Enterprise Risk Services
December 2011
COSO
Internal Control–Integrated Framework
Exposure Draft
December 2011
What is COSO?
The COSO (Committee of Sponsoring Organizations of the
Treadway Commission) is a private sector initiative, jointly
sponsored and funded by:
• American Accounting Association (AAA)
• American Institute of Certified Public
Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)
Internal Control-Integrated Framework
• First published in 1992
• Gained wide acceptance
following financial control
failures of early 2000’s
• Most widely used framework in
the US
• Also widely used around the
world
Original COSO Cube
Methodology
• Background
‒ Project announced in November 2010
‒ Aims to make the existing Framework and related evaluation tools more relevant in the increasingly complex business environment
‒ PricewaterhouseCoopers, as the original author, conducted this project.
‒ Not intended to change how internal control is defined, assessed, or managed, but rather to provide greater clarity and more comprehensive and relevant conceptual guidance
• Project Structure
‒ Advisory Council comprising representatives from industries, academia, government agencies, and non-profit organizations
‒ Updated Framework is being exposed to the public to capture additional input
• Approach
‒ Assess and Envision
‒ Build and Design
‒ Preparation for Public Exposure
‒ Finalization
Summary of Changes to the 1992 Version
• Applies a principles-based approach
• Clarifies the role of objective-setting in internal control
• Reflects the increased relevance of technology
• Enhances governance concepts
• Expands the reporting category of objectives
• Enhances consideration of anti-fraud expectations
• Considers different business models and organizational structures
What is internal control?
Internal Control is a process effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness & efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.
Categories of Objectives
Operations
• Improving Quality
• Reducing Costs
• Reducing Production Time
• Improving Innovation
• Improving Customer Satisfaction
• Improving Employee Satisfaction
• etc.
Reporting
• External Financial Reporting Objectives
• External Non-Financial Reporting Objectives
• Internal Financial Reporting Objectives
• Internal Non-Financial Reporting Objectives
Compliance
• Identifying Applicable Laws and Regulations
• Ensuring Compliance with Applicable Laws and Regulations
Components of Internal Control
(COSO cube figure: Control Environment, Risk Assessment, Control Activities, Monitoring)
A Principles-Based Approach
Five Components, with the number of principles and attributes under each:
Control Environment: 5 principles, 21 attributes
Risk Assessment: 4 principles, 19 attributes
Control Activities: 3 principles, 16 attributes
Information and Communication: 3 principles, 14 attributes
Monitoring Activities: 2 principles, 11 attributes
Total: 17 principles, 81 attributes
A Principles-Based Approach
(Figure: the 17 principles apply to operations objectives, reporting objectives, and compliance objectives.)
Principles and Attributes Relating to Components of Internal Control
Principles Relating to Control Environment
1. The organization demonstrates a commitment to integrity and ethical
values.
2. The board of directors demonstrates independence of management and
exercises oversight for the development and performance of internal
control.
3. Management establishes, with board oversight, structures, reporting
lines, and appropriate authorities and responsibilities in the pursuit of
objectives.
4. The organization demonstrates a commitment to attract, develop, and
retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal
control responsibilities in the pursuit of objectives.
Attributes Relating to Control Environment
1. Demonstrates Commitment to Integrity and Ethical Values
1. Sets the Tone at the Top
2. Establishes Standards of Conduct
3. Evaluates Adherence to Standards of Conduct
4. Addresses Deviations in a Timely Manner
Attributes Relating to Control Environment
2. Exercises Oversight Responsibility
1. Establishes Board of Directors Oversight Responsibilities
2. Retains or Delegates Oversight Responsibilities
3. Applies Relevant Expertise
4. Operates Independently
5. Provides Oversight
Attributes Relating to Control Environment
3. Establishes Structure, Authority, and Responsibility
1. Considers All Structures of the Entity
2. Establishes Reporting Lines
3. Defines, Assigns, and Limits Authorities and Responsibilities
Attributes Relating to Control Environment
4. Demonstrates Commitment to Competence
1. Establishes Policies and Practices
2. Attracts, Develops, and Retains Individuals
3. Evaluates Competence and Addresses Shortcomings
4. Plans and Prepares for Succession
Attributes Relating to Control Environment
5. Enforces Accountability
1. Enforces Accountability through Structures, Authorities, and Responsibilities
2. Establishes Performance Measures, Incentives, and Rewards
3. Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance
4. Considers Excessive Pressures
5. Evaluates Performance and Rewards or Disciplines Individuals
Principles Relating to Risk Assessment
1. The organization specifies objectives with sufficient clarity to enable
the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives
across the entity and analyzes risks as a basis for determining how the
risks should be managed.
3. The organization considers the potential for fraud in assessing risks to
the achievement of objectives.
4. The organization identifies and assesses changes that could
significantly impact the system of internal control.
Attributes Relating to Risk Assessment
6. Specifies Relevant Objectives
1. Considers Tolerance for Risk / Required Level of Precision / Materiality
2. Complies with Externally Established Standards and Frameworks / Complies with Applicable Accounting Standards / Reflects External Laws and Regulations
3. Reflects Management's Choices
4. Reflects Entity Activities
5. Includes Operations and Financial Performance Goals
6. Forms Basis for Committing of Resources
Attributes Relating to Operations Objectives
• Considers Tolerances for Risk
• Reflects Management's Choices
• Includes Operations and Financial Performance Goals
• Forms Basis for Committing of Resources
Attributes Relating to Reporting Objectives - External Financial Reporting
• Considers Materiality
• Complies with Applicable Accounting Standards
• Reflects Entity Activities
Attributes Relating to Reporting Objectives - External Non-financial Reporting Objectives
• Complies with Externally Established Standards and Frameworks
• Reflects Entity Activities
• Considers the Required Level of Precision
Attributes Relating to Reporting Objectives - Internal Reporting Objectives (financial and/or non-financial)
• Considers the Required Level of Precision
• Reflects Management's Choices
• Reflects Entity Activities
Attributes Relating to Compliance Objectives
• Considers Tolerances for Risk
• Reflects External Laws and Regulations
Attributes Relating to Risk Assessment
7. Identifies and Analyzes Risks
1. Involves Appropriate Levels of Management
2. Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
3. Analyzes Internal and External Factors
4. Estimates Significance of Risks Identified
5. Determines How to Respond to Risks
Attributes Relating to Risk Assessment
8. Assesses Fraud Risk
1. Considers Various Ways That Fraud Can Occur
2. Considers Risk Factors
3. Assesses Incentives and Pressures
4. Assesses Opportunities
5. Assesses Attitudes and Rationalizations
Attributes Relating to Risk Assessment
9. Identifies and Analyzes Significant Change
1. Assesses Changes in the External Environment
2. Assesses Changes in the Business Model
3. Assesses Changes in Leadership
Principles Relating to Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.
Attributes Relating to Control Activities
10. Selects and Develops Control Activities
1. Integrates with Risk Assessment
2. Determines Relevant Business Processes
3. Considers Entity-Specific Factors
4. Evaluates a Mix of Control Activity Types
5. Considers at What Level Activities Are Applied
6. Addresses Segregation of Duties
Attributes Relating to Control Activities
11. Selects and Develops General Controls over Technology
1. Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
2. Establishes Relevant Technology Infrastructure Control Activities
3. Establishes Relevant Security Management Process Control Activities
4. Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities
Attributes Relating to Control Activities
12. Deploys through Policies and Procedures
1. Establishes Policies and Procedures to Support Deployment of Management's Directives
2. Establishes Responsibility and Accountability for Executing Policies and Procedures
3. Performs Using Competent Personnel
4. Performs in a Timely Manner
5. Takes Corrective Action
6. Reassesses Policies and Procedures
Principles Relating to Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
Attributes Relating to Information and Communication
13. Uses Relevant Information
1. Identifies Information Requirements
2. Captures Internal and External Sources of Data
3. Processes Relevant Data into Information
4. Maintains Quality Throughout Processing
5. Considers Costs and Benefits
Attributes Relating to Information and Communication
14. Communicates Internally
1. Communicates Internal Control Information with Personnel
2. Communicates with the Board of Directors
3. Provides Separate Communication Lines
4. Selects Relevant Method of Communication
Attributes Relating to Information and Communication
15. Communicates Externally
1. Communicates to External Parties
2. Enables Inbound Communications
3. Provides Separate Communication Lines
4. Selects Relevant Method of Communication
5. Communicates with the Board of Directors
Principles Relating to Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Attributes Relating to Monitoring Activities
16. Conducts Ongoing and/or Separate Evaluations
1. Considers a Mix of Ongoing and Separate Evaluations
2. Establishes Baseline Understanding
3. Uses Knowledgeable Personnel
4. Integrates with Business Processes
5. Objectively Evaluates
6. Adjusts Scope and Frequency
7. Considers Rate of Change
Attributes Relating to Monitoring Activities
17. Evaluates and Communicates Deficiencies
1. Assesses Results
2. Communicates Deficiencies to Management
3. Reports Deficiencies to Senior Management and the Board of Directors
4. Monitors Corrective Actions
Roles and Responsibilities
Roles - Three Lines of Defense
• Management and other personnel on the front line provide the first line of defense as they are responsible for maintaining effective internal control day to day; they are compensated based on performance in relation to all applicable objectives.
• Business-enabling functions such as risk, control, legal, and compliance provide the second line of defense as they clarify internal control requirements and evaluate adherence to defined standards. While they are functionally aligned to the business, their compensation is not directly tied to performance of the area to which they render expert advice.
• Internal auditors provide the third line of defense as they assess and report on internal control and recommend corrective actions or enhancements for management consideration and implementation; their position and compensation are separate and distinct from the business areas they review.
Responsible Parties - The Board of Directors and its Committees
The Board:
• has a key role in defining expectations on integrity and ethical values and internal control responsibilities.
• has a working knowledge of the entity's activities and environment, and its members commit the time necessary to fulfill their governance responsibilities.
• utilizes resources as needed to investigate any issues, and has an open and unrestricted communications channel with all entity personnel, the internal auditors, independent auditors, external reviewers, and legal counsel.
Board-level committees include:
• Audit Committee
• Compensation Committee
• Nomination/Governance Committee
• Other Committees
