Transcript
Page 1: IIA General PowerPoint Template · 2018-11-18 · 11/18/2018 1 TALLAHASSEE CHAPTER COSO/Internal Control Emphasize the Basics, Elevate the Standards November 27-28, 2018 Amy Slack

TALLAHASSEE CHAPTER

COSO/Internal Control

Emphasize the Basics, Elevate the Standards

November 27-28, 2018

Amy Slack

Senior Contract Audit Supervisor

Florida Department of Transportation

Agenda

• Applicable IIA Red Book Standards

• Definitions of Internal Control

• Types of Internal Controls

• Benchmarks

• COSO

• GAO Green Book

• Internal Control deficiencies

• Limitation of Internal Controls

References

• The COSO website at www.coso.org

• The IIA – www.theiia.org

• AICPA – www.aicpa.org

• US Government Accountability Office – www.gao.gov

• OMB Circular A-133

• Sarbanes-Oxley Act of 2002

• AICPA AU Section 325

International Professional Practices Framework (IPPF)® - 2017 Edition (Red Book)

• 2130 – Control

The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

Applicable IIA Standard

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

• Achievement of the organization’s strategic objectives;

• Reliability and integrity of financial and operational information;

• Effectiveness and efficiency of operations and programs;

• Safeguarding of assets; and

• Compliance with laws, regulations, policies, procedures, and contracts.

Applicable IIA Standard

2130.C1 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.

IIA Red Book Definition

• Control is “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”

COSO Definition

• Internal Control is “A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiencies of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations”

AICPA Definition (AU Section 325)

“Internal control is a process - effected by those charged with governance, management and other personnel - designed to provide reasonable assurance about the achievement of the entity's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.”

Definition of Internal Control

• What is your definition of internal control?

• Who is responsible for internal controls?

Examples of Internal Controls

Think about what you do at home

Your ATM/Debit card

Your car

Think about what you do at work

Preventive - Detective

• Preventive – attempt to deter or stop an unwanted outcome before it happens. Examples: use of passwords, approval

• Detective – attempt to detect errors or irregularities that may have already occurred. Examples: reconciliations, monitoring of actual expenses vs. budget, prior periods, forecasts

Preventive or Detective?

• Segregation of duties

• Access security

• Physical count

• Authorization

• Review of performance and processes

Which is better - preventive or detective control?

Hard Controls vs Soft Controls

Hard Controls

• Formal

• Tangible

• Examples:

Organizational structure

Policies

Procedures

Soft Controls

• Informal

• Intangible

• Examples:

Ethical climate

Integrity

Trust

Competence

• Segregation of duties or ethical employees?

• Well-written and thorough policies and procedures or competent employees?

• Objective vs Subjective

Manual - Automated

• Manual Controls - manually performed; either solely manual, where no IT-generated reports are used, or IT-dependent, where a system-generated report is used to test a particular control

• Automated Controls - performed entirely by the computer system

Benchmarks

Some of the benchmarks/frameworks available:

• COSO - major accounting and audit professional organizations

• CoCo - Canadian Institute of Chartered Accountants

• UK Corporate Governance Code

Why the need for a framework?

• Criteria in the framework provide a basis for:

  • Understanding control in an organization

  • Assessment about the effectiveness of control.

• Provide a standard review process

COSO

Background:

COSO: AAA, AICPA, FEI, IMA, IIA

COSO’s Mission

• “…to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.” (www.coso.org/aboutus)

COSO - Components of Internal Control

Objectives of Internal Controls

Per COSO:

• Effectiveness and efficiencies of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations

COSO – Components and Principles of Internal Control

Component: Control Environment

Principles:

1. Demonstrates commitment to integrity and ethical values

2. Board exercises oversight responsibility

3. Establishes structure, authority and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

COSO – Components and Principles of Internal Control

Component: Risk Assessment

Principles:

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

COSO – Components and Principles of Internal Control

Component: Control Activities

Principles:

10. Selects and develops control activities to mitigate risks

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

COSO – Components and Principles of Internal Control

Component: Information and communication

Principles:

13. Obtains, generates, uses relevant information

14. Communicates internally

15. Communicates externally

COSO – Components and Principles of Internal Control

Component: Monitoring activities

Principles:

16. Selects, develops, performs ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies timely

Cashier Example

• Operations

  • record beginning and ending cash register totals and reconcile to recorded cash sales

• Reporting

  • record purchased items by their barcode

• Compliance with the policies of the organization

  • create cashier policies and distribute to staff

• Constant Monitoring

  • review cash register activities (e.g. refunds, overrides)

GAO Green Book

• Standards for Internal Control in the Federal Government

• An entity uses the Green Book to design, implement, and operate internal controls to achieve its objectives related to operations, reporting, and compliance.

• Can be used by non-federal entities as best practice

• Based on COSO Framework

Internal Control Deficiency

“A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis.” (AICPA AU 325)

Internal Control Deficiency

Severity of a control deficiency:

Significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting, that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

Material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

(AICPA AU 325)

Limitations of Internal Controls

• Human judgment – can be faulty

• Human failure – errors, mistakes, etc.

• Ability to override internal control

• Cost/benefit constraints

• Obsolescence

Thank you

Amy Slack

Senior Contract Audit Supervisor

Florida Dept. of [email protected]