11/18/2018
TALLAHASSEE CHAPTER
COSO/Internal Control
Emphasize the Basics, Elevate the Standards
November 27-28, 2018
Amy Slack
Senior Contract Audit Supervisor
Florida Department of Transportation
Agenda
• Applicable IIA Red Book Standards
• Definitions of Internal Control
• Types of Internal Controls
• Benchmarks
• COSO
• GAO Green Book
• Internal Control deficiencies
• Limitation of Internal Controls
References
• The COSO website at www.coso.org
• The IIA – www.theiia.org
• AICPA – www.aicpa.org
• US Government Accountability Office – www.gao.gov
• OMB Circular A-133
• Sarbanes Oxley Act of 2002
• AICPA AU Section 325
International Professional Practices Framework (IPPF)® - 2017 Edition (Red Book)
• 2130 – Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Applicable IIA Standard
2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
• Achievement of the organization’s strategic objectives;
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures, and contracts.
Applicable IIA Standard
2130.C1 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.
IIA Red Book Definition
• Control is “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”
COSO Definition
• Internal Control is “A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiencies of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations”
AICPA Definition (AU Section 325)
“Internal control is a process - effected by those charged with governance, management and other personnel - designed to provide reasonable assurance about the achievement of the entity's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.”
Definition of Internal Control
• What is your definition of internal control?
• Who is responsible for internal controls?
Examples of Internal Controls
Think about what you do
  At home
  Your ATM/Debit card
  Your car
Think about what you do at work
Preventive - Detective
• Preventive – attempt to deter or stop an unwanted outcome before it happens. Examples: use of passwords, approval
• Detective – attempt to detect errors or irregularities that may have already occurred. Examples: reconciliations, monitoring of actual expenses vs. budget, prior periods, forecasts
Preventive - Detective
Preventive or Detective?
• Segregation of duties
• Access security
• Physical count
• Authorization
• Review of performance and processes
Preventive - Detective
Which is better - preventive or detective control?
Hard Controls vs Soft Controls
Hard Controls
• Formal
• Tangible
• Examples:
  Organizational structure
  Policies
  Procedures
Soft Controls
• Informal
• Intangible
• Examples:
  Ethical climate
  Integrity
  Trust
  Competence
Hard Controls vs Soft Controls
• Segregation of duties or ethical employees?
• Well-written and thorough policies and procedures or competent employees?
• Objective vs Subjective
Manual - Automated
• Manual Controls - manually performed; either
  solely manual, where no IT-generated reports are used, or
  IT-dependent, where a system-generated report is used to test a particular control
• Automated Controls - performed entirely by the computer system
Benchmarks
Some of the benchmarks/frameworks available:
• COSO - major accounting and audit professional organizations
• CoCo - Canadian Institute of Chartered Accountants
• UK Corporate Governance Code
Benchmarks
Why the need for a framework?
• Criteria in the framework provide a basis for:
  Understanding control in an organization
  Assessing the effectiveness of control
• Provide a standard review process
COSO
Background: COSO's five sponsoring organizations are the AAA, AICPA, FEI, IMA and IIA.
COSO’s Mission
• “…to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”
(www.coso.org/aboutus)
COSO - Components of Internal Control
Objectives of Internal Controls
Per COSO:
• Effectiveness and efficiencies of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
COSO – Components and Principles of Internal Control
Component: Control Environment
Principles:
1. Demonstrates commitment to integrity and ethical values
2. Board exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
COSO – Components and Principles of Internal Control
Component: Risk Assessment
Principles:
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
COSO – Components and Principles of Internal Control
Component: Control Activities
Principles:
10. Selects and develops control activities to mitigate risks
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
COSO – Components and Principles of Internal Control
Component: Information and Communication
Principles:
13. Obtains, generates, uses relevant information
14. Communicates internally
15. Communicates externally
COSO – Components and Principles of Internal Control
Component: Monitoring Activities
Principles:
16. Selects, develops, performs ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies timely
Cashier Example
• Operations
  • record beginning and ending cash register totals and reconcile to recorded cash sales
• Reporting
  • record purchased items by their barcode
• Compliance with the policies of the organization
  • create cashier policies and distribute to staff
• Constant Monitoring
  • review cash register activities (e.g. refunds, overrides)
GAO Green Book
• Standards for Internal Control in the Federal Government
• An entity uses the Green Book to design, implement, and operate internal controls to achieve its objectives related to operations, reporting, and compliance.
• Can be used by non-federal entities as best practice
• Based on COSO Framework
Internal Control Deficiency
“A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis.”
(AICPA AU 325)
Internal Control Deficiency
Severity of a control deficiency:
Significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting, that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
Material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
(AICPA AU 325)
Limitations of Internal Controls
• Human judgment – can be faulty
• Human failure – errors, mistakes, etc.
• Ability to override internal control
• Cost/benefit constraints
• Obsolescence
Thank you
Amy Slack
Senior Contract Audit Supervisor
Florida Dept. of Transportation
[email protected]