Responsible Parties - Chief Executive Officer
The Chief Executive Officer (CEO):
• is ultimately responsible for the effectiveness of the entity's internal control system.
• sets the tone at the top that affects control environment factors and all other components of internal control.
The CEO fulfills this duty by:
• Providing leadership and direction to senior management. With the support of management, the CEO shapes the values, principles, and major operating policies that form the foundation of the entity's internal control system.
• Meeting periodically with senior management from each of the operating units (e.g., research and development, production, marketing, sales) and major business enabling functions (e.g., finance, human resources, legal, compliance, risk management).
• Defining metrics, targets, or other measurable expectations with which to gauge the ongoing and long-term effectiveness of the system of internal control. The methods of designing, implementing, and assessing internal control are delegated to management at different levels.
• Directing all management and other personnel to proactively identify threats to the system of internal control. Given the ever-increasing pace of change and networked interactions of business partners, customers, and employees, the sources of threat to an ongoing effective internal control system are constantly changing. The CEO expects senior management in particular to beware of making assumptions based on the traditional sources of threats to an effective internal control system.
Responsible Parties - Chief Financial Officer
The Chief Financial Officer (CFO):
• supports the CEO in front-line responsibilities, including internal
control over financial reporting.
• is integrally involved when the entity’s strategies are decided,
objectives are established, risks are analyzed, and decisions are
made on how changes will be managed.
• provides valuable input and direction and is positioned to focus
on evaluating and following up on the actions decided by
management.
• is an equal partner with the other functional heads.
Responsible Parties - Other Members of Senior Management
Senior management comprises:
• Chief operating officer
• Chief administrative officer
• Chief risk officer
• Chief compliance officer
• Chief information officer
• Other senior leadership roles, depending on the nature of the business
Senior management:
• guides the development and implementation of internal control policies and procedures that address the objectives of their functional or operating unit and verifies that they are consistent with the entity-wide objectives.
• assigns responsibility for establishing even more specific internal control procedures to those personnel responsible for the unit's functions or departments.
Responsible Parties - Business-Enabling Functions
Business-enabling functions:
• support the business through their specialized skills.
• provide guidance and assessment of internal control related to their areas of expertise.
• keep the organization informed of relevant requirements as they evolve over time.
• Their efforts are coordinated and integrated as appropriate.
Responsible Parties - Risk and Control Personnel
Risk and control personnel:
• provide specialized skills and guidance to front-line management and other personnel in evaluating internal control.
• identify known and emerging risks.
• help management develop processes to manage relevant risks.
• communicate and provide education on these processes across the organization.
• evaluate and report on the effectiveness of such processes.
• are not responsible for executing controls but support
Responsible Parties - Internal Auditors
Internal auditors:
• provide assurance and advisory services over internal control.
• evaluate the adequacy and effectiveness of controls in responding to risks within the organization's oversight, operations, and information systems regarding:
‒ Reliability and integrity of financial and operational information.
‒ Effectiveness and efficiency of operations and programs.
‒ Safeguarding of assets.
‒ Compliance with laws, regulations, policies, procedures, and contracts.
Responsible Parties - External Parties
External parties include:
• Outsourced Service Providers
• Business Partners and Other Parties Interacting with the Entity
• Independent Auditors
• External Reviewers
• Legislators and Regulators
• Financial Analysts, Bond Rating Agencies, and the News Media
Assessing Effectiveness
When controls are effective, the organization:
• Understands the extent to which operations are managed effectively and efficiently.
• Prepares reliable reports.
• Complies with applicable laws and regulations.
Assessing Effectiveness
• Each of the five components must be present and operate
together.
• Effectiveness of internal control is assessed relative to the five
components of internal Control.
• Effectiveness of internal control can also be assessed relative to
a specific part of the organizational structure.
Assessing Effectiveness
Determining whether a principle is present and functioning implies
that the organization:
• Understands the intent of the principle and how it is being
applied.
• Applies the principle consistently across the entity.
• Works to help personnel understand and apply the principle
across the entity.
• Views omission of or non-conformity with a principle as an
exception (i.e., not applying the wording, intent, and spirit of
the principle is the exception rather than the norm).
Limitations of Internal Control
• Quality and suitability of objectives
• Judgment
• Breakdowns
• Management Override
• Collusion
What is not part of internal control?
• Many decisions reached by the board are not part of internal control:
• Appropriateness of particular objectives selected
• Setting the overall level of acceptable risk and associated risk appetite
• Setting risk tolerance levels in relation to specific objectives
• Choosing which risk response is preferred to address specific risks
Q & A Session
Thank You
Coso internal control   integrated framework

