Approaches for Optimizing Your ICFR in the Context of the New COSO 2014 v5 - 2014 - SAV ASSOCIATES - PowerPoint PPT Presentation

About This Presentation
Description:

Enterprise-Wide Internal Controls Integration With Specific Reference To COSO Framework Selection, Development And Integration Of Control Activities To Mitigate Risk

Slides: 57
Provided by: savassociates
Tags: business | coso | finance

Transcript and Presenter's Notes

1
Enterprise-Wide Internal Controls
Integration with specific reference to COSO
Framework Selection, Development and Integration
of Control Activities to Mitigate Risk
  • Sanjay Chadha
  • CPA, CA, LPA, CIA, CISA, CFE
  • SAV Associates
  • Chartered Professional Accountants
  • 3M 4773 Yonge Street, Toronto

2
Agenda
  • COSO 2013 Internal Controls - Integrated
    Framework - Overview
  • COSO Framework 2013 Internal Controls over
    External Financial Reporting
  • Enterprise Risk Management Integrated Framework
  • Understanding business objectives and risks, and
    ensuring Audit's and Controls' alignment with
    them
  • Selection, Development and Deployment of Control
    Activities
  • Tools and templates for assessing effectiveness
    of a system of internal controls
  • Considerations and Next Steps

3
COSO 2013 Internal Controls - Integrated
Framework - Overview
4
COSO Integrated Framework - What has Changed
  • COSO's new integrated framework was first
    introduced in May 2013. The five components of the
    original internal control framework remain
    relatively unchanged: Control Environment, Risk
    Assessment, Control Activities, Information and
    Communication, and Monitoring.
  • Summary of changes to the COSO Internal Controls
    Integrated Framework (1992):
  • Applies a principles-based approach
  • Clarifies requirements for effective internal
    controls
  • Expands the reporting category of objectives
  • Clarifies the role of objective-setting in
    internal controls
  • Considers globalization of markets and operations
  • Enhances governance concepts
  • Considers different business models and
    organization structures
  • Considers demands and complexities in laws,
    rules, regulations and standards
  • Considers expectations for competencies and
    accountabilities
  • Reflects the increased relevance of technology
  • Enhances consideration of anti-fraud
    expectations
  • COSO Cube - Changes and Rationale
  • COSO Component Order - Emphasizes the importance
    of the tone at the top through a strong control
    environment.
  • Reporting - Removal of "financial" from the header
    to broaden the application of the framework to
    include internal and external reporting as well
    as reporting of non-financial measures.
  • Organization Structure - Highlights the need for
    internal controls to permeate all
    functional levels of the organization in order to be
    effective.
  • In addition, the new framework codified 17
    principles that support the 5 components of
    internal controls, to increase management's
    understanding of what is required for them to be
    effective. Within the 17 principles, the
    framework expanded its guidance on areas such as
  • Corporate Governance and Oversight (i.e.
    governance expectations from the Board and its
    committees)

[Figure: COSO cube, Then vs. Now]
5
COSO Integrated Framework 2013 - Update considers
changes in business and operating environments
Not limited to FINANCIAL
Environment changes that have driven Framework updates:
  • Expectations for governance oversight
  • Globalization of markets and operations
  • Changes and greater complexity in business
  • Demands and complexities in laws, rules, regulations, and standards
  • Expectations for competencies and accountabilities
  • Use of, and reliance on, evolving technologies
  • Expectations relating to preventing and detecting fraud

[Figure: COSO Cube (2013 Edition), showing Objectives and Components.
Component descriptions shown on the cube:]
  • Risk Assessment - The evaluation of internal and external factors
    that impact an organization's performance and objectives
  • Control Environment - The control conscience of an organization. The
    tone at the top
  • Control Activities - The policies and procedures that help ensure that
    actions identified to manage risk are executed and timely
  • Monitoring - The process to determine whether internal control
    is adequately designed, executed, effective and adaptive
  • Information and Communication - The process which ensures that relevant
    information is identified and communicated in a timely manner
6
COSO Integrated Framework 2013 - Transition
Impact
  • Framework transition timelines
  • Updated Framework will supersede original
    Framework at the end of the transition period
    (i.e., December 15, 2014)
  • Users are encouraged to transition applications
    and related documentation to the updated
    Framework as soon as feasible.
  • During the transition period, external reporting
    should disclose whether the original or updated
    version of the Framework was used
  • The principles-based approach provides
    flexibility in applying the Framework to
    multiple, overlapping objectives across the
    entity
  • Easier to see what is covered and what is missing
  • Focus on principles may reduce the likelihood of
    considering something that's irrelevant
  • Potential benefits
  • Understanding the importance of specifying
    suitable objectives may focus management's
    attention on those risks and controls most
    important to achieving these objectives.
  • Focusing on areas of risk that exceed acceptance
    levels or need to be managed across the entity
    may reduce efforts spent mitigating risks in
    areas of lesser significance.
  • Coordinating efforts for identifying and
    assessing risks across multiple, overlapping
    objectives may reduce the number of discrete
    risks assessed and mitigated.
  • Selecting, developing, and deploying controls to
    effect multiple principles may also reduce the
    number of discrete, layered-on controls.
  • Applying an integrated approach to internal
    control - encompassing operations, reporting, and
    compliance may lessen complexity.
  • In assessing severity of internal control
    deficiencies, use only the relevant
    classification criteria as set out in the
    Framework or by regulators, standard-setting
    bodies, and other relevant third parties, as
    appropriate.

7
Impact and the Opportunities
  • Impact
  • Impact of adopting the updated Framework will
    vary by organization
  • Does your system of internal control need to
    address changes in business?
  • Does your system of internal control need to be
    updated to address all principles?
  • Does your organization apply and interpret the
    original framework in the same manner as COSO?
  • Is your organization considering new
    opportunities to apply internal control to cover
    additional objectives?
  • Opportunities
  • COSO 2013 provides a great opportunity for
    organizations to create value by refreshing the
    Internal Controls System.
  • COSO 2013, among other changes, highlights the
    consideration of fraud, strong corporate
    governance, technology, third-party outsourcing
    contracts and cloud computing. Using this
    opportunity, organizations can revisit these
    critical areas to strengthen the Internal
    Controls and improve operations, compliance and
    reporting.

8
COSO Publications
Project deliverable 1 - Internal
Control-Integrated Framework (2013 Edition)
  • Consists of three volumes
  • Executive Summary
  • Framework and Appendices
  • Illustrative Tools for Assessing Effectiveness of
    a System of Internal Control
  • Sets out
  • Definition of internal control
  • Categories of objectives
  • Components and principles of internal control
  • Requirements for effectiveness

Project deliverable 2 - Internal Control over
External Financial Reporting: A Compendium....
  • Illustrates approaches and examples of how
    principles are applied in preparing financial
    statements
  • Considers changes in business and operating
    environments during the past two decades
  • Provides examples from a variety of entities:
    public, private, not-for-profit, and government
  • Aligns with the updated Framework

You can purchase the books from
http://www.coso.org/IC.htm or the bookstores of the IIA
and AICPA
Note - These documents have been extensively used
to prepare this presentation
9
COSO Integrated Framework Objectives
The Framework sets forth three categories of
objectives, which allow organizations to focus on
separate aspects of internal control
10
COSO Integrated Framework Components and
Principles
Control Environment
  1. Demonstrates commitment to integrity and ethical
     values
  2. Exercises oversight responsibility
  3. Establishes structure, authority and
     responsibility
  4. Demonstrates commitment to competence
  5. Enforces accountability

Risk Assessment
  6. Specifies suitable objectives
  7. Identifies and analyzes risk
  8. Assesses fraud risk
  9. Identifies and analyzes significant change

Control Activities
  10. Selects and develops control activities
  11. Selects and develops general controls over
      technology
  12. Deploys through policies and procedures

Information and Communication
  13. Uses relevant information
  14. Communicates internally
  15. Communicates externally

Monitoring Activities
  16. Conducts ongoing and/or separate evaluations
  17. Evaluates and communicates deficiencies
11
Effective Internal Control - Requirements
Clarified
  • Effective internal control provides reasonable
    assurance regarding the achievement of
    objectives and requires that
  • Each of the five components of internal control
    and relevant principles are present and
    functioning
  • The five components are operating together in an
    integrated manner
  • Each principle is suitable to all entities; all
    principles are presumed relevant except in rare
    situations where management determines that a
    principle is not relevant to a component (e.g.,
    governance, technology). Principles are
    fundamental concepts associated with components,
    and the Framework implies a rebuttable
    presumption that the seventeen principles are
    relevant and therefore apply to all entities. If
    management decides that a principle is not
    relevant, management must support that
    determination, including the rationale for how, in
    the absence of that principle, the associated
    component could be present and functioning. When
    a relevant principle is deemed not to be present
    and functioning, a material weakness exists in
    the system of internal control.
  • Components operate together when all components
    are present and functioning and internal control
    deficiencies aggregated across components do not
    result in one or more major deficiencies -
    Evaluating whether each component of internal
    control is present and functioning and whether
    the components are operating together requires
    judgment. However, when a component is deemed not
    to be present and functioning, or when components
    do not operate together, a material weakness
    exists.
  • A major deficiency represents an internal control
    deficiency, or combination thereof, that severely
    reduces the likelihood that an entity can achieve
    its objectives. Management considers controls in
    conjunction with its assessment of components and
    relevant principles. Absence of, or ineffective
    operation of, one or more controls associated with
    principles and components may represent a
    potential internal control deficiency. Judgment
    is required in assessing the potential impact of
    a deficiency on the presence and functioning of a
    relevant principle, whether alternative controls
    exist that compensate for the identified
    deficiency, and its overall impact on the system
    of internal control.

12
COSO Integrated Framework Additional
Considerations
  • Judgement - The Framework requires judgement in
    designing, implementing and conducting internal
    control and assessing its effectiveness. For
    example, in preparing financial statements,
    management exercises judgement in complying with
    external financial reporting requirements.
  • Points of Focus - In addition to the principles,
    the framework introduced 81 points of focus. The
    points of focus are typically important
    characteristics of principles that can be used to
    facilitate designing, implementing, and
    conducting internal controls. These are items
    management can consider to determine if the
    principles are present and functioning. The 2013
    Framework is explicit that management is not
    required to separately evaluate whether each of
    the points of focus is in place to determine if
    the principles are present and functioning.
  • Organizational Boundaries - Many organizations
    choose to shift some business processes and
    activities to outside service providers. The
    dependence on outsourced service providers
    changes the risks of business activities,
    increases the importance of the quality of
    information and communication from outside the
    organization, and creates greater challenges in
    overseeing its activities and related controls.
    While others can execute business processes,
    management retains responsibility for the system
    of internal controls.
  • Technology - Technology innovation creates both
    opportunities and risks. It can enable the
    development of new business markets and models,
    generate efficiencies through automation, and
    enable entities to do things that were previously
    hard to imagine. It may also increase complexity,
    which makes identifying and managing risks more
    difficult. Technology may help organizations to
    design, implement and conduct internal control,
    considering the availability of information and
    automated procedures, but the same principles
    remain suitable and relevant.
  • Larger versus Smaller Entities - The principles
    underlying components are just as applicable for
    smaller entities as larger ones. However,
    implementation approaches may vary for smaller
    entities.

13
COSO Framework 2013 Consideration for Internal
Controls over External Financial Reporting
14
Relationship within Reporting Category of
Objective
The overall relationship between the four
sub-categories of reporting objectives is
depicted in the graphic below.
15
Consideration for external financial reporting
  • Financial Statements for External Purposes
  • Financial statements for external purposes are
    prepared in accordance with applicable accounting
    standards, rules and regulations. These financial
    statements include annual and interim financial
    statements, condensed financial statements, and
    selected financial information derived from such
    statements. These statements may, for instance,
    be publicly filed with a regulator, distributed
    through annual meetings, posted to an entity's
    website, or distributed through other electronic
    media.
  • Another form of financial statements prepared for
    external purposes may be financial reports
    prepared in accordance with another comprehensive
    basis of accounting, such as those required by taxing
    authorities, regulatory agencies, or requirements
    established through contracts and agreements.
    These financial reports are typically distributed
    to specified external users (e.g., reporting to a
    bank on financial covenants established in a loan
    agreement, to a taxing authority in connection
    with filing tax returns, or reporting financial
    information to an energy regulatory commission).

Other External Financial Reporting - Other
external financial reporting derived from an
entity's financial and management accounting
books and records, rather than from financial
statements for external purposes, may include
earnings releases, selected financial information
posted to an entity's website, and selected
amounts reported in regulatory filings. External
financial reporting objectives relating to such
other financial information may not be driven
directly by standard setters and regulators, but
are typically expected by stakeholders to align
with such standards and regulations.
16
Consideration for external financial reporting
  • Documentation - Two levels of documentation
    requirements should be considered for financial
    and non-financial statements for external
    purposes.
  • In cases where management asserts to regulators,
    shareholders, or other third parties on the
    design and operating effectiveness of its overall
    system of internal control, management has a
    higher degree of responsibility. Typically this
    will require documentation to support the
    assertion that all components of internal control
    are in place and functioning. The nature and
    extent of the documentation may be influenced by
    the entity's regulatory requirements. This does
    not necessarily mean that all documentation will
    or should be more formal, but that sufficient
    evidence that the components of internal control
    are present and operating together is available
    and suitable to satisfy the entity's objectives.
  • In cases where an external auditor attests to
    the effectiveness of the overall system of
    internal control, management will likely be
    expected to provide the auditor with support for
    its assertion on the effectiveness of internal
    control. That support would include evidence that
    the system of internal control is properly
    designed and operating effectively. In
    considering the nature and extent of
    documentation needed, management should also
    remember that the documentation to support the
    assertion will likely be used by the external
    auditor as part of his or her audit evidence.
    Management may also document significant
    judgments, how such decisions were considered,
    and the final decisions reached.

17
Suitable objectives of financial statements for
external purposes
18
Risks to achieving suitable objectives
  • Risk of Material Omission or Misstatement
  • Risk of Material Omission or Misstatement due to
    Fraud
  • Fraudulent External Financial Reporting
  • Misappropriation of assets
  • Management Override
  • Risk of Material Omission or Misstatement due to
    Illegal Acts and corruption
  • Risk Response

19
Control Environment Principles and Approaches
Principles and Approaches
1. The organization demonstrates a commitment to integrity and ethical values.
  • Establishing Standards of Conduct
  • Leading by Example on Matters of Integrity and Ethics
  • Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct
  • Developing Processes to Report and Promptly Act on Deviations from Standards of Conduct
2. The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.
  • Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors
  • Establishing Policies and Practices for Meetings between the Board of Directors and Management
  • Identifying and Reviewing Board of Director Candidates
  • Reviewing Management's Assertions and Judgments
  • Obtaining an External View
  • Considering Whistle-Blower Information about Financial Statement Errors and Irregularities
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  • Defining Roles and Reporting Lines and Assessing Them for Relevance
  • Defining Authority at Different Levels of Management
  • Maintaining Job Descriptions and Service-Level Agreements
  • Defining the Role of Internal Auditors
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with the objectives.
  • Establishing Required Knowledge, Skills, and Expertise
  • Linking Competence Standards to Established Policies and Practices in Hiring, Training, and Retention Decisions
  • Identifying and Delivering on Financial Reporting Related Training as Needed
  • Selecting Appropriate Outsourced Service Providers
  • Evaluating Competence and Behavior
  • Evaluating the Capacity of Finance Personnel
  • Developing Alternate Candidates for Key Financial Reporting Roles
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
  • Defining and Confirming Responsibilities
  • Developing Balanced Performance Measures, Incentives, and Rewards
  • Evaluating Performance Measures for Intended Influence
  • Linking Compensation and Other Rewards to Performance
20
Sample Approach and Example (Principle 2)
Approach - Establishing Policies and Practices for
Meetings between the Board of Directors and
Management: The board of directors reviews and
approves policies and practices that support the
performance of internal control across the
business in regular meetings between management
and the board. The processes and structures
particularly relevant to the audit committee of
the board are those that provide:
  • Appropriate forums to enable board members to ask
    probing questions of management
  • A calendar that establishes the timing and
    frequency of meetings with management
  • Expected practices to keep board members current
    on both emerging and adopted accounting standards
    and their impact on the entity's financial
    statements
  • Procedures to review management's development and
    performance of internal control over external
    financial reporting
  • Authority to engage experts as needed and
    oversight to ensure that management appropriately
    resolves matters raised by the board
  • Criteria and procedures for calling special
    and/or urgent meetings
  • Allocation of time in board meetings for
    discussions with external advisors, internal and
    external auditors, and legal counsel without
    management being present
The policies and practices are updated as needed
to reflect changes in internal and external
expectations, including rules and regulations.
  • The Meeting Calendar activities / agenda items
  • Audit Committee Issues
  • Report of results of annual independent audit to
    the board
  • Appointment of the external auditor
  • Approval of external auditor fees for upcoming
    year
  • Review of annual proxy statement audit committee
    report
  • Assessment of the adequacy of audit committee
    charter
  • Approval of audit committee meeting plan for the
    upcoming year, confirm mutual expectations with
    management and the auditor
  • Audit committee self-assessment
  • Approval of guidelines for engagements of
    external auditors for other services
    (pre-approval policy)
  • Approval of any non-audit services provided by
    outside auditors
  • Report of external auditor pre-approval
    status/limits
  • Review of procedures for handling financial
    reporting errors or irregularities
  • Oversees fraud risk assessment process
  • Review of charter of the internal audit function
    and plan
  • Approval of minutes of previous meeting
  • Report quarterly matters to the board (chair)
  • Schedule executive session of committee members
  • Schedule executive sessions with the chief audit
    executive

Example - Establishing an Audit Committee Meeting
Calendar: The audit committee of Outer Limits
Innovations, an aerospace control systems
supplier, uses its charter as guidance when
setting its meeting dates and agendas. Fred
Krahn, the chair of the committee, plans for at
least one meeting during the year at which each
responsibility set forth in the charter is
discussed. This practice helps the audit
committee cover all relevant responsibilities,
and helps management anticipate and plan for the
committee's expectations. The meeting calendar,
which is shown, is periodically reassessed to
adjust for emerging regulatory and technical
matters that could affect the company or the
industry.
21
Sample mapping of approaches to environment
changes
Note - For details refer to ICEFR Compendium of
Approaches and Examples by COSO
22
Enterprise Risk Management Integrated Framework
23
Enterprise Risk Management Integrated Framework
  • Enterprise Risk Management Defined - Enterprise
    Risk Management deals with risks and
    opportunities affecting value creation or
    preservation, defined as follows:
  • Enterprise risk management is a process, effected
    by an entity's board of directors, management and
    other personnel, applied in strategy setting and
    across the enterprise, designed to identify
    potential events that may affect the entity, and
    manage risk to be within its risk appetite, to
    provide reasonable assurance regarding the
    achievement of entity objectives.
  • The definition reflects certain fundamental
    concepts. Enterprise risk management is
  • A process, ongoing and flowing through an
    entity
  • Effected by people at every level of an
    organization
  • Applied in strategy setting
  • Applied across the enterprise, at every level
    and unit, and includes taking an entity level
    portfolio view of risk
  • Designed to identify potential events that, if
    they occur, will affect the entity and to manage
    risk within its risk appetite
  • Able to provide reasonable assurance to an
    entity's management and board of directors
  • Geared to achievement of objectives in one or
    more separate but overlapping categories
  • This definition is purposefully broad. It
    captures key concepts fundamental to how
    companies and other organizations manage risk,
    providing a basis for application across
    organizations, industries, and sectors. It
    focuses directly on achievement of objectives
    established by a particular entity and provides a
    basis for defining enterprise risk management
    effectiveness.
  • Achievement of Objectives
  • Within the context of an entity's established
    mission or vision, management establishes
    strategic objectives, selects strategy, and sets
    aligned objectives cascading through the
    enterprise. This enterprise risk management
    framework is geared to achieving an entity's
    objectives, set forth in four categories:
  • Strategic high-level goals, aligned with and
    supporting its mission
  • Operations effective and efficient use of its
    resources

24
Enterprise Risk Management Integrated Framework
  • COSO explains that all entities face uncertainty,
    and the challenge for management is to determine
    how much uncertainty to accept as it strives to
    grow stakeholder value. Uncertainty presents both
    risk and opportunity, with the potential to erode
    or enhance value. Enterprise risk management
    enables management to effectively deal with
    uncertainty and associated risk and opportunity,
    enhancing the capacity to build value.
  • Value is maximized when management sets strategy
    and objectives to strike an optimal balance
    between growth and return goals and related
    risks, and efficiently and effectively deploys
    resources in pursuit of the entity's objectives.
    Enterprise risk management encompasses:

  • Aligning risk appetite and strategy -
    Management considers the entity's risk appetite
    in evaluating strategic alternatives, setting
    related objectives, and developing mechanisms to
    manage related risks.
  • Enhancing risk response decisions - Enterprise
    risk management provides the rigor to identify
    and select among alternative risk responses:
    risk avoidance, reduction, sharing, and
    acceptance.
  • Reducing operational surprises and losses -
    Entities gain enhanced capability to identify
    potential events and establish responses,
    reducing surprises and associated costs or
    losses.
  • Identifying and managing multiple and
    cross-enterprise risks - Every enterprise faces a
    myriad of risks affecting different parts of the
    organization, and enterprise risk management
    facilitates effective response to the
    interrelated impacts, and integrated responses
    to multiple risks.
  • Seizing opportunities - By considering a full
    range of potential events, management is
    positioned to identify and proactively realize
    opportunities.
  • Improving deployment of capital - Obtaining
    robust risk information allows management to
    effectively assess overall capital needs and
    enhance capital allocation.

These capabilities inherent in enterprise risk
management help management achieve the entity's
performance and profitability targets and prevent
loss of resources. Enterprise risk management
helps ensure effective reporting and compliance
with laws and regulations, and helps avoid damage
to the entity's reputation and associated
consequences. In sum, enterprise risk management
helps an entity get to where it wants to go and
avoid pitfalls and surprises along the way.
25
Enterprise Risk Management Integrated Framework
  • Components of Enterprise Risk Management
  • Enterprise risk management consists of eight
    interrelated components. These are derived from
    the way management runs an enterprise and are
    integrated with the management process. These
    components are described below.
  • Enterprise risk management is not strictly a
    serial process, where one component affects only
    the next. It is a multidirectional, iterative
    process in which almost any component can and
    does influence another.

Internal Environment - The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting - Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
Event Identification - Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
Risk Assessment - Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk Response - Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
Control Activities - Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication - Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring - The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
26
Understanding business objectives and risks,
ensuring Audit's and Controls' alignment with
them
27
Risk Management, Internal Audit and Internal Controls
The three departments must work together to get a comprehensive view of risks, stakeholder expectations and knowledge sharing. The alignment also helps in constructive discussion when facilitating ERM discussions, because IA and IC can provide inputs based on assurance and consulting work completed in the past.
28
Risk Management Process
RISK MANAGEMENT PROCESS - The risk management process is a structured approach to identifying, assessing, managing and monitoring risks in the business that can have an impact on the achievement of business objectives. This process will be formally and explicitly embedded into significant business processes on an ongoing basis, including strategic planning, business planning, operations, new business initiatives, product development and project management.
  • The risk management process has the following elements:
    • Risk Identification
    • Risk Assessment
    • Risk Response (Management and Control)
    • Risk Monitoring
    • Risk Reporting

Risk Identification - Significant risks that may have an adverse effect on the achievement of business objectives should be identified and defined on an ongoing basis. The use of standard risk categories (see section VI) improves the ability to analyze exposures and make risk mitigation decisions.
Risk Assessment - Risk Exposure = Vulnerability x Impact
29
Risk Management Process
Risk Management and Risk Control - Once the risk exposure has been determined, the decision must be made as to how to manage the risk, utilizing one of the following six techniques:
  • Accept Risk - Management decides to continue operations as is, with a consensus to accept the inherent risks
  • Transfer Risk - Management decides to transfer the risk from one business unit to another, or from one business area to a third party (i.e. an insurer)
  • Eliminate Risk - Management decides to eliminate risk through the dissolution of a key business unit or operating area
  • Increase Risk - Management decides that the current return/risk ratio is attractive and therefore increases exposure to achieve the anticipated corresponding returns
  • Reduce Risk - Management decides to reduce current risks through improvement in controls and processes
  • Mitigate Risk - Management accepts the current level of risk but undertakes key actions to mitigate risks through changing the way it conducts business
Risk Monitoring and Reporting - Effective and explicit monitoring and reporting is important to ensure that Rogers's business activities are being managed in accordance with overall strategic objectives, risk management objectives and risk tolerances. Key Risk Indicators (KRIs) should be identified and utilized. KRIs are measures used by Management to indicate the possibility of future adverse risk impact. Effective measuring and monitoring of KRIs gives us early warning to identify potential events that may cause the materialization of a risk or risks that could have an adverse effect on the organization.
  • RISK MANAGEMENT LANGUAGE AND DEFINITIONS
  • In order to promote a common risk language, improve the understanding of Enterprise Risk Management and ensure complementary efforts throughout Rogers by Enterprise Risk Management, Internal Audit and the business units, standard risk and sub-risk categories have been developed. These categories are to be used throughout the organization to assist in the identification and assessment of risk.
  • The standard risk categories used by Rogers have been broken down into three groups:
    • Strategic Risks
    • Operational Risks
    • Financial Risks

30
Sample Risk Categories and Examples
Strategic Risks
Risk Category | Description | Sub-Risk Category | Examples
Strategy Development | The risk of loss (financial or reputational) related to the development of business plans and strategies. | N/A | Failure to develop appropriate business plans and strategies
Operational Risks
Risk Category | Description | Sub-Risk Category | Examples
Technology | The risk of loss (financial or reputational) due to deficiencies in data integrity or technological infrastructure. | Network | IT/Cable/Wireless network failure/shutdown resulting in unavailability of services
Technology | (as above) | Security | Inappropriate or unauthorized access to systems
Technology | (as above) | Hardware | Inadequate or inappropriate hardware to handle present and/or future business requirements (capacity planning)
Financial Risks
Risk Category | Description | Sub-Risk Category | Sub-Risk Description | Examples
Market | The risk of loss (financial or reputational) resulting from adverse changes in market factors. | Interest Rates | The risk of loss due to interest rate fluctuations. | Inappropriate interest rate strategy/policy
Market | (as above) | Foreign Exchange | The risk of loss due to currency rate movements. | Inappropriate foreign exchange strategy/policy
Market | (as above) | Investments | The risk of loss in the investment portfolio. | Inappropriate investment strategy; poor investment decisions
31
Internal Audit and Internal Controls defined
  • The IIA defines Internal Auditing as follows: "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes." (1)
  • COSO defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is not merely documented by policy manuals and forms. Rather, it is put in place by people at every level of an organization.
  • Internal control can provide only reasonable assurance, not absolute assurance, to an entity's management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

(1) Source: International Professional Practices Framework (IPPF), The Institute of Internal Auditors Research Foundation, Florida, USA, January 2009
32
  • What should you expect from your Internal Audit Department?

33
Governing bodies and senior management rely on Internal Auditing for objective assurance and insight on the effectiveness and efficiency of governance, risk management and internal control processes.
VALUE PROPOSITION OF INTERNAL AUDITING FOR KEY STAKEHOLDERS
Internal Auditing: Assurance, Insight, Objectivity
34
What else should you expect from your IA Department?
VALUE PROPOSITION OF INTERNAL AUDITING FOR KEY STAKEHOLDERS
35
Value of Internal Audit and Controls?
Have we achieved the status and delivered on the
value that we can provide?
Is there more to address?
36
Internal Audit current state
  • In my opinion Internal Audit has come a long way
  • Things change:
    • Economy
    • Risk
    • Technology
    • Competition
  • Danger that Internal Audit cannot keep up with the change
  • Must engage with stakeholders:
    • The business
    • Senior Management
    • The Board
  • We as Internal Auditors probably think we have come further than the Board does. Have we?

Knowledge of the Business is Key
ENGAGE With The Business
Internal Audit must demonstrate understanding
37
Internal Audit and Internal Controls Stakeholders
  • Dictionary.com defines a stakeholder as "a person or group that has an investment, share, or interest in something, as a business or industry."
  • Richard Chambers, the President and CEO of the IIA, defines IA stakeholders as follows: "For me, this one is the most obvious. I believe the stakeholders include:"

Primary internal audit stakeholders:
  • The audit committee and the board.
  • The CEO (or head of the enterprise).
  • The chief financial officer or individual to whom the CAE reports administratively.
  • Potentially, the other chief officers of the enterprise.
Secondary stakeholders:
  • Business unit executives/leaders not identified as primary stakeholders.
  • External auditors and regulators (the first time we think of stakeholders potentially residing outside of the enterprise).
  • Investors and creditors.
  • Citizens and taxpayers (for government audit functions).
Tertiary stakeholders:
  • Employees (and potentially retirees) of the enterprise.
  • Investment analysts and others with an interest in the performance and effectiveness of risk management and internal controls of the enterprise.
  • Potentially, the general public.
Internal auditing must recognize that it exists to serve the needs of the various stakeholder groups, and that their expectations are constantly evolving and rarely aligned. Internal auditors and CAEs who lose sight of that fact are at substantial risk of long-term failure.
Adapted from http://www.theiia.org/blogs/chambers/index.cfm/post/So,%20Who%20Are%20Internal%20Auditing's%20Stakeholders
38
Adding value
  • Internal Audit's profile continues to grow
  • Internal Audit can and does add value
  • But, there is more to do to convince and engage senior stakeholders
  • Knowledge of the business is key
  • It is time for us to step up a gear and demonstrate our value
39
Role of Internal Controls
  • Role
    • SOX Certification Program, which has evolved over time
  • Continuous Improvement mindset
    • Scoping and Risk Assessment
    • Materiality
    • Control Selection and Rationalization
    • Sampling Methodology
    • Reliance on Management Self Assessment
    • Focus on a top-down, risk-based approach
    • Continuous YoY reduction in the time spent
  • Other Efforts
    • Fraud Risk Assessment
    • Use of a standardized ITGC Framework
    • Rotation of application controls testing
    • Centralization of the SOD controls for ERP
    • Implementation of a GRC tool over ERP
    • Continuous engagement on all major projects to ensure compliance
    • Partnering with the business on key strategic initiatives
    • Streamlining controls and governance methodologies across the organization

40
COSO Framework 2013 Selection, Development and
Deployment of Control Activities
41
Control Activities - COSO (Introduction and Chapter Summary)
  • Introduction -
    • Control activities serve as mechanisms for managing the achievement of an entity's objectives and are very much a part of the processes by which an entity strives to achieve those objectives. They do not exist simply for their own sake or because having them is the right or proper thing to do.
    • Control activities can support one or more of the entity's operations, reporting, and compliance objectives. For example, an online retailer's controls over the security of its information technology affect the processing of accurate and valid transactions with consumers, the protection of consumers' confidential credit card information, and the availability and security of its website. In this case, control activities are necessary to support the reporting, compliance, and operations objectives.
  • Chapter Summary -
    • Control activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out.
    • Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment.
    • They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews.
    • Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

42
Control Activities - Summary of Changes to the COSO Internal Controls Integrated Framework (1992)
  • Broadening the discussion to reflect the evolution of technology.
  • Expanding the discussion of the relationship between automated control activities and general controls over technology, to reinforce linkages to business processes.
  • Expanding the discussion that control activities constitute a range of control techniques, while providing a more detailed description of these types and techniques and the ways to characterize them (e.g. transaction-level controls vs. controls at other levels of the organization), and a more detailed discussion of information processing objectives.
  • Updating the discussion on general technology controls to focus more on universal concepts rather than the specifics applicable to the old framework.
  • Clarifying that control activities are actions established by policies and procedures, rather than being the policies and procedures themselves.

43
Selects and Develops Control Activities
  • The following points of focus may assist management in determining whether this principle is present and functioning:
  • Integrates with Risk Assessment: Control activities help ensure that risk responses that address and mitigate risks are carried out.
  • Considers Entity-Specific Factors: Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
  • Determines Relevant Business Processes: Management determines which relevant business processes require control activities.
  • Evaluates a Mix of Control Activity Types: Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
  • Considers at What Level Activities Are Applied: Management considers control activities at various levels in the entity.
  • Addresses Segregation of Duties: Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities.

Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
44
Selects and Develops Control Activities
  • Integration with Risk Assessment
  • Relevant Business Process
  • Entity Specific Factors
  • Business Process Control Activities
    • Completeness
    • Accuracy
    • Validity
  • Control Activity Types
  • Types of Transaction Control Activities
    • Authorization and Approvals
    • Verifications
    • Physical Controls
    • Controls over Standing Data
    • Reconciliations
    • Supervisory Controls
  • Technology and Control Activities
    • Technology supports business processes
    • Technology used to automate control activities
  • Control Activities at Different Levels

45
Selects and Develops General Controls over
Technology
  • The following points of focus may assist management in determining whether this principle is present and functioning:
  • Determines Dependency between the Use of Technology in Business Processes and Technology General Controls: Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
  • Establishes Relevant Technology Infrastructure Control Activities: Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
  • Establishes Relevant Security Management Process Control Activities: Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity's assets from external threats.
  • Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities: Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives.

Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.
46
Selects and Develops General Controls over
Technology
  • Dependency between the Use of Technology in Business Processes and Technology General Controls
    • Technology General Controls (TGC) over the acquisition and development of technology are deployed to help ensure that automated controls work properly when first developed and implemented.
    • TGC help ensure automated controls continue to work properly.
    • Proper security control activities limit access to systems, limiting the possibility of unauthorized edits.
    • Control activities over changes to technology help ensure that it continues to function as designed.
  • Technology General Controls
    • Technology Infrastructure
    • Security Management Process
    • Technology Acquisition, Development and Maintenance Process

47
Deploys through Policies and Procedures
  • The following points of focus may assist management in determining whether this principle is present and functioning:
  • Establishes Policies and Procedures to Support Deployment of Management's Directives: Management establishes control activities that are built into business processes and employees' day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.
  • Establishes Responsibility and Accountability for Executing Policies and Procedures: Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
  • Performs in a Timely Manner: Responsible personnel perform control activities in a timely manner as defined by the policies and procedures.
  • Takes Corrective Action: Responsible personnel investigate and act on matters identified as a result of executing control activities.
  • Performs Using Competent Personnel: Competent personnel with sufficient authority perform control activities with diligence and continuing focus.
  • Reassesses Policies and Procedures: Management periodically reviews control activities to determine their continued relevance, and refreshes them when necessary.

Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
48
Deploys through Policies and Procedures
  • Policies and Procedures
    • Policies reflect management's statements; they can be documented, explicitly stated in communications, or implied through management actions and decisions.
    • Procedures consist of actions that implement policy.
  • Responsibility and Accountability
    • Policies must establish clear responsibility and accountability, which ultimately resides with the management of the entity or sub-unit where the risk resides.
    • Procedures should be clear on the responsibilities of the person performing the control activity.
  • Timeliness
    • Procedures should include the timing of when a control activity and any follow-up of corrective actions are performed.
  • Corrective Action
    • In conducting a control activity, matters identified for follow-up should be investigated and, if appropriate, corrective action taken.
  • Competence
    • Competent personnel with sufficient authority should perform the control activity.
    • The level of competency required to perform the control depends on the complexity of the control activity and the complexity and volume of the underlying transactions.
  • Periodic Reassessment
    • Periodic reassessment of policies and procedures is required for continued relevance and effectiveness.
    • Sufficient changes would be evaluated through the risk management process.
    • Changes in people, process and technology may reduce the effectiveness of control activities or make some control activities redundant. If any of these changes occur, management should reassess the relevance of existing controls.

49
COSO Framework 2013 - Tools and templates for assessing effectiveness of a system of internal controls
50
Illustrative Example - Linking ELCs to COSO 2013
Control Activities Principle
  • The purpose of this enclosed document is to facilitate the identification and assessment of ELCs that address the principles associated with the Control Activities component in the COSO 2013 Framework. This example may be used for mapping of other components as well.
  • For each of the principles related to the five COSO components, identify the relevant ELCs (note: the three principles (P10, P11, P12) associated with Control Activities are primarily addressed through process-level controls).
  • The Points of Focus for each principle (referenced as "P") are characteristics that elaborate on the principle and may assist in determining whether a control or suite of controls adequately addresses the principle.
  • Not all Points of Focus are required to be present as controls for a principle to be effective; however, management should consider how a principle is achieved without addressing all the points of focus.
  • Ordinarily, all principles are relevant. If management determines a principle is not relevant, COSO requires that the rationale for this determination be documented.

51
Illustrative Example - Linking ELCs to COSO 2013
Control Activities Principle
Points of focus (columns of the template), by principle:
Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
  P10PF1 Integrates with Risk Assessment
  P10PF2 Considers Entity-Specific Factors
  P10PF3 Determines Relevant Business Processes
  P10PF4 Evaluates a Mix of Control Activity Types
  P10PF5 Considers at What Level Activities are Applied
  P10PF6 Addresses Segregation of Duties
Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives
  P11PF1 Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
  P11PF2 Establishes Relevant Technology Infrastructure Control Activities
  P11PF3 Establishes Relevant Security Management Process Control Activities
  P11PF4 Establishes Relevant Technology Acquisition, Development and Maintenance Process Control Activities
Principle 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action
  P12PF1 Establishes Policies and Procedures to Support Deployment of Management's Directives
  P12PF2 Establishes Responsibility and Accountability for Executing Policies and Procedures
  P12PF3 Performs in a Timely Manner
  P12PF4 Takes Corrective Action
  P12PF5 Performs Using Competent Personnel
  P12PF6 Reassesses Policies and Procedures

Control | Description of Control | Points of focus addressed (x)
ELC 1 EXAMPLE | An ICFR scoping document is prepared by Internal Controls and approved by management. Based on risk assessments, relevant business processes and locations are identified. | P10PF1 x, P10PF3 x
(further ELC rows are left blank in the template)
Check: have controls been associated with this point of focus? | P10PF1 YES, P10PF2 NO, P10PF3 YES, P10PF4 NO, P10PF5 NO, P10PF6 NO, P11PF1 to P11PF4 NO, P12PF1 to P12PF6 NO
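The mapping template above, as an added worked example that is not the deck's own tool: it computes the "check" row from the ELC-to-points-of-focus matrix, applies the notes on the previous slide (a principle may be effective without every point of focus, but the gaps should be documented; a principle marked not relevant needs a documented rationale), and feeds the Present?/Functioning? conclusions of the component evaluation sheet. Principle and point-of-focus codes are the slide's (P10PF1 to P12PF6); ELC 2 and the assessments are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

# Points of focus per Control Activities principle, coded as on the slide (P10PF1 .. P12PF6).
POINTS_OF_FOCUS = {
    "P10": [f"P10PF{i}" for i in range(1, 7)],  # selects and develops control activities
    "P11": [f"P11PF{i}" for i in range(1, 5)],  # general controls over technology
    "P12": [f"P12PF{i}" for i in range(1, 7)],  # deploys through policies and procedures
}
ALL_PFS = {pf for pfs in POINTS_OF_FOCUS.values() for pf in pfs}


@dataclass
class Control:
    """One row of the template: an ELC and the points of focus it is marked 'x' against."""
    name: str
    description: str
    points_of_focus: set[str]

    def __post_init__(self) -> None:
        unknown = self.points_of_focus - ALL_PFS
        if unknown:  # a typo in a PF code would silently drop coverage, so reject it
            raise ValueError(f"{self.name}: unknown point(s) of focus {sorted(unknown)}")


@dataclass
class PrincipleAssessment:
    """Management's Present?/Functioning? conclusion from the component evaluation sheet."""
    present: bool = False
    functioning: bool = False
    relevant: bool = True
    rationale: str = ""  # COSO requires a documented rationale when relevant is False


def pf_coverage(controls: list[Control]) -> dict[str, bool]:
    """The template's 'check: have controls been associated with this point of focus' row."""
    covered = set().union(*(c.points_of_focus for c in controls))
    return {pf: pf in covered for pfs in POINTS_OF_FOCUS.values() for pf in pfs}


def evaluate_principle(principle: str, controls: list[Control],
                       assessment: PrincipleAssessment) -> dict:
    """Conclude on one principle and list the follow-ups the slide's notes call for."""
    if not assessment.relevant:
        if not assessment.rationale.strip():
            raise ValueError(f"{principle}: a principle marked not relevant needs a documented rationale")
        return {"principle": principle, "status": "not relevant", "uncovered": [], "findings": []}
    coverage = pf_coverage(controls)
    pfs = POINTS_OF_FOCUS[principle]
    uncovered = [pf for pf in pfs if not coverage[pf]]
    findings = []
    if len(uncovered) == len(pfs):
        findings.append("no control is associated with any point of focus")
    elif uncovered:
        # Not every point of focus must be present, but management should document
        # how the principle is achieved without the missing ones.
        findings.append("document how the principle is achieved without: " + ", ".join(uncovered))
    effective = assessment.present and assessment.functioning and len(uncovered) < len(pfs)
    return {"principle": principle, "status": "effective" if effective else "deficient",
            "uncovered": uncovered, "findings": findings}


# Constructed sample data. ELC 1 is the slide's own example; ELC 2 is hypothetical.
SAMPLE_CONTROLS = [
    Control("ELC 1", "ICFR scoping document prepared by Internal Controls and approved by "
            "management; relevant processes and locations identified from risk assessments.",
            {"P10PF1", "P10PF3"}),
    Control("ELC 2", "Quarterly review of ERP user access by process owners (hypothetical).",
            {"P11PF3", "P12PF3"}),
]
SAMPLE_ASSESSMENTS = {
    "P10": PrincipleAssessment(present=True, functioning=True),
    "P11": PrincipleAssessment(present=True, functioning=False),  # review not yet performed
    "P12": PrincipleAssessment(present=True, functioning=True),
}


def evaluate_component(controls: list[Control] = SAMPLE_CONTROLS,
                       assessments: dict[str, PrincipleAssessment] = SAMPLE_ASSESSMENTS) -> dict:
    """Evaluate every Control Activities principle; keys are principle codes."""
    return {p: evaluate_principle(p, controls, assessments[p]) for p in POINTS_OF_FOCUS}


if __name__ == "__main__":
    for principle, result in evaluate_component().items():
        print(principle, result["status"], *result["findings"], sep=" | ")
```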
52
Component Evaluation Control Activities
Principle | Present? (Y/N) | Functioning? (Y/N) | Explanation/Conclusion
10. Selects and Develops Control Activities: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | | |