COSO 2012 - Community College Internal Auditors (transcript)
COSO 2012 INTERNAL CONTROL - INTEGRATED FRAMEWORK POST PUBLIC EXPOSURE VERSION
September 2012
Mark Cousineau CPA, CIA, CFE, CGAP, CGFM, CTIP
Chief Deputy Auditor, San Bernardino County
Chief Deputy Controller, San Bernardino County
Finance & Human Resources Manager, VVWRA
McGladrey & Pullen CPAs
Operations Manager, Hospitality Industry
Bachelor of Science, Business Administration (Accounting), California State University-San Bernardino
DISCLAIMERS
The views expressed in this presentation are those of the author and do not reflect the official policy or position or views of the San Bernardino County Auditor-Controller/Treasurer/Tax Collector, The Office of the San Bernardino County Auditor-Controller/Treasurer/Tax Collector, or the County of San Bernardino.
• The author is a self-described cynic, skeptic, and optimistic-pessimist or pessimistic-optimist.
AGENDA
• Learning Objectives
• History
• Revision Project Overview
• Key Changes
• Impacts
• A Closer Look at the Attributes
• Recap
• Question and Discussion
LEARNING OBJECTIVES
A fractal is an object or quantity that displays self-similarity on all scales. The object need not exhibit exactly the same structure at all scales, but the same "type" of structures must appear on all scales. mathworld.wolfram.com
LEARNING OBJECTIVES
1. When will the updated COSO Internal Control – Integrated Framework be issued?
2. What are the key changes contemplated that will be useful to internal auditors?
3. How many principles will be implemented?
4. Name one anticipated impact on the internal audit profession.
5. How will the attributes help an entity and its internal audit function?
6. How are fractals and internal control similar?
7. How are entropy and internal control similar?
Fractals and Internal Control
An entity's internal control state is likely to be repeated in its lesser organizational units: from the entity as a whole, to its departmental groups, departments, divisions, work units, and its employees.
lesson-connect.appspot.com
HISTORY
Those who do not remember the past are condemned to repeat it.
George Santayana
ABOUT COSO
• Formed in 1985 to examine fraudulent financial reporting
• A joint initiative of five private sector organizations:
  • American Accounting Association
  • American Institute of Certified Public Accountants
  • Financial Executives International
  • Institute of Management Accountants
  • The Institute of Internal Auditors
INTERNAL CONTROL - INTEGRATED FRAMEWORK
• Published in 1992
• Gained wide acceptance in the 2000's
• Leading standard for internal control
Figure: 1992 COSO Cube
REVISION PROJECT OVERVIEW
PROJECT OBJECTIVES AND DRIVERS
Project Objectives
• "Refresh" the framework
• No alteration of original Framework's core concepts
• Greater focus on operational and compliance control objectives
• Explicitly identifying principles and attributes of internal control components
Business Environment Evolution Since 1992
• Expectations for governance oversight
• Expectations for competencies and accountabilities
• Demands and complexity of rules, regulations, and standards
• Expectations for preventing and detecting fraud
• Context needs updating
PROJECT TIMETABLE
Phases, 2010 through 2013:
• Assess & Survey
• Design & Build
• Public Exposure
• Finalize
KEY CHANGES
COSO CUBE: 2012 TO 1992
Figure: 2012 Revised COSO Cube compared with the 1992 COSO Cube
UPDATES SUMMARY
Not Changing
• Definition of internal control
• 5 internal control components
• Criteria used to assess effectiveness of internal control
• Use of judgment in evaluating the effectiveness of internal control systems
Changing
• Codification of principles
• Expanded reporting objective to address internal and external, financial and non-financial reporting
• Increased focus on operations, compliance, and non-financial reporting objectives
PRINCIPLES CODIFICATION
Control Environment
• Demonstrates commitment to integrity and ethical values
• Exercises oversight responsibility
• Establishes structure, authority, and responsibility
• Demonstrates commitment to competence
• Enforces accountability
Risk Assessment
• Specifies suitable objectives
• Identifies and analyzes risk
• Assesses fraud risk
• Identifies and analyzes significant change
Control Activities
• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys through policies and procedures
Information & Communication
• Uses relevant information
• Communicates internally
• Communicates externally
Monitoring Activities
• Conducts ongoing and/or separate evaluations
• Evaluates and communicates deficiencies
RELATIONSHIPS
Principles
Points of Focus
Criteria
PRINCIPLES & POINTS OF FOCUS
Component                      Principles   Points of Focus
Control Environment                5              20
Risk Assessment                    4              16
Control Activities                 3              16
Information & Communication        3              14
Monitoring Activities              2              10
Total                             17              76
ROLES AND RESPONSIBILITIES Internal Control – Integrated Framework Update Project
KEY CHANGES PER COSO
• Discussion of the responsibility of the chief executive officer and chief financial officer to formally attest to the effectiveness of internal control in certain jurisdictions.