Contenu connexe

Tendances

Integrating Strategy and Risk Management
Integrating Strategy and Risk ManagementIntegrating Strategy and Risk Management
Integrating Strategy and Risk Management
Andrew Smart
 
Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Proposal risk based internal audit 2013
Proposal risk based internal audit 2013
Nidhi Gupta
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
deeptica
 

Tendances (20)

Integrating Strategy and Risk Management
Integrating Strategy and Risk ManagementIntegrating Strategy and Risk Management
Integrating Strategy and Risk Management
 
Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9Audit Risk Assessment Chapter 9
Audit Risk Assessment Chapter 9
 
All You Need to Know about the Firm’s Risk Assessment Process
All You Need to Know about the Firm’s Risk Assessment ProcessAll You Need to Know about the Firm’s Risk Assessment Process
All You Need to Know about the Firm’s Risk Assessment Process
 
Internal Financial Controls (IFC) / Internal Control over Financial Reporting...
Internal Financial Controls (IFC) / Internal Control over Financial Reporting...Internal Financial Controls (IFC) / Internal Control over Financial Reporting...
Internal Financial Controls (IFC) / Internal Control over Financial Reporting...
 
COSO Framework Model
COSO Framework ModelCOSO Framework Model
COSO Framework Model
 
Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Proposal risk based internal audit 2013
Proposal risk based internal audit 2013
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditing
 
COSO 2013 and The Auditor
COSO 2013 and The AuditorCOSO 2013 and The Auditor
COSO 2013 and The Auditor
 
Risk based internal auditing
 Risk based internal auditing Risk based internal auditing
Risk based internal auditing
 
Legal Governance, Risk Management and Compliance
Legal Governance, Risk Management and ComplianceLegal Governance, Risk Management and Compliance
Legal Governance, Risk Management and Compliance
 
Risk Based Audit Approach
Risk Based Audit ApproachRisk Based Audit Approach
Risk Based Audit Approach
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
 
Internal Audit Reporting
Internal Audit ReportingInternal Audit Reporting
Internal Audit Reporting
 
White paper on ICFR/IFC with implementation approach
White paper on ICFR/IFC with implementation approachWhite paper on ICFR/IFC with implementation approach
White paper on ICFR/IFC with implementation approach
 
Internal Audit Strategic Framework
Internal Audit Strategic FrameworkInternal Audit Strategic Framework
Internal Audit Strategic Framework
 
CISA DOMAIN 2 Governance & Management of IT
CISA DOMAIN 2 Governance & Management of ITCISA DOMAIN 2 Governance & Management of IT
CISA DOMAIN 2 Governance & Management of IT
 
Internal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation   Leo WachiraInternal Audit And Internal Control Presentation   Leo Wachira
Internal Audit And Internal Control Presentation Leo Wachira
 
An introduction to internal auditing
An introduction to internal auditingAn introduction to internal auditing
An introduction to internal auditing
 
Are You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls FrameworkAre You Ready? Implementing COSO's Updated Internal Controls Framework
Are You Ready? Implementing COSO's Updated Internal Controls Framework
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
 

En vedette

Internal controls in auditing
Internal controls in auditingInternal controls in auditing
Internal controls in auditing
Hardik Shah
 
internal control and control self assessment
internal control and control self assessmentinternal control and control self assessment
internal control and control self assessment
Manoj Agarwal
 
Internal control services
Internal control servicesInternal control services
Internal control services
sandesh mundra
 
Construction business training
Construction business   trainingConstruction business   training
Construction business training
veritama
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final Version
Duncan O. Ogutu; CPA, CFE
 
EY FSO Internal Audit Services_final
EY FSO Internal Audit Services_finalEY FSO Internal Audit Services_final
EY FSO Internal Audit Services_final
Vincent Jorna
 
IIA NL IAF.combining functions
IIA NL IAF.combining functionsIIA NL IAF.combining functions
IIA NL IAF.combining functions
Michel Kee
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
Tim Leech
 

En vedette (20)

Internal Control
Internal ControlInternal Control
Internal Control
 
Internal controls in auditing
Internal controls in auditingInternal controls in auditing
Internal controls in auditing
 
Recent COSO Internal Control and Risk Management Developments
Recent COSO Internal Control and Risk Management DevelopmentsRecent COSO Internal Control and Risk Management Developments
Recent COSO Internal Control and Risk Management Developments
 
internal control and control self assessment
internal control and control self assessmentinternal control and control self assessment
internal control and control self assessment
 
Effective Internal Controls by @EricPesik
Effective Internal Controls by @EricPesikEffective Internal Controls by @EricPesik
Effective Internal Controls by @EricPesik
 
The Top Skills That Can Get You Hired in 2017
The Top Skills That Can Get You Hired in 2017The Top Skills That Can Get You Hired in 2017
The Top Skills That Can Get You Hired in 2017
 
Risk management and internal control simplified powerpoint
Risk management and internal control simplified powerpointRisk management and internal control simplified powerpoint
Risk management and internal control simplified powerpoint
 
Review of NIST Security Controls SC-28 SC-10
Review of NIST Security Controls SC-28 SC-10Review of NIST Security Controls SC-28 SC-10
Review of NIST Security Controls SC-28 SC-10
 
Applying an Effective Control Environment to Integrated Reporting Through COS...
Applying an Effective Control Environment to Integrated Reporting Through COS...Applying an Effective Control Environment to Integrated Reporting Through COS...
Applying an Effective Control Environment to Integrated Reporting Through COS...
 
Internal control services
Internal control servicesInternal control services
Internal control services
 
Đánh giá lựa chọn dự án đầu tư kinh doanh
Đánh giá lựa chọn dự án đầu tư kinh doanhĐánh giá lựa chọn dự án đầu tư kinh doanh
Đánh giá lựa chọn dự án đầu tư kinh doanh
 
NIST IT Standards for Local Governments 2010
NIST IT Standards for Local Governments 2010NIST IT Standards for Local Governments 2010
NIST IT Standards for Local Governments 2010
 
Construction business training
Construction business   trainingConstruction business   training
Construction business training
 
Risk Management and Internal Control in the Public Sector
Risk Management and Internal Control in the Public SectorRisk Management and Internal Control in the Public Sector
Risk Management and Internal Control in the Public Sector
 
Best Practices in Model Risk Audit
Best Practices in Model Risk AuditBest Practices in Model Risk Audit
Best Practices in Model Risk Audit
 
Portifólio de patrocínio Global Risk Meeting 2011
Portifólio de patrocínio Global Risk Meeting  2011Portifólio de patrocínio Global Risk Meeting  2011
Portifólio de patrocínio Global Risk Meeting 2011
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final Version
 
EY FSO Internal Audit Services_final
EY FSO Internal Audit Services_finalEY FSO Internal Audit Services_final
EY FSO Internal Audit Services_final
 
IIA NL IAF.combining functions
IIA NL IAF.combining functionsIIA NL IAF.combining functions
IIA NL IAF.combining functions
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
 

Similaire à Coso internal control integrated framework

Implementing Internal Audit Governance
Implementing Internal Audit GovernanceImplementing Internal Audit Governance
Implementing Internal Audit Governance
Aswin Kumar
 
Covering Your Bases McDonald
Covering Your Bases McDonaldCovering Your Bases McDonald
Covering Your Bases McDonald
EDR
 
Spire Brief - Risk Consulting
Spire Brief - Risk ConsultingSpire Brief - Risk Consulting
Spire Brief - Risk Consulting
Prashant Jain
 
dt_mt_SREP_Pub_Transformation
dt_mt_SREP_Pub_Transformationdt_mt_SREP_Pub_Transformation
dt_mt_SREP_Pub_Transformation
Mark Micallef
 
Coso internal control integrated framework

1. Enterprise Risk Services, December 2011
COSO Internal Control–Integrated Framework, Exposure Draft, December 2011

2. What is COSO?
The COSO (Committee of Sponsoring Organizations of the Treadway Commission) is a private sector initiative, jointly sponsored and funded by:
• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)

3. Internal Control-Integrated Framework
• First published in 1992
• Gained wide acceptance following financial control failures of the early 2000s
• Most widely used framework in the US
• Also widely used around the world
(Figure: Original COSO Cube)

4. Methodology
• Background
‒ Project announced in November 2010
‒ To make the existing Framework and related evaluation tools more relevant in the increasingly complex business environment
‒ PricewaterhouseCoopers, as the original author, conducted this project
‒ Not intended to change how internal control is defined, assessed, or managed, but rather to provide greater clarity and more comprehensive and relevant conceptual guidance
• Project Structure
‒ Advisory Council comprising representatives from industries, academia, government agencies, and non-profit organizations
‒ Updated Framework is being exposed to the public to capture additional input
• Approach
‒ Assess and Envision
‒ Build and Design
‒ Preparation for Public Exposure
‒ Finalization

5. Summary of Changes to the 1992 Version
• Applies a principles-based approach
• Clarifies the role of objective-setting in internal control
• Reflects the increased relevance of technology
• Enhances governance concepts
• Expands the reporting category of objectives
• Enhances consideration of anti-fraud expectations
• Considers different business models and organizational structures

6. What is internal control?
Internal Control is a _______ effected by an entity’s _______ ____________________________________ designed to provide _________ assurance regarding the achievement of ________ in the following categories:
• Effectiveness & efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.
(Fill-in answers, in order: process; board of directors, management and other personnel; reasonable; objectives)
7. Categories of Objectives
Operations:
• Improving Quality
• Reducing Costs
• Reducing Production Time
• Improving Innovation
• Improving Customer Satisfaction
• Improving Employee Satisfaction
• etc.
Reporting:
• External Financial Reporting Objectives
• External Non-Financial Reporting Objectives
• Internal Financial Reporting Objectives
• Internal Non-Financial Reporting Objectives
Compliance:
• Identifying Applicable Laws and Regulations
• Ensuring Compliance with Applicable Laws and Regulations

8. Components of Internal Control
(Figure: COSO cube; labels shown: Monitoring, Control Environment, Risk Assessment, Control Activities)

9. A Principles-Based Approach
Five components, 17 principles, 81 attributes:
• Control Environment: 5 principles, 21 attributes
• Risk Assessment: 4 principles, 19 attributes
• Control Activities: 3 principles, 16 attributes
• Information and Communication: 3 principles, 14 attributes
• Monitoring Activities: 2 principles, 11 attributes

10. A Principles-Based Approach
The 17 principles apply to Operations Objectives, Reporting Objectives and Compliance Objectives.

11. Principles and Attributes Relating to Components of Internal Control
12. Principles Relating to Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

13. Attributes Relating to Control Environment
Principle 1: Demonstrates Commitment to Integrity and Ethical Values
1. Sets the Tone at the Top
2. Establishes Standards of Conduct
3. Evaluates Adherence to Standards of Conduct
4. Addresses Deviations in a Timely Manner

14. Attributes Relating to Control Environment
Principle 2: Exercises Oversight Responsibility
1. Establishes Board of Directors Oversight Responsibilities
2. Retains or Delegates Oversight Responsibilities
3. Applies Relevant Expertise
4. Operates Independently
5. Provides Oversight

15. Attributes Relating to Control Environment
Principle 3: Establishes Structure, Authority, and Responsibility
1. Considers All Structures of the Entity
2. Establishes Reporting Lines
3. Defines, Assigns, and Limits Authorities and Responsibilities

16. Attributes Relating to Control Environment
Principle 4: Demonstrates Commitment to Competence
1. Establishes Policies and Practices
2. Attracts, Develops, and Retains Individuals
3. Evaluates Competence and Addresses Shortcomings
4. Plans and Prepares for Succession

17. Attributes Relating to Control Environment
Principle 5: Enforces Accountability
1. Enforces Accountability through Structures, Authorities, and Responsibilities
2. Establishes Performance Measures, Incentives, and Rewards
3. Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance
4. Considers Excessive Pressures
5. Evaluates Performance and Rewards or Disciplines Individuals

18. Principles Relating to Risk Assessment
1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. The organization identifies and assesses changes that could significantly impact the system of internal control.

19. Attributes Relating to Risk Assessment
Principle 6: Specifies Relevant Objectives
1. Considers Tolerance for Risk / Required Level of Precision / Materiality
2. Complies with Externally Established Standards and Frameworks / Complies with Applicable Accounting Standards / Reflects External Laws and Regulations
3. Reflects Management’s Choices
4. Reflects Entity Activities
5. Includes Operations and Financial Performance Goals
6. Forms Basis for Committing of Resources

20. Attributes Relating to Risk Assessment
Principle 6: Specifies Relevant Objectives
Attributes Relating to Operations Objectives
• Considers Tolerances for Risk
• Reflects Management’s Choices
• Includes Operations and Financial Performance Goals
• Forms Basis for Committing of Resources

21. Attributes Relating to Risk Assessment
Principle 6: Specifies Relevant Objectives
Attributes Relating to Reporting Objectives: External Financial Reporting
• Considers Materiality
• Complies with Applicable Accounting Standards
• Reflects Entity Activities

22. Attributes Relating to Risk Assessment
Principle 6: Specifies Relevant Objectives
Attributes Relating to Reporting Objectives: External Non-financial Reporting Objectives
• Complies with Externally Established Standards and Frameworks
• Reflects Entity Activities
• Considers the Required Level of Precision

23. Attributes Relating to Risk Assessment
Principle 6: Specifies Relevant Objectives
Attributes Relating to Reporting Objectives: Internal Reporting Objectives (financial and/or non-financial)
• Considers the Required Level of Precision
• Reflects Management’s Choices
• Reflects Entity Activities

24. Attributes Relating to Risk Assessment
Principle 6: Specifies Relevant Objectives
Attributes Relating to Compliance Objectives
• Considers Tolerances for Risk
• Reflects External Laws and Regulations

25. Attributes Relating to Risk Assessment
Principle 7: Identifies and Analyzes Risks
1. Involves Appropriate Levels of Management
2. Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
3. Analyzes Internal and External Factors
4. Estimates Significance of Risks Identified
5. Determines How to Respond to Risks

26. Attributes Relating to Risk Assessment
Principle 8: Assesses Fraud Risk
1. Considers Various Ways That Fraud Can Occur
2. Considers Risk Factors
3. Assesses Incentives and Pressures
4. Assesses Opportunities
5. Assesses Attitudes and Rationalizations

27. Attributes Relating to Risk Assessment
Principle 9: Identifies and Analyzes Significant Change
1. Assesses Changes in the External Environment
2. Assesses Changes in the Business Model
3. Assesses Changes in Leadership
28. Principles Relating to Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.

29. Attributes Relating to Control Activities
Principle 10: Selects and Develops Control Activities
1. Integrates with Risk Assessment
2. Determines Relevant Business Processes
3. Considers Entity-Specific Factors
4. Evaluates a Mix of Control Activity Types
5. Considers at What Level Activities Are Applied
6. Addresses Segregation of Duties

30. Attributes Relating to Control Activities
Principle 11: Selects and Develops General Controls over Technology
1. Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
2. Establishes Relevant Technology Infrastructure Control Activities
3. Establishes Relevant Security Management Process Control Activities
4. Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

31. Attributes Relating to Control Activities
Principle 12: Deploys through Policies and Procedures
1. Establishes Policies and Procedures to Support Deployment of Management’s Directives
2. Establishes Responsibility and Accountability for Executing Policies and Procedures
3. Performs Using Competent Personnel
4. Performs in a Timely Manner
5. Takes Corrective Action
6. Reassesses Policies and Procedures

32. Principles Relating to Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

33. Attributes Relating to Information and Communication
Principle 13: Uses Relevant Information
1. Identifies Information Requirements
2. Captures Internal and External Sources of Data
3. Processes Relevant Data into Information
4. Maintains Quality Throughout Processing
5. Considers Costs and Benefits

34. Attributes Relating to Information and Communication
Principle 14: Communicates Internally
1. Communicates Internal Control Information with Personnel
2. Communicates with the Board of Directors
3. Provides Separate Communication Lines
4. Selects Relevant Method of Communication

35. Attributes Relating to Information and Communication
Principle 15: Communicates Externally
1. Communicates to External Parties
2. Enables Inbound Communications
3. Provides Separate Communication Lines
4. Selects Relevant Method of Communication
5. Communicates with the Board of Directors

36. Principles Relating to Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

37. Attributes Relating to Monitoring Activities
Principle 16: Conducts Ongoing and/or Separate Evaluations
1. Considers a Mix of Ongoing and Separate Evaluations
2. Establishes Baseline Understanding
3. Uses Knowledgeable Personnel
4. Integrates with Business Processes
5. Objectively Evaluates
6. Adjusts Scope and Frequency
7. Considers Rate of Change

38. Attributes Relating to Monitoring Activities
Principle 17: Evaluates and Communicates Deficiencies
1. Assesses Results
2. Communicates Deficiencies to Management
3. Reports Deficiencies to Senior Management and the Board of Directors
4. Monitors Corrective Actions
40. Roles - Three Lines of Defense
• Management and other personnel on the front line provide the first line of defense, as they are responsible for maintaining effective internal control day to day; they are compensated based on performance in relation to all applicable objectives.
• Business-enabling functions such as risk, control, legal, and compliance provide the second line of defense, as they clarify internal control requirements and evaluate adherence to defined standards. While they are functionally aligned to the business, their compensation is not directly tied to performance of the area to which they render expert advice.

41. Roles - Three Lines of Defense
• Internal auditors provide the third line of defense, as they assess and report on internal control and recommend corrective actions or enhancements for management consideration and implementation; their position and compensation are separate and distinct from the business areas they review.

42. Responsible Parties - The Board of Directors and its Committees
The Board:
• has a key role in defining expectations on integrity and ethical values and internal control responsibilities.
• has a working knowledge of the entity’s activities and environment, and commits the time necessary to fulfill its governance responsibilities.
• utilizes resources as needed to investigate any issues, and has an open and unrestricted communications channel with all entity personnel, the internal auditors, independent auditors, external reviewers, and legal counsel.

