scope and frequency of separate evaluations
    depend on risk assessments and the effectiveness
    of the ongoing monitoring
  • SOX Section 404 and the related SEC and PCAOB
    rules require annual testing, evaluation, and
    remediation

21
Monitoring
  • The internal control system itself may be the
    best source of information on control
    deficiencies
  • Internal control deficiencies must be reported
    upstream, with serious matters reported to top
    management, the audit committee, and the board of
    directors

22
Ongoing Monitoring
  • Integration of operating and financial reports
    can give operations managers a basis to identify
    significant exceptions and resolve them on a
    timely basis.
  • External parties can corroborate or challenge the
    system's quality (e.g., customer payments and
    complaints about billing procedures)
  • Supervisory activities
  • Segregation of duties
  • Reconciliations
  • Input from internal and external auditors
  • Meetings and periodic feedback from managers and
    other personnel

23
Monitoring: Separate Evaluations
  • Normally performed by internal auditors
  • Evaluators must understand how the system is
    designed and determine how it actually works
  • Evaluation methods in this course
      • Organization charts
      • Data flow diagrams
      • Systems flowcharts
      • Control matrices

24
WorldCom, Inc.
  • How did WorldCom's control environment and
    governance mechanisms enable its executives to
    perpetrate the massive accounting fraud?
  • What steps would you propose to improve
    WorldCom's control environment?
  • What documentation requirements would you propose
    to prevent CEOs such as Bernie Ebbers from
    adopting the "I didn't know" or "It wasn't my job
    to know" legal defense when confronted with
    wrongdoing at their firms?
  • Who was harmed by WorldCom's fraud?