• Expansion of the discussion of the types of committees at the board level and their underlying rationale.
• Adding external reviewers, alongside independent auditors, to reflect the different types of internal control reviews that can occur.
• Updating the section on legislators and regulators with illustrative discussions.
• Adding a section on outsourced service providers.
• Aligning roles and responsibilities with those defined in the organizational structure section of the control environment.
OTHER KEY CHANGES
• Expansion of organizational hierarchy and discussion of role responsibilities.
  • Paragraphs 491 - 494 Board of Directors and its Committees
    • Audit Committee
    • Compensation Committee
    • Nomination/Governance Committee
    • Other Committees
  • Paragraphs 495 - 497 Chief Executive Officer
  • Paragraphs 498 - 500 Chief Financial Officer
  • Paragraphs 501 - 505 Other Senior Management: "[…]through a cascading responsibility structure, each executive is a CEO for his or her sphere of responsibility."
OTHER KEY CHANGES CONTINUED
• Expansion of organizational hierarchy and discussion of role responsibilities.
  • Paragraphs 506 - 511 Business Enabling Functions
    • Risk and Control Personnel
    • Legal and Compliance Personnel
  • Paragraphs 512 - 513 Other Personnel
  • Paragraphs 514 - 519 Internal Auditors
OTHER PERSONNEL
Other personnel contribute to all five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities) by:
• Reading, understanding, and applying the standards of conduct of the organization
• Identifying and evaluating risks to the achievement of objectives
• Performing reconciliations, following up on exception reports, and performing physical inspections
• Producing and sharing information used in the internal control system
• Taking other actions needed to effect control
• Supporting efforts to identify and communicate internal control issues to higher-level management, including illegal actions, waste, and abuse
LIMITATIONS Preconditions, People, and Assurances
PRECONDITIONS
• Strong governance processes for selecting, developing, and evaluating board members are necessary to maximize an entity's ability to provide appropriate oversight of internal control.
• Effective strategy-setting and objective-setting processes facilitate an entity's ability to develop well-constructed, realistic, and suitable objectives.
PEOPLE
Sources of internal control failure:
• Judgment
• Breakdowns
• Management Override
• Collusion
PEOPLE
Breakdowns of Well Designed Controls
• Misunderstood instructions
• Errors of judgment
• Errors of performance
  1. Carelessness
  2. Distraction
  3. Too many tasks
Management Override
• Overruling prescribed policies or procedures for illegitimate purposes with the intent of
  • Personal gain or
  • Enhanced presentation of an entity's reporting or compliance status
MANAGEMENT INTERVENTION VS. OVERRIDE
WHY
• Intervention: Necessary to deal with non-recurring and non-standard transactions or events that would not be handled appropriately by the control system
• Override: Personal gain, enhanced reporting and compliance status of organizational unit
HOW
• Intervention: Overt, documented, disclosed to appropriate personnel
• Override: Covert, undocumented, undisclosed, deliberate misrepresentations
LIMITATIONS SUMMARY LEVEL OF ASSURANCE
Level of assurance   Operations        Reporting   Compliance
Reasonable           No (1) / Yes (2)  Yes         Yes
Absolute             No                No          No
(1) Internal control cannot provide any assurance for objectives related to the effectiveness and efficiency of an entity's operations, such as achieving its basic mission, fiscal, and financial goals.