43. Responsible Parties - The Board of Directors and its Committees
Board-level committees include:
• Audit Committee
• Compensation Committee
• Nomination/Governance Committee
• Other Committees

44. Responsible Parties - Chief Executive Officer
The Chief Executive Officer (CEO):
• is ultimately responsible for the effectiveness of the entity’s internal control system.
• sets the tone at the top that affects control environment factors and all other components of internal control.

45. Responsible Parties - Chief Executive Officer
The CEO fulfills this duty by:
• Providing leadership and direction to senior management. With the support of management, the CEO shapes the values, principles, and major operating policies that form the foundation of the entity’s internal control system.
• Meeting periodically with senior management from each of the operating units (e.g., research and development, production, marketing, sales) and major business-enabling functions (e.g., finance, human resources, legal, compliance, risk management).

46. Responsible Parties - Chief Executive Officer
The CEO fulfills this duty by:
• Defining metrics, targets, or other measurable expectations with which to gauge the ongoing and long-term effectiveness of the system of internal control. The methods of designing, implementing, and assessing internal control are delegated to management at different levels.

47. Responsible Parties - Chief Executive Officer
The CEO fulfills this duty by:
• Directing all management and other personnel to proactively identify threats to the system of internal control. Given the ever-increasing pace of change and networked interactions of business partners, customers, and employees, the sources of threat to an ongoing effective internal control system are constantly changing. The CEO expects senior management in particular to beware of making assumptions based on the traditional sources of threats to an effective internal control system.

48. Responsible Parties - Chief Financial Officer
The Chief Financial Officer (CFO):
• supports the CEO in front-line responsibilities, including internal control over financial reporting.
• is integrally involved when the entity’s strategies are decided, objectives are established, risks are analyzed, and decisions are made on how changes will be managed.
• provides valuable input and direction and is positioned to focus on evaluating and following up on the actions decided by management.
• is an equal partner with the other functional heads.

49. Responsible Parties - Other Members of Senior Management
Senior management comprises:
• Chief operating officer
• Chief administrative officer
• Chief risk officer
• Chief compliance officer
• Chief information officer
• Other senior leadership roles, depending on the nature of the business

50. Responsible Parties - Other Members of Senior Management
Senior management:
• guides the development and implementation of internal control policies and procedures that address the objectives of their functional or operating unit, and verifies that they are consistent with the entity-wide objectives.
• assigns responsibility for establishing even more specific internal control procedures to those personnel responsible for the unit’s functions or departments.

51. Responsible Parties - Business-Enabling Functions
Business-enabling functions:
• support the business through their specialized skills.
• provide guidance and assessment of internal control related to their areas of expertise.
• keep the organization informed of relevant requirements as they evolve over time.
• Their efforts are coordinated and integrated as appropriate.

52. Responsible Parties - Risk and Control Personnel
Risk and control personnel:
• provide specialized skills and guidance to front-line management and other personnel, and evaluate internal control.
• identify known and emerging risks.
• help management develop processes to manage relevant risks.
• communicate and provide education on these processes across the organization.
• evaluate and report on the effectiveness of such processes.
• are not responsible for executing controls, but support

53. Responsible Parties - Internal Auditors
Internal auditors:
• provide assurance and advisory services over internal control.
• evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s oversight, operations, and information systems regarding:
‒ Reliability and integrity of financial and operational information.
‒ Effectiveness and efficiency of operations and programs.
‒ Safeguarding of assets.
‒ Compliance with laws, regulations, policies, procedures, and contracts.

54. Responsible Parties - External Parties
External parties include:
• Outsourced Service Providers
• Business Partners and Other Parties Interacting with the Entity
• Independent Auditors
• External Reviewers
• Legislators and Regulators
• Financial Analysts, Bond Rating Agencies, and the News Media
56. Assessing Effectiveness
When controls are effective, the organization:
• Understands the extent to which operations are managed effectively and efficiently.
• Prepares reliable reports.
• Complies with applicable laws and regulations.

57. Assessing Effectiveness
• Each of the five components must be present and operate together.
• Effectiveness of internal control is assessed relative to the five components of internal control.
• Effectiveness of internal control can also be assessed relative to a specific part of the organizational structure.

58. Assessing Effectiveness
Determining whether a principle is present and functioning implies that the organization:
• Understands the intent of the principle and how it is being applied.
• Applies the principle consistently across the entity.
• Works to help personnel understand and apply the principle across the entity.
• Views omission of or non-conformity with a principle as an exception (i.e., not applying the wording, intent, and spirit of the principle is the exception rather than the norm).

59. Limitations of Internal Control
• Quality and suitability of objectives
• Judgment
• Breakdowns
• Management Override
• Collusion

60. What is not part of internal control?
• Many decisions reached by the board are not part of internal control
• Appropriateness of particular objectives selected
• Setting the overall level of acceptable risk and associated risk appetite
• Setting risk tolerance levels in relation to specific objectives
• Choosing which risk response is preferred to address specific risks

61. Q & A Session