The New COSO: Internal Control - Integrated Framework


The New COSO: Internal Control - Integrated Framework
September 17, 2014
Webinar
Presented in association with
2014 Rehmann

Presented by:
Stephen W. Blann, CPA, CGFM, CGMA
Director of Governmental Audit Quality
Rehmann

Session Outline
– Defining internal control
– Objectives, components, and principles
– Limitations on internal control
– Deficiencies in internal control
– Internal control over compliance
– Considerations for smaller entities

Overview of Internal Control
– Internal Control—Integrated Framework
  – COSO Report (1992 & 2013)
  – Committee of Sponsoring Organizations (AICPA, AAA, IIA, IMA, FEI)
  – Codified in Auditing Standards by AICPA, GAO, OMB, and PCAOB (SOX)

Defining Internal Control
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Defining Internal Control
Internal control is:
– Geared to the achievement of objectives in one or more separate but overlapping categories: operations, reporting, compliance
– A process consisting of ongoing tasks and activities—a means to an end, not an end in itself
– Effected by people—not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control
– Able to provide reasonable assurance—but not absolute assurance—to an entity’s senior management and board of directors
– Adaptable to the entity structure—flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

Objectives, Components, & Principles
– Objectives: operations, reporting, compliance
– Components: control environment, risk assessment, control activities, information/communication, monitoring
– Principles: 17 concepts applicable to the 5 components
Each principle and component is applicable to each objective at each level of an organization.

Objectives
– Operations objectives:
  – Achievement of the entity’s basic mission and vision (effectiveness)
  – Safeguarding of assets (preservation and efficiency)
– Reporting objectives:
  – External vs. internal
  – Financial vs. non-financial
– Compliance objectives:
  – Laws and regulations
  – Provisions of grant agreements

Components and Principles: Control Environment
The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

Principle 1: Demonstrates Commitment to Integrity and Ethical Values
The organization demonstrates a commitment to integrity and ethical values.
– Sets the Tone at the Top
– Establishes Standards of Conduct
– Evaluates Adherence to Standards of Conduct
– Addresses Deviations in a Timely Manner

Principle 2: Exercises Oversight Responsibility
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
– Establishes Oversight Responsibilities
– Applies Relevant Expertise
– Operates Independently
– Provides Oversight for the System of Internal Control

Principle 3: Establishes Structure, Authority, and Responsibility
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
– Considers All Structures of the Entity
– Establishes Reporting Lines
– Defines, Assigns, and Limits Authorities and Responsibilities

Principle 4: Demonstrates Commitment to Competence
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
– Establishes Policies and Practices
– Evaluates Competence and Addresses Shortcomings
– Attracts, Develops, and Retains Individuals
– Plans and Prepares for Succession

Principle 5: Enforces Accountability
The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
– Enforces Accountability
– Establishes Performance Measures, Incentives, and Rewards
– Evaluates Measures, Incentives, and Rewards for Ongoing Relevance
– Considers Excessive Pressures
– Evaluates Performance and Rewards or Disciplines Individuals

Components and Principles: Risk Assessment
A dynamic and iterative process for identifying and assessing the possibility that an event will occur and adversely affect the achievement of objectives.

Principle 6: Specifies Suitable Objectives
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
– Reflects Management’s Choices
– Considers Tolerances for Risk
– Includes Operations and Financial Performance Goals
– Forms a Basis for Committing of Resources
– Complies with reporting/compliance frameworks

Principle 7: Identifies and Analyzes Risk
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
– Includes Entity, Subsidiary, Division, Operating Unit, & Functional Levels
– Analyzes Internal and External Factors
– Involves Appropriate Levels of Management
– Estimates Significance of Risks Identified
– Determines How to Respond to Risks

Principle 8: Assesses Fraud Risk
The organization considers the potential for fraud in assessing risks to the achievement of objectives.
– Considers Various Types of Fraud
– Assesses Incentives and Pressures
– Assesses Opportunities
– Assesses Attitudes and Rationalizations

Principle 9: Identifies and Analyzes Significant Change
The organization identifies and assesses changes that could significantly impact the system of internal control.
– Assesses Changes in the External Environment
– Assesses Changes in the Business Model
– Assesses Changes in Leadership

Components and Principles: Control Activities
The actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.

Principle 10: Selects/Develops Control Activities
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
– Integrates with Risk Assessment
– Considers Entity-Specific Factors
– Determines Relevant Business Processes
– Evaluates a Mix of Control Activity Types
– Considers at What Level Activities Are Applied
– Addresses Segregation of Duties

Principle 11: Selects and Develops General Controls over Technology
The organization selects and develops general control activities over technology to support the achievement of objectives.
– Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
– Establishes Relevant Technology Infrastructure Control Activities
– Establishes Relevant Security Management Process Control Activities
– Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

Principle 12: Deploys Policies and Procedures
The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Components and Principles: Information and Communication
The continual, iterative process of providing, sharing, and obtaining necessary information to carry out internal control responsibilities to support the achievement of the entity’s objectives.

Principle 13: Uses Relevant Information
The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
– Identifies Information Requirements
– Captures Internal and External Sources of Data
– Processes Relevant Data into Information
– Maintains Quality throughout Processing
– Considers Costs and Benefits

Principle 14: Communicates Internally
The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
– Communicates Internal Control Information
– Communicates with the Board of Directors
– Provides Separate Communication Lines
– Selects Relevant Method of Communication

Principle 15: Communicates Externally
The organization communicates with external parties regarding matters affecting the functioning of internal control.
– Communicates to External Parties
– Enables Inbound Communications
– Communicates with the Board of Directors
– Provides Separate Communication Lines
– Selects Relevant Method of Communication

Components and Principles: Monitoring Activities
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning.

Principle 16: Conducts Ongoing / Separate Evaluations
The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
– Considers a Mix of Ongoing and Separate Evaluations
– Considers Rate of Change
– Establishes Baseline Understanding
– Uses Knowledgeable Personnel
– Integrates with Business Processes
– Adjusts Scope and Frequency
– Objectively Evaluates

Principle 17: Evaluates and Communicates Deficiencies
The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
– Assesses Results
– Communicates Deficiencies
– Monitors Corrective Actions

Limitations of Internal Control
Internal control, no matter how well designed, implemented and conducted, can provide only reasonable assurance to management and the board of directors of the achievement of an entity’s objectives.
– Judgment
– External events
– Breakdowns
– Management override
– Collusion

Deficiencies in Internal Control
– Internal control deficiency: a shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives
– Major deficiency: an internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives

Assessing severity
[Diagram: severity scale ranging from internal control deficiencies to major deficiencies]

Responding to identified deficiencies
– Consider the control environment
– Assess risks
– Establish/revise policies and procedures
– Communicate changes
– Monitor results

Internal Control over Compliance
– Differences and similarities with IC over financial reporting
– Existing and new requirements for grants
– Auditor involvement / testing

Existing grant requirements:
– OMB Circulars A-102 Common Rule and A-110 Administrative Requirements
– Requires management to establish and maintain internal controls designed to provide reasonable assurance of compliance with Federal laws, regulations and program compliance requirements

New Uniform Grant Guidance (2 CFR 200):
– Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award
– Follow COSO’s Integrated Framework
– Include written procedures

Auditor involvement / testing:
– Yellow Book engagements (material to financial statements)
– Single audit (material to major federal programs)
– Other (Medicare, etc.)

Considerations for Smaller Entities: COSO – One Size Fits All?
– In 2006, COSO issued a tailored version of its 1992 report, entitled Guidance for Smaller Public Companies (now in Appendix C)
– Not specifically targeted at governments, but helpful nonetheless
– Emphasizes the cost vs. benefit principle of internal control

Cost vs. Benefit
– Entities always have limits on human and capital resources and constraints on how much they can spend, and therefore they will often consider the costs relative to the benefits of alternative approaches in managing internal control options
  – Cost alone is not an acceptable reason to avoid implementing internal control

“Small” vs. “Smaller”
– There is no “bright line” to define governments as small, medium-size or large
  – Fewer types of services provided
  – Fewer personnel, many having a wider range of duties
  – Fewer levels of management, with wider spans of control
  – Less complex transaction processing systems and protocols

Challenges for Smaller Governments
– Maintaining cost-effective internal control:
  – Managers that view internal control as a burden, rather than a benefit
  – Obtaining sufficient resources for adequate segregation of duties
  – Management’s ability to dominate activities and override internal control
  – Recruiting/retaining personnel with sufficient experience and skill in financial reporting and/or computer information systems
– Potential solutions:
  – Wide and direct control from the top
  – Effective governing bodies
  – Compensating for limited segregation of duties
  – Information technology
  – Monitoring activities

Control from the Top
– Smaller governments may have one or more members of senior management that have an in-depth understanding of virtually all of the government’s operations
  – Can enhance effectiveness of internal control
  – Enables leaders to know what to expect and follow up on differences
  – Adds to risk of management override

Effective Governing Bodies
– Smaller governments have less complex structures, and may have more involved boards
  – Direct exposure to management
  – Careful review of monthly reporting, with follow-up questions
  – Extensive public transparency

Considerations for Smaller Entities: Compensating for Limited SoD
– When it isn’t practical to fully segregate all duties, introduce supervision and review
  – Two sets of eyes are better than one
  [Diagram: A/P and Payroll each have a “Do” step and a “Review” step, split between Employee A and Employee B so that each reviews the other’s work]

Information Technology
– Smaller governments tend to rely on “off-the-shelf” software
  – Not risk-free, but lower risk
  – Built-in features for limiting access
  – Be sure to use audit trails, flags, and exception reports if available
– Securing important spreadsheets from accidental or unauthorized changes
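One way to turn the two-employee cross-review arrangement from the SoD slide into the kind of exception report the IT slide recommends, written here as an added Python example that is not part of the webinar or of COSO's guidance; the review matrix, employee names, process keys and transaction records are constructed for illustration, and a real system would read them from the accounting package's audit trail:

```python
"""Maker-checker (segregation-of-duties) check with an exception report.

Added example, not taken from the Rehmann slides or from COSO. The review
matrix mirrors the two-employee A/P and payroll arrangement described in the
slides; the employee names, transaction records and amounts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed cross-review matrix: each employee prepares one process and
# reviews the other, so every transaction gets a second set of eyes.
REVIEW_MATRIX: Dict[str, Dict[str, str]] = {
    "AP":      {"preparer": "EmployeeA", "reviewer": "EmployeeB"},
    "PAYROLL": {"preparer": "EmployeeB", "reviewer": "EmployeeA"},
}


@dataclass
class Transaction:
    tx_id: str
    process: str                 # key into REVIEW_MATRIX
    amount: float
    prepared_by: str
    reviewed_by: Optional[str]   # None = no review recorded


def check_transaction(tx: Transaction,
                      matrix: Dict[str, Dict[str, str]] = REVIEW_MATRIX) -> List[str]:
    """Return the control exceptions for one transaction (empty list = clean).

    Checks, in order: the process is covered by the review matrix, a reviewer
    was recorded, preparer and reviewer are different people, and both match
    the roles the matrix assigns. Several findings can apply to one record.
    """
    roles = matrix.get(tx.process)
    if roles is None:
        return [f"{tx.tx_id}: process {tx.process!r} has no entry in the review matrix"]

    issues: List[str] = []
    if tx.reviewed_by is None:
        issues.append(f"{tx.tx_id}: no reviewer recorded")
    elif tx.reviewed_by == tx.prepared_by:
        issues.append(f"{tx.tx_id}: preparer and reviewer are the same person ({tx.prepared_by})")

    if tx.prepared_by != roles["preparer"]:
        issues.append(f"{tx.tx_id}: prepared by {tx.prepared_by}, expected {roles['preparer']}")
    if tx.reviewed_by is not None and tx.reviewed_by != roles["reviewer"]:
        issues.append(f"{tx.tx_id}: reviewed by {tx.reviewed_by}, expected {roles['reviewer']}")
    return issues


def exception_report(transactions: List[Transaction],
                     matrix: Dict[str, Dict[str, str]] = REVIEW_MATRIX) -> Dict[str, List[str]]:
    """Map each non-compliant transaction id to its list of findings.

    This is the exception report a supervisor would review: only records that
    failed the control appear, so a clean batch returns an empty dict.
    """
    report: Dict[str, List[str]] = {}
    for tx in transactions:
        findings = check_transaction(tx, matrix)
        if findings:
            report[tx.tx_id] = findings
    return report


# Constructed sample batch: two clean records and four control failures.
SAMPLE_BATCH = [
    Transaction("T1", "AP",      1200.00, "EmployeeA", "EmployeeB"),  # clean
    Transaction("T2", "PAYROLL", 8500.00, "EmployeeB", "EmployeeA"),  # clean
    Transaction("T3", "AP",       400.00, "EmployeeA", "EmployeeA"),  # self-review
    Transaction("T4", "PAYROLL", 9100.00, "EmployeeB", None),         # never reviewed
    Transaction("T5", "AP",       250.00, "EmployeeB", "EmployeeA"),  # roles swapped
    Transaction("T6", "TRAVEL",   180.00, "EmployeeA", "EmployeeB"),  # uncovered process
]

if __name__ == "__main__":
    for tx_id, findings in exception_report(SAMPLE_BATCH).items():
        for line in findings:
            print(line)
```

The self-review case (T3) is the one the slide is really about: with only two people, the control is not "someone else was in the system" but "the preparer is never the reviewer", and that rule has to be checked on every record, not assumed from the org chart. The uncovered-process case (T6) shows why the matrix itself needs a monitoring control: a new process that nobody added to the matrix would otherwise pass silently.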

Considerations for Smaller Entities: Monitoring Activities
– Monitoring is an important part of the COSO Framework.
  – Management of smaller governments regularly perform such procedures, but have not always taken sufficient “credit” for their contribution to internal control effectiveness
  – Usually performed manually, but may rely on technology

Controls vs. Processes
– It is easy to confuse the processes used to create transactions with the controls designed to prevent or detect errors in those transactions
– Smaller governments frequently use IT systems to process financial transactions, but design manual controls to review the output of those systems

Automated vs. Manual Controls
– Generally Accepted Auditing Standards (GAAS) recognize the difference between automated and manual controls (AU-C 315.A53)
  – Manual controls may be independent of IT or may use information produced by IT
  – Smaller governments may need to rely more heavily on manual controls in the absence of a comprehensive set of IT controls

Considerations for Smaller Entities: Achieving Further Efficiencies
– Controls should focus on financial reporting objectives directly applicable to the government’s activities and services:
  – Risk-based approach to internal control
  – Right-sizing documentation
  – Viewing internal control as an integrated process

Focusing on Risk
– Risk-based controls focus on quantitative and qualitative factors that potentially impact the reliability of financial reporting
  – Identify transactions or processes where something could go wrong
  – Assess likelihood and significance
  – Design controls specifically tailored to those risks
  – Don’t rely on generic controls designed for “typical” governments without modification

Right-Sizing Documentation
red·tape, noun: excessive regulation or rigid conformity to formal rules that is considered redundant or bureaucratic and hinders or prevents action or decision-making
– Smaller governments should determine the nature and extent of their documentation needs
  – Promote consistency
  – Provide evidence of control effectiveness
  – While smaller governments may not require as formal documentation, certain elements (such as risk assessment) cannot be performed entirely in the CFO’s head

Viewing IC as an Integrated Process
– Remember the interrelationship of the components
  [Diagram of the interrelated components, including Risk Assessment, Control Activities, and Information and Communication]
– Management has flexibility in choosing controls
– Should adjust and improve controls over time
– Effectiveness is measured overall, not by element

Final Thoughts
– Remember the objective of internal control
– Design controls that are consistent with the government’s risk assessment and resources
– Mitigate deficiencies in internal control with as much supervision and review as possible
  – Management
  – Governing body
  – Others within the organization

Questions?

For more information:
Stephen W. Blann, CPA, CGFM, CGMA
Director of Governmental Audit Quality
.com/government
