Internal Controls
Presented By: Trey Long, CPA
April 20, 2016
Agenda
• Overview
– Background
– Key changes
– Overview of Updated COSO Framework
• Internal Control Integrated Framework
– Principles and Points of Focus
• The GAO Green Book
• Limitations of Internal Control
• Transition and Impact
– Application and Timing
– Implementation Considerations
Overview Of The Updated Framework
COSO Background
• COSO (the Committee of Sponsoring Organizations of the Treadway Commission) released its original guidance, Internal Control – Integrated Framework, in 1992.
• The document was recognized as the leading framework for designing, implementing and conducting internal control and assessing the effectiveness of internal control.
COSO Publications timeline: 1992, 2006, 2009, 2013
Original Framework: COSO’s Internal Control–Integrated Framework (1992 Edition)
Updated Framework: COSO’s Internal Control–Integrated Framework (2013 Edition)
Refresh Objectives (Enhancements):
– Updates Context: reflect changes in business & operating environments
– Broadens Application: expand operations and reporting objectives
– Clarifies Requirements: articulate principles to facilitate effective internal control
COSO Framework Development
Environmental Changes Prompting Revision
• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexities in business
• Demands and complexities in laws, rules, regulations and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud
Overview of Changes
What Did Not Change
• Core definition of internal control
• Three categories of objectives and five components of internal control
• Each of the five components is required for effective internal control
• Role of judgment in designing, implementing, and conducting internal control, and in assessing effectiveness
What Changed
• Changes in business and operating environments considered
• Operations and reporting objectives expanded
• Fundamental concepts underlying the five components outlined in 17 principles
• Additional approaches and examples relevant to operations, compliance, and non‐financial reporting objectives added
• Certain key areas of concern are specifically addressed, such as fraud and the role of technology.
Overview of the Framework
COSO Outlines:
– Definition of internal control
– Categories of objectives
– Components and principles of internal control
– Requirements for effectiveness
Updated COSO Framework – Internal Control
Definition of Internal Control:
• “Internal Control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
Updated COSO Framework – Objectives
Categories of Objectives:
• Operations
• Reporting
– Previously “Financial Reporting”. Now includes other types of reporting such as non‐financial and internal reporting.
• Compliance
Updated COSO Framework – Components
Five Components of Internal Control:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring Activities
Updated COSO Framework – Principles
Control Environment:
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment:
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities:
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication:
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities:
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Updated COSO Framework – Requirements for Effectiveness
• Each principle must be present and functioning for the related component to be considered present and functioning.
– Present – relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives
– Functioning – relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives
• Auditor Assessment: “Design and Implementation”
Role of Internal Controls
• The Framework does not prescribe the controls to be selected, developed, and deployed for effective internal control
• Not one‐size‐fits‐all
• Management judgment based on factors unique to the entity
• A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles
• However, understanding and considering how controls affect multiple principles can provide persuasive evidence supporting management’s assessment of whether components and relevant principles are present and functioning
Role of Internal Controls
Which of the following statements related to internal control is false?
a) Internal controls can never be designed to prevent all possible failures.
b) Internal controls can provide reasonable, but not absolute assurance.
c) Policies and procedures are the foundation of internal control.
d) Costs and benefits should be considered as part of any internal control.
Internal Control – Integrated Framework
Internal Control Principles
• Points of Focus are an evaluation tool and may not all be applicable to each principle.
• Documentation related to internal control must address each of the 17 principles and whether they are present and functioning, but does not have to touch on each Point of Focus.
5 Components
17 Principles
83 Points of Focus
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Control Environment Principle 1
Control Environment Component (Principle 1)
• The organization demonstrates a commitment to integrity and ethical values
• Points of Focus:
– Sets the tone at the top
– Establishes standards of conduct
– Evaluates adherence to standards of conduct
– Addresses deviations in a timely manner
Control Environment Principle 1
Implementation:
• Demonstrate through directives, actions, and behaviors
• Expectations concerning integrity and ethical values
• Evaluate against expected standards
• Deviations are identified and remedied timely
Control Environment Principle 2
Exercises oversight responsibility
• Points of focus:
– Establishes oversight responsibilities
– Retains oversight for the system of internal control
– Applies relevant expertise
– Operates independently
Control Environment Principle 2
Implementation:
• Clear outline of oversight responsibility (i.e., those charged with governance) and what the oversight role entails
Control Environment Principle 3
Establishes structure, authority and responsibility
• Points of focus:
– Considers all structures of the entity
– Establishes reporting lines
– Defines, assigns, and limits authorities and responsibilities
Control Environment Principle 3
Implementation:
• Management reviews the assignment of authorities and responsibilities
• Job descriptions are maintained and updated
• Management provides sufficient direction
• Appropriate chain of command and assignment of responsibilities based on individual capabilities
• Accountability mechanisms in place
Control Environment Principle 4
Demonstrates commitment to competence
• Points of focus:
– Establishes policies and practices
– Evaluates competence and addresses shortcomings
– Attracts, develops and retains individuals
– Plans and prepares for succession
Control Environment Principle 4
Implementation:
• Management identifies required skills and necessary experience
• Training needs are identified and delivered
• Management sets expectations for the question of defined standards
• Performance evaluation processes and incentives are established
Control Environment Principle 5
Enforces accountability
• Points of focus:
– Enforces accountability through structures, authorities and responsibilities
– Establishes performance measures, incentives and rewards
– Evaluates performance measures, incentives and rewards for ongoing relevance
– Considers excessive pressures
– Evaluates performance and rewards or disciplines individuals
Control Environment Principle 5
Enforces accountability
• Implementation:
– Management defines performance measures and rewards
– Management periodically evaluates the appropriateness of performance measures
– Management designs objective employee evaluation and compensation systems
Internal Control Examples: Control Environment
• Ethics & Conduct:
– Codes of conduct;
– Charters for the board and other senior executive committees; and
– Other human resource policies.
• Communication & Reinforcement:
– Providing information to new hires emphasizing senior management’s views about the importance of sound integrity and ethics;
– Providing employees with training on ethical conduct and standards of acceptable behavior; and
– Making ethics guidelines available in hardcopy or electronic form.
Internal Control Examples: Control Environment
• Communication Channels:
– Whistleblower or similar mechanisms to report potential violations;
– Access to independent parties (e.g., through secured Internet/intranet sites or e‐mail) who are responsible for dealing with submitted complaints; and
– Direct lines of communication to external legal counsel or other designated recipients.
• Taking Action:
– Investigating occurrences of possible violations to gain a thorough understanding of the issues and circumstances;
– Documenting the occurrences;
– Remedying the situation appropriately and in accordance with the entity’s prescribed guidelines on a consistent and timely basis; and
– Following up to support continued compliance.
Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Risk Assessment (figure; source: Fraud‐Related Internal Controls ‐ ACFE)
Risk Assessment Principle 6
Specifies suitable operations objectives
• Points of focus:
– Reflects management’s choices
– Considers tolerances for risk
– Includes operations and financial performance goals
– Forms a basis for committing of resources
Risk Assessment Principle 6
Specifies suitable external financial reporting objectives
• Points of focus:
– Complies with applicable accounting standards
– Considers materiality
– Reflects entity activities
Risk Assessment Principle 6
Specifies suitable external non‐financial reporting objectives
• Points of focus:
– Complies with externally established standards and frameworks
– Considers the required level of precision
– Reflects entity activities
Risk Assessment Principle 6
Specifies suitable internal reporting objectives
• Points of focus:
– Reflects management’s choices
– Considers the required level of precision
– Reflects entity activities
Risk Assessment Principle 6
Specifies suitable compliance objectives
• Points of focus:
– Reflects external laws and regulations
– Considers tolerances for risks
Risk Assessment Principle 7
Identifies and analyzes risk
• Points of focus:
– Includes entity, subsidiary, division, operating unit, and functional levels
– Analyzes internal and external factors
– Involves appropriate levels of management
– Estimates significance of risks identified
– Determines how to respond to risks
Risk Assessment Principle 7
Which of the following may provide for an increased risk of an employee committing fraud?
a) Employees have not been given raises in over 2 years.
b) An employee is facing financial hardships at home.
c) A poor internal control environment.
d) All of the above.
Risk Assessment Principle 7
Identifies and analyzes risk
• Implementation:
– Risk assessment includes details related to identification, analysis, and response
– Incorporates the concepts of inherent risk
– Considers velocity and persistence of risk
– Incorporates consideration of outsourced service providers
Risk Assessment Principle 8
Risk Assessment Component (Principle 8)
• The organization considers the potential for fraud in assessing risks to the achievement of objectives
• Points of Focus:
– Considers various types of fraud
– Assesses incentives and pressures
– Assesses opportunities
– Assesses attitudes and rationalizations
Risk Assessment Principle 8
• Fraud is more than misappropriation of assets or fraudulent financial reporting.
– Non‐financial data can be modified to enhance safety reporting, show milestones needed for pay raises or to allow unauthorized use or disposal of assets.
• The presence of anti‐fraud controls is effective at reducing fraud loss, but the risk cannot be completely eliminated.
Risk Assessment Principle 8
Assesses fraud risk
• Implementation:
– Incorporates the concept of fraud risk assessment
– Considerations related to various types of fraud
– Evaluating incentives and pressures, opportunities, and attitudes and rationalizations (the fraud triangle)
– Identify the various ways that fraudulent financial reporting can occur
ACFE Report To The Nations
• ACFE 2014 Report
– Organizations lose an estimated 5% of revenues annually
– Median loss = $145,000
– Detection of frauds:
• Tips 42%
• External audit 3%
Fraud Detection (figure: 2014 Report to the Nations, ACFE)
Anti‐Fraud Controls (figure: 2014 Report to the Nations, ACFE)
Primary Internal Control Weaknesses (figure: 2014 Report to the Nations, ACFE)
Behavioral Red Flags (figure: 2014 Report to the Nations, ACFE)
Risk Assessment Principle 9
Identifies and analyzes significant change
• Points of focus:
– Assesses changes in the external environment
– Assesses changes in the business model
– Assesses changes in leadership
Risk Assessment Principle 9
Identifies and analyzes significant change
• Implementation:
– Importance of assessing the impact on internal controls from changes in the external environment, business model, operations, technology, and leadership
– Staff‐level changes can be relevant as well
Internal Control Examples: Risk Assessment
Identifying & Assessing Risks:
– Establishment of clear entity‐wide objectives that are consistent with its business plans and budgets;
– Establishment of objectives for key activities that are consistent with and linked to the entity‐wide objectives and strategies; and
– Identification of the resources and critical factors that are important to achieving its objectives (e.g., financing, personnel, facilities, and technology).
– Periodic reviews of economic and industry factors;
Internal Control Examples: Risk Assessment
Identifying & Assessing Risks (Continued):
– Consideration of the entity’s industry and the geographic region where it does business;
– Periodic interactions with external parties, such as customers, buyers, intermediaries, suppliers, and creditors;
– Reviewing and evaluating competitors’ actions;
– Internal strategy and operational meetings;
– Consultation with legal counsel regarding the implication of new legislation
Changes That May Cause New Risks
• Changes in operating environment;
• New personnel;
• New or revamped information systems;
• Rapid growth;
• New technology;
• New business models, products, or activities;
• Organizational restructurings; and
• New accounting pronouncements or other financial reporting requirements.
Internal Control Examples: Risk Assessment
Response to Risks:
– Supervision of employees in key positions;
– Procedures to assess the effects of new or redesigned information systems and to monitor new technologies;
– Procedures to handle increasing volumes of information;
– Analyzing the impact of staff reassignments and reductions for their effect on employee morale and operations; and
– Consideration of customer demand, production capabilities and profitability.
Risk Strategies
• Avoidance – Do not proceed!
• Mitigation – Improve controls to reduce likelihood/impact
• Transfer – Shift responsibility to an external party
• Acceptance – Accept the risk!
• Creation – Seek risk activities strategically to maximize opportunities
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Control Activities
Preventive Control – Prevents the occurrence of a negative event in a proactive manner
Examples:
• Approval for purchase > $5,000
• Passwords for access to G/L System
• Petty cash held in lockbox
• Security and surveillance systems
• Pre‐numbered checks
Detective Control – Detects the occurrence of a negative event after the fact in a reactive manner
Examples:
• Supervisor review & approval
• Report run showing user activity
• Reconcile petty cash
• Physical inventory count
• Review missing/voided checks
Control Activities
Control Activities
• If a weakness or limitation exists within the control environment, a compensating control may be relied upon to mitigate the risk
• Can be preventive or detective
• Example: A unit does not have the staff resources to establish an adequate segregation of duties. Potential compensating controls could include:
o Automation of certain transaction data that cannot be altered by the staff
o Manager review of detailed summary reports of the transactions initiated by the staff
o Peer staff and/or manager selects a sample of transactions and vouches back to supporting documentation
Control Activities
Manual Control – Requires action to be taken by employees, e.g.,
• Obtain supervisor’s approval for overtime
• Reconcile bank accounts
• Match receiving to POs
Automated Control – Built into network infrastructure and software applications, e.g.,
• Passwords
• Data entry validation checks
• Batch controls
Control Activities Principle 10
Selects and develops control activities
• Points of focus:
– Integrates with risk assessment
– Considers entity‐specific factors
– Determines relevant business processes
– Evaluates a mix of control activity types
– Considers at what level activities are applied
– Addresses segregation of duties
Control Activities Principle 10
Selects and develops control activities
• Implementation:
– Understand how transactions are initiated, authorized, processed, and recorded
– Formal metrics and criteria to identify items for investigation
– Consistent application and documentation of the review and investigation of outliers
Control Activities Principle 11
Control Activities Component (Principle 11)
• The organization selects and develops general control activities over technology to support the achievement of objectives.
• Points of Focus:
– Determines dependency between use of technology and GITC
– Establishes relevant technology infrastructure
– Establishes relevant security management process control activities
– Establishes relevant technology acquisition, development and maintenance process control activities
Control Activities Principle 11
Why is technology so critical?
• Technology is essential to support the entity’s objectives
• The Framework uses “technology” to refer to computer systems, including software applications and operational control systems
• Technology creates both opportunities and risk
• The framework principles do not change with the application of technology
• Environments vary in size, complexity and extent of integration
Control Activities Principle 11
Selects and develops general controls over technology
• Implementation:
– Dedication of sufficient resources to technology considerations, particularly given increasingly extensive reliance by all organizations on technology
– Much like accounting, the importance of the IT function cannot be ignored
Control Activities Principle 12
Deploys through policies and procedures
• Points of focus:
– Establishes policies and procedures to support deployment of management’s directives
– Establishes responsibility and accountability for executing policies and procedures
– Performs in a timely manner
– Takes corrective action
– Performs using competent personnel
– Reassesses policies and procedures
Control Activities Principle 12
Deploys through policies and procedures
• Implementation:
– Initiation, authorization, tracking, and analysis of transactions
– Design and execution
– Testing and quality assurance
– Data conversion
– Program implementation and go‐live authorization
– Documentation and training
Five Key Internal Control Activities…
1. Segregation of Duties
• Divide responsibilities between different employees so one individual doesn’t control all aspects of a transaction.
• Reduce the opportunity for an employee to commit and conceal errors (intentional or unintentional) or perpetrate fraud.
Segregation of Duties (figure; source: Fraud‐Related Internal Controls ‐ ACFE)
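The deck's preventive threshold control (approval for purchases over $5,000), its detective "report run showing user activity", the compensating controls for a unit too small to segregate duties (manager review of transaction reports, sampling and vouching), and the segregation-of-duties activity above can all be exercised over one transaction log. The following is an added example, not code from the presentation or from COSO; the transaction fields, user names, finding codes and the conflict rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import random

# Preventive control from the deck: purchases above this amount require approval.
APPROVAL_THRESHOLD = 5000.00


@dataclass(frozen=True)
class Transaction:
    """One purchase-to-pay record (field names are assumptions for this example)."""
    txn_id: str
    amount: float
    initiated_by: str              # who entered the purchase
    approved_by: Optional[str]     # who approved it; None when no approval was recorded
    vendor_created_by: str         # who set up the payee in the vendor master file


def check_transaction(txn: Transaction) -> List[str]:
    """Return finding codes for one transaction (empty list when clean)."""
    findings: List[str] = []
    # Approval threshold not enforced: the preventive control was bypassed.
    if txn.amount > APPROVAL_THRESHOLD and txn.approved_by is None:
        findings.append("MISSING_APPROVAL")
    # One person both initiated and approved the same transaction.
    if txn.approved_by is not None and txn.approved_by == txn.initiated_by:
        findings.append("SELF_APPROVAL")
    # Vendor set-up combined with payment approval lets one person pay a fictitious vendor.
    if txn.approved_by is not None and txn.approved_by == txn.vendor_created_by:
        findings.append("VENDOR_SETUP_AND_APPROVAL")
    # Vendor set-up combined with initiating the purchase is the same conflict at the entry step.
    if txn.initiated_by == txn.vendor_created_by:
        findings.append("VENDOR_SETUP_AND_INITIATION")
    return findings


def run_review(txns: List[Transaction]) -> List[Tuple[str, str]]:
    """Detective control: the exception report a supervisor reviews, as (txn_id, finding) pairs."""
    return [(t.txn_id, code) for t in txns for code in check_transaction(t)]


def users_with_conflicting_duties(txns: List[Transaction]) -> Set[str]:
    """Users who created vendors AND approved payments anywhere in the log: a standing SoD conflict."""
    creators = {t.vendor_created_by for t in txns}
    approvers = {t.approved_by for t in txns if t.approved_by is not None}
    return creators & approvers


def sample_for_vouching(txns: List[Transaction], n: int, seed: int = 0) -> List[Transaction]:
    """Compensating control: pick n transactions for a manager to vouch to supporting documents.
    A seeded generator makes the selection reproducible for the reviewer's work papers."""
    return random.Random(seed).sample(txns, min(n, len(txns)))


# Constructed sample log (not real data).
SAMPLE_LOG = [
    Transaction("T-1001", 1200.00, "alice", "bob", "carol"),    # clean
    Transaction("T-1002", 7500.00, "alice", None, "carol"),     # over threshold, no approval
    Transaction("T-1003", 4200.00, "bob", "bob", "carol"),      # self-approved
    Transaction("T-1004", 9800.00, "dave", "carol", "carol"),   # approver created the vendor
    Transaction("T-1005", 300.00, "erin", "bob", "erin"),       # initiator created the vendor
]

if __name__ == "__main__":
    for txn_id, code in run_review(SAMPLE_LOG):
        print(f"{txn_id}: {code}")
    print("standing SoD conflicts:", sorted(users_with_conflicting_duties(SAMPLE_LOG)))
    print("sample to vouch:", [t.txn_id for t in sample_for_vouching(SAMPLE_LOG, 2, seed=1)])
```

Per-transaction checks catch a bypassed approval or a self-approval on the record itself; the user-level check is what the deck's "manager review of detailed summary reports" is meant to surface, namely a person who holds two conflicting duties across the period even when no single record shows both. The sample is drawn with a fixed seed so the reviewer can document and repeat the selection.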
2. Documentation
Document & preserve evidence to substantiate:
• Critical decisions and significant events… typically involving the use, commitment, or transfer of resources.
• Transactions… enables a transaction to be traced from its inception to completion.
• Policies & Procedures… documents which set forth the fundamental principles and methods that employees rely on to do their jobs.
3. Authorization & Approvals
• Management documents and communicates which activities require approval, and by whom, based on the level of risk to the organization.
• Ensure that transactions are approved and executed only by employees acting within the scope of their authority granted by management.
Control Activities: Examples of Proper Authorization
• Customer credit
• New vendors
• Purchase order approval for goods or services
• Cash disbursements
• Hiring new employees
• Salary increases
• Payroll
4. Security of Assets
• Secure and restrict access to equipment, cash, inventory, confidential information, etc. to reduce the risk of loss or unauthorized use.
• Perform periodic physical inventories to verify existence, quantities, location, condition, and utilization.
• Base the level of security on the vulnerability of items being secured, the likelihood of loss, and the potential impact should a loss occur.
Security of Assets
• Restricting physical access
– Inventory
– Checks
– Cash registers
– Computer rooms
• Password protections
• Fireproof storage
5. Reconciliation & Review
• Examine transactions, information, and events to verify accuracy, completeness, appropriateness, and compliance.
• Base level of review on materiality, risk, and overall importance to organization’s objectives.
• Ensure frequency is adequate enough to detect and act upon questionable activities in a timely manner.
• Timing of reconciliations and monitoring
Internal Control Examples: Control Activities
Control Development Considerations:
• The type of control (i.e., manual or automated) and the frequency with which it operates;
• The complexity of the control;
• The risk of management override;
• The degree of judgment required to operate the control;
• The competence of the personnel who perform the control;
• Any changes in key personnel who perform the control;
• The nature and materiality of misstatements that the control is intended to prevent or detect;
• The degree to which the control relies on the effectiveness of other controls (e.g., general technology controls); and
• The evidence of the operation of the control from prior years.
Internal Control Examples: Control Activities
Technology Considerations:
• Technology infrastructure;
• Security management;
• End‐user computing development and maintenance; and
• Completeness and accuracy controls between the end‐user computing system and other systems
• Interaction/integration with third‐party service organizations
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Information & Communication
Things to communicate:
• Initiatives
• Goals
• Changes
• Opportunities
• Feedback
• Questions
• Answers
• Policies
• Procedures
• Standards
• Expectations
Information & Communication Principle 13
Uses relevant information
• Points of focus:
– Identifies information requirements
– Captures internal and external sources of data
– Processes relevant data into information
– Maintains quality throughout processing
– Considers costs and benefits
Information & Communication Principle 13
Uses relevant information
• Implementation:
– “Garbage in, garbage out”
– Identify and capture information used in control activities, processes, and functions
– Governance has access to information sources outside of management regularly
Information & Communication Principle 14
Communicates internally
• Points of focus:
– Communicates internal control information
– Communicates with the board of directors
– Provides separate communication lines
– Selects relevant method of communication
Information & Communication Principle 14
Communicates internally
• Implementation:
– Timeliness and relevance of communications
– Communications/reporting meet the needs of those on the receiving end
Information & Communication Principle 15
Communicates externally
• Points of focus:
– Communicates to external parties
– Enables inbound communications
– Communicates with the board of directors
– Provides separate communication lines
– Selects relevant method of communication
Information & Communication Principle 15
Communicates externally
• Implementation:
– Timeliness and relevance of communications
– Communications/reporting meet the needs of those on the receiving end
Internal Control Examples: Information & Communication
• The entity identifies and captures information used in controlling activities, processes, and functions, all of which lead to reliable financial reporting.
• The entity uses relevant information in preparing the financial statements:
– Data from business processes
– Data about the state of the economy
– Economic data affecting the industry and the entity’s position in the industry
– Other relevant data in developing the entity’s accounting estimates and adjusting entries.
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Monitoring Activities Principle 16
Conducts ongoing and/or separate evaluations
• Points of focus:
– Considers a mix of ongoing and separate evaluations
– Considers rate of change
– Establishes baseline understanding
– Uses knowledgeable personnel
– Integrates with business processes
– Adjusts scope and frequency
– Objectively evaluates
Monitoring Activities Principle 16
Conducts ongoing and/or separate evaluations
• Implementation:
– Develop a baseline understanding of the design and current state of internal controls
– Identify metrics that correlate to the completeness and accuracy of transactions
Monitoring Activities Principle 17
Evaluates and communicates deficiencies
• Points of focus:
– Assesses results
– Communicates deficiencies to parties responsible for corrective action and to senior management and the board of directors
– Monitors corrective actions
Monitoring Activities Principle 17
Evaluates and communicates deficiencies
• Implementation:
– Identify necessary changes in the design and conduct of internal controls that result from monitoring
– Evaluate changes in people, processes, and technology that may impact the design and implementation of controls
Internal Control Examples: Monitoring
• Management identifies metrics (e.g., current overtime in hours and dollars compared with expected and historical data for the month, quarter, and year) that correlate to the completeness and accuracy of financial transactions to provide ongoing evaluations of established control activities.
• When identifying metrics, management considers the processes and sub‐processes that should be monitored, and develops the appropriate measure and frequency for the evaluation.
• Procedures in place for identified metrics to be applied and compared to financial and/or other operating data.
Additional Resource: The GAO Green Book
The Green Book
• “Standards for Internal Control in the Federal Government”
• Published by the United States Government Accountability Office (GAO)
– Publisher of GAGAS, or the Yellow Book
• Last published in 1999
• New edition published September 10, 2014
The Green Book
Reasons for Revision
• Adapt to a more global, complex, and technological landscape
• Maintain relevancy to changing standards
• Harmonize Federal standards with the updated COSO framework
• Provide an updated framework to be used under proposed OMB Uniform Guidance for Federal Awards
The Green Book
Green Book vs. COSO
• Same 5 Components as COSO
• Same 17 Principles as COSO
• 47 “Attributes” vs. Points of Focus
• Attributes geared toward application in a governmental environment
The Green Book
Component                     COSO                               Green Book
Control Environment           5 Principles, 20 Points of Focus   5 Principles, 13 Attributes
Risk Assessment               4 Principles, 27 Points of Focus   4 Principles, 10 Attributes
Control Activities            3 Principles, 16 Points of Focus   3 Principles, 11 Attributes
Information & Communication   3 Principles, 14 Points of Focus   3 Principles, 7 Attributes
Monitoring                    2 Principles, 10 Points of Focus   2 Principles, 6 Attributes
The Green Book
Harmonization with COSO Example
• COSO (Principle 2): The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
• Green Book (Principle 2): The oversight body should oversee the entity’s internal control system.
Limitations of Internal Control
Internal Control: Daily Application
• Internal Controls are a process to accomplish a goal/objective – not just an additional requirement for the sake of doing more work.
• Consider controls used on a daily basis in our personal lives:
– Locking our cars and homes
– Reviewing personal credit card statement charges
– Checking expiration dates on food
– Looking both ways when crossing the road
• Controls Goal: Same second‐nature feeling
Internal Control: Myth vs. Fact
• Myth: Starts with a strong set of policies and procedures.
Fact: Starts with a strong control environment.
• Myth: Auditors (internal or external) are responsible for internal controls.
Fact: Management is the owner of internal control.
• Myth: We do it because the accounting department tells us to.
Fact: It’s everyone’s responsibility and should be an integral part of operations.
• Myth: Takes time away from core activities.
Fact: Should be built into, not onto, business processes.
• Myth: Strong controls will prevent fraud.
Fact: Controls provide reasonable, but not absolute, assurance.
Internal Control Limitations
• Inherent limitations to Internal Controls
– They are affected by people and technology
• “Internal controls are only as good as the people performing them”
• Opportunities for Human/Computer Error
• Collusion
– Reasonable, not absolute, assurance
• Importance of understanding the benefit of controls
• Costs vs. Benefits
Internal Control Reminders
Things to remember when utilizing the updated model:
• Not just a financial process
– Operational controls
– Non‐financial reporting
– Legal and regulatory compliance
• Third‐party service providers
– Management remains responsible for controls
– Third‐party provider’s controls still need to be considered
• Service Auditor report – SOC 1 (formerly SAS 70)
Additional Considerations
• Things to consider
− Changes in business/operations
− Does your system of internal control need to address changes in business?
− Does your system of internal control need to be updated to address all principles?
− Does your organization apply and interpret the original framework in the same manner as COSO?
− Is your organization considering new opportunities to apply internal control to cover additional objectives?
• Most common areas of weakness or lacking in controls:
– Risk Assessment
– Monitoring
• Focus on Key Objectives
– Then the most important/relevant controls
• Focus on Higher‐risk Areas
– Controls to mitigate higher risks are much more important than those in low‐risk areas
• Consider Overlapping Risks and Objectives
– May present an opportunity for efficiency
Additional Considerations
• Individuals must understand and believe in internal controls
– Those Charged with Governance
– Management/Department Heads
• Accounting
• All Other Departments
– Staff
• Accounting
• All Other Departments
• Education Opportunities
– Orientation and Training
– External Speakers (i.e., auditors)
Internal Controls Start with Education
Resources
• COSO Framework
– http://www.coso.org/IC.htm (for purchase)
• Green Book
– http://www.gao.gov/greenbook/overview
• Your Auditors
• Google