Internal Control Fundamentals: COSO Framework - PowerPoint PPT Presentation

Provided by: clarkh

Transcript and Presenter's Notes

1
ACG 4671 Internal Auditing
2
  • CHAPTER 5
  • Internal Control

3
Internal Controls
  • Definition and Legal Requirements
  • Internal and External Auditor Responsibilities
  • IC Key Concepts and Fundamentals
  • COSO Framework

4
Definition
  • Internal control is the most important and
    fundamental concept for an Internal Auditor
  • Internal control defined per COSO
  • Processes, effected by an entity's board of
    directors, management, and other personnel,
    designed to provide reasonable assurance
    regarding the achievement of objectives in the
    following categories:
  • Financial reporting reliability
  • Operating efficiency and effectiveness
  • Compliance with applicable laws and standards

5
Definition
  • SOX (2002) requires the CEO and CFO of publicly
    traded companies to opine on
  • The adequate design and effective operation of
    internal control over financial reporting as part
    of the annual filing
  • Report any substantial changes in internal
    control over financial reporting on a quarterly
    basis
  • IC frameworks
  • The SEC does not specify a particular IC
    framework but notes three suitable frameworks
  • COSO Internal Control Framework
  • CICA Guidance on Assessing Control (CoCo)
  • ICAEW Turnbull Report

6
Section 404 Certification
  • Management's Assertions
  • includes the understanding that there is a
    remote likelihood that material misstatements
    will not be prevented or detected on a timely
    basis.
  • Management Representations
  • Declare responsibility for establishing and
    maintaining internal controls over financial
    reporting
  • Identify and disclose framework used to evaluate
    effectiveness of internal control
  • Assess effectiveness of internal controls as of
    the end of the period
  • State that an auditor issued an attestation report
    on management's assessment
  • Actions
  • Document processes and internal controls
    (process/activity, risk, controls,
    responsibility)
  • Management evaluation of effectiveness (audits
    and self-assessments)

7
Section 404 Assessment
  • Compliance with COSO control standards (or other
    accepted standards)
  • Clear documentation of internal controls as well
    as the testing processes
  • Evidence that management evaluated the adequacy
    of the design and the effectiveness of operation
    of the procedures and controls
  • Evidence that the audit committee and/or
    disclosure committee have taken a keen interest
    in the effectiveness of controls

8
Section 404 Assessment
  • Management's assessment must be based on
    procedures sufficient both to evaluate design and
    test operating effectiveness
  • Management must maintain evidential matter,
    including documentation, to provide reasonable
    support for the assessment (both design and
    testing) of effectiveness

9
Auditor Responsibility
  • A control deficiency
  • exists when the design or operation of a
    control does not allow management or employees to
    prevent or detect misstatements on a timely
    basis.
  • A deficiency in design exists when
  • A control necessary to meet the control objective
    is missing, OR
  • An existing control is not properly designed so
    that, even if the control operates as designed,
    the control objective is not always met

10
Auditor Responsibility
  • Control deficiency (cont.)
  • A deficiency in operation exists when
  • a properly designed control does not operate as
    designed, OR
  • when the person performing the control does not
    possess the necessary authority or qualifications
    to perform the control effectively.

11
Auditor Responsibility
  • A significant deficiency
  • is a control deficiency, or combination of
    control deficiencies, that adversely affects the
    company's ability to initiate, authorize, record,
    process, or report external financial data
    reliably in accordance with GAAP such that there
    is more than a remote likelihood that a
    misstatement of the company's annual or interim
    financial statements that is more than
    inconsequential will not be prevented or
    detected.

12
Auditor Responsibility
  • A material weakness
  • a significant deficiency, or combination of
    significant deficiencies, that results in more
    than a remote likelihood that a material
    misstatement of the annual or interim financial
    statements will not be prevented or detected.

13
Fundamentals
  • Internal Controls
  • Protect assets
  • Ensure records are accurate
  • Promote operational efficiency
  • Encourage adherence to policies, rules,
    regulations, and laws.

14
Fundamentals
  • Control Objectives are
  • Desired goals or conditions for a specific event
    cycle or process which, if achieved, minimize the
    potential that waste, loss, unauthorized use or
    misappropriation will occur. 
  • Conditions which we want the system of internal
    control to satisfy.
  • Measurable and observable.
  • Important to the audit process.
  • Typically categorized by a principal business
    process/activity or technology.

15
Fundamentals
  • Control Objectives Example
  • The company only pays bills for goods actually
    ordered and received.
  • Control Activity Example
  • Accounts payable clerks perform a three-way match
    of original purchase orders, goods receipt
    information, and invoices received prior to
    payment to vendors.

16
Fundamentals
  • Control Classifications
  • Directive: designed to give explicit direction
    regarding what actions need to take place to
    cause or encourage a desirable event
  • Preventative: built to prevent an error or
    undetected event from occurring
  • Detective: designed to alert management to
    errors or problems shortly after they occur
  • Corrective: used with detective controls to
    recover from the consequences of undesired events

17
Fundamentals
  • Control Classifications
  • Entity Level: very broadly focused; deal with the
    organizational environment or atmosphere
  • Process Level: more detailed in focus; should
    reduce risk relative to a group or variety of
    operational level activities or transactions
    within an organization
  • Key Controls: a control activity designed to
    reduce risk associated with a critical business
    objective
  • Secondary Controls: designed either to reduce
    risk associated with business objectives that
    are not critical or to serve as a back-up to key
    controls

18
Fundamentals
  • Control Classifications (cont.)
  • Compensating Controls: redundant controls
    designed to supplement key controls that are
    either ineffective or cannot fully mitigate a
    risk or group of risks by themselves
  • Complementary Controls: not directly related to
    the risk they mitigate, and not enough to fully
    mitigate the risk by themselves, but when taken
    together with other control activities that are
    in place, they do contribute to risk reduction.

19
COSO Framework
  • COSO Internal Control Model

20
Control Environment
  • Description
  • Sets the tone of an organization by establishing
    attitude standardization.
  • The foundation for all other components of
    internal control, providing discipline and
    structure.
  • Factors include the integrity, ethical values and
    competence of the corporation's people, and
    management's philosophy and operating style.

21
Control Environment
  • Components
  • Integrity and Ethical Values
  • Tone at the Top, Strong Code of Conduct
  • Board of Directors and Audit Committee
  • Set the Tone at the Top
  • Commitment to Competence
  • Adequate and appropriate skills and training
  • Organizational Structure
  • Reporting relationships
  • Human Resources Policies and Practices
  • Staffing, Training, Evaluation, Disciplinary
    Actions

22
Risk Assessment
  • Description
  • Recall that risk is the possibility of loss;
    risk can be divided into risk (downside) or
    opportunity (upside) and may be internal,
    external or both. Organizations, divisions,
    business units, subsidiaries, etc. must manage
    risk, on an ongoing basis, to achieve
    organizational objectives.

23
Risk Assessment
  • Risk Assessment Process
  • Estimate the significance of the risk
  • Assess the likelihood or frequency of the risk
    occurring
  • Consider how the risk should be managed and
    assess what actions must be taken
  • Types of Risks
  • Organizational risks from external factors
  • Organizational risks from internal factors
  • Specific activity-level risks

24
Control Activities
  • Description
  • The policies and procedures that help ensure that
    management directives are carried out.
  • Help ensure that the necessary actions are taken
    to address risks during the achievement of
    company objectives.
  • Also ensure that control activities occur
    throughout the organization, at all levels and in
    all functions.
  • Include a range of activities as diverse as
    approvals, authorizations, verifications,
    reconciliations, reviews of operating
    performance, security of assets, and segregation
    of duties.

25
Control Activities
  • Policies and procedures to ensure actions
    addressing risks are carried out
  • Types of Control Activities (small subset)
  • Top-level reviews
  • MBO/performance appraisal
  • Direct functional or activity management
  • Supervision
  • Information processing
  • Secure from outsider/insider manipulation
  • Physical controls over assets and records
  • Locks and restricted accesses
  • Adequate documents and records
  • Pre-numbered forms
  • Performance indicators
  • Variance (DMQV)
  • Segregation of duties
  • Initiation, recording, and custody are separate
  • Proper authorization of transactions and
    activities
  • General and specific authorization
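The three-way match from the control activity example (slide 15) and the segregation-of-duties item above (initiation, recording and custody kept separate), worked as code. This is an added example, not material from the slides; the record layouts, the sample orders, invoices and event log, and the rounding tolerance are all constructed for illustration.

```python
"""Added example, not from the slides: the AP three-way match from the slide,
written as a preventive payment control, plus a segregation-of-duties check
(initiation, recording and custody by different people) over a constructed log."""
from collections import namedtuple
from decimal import Decimal

PurchaseOrder = namedtuple("PurchaseOrder", "po_id vendor quantity unit_price")
Invoice = namedtuple("Invoice", "invoice_id po_id vendor quantity amount")
TOLERANCE = Decimal("0.01")  # assumed price-rounding tolerance

def three_way_match(inv, orders, received):
    """Compare an invoice with its purchase order and the goods actually received.
    Returns [] when payment may proceed, else the exceptions the clerk must clear first."""
    po = orders.get(inv.po_id)
    if po is None:  # invoice for something that was never ordered
        return [f"{inv.invoice_id}: no purchase order {inv.po_id}"]
    got = received.get(inv.po_id, 0)
    problems = []
    if inv.vendor != po.vendor:
        problems.append(f"{inv.invoice_id}: vendor differs from PO vendor")
    if inv.quantity > po.quantity:
        problems.append(f"{inv.invoice_id}: billed {inv.quantity} > ordered {po.quantity}")
    if inv.quantity > got:
        problems.append(f"{inv.invoice_id}: billed {inv.quantity} > received {got}")
    if abs(inv.amount - po.unit_price * inv.quantity) > TOLERANCE:
        problems.append(f"{inv.invoice_id}: amount does not equal price x quantity")
    return problems

def segregation_violations(events):
    """Detective control: POs on which one user performed more than one of the
    steps initiate / receive / record. Each event is (po_id, user, step)."""
    steps = {}
    for po_id, user, step in events:
        steps.setdefault((po_id, user), set()).add(step)
    return sorted({po for (po, _), done in steps.items() if len(done) > 1})

# Constructed sample data: PO-1 is partly delivered; dave both orders and receives PO-2.
ORDERS = {"PO-1": PurchaseOrder("PO-1", "Acme", 10, Decimal("5.00"))}
RECEIVED = {"PO-1": 8}
GOOD = Invoice("INV-1", "PO-1", "Acme", 8, Decimal("40.00"))
EARLY = Invoice("INV-2", "PO-1", "Acme", 10, Decimal("50.00"))  # billed before full delivery
NO_PO = Invoice("INV-3", "PO-9", "Acme", 1, Decimal("1.00"))
EVENTS = [("PO-1", "alice", "initiate"), ("PO-1", "bob", "receive"), ("PO-1", "carol", "record"),
          ("PO-2", "dave", "initiate"), ("PO-2", "dave", "receive"), ("PO-2", "erin", "record")]

if __name__ == "__main__":
    for inv in (GOOD, EARLY, NO_PO):
        print(inv.invoice_id, three_way_match(inv, ORDERS, RECEIVED) or "pay")
    print("SoD violations:", segregation_violations(EVENTS))
```

The match blocks the invoice billed ahead of delivery and the one with no purchase order, while the log review surfaces PO-2, where one person both ordered and received the goods.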

26
Information and Communication
  • Description
  • Pertinent information must be identified,
    captured, and communicated in a form and
    timeframe that enables people to carry out their
    responsibilities.
  • Information systems produce reports containing
    financial related information that make it
    possible to control the reliability of financial
    reporting.

27
Information and Communication
  • Information and communication span all levels of
    the organization and facilitate the creation and
    sharing of knowledge and awareness
  • Information can be generated automatically,
    obtained manually, or reside conceptually
  • Information systems can be formal or informal
  • Communication methods vary including bulletin
    boards, mass emails, webcasts, meetings,
    procedural manuals, etc.

28
Monitoring
  • Description
  • Internal control systems need to be monitored.
    This is accomplished through ongoing monitoring
    activities, separate evaluations or a combination
    of the two.
  • Internal control deficiencies should be reported
    upstream, with serious matters reported to top
    management and the board.

29
Monitoring
  • Ongoing Monitoring Activities (examples)
  • Normal management functions
  • External communication
  • Supervisory activities
  • Physical inventories
  • Periodic Internal Control Evaluations
  • Self-assessments
  • Benchmarking
  • Reporting Internal Control Deficiencies
  • Individual responsible for function
  • Individual in position to correct AND
  • One level of management above responsible
    individual

30
Fundamentals
  • Why don't Internal Controls always work?
  • Inadequate knowledge of policies and procedures
    by employees.
  • Lack of segregation of duties due to trust in
    employees.
  • Inappropriate access to assets.
  • Form over substance.
  • Control override.
  • Inherent limitations.