(2) Internal control can provide reasonable assurance to management of the entity's progress, or lack of progress, towards its operational objectives.
A CLOSER LOOK
Monitoring Activities: 2 Principles and 10 Points of Focus
Entropy and Internal Control
Entropy is a process of degradation or running down or a trend to disorder. Energy or force is required to maintain order.
MONITORING ACTIVITIES
Figure: monitoring spans all five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring)
MONITORING ACTIVITIES
CHANGE
• Procedures become less effective or obsolete
• Procedures may no longer be in place and functioning
• Procedures may be insufficient to support achievement of changed objectives
Directional Change
MONITORING ACTIVITIES
Control Activities
• Performed by people assigned a role in an internal control process
• Regular participants in a preventive or detective control process:
  • New vendor approval
  • Reconciliation of asset accounts
Monitoring Activities
• Management independent of the control activity
• Inspection of documentation showing performance
• Examine for trends
• Evaluate whether the control activity is appropriate
• Evaluate directional risk
• Evaluate people's control activity performance
MONITORING ACTIVITIES
Conducts Ongoing and/or Separate Evaluations – Principle No. 16
The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. [Principle No. 16]
Points of Focus
• Considers a Mix of Ongoing and Separate Evaluations
• Establishes Baseline Understanding
• Considers Rate of Change
• Uses Knowledgeable Personnel
• Integrates with Business Processes
• Objectively Evaluates
• Adjusts Scope and Frequency
CONDUCTS EVALUATIONS MANAGEMENT INCLUDES A BALANCE OF ONGOING AND SEPARATE EVALUATIONS.
Considers a Mix of Ongoing and Separate Evaluations
ONGOING
• Routine operations
• Built into business processes
• Performed on real-time basis
• Reacts to changing conditions
• May identify problems more quickly
• Manual and automated
SEPARATE
• Conducted periodically by objective parties:
  • Management
  • Internal audit
  • External parties
CONDUCTS EVALUATIONS THE DESIGN AND CURRENT STATE OF AN INTERNAL CONTROL SYSTEM ARE USED TO ESTABLISH A BASELINE FOR ONGOING AND SEPARATE EVALUATIONS.
Establishes Baseline Understanding
• Includes design and current state of internal control system
• Used in establishing ONGOING and SEPARATE evaluations
• Assists in identifying changes
• Used to re-evaluate internal control components and realign evaluation activity when changes occur
• Scope and nature of activities
CONDUCTS EVALUATIONS MANAGEMENT CONSIDERS THE RATE OF CHANGE IN BUSINESS AND BUSINESS PROCESSES WHEN SELECTING AND DEVELOPING ONGOING AND SEPARATE EVALUATIONS.
Considers Rate of Change
• External environment
• Programmatic changes – federal and state
• Organizational initiatives
• Change in leadership
CONDUCTS EVALUATIONS EVALUATORS PERFORMING ONGOING AND SEPARATE EVALUATIONS HAVE SUFFICIENT KNOWLEDGE TO UNDERSTAND WHAT IS BEING EVALUATED.
Uses Knowledgeable Personnel
ONGOING
• Operational or functional managers
• Competent
• Understand what is being evaluated
• Escalate or initiate corrective action
SEPARATE
• Internal audit function
• Other objective evaluations
• Cross operating unit or function
• Benchmarking or peer evaluations
• Self-assessments
CONDUCTS EVALUATIONS ONGOING EVALUATIONS ARE BUILT INTO THE BUSINESS PROCESSES AND ADJUST TO CHANGING CONDITIONS.
Integrates with Business Processes
• Manual or automated or combination
• Monitor the presence and functioning of internal control components in the ordinary course of business
• Reacts and adjusts to changing conditions, both external and internal
• Computerized monitoring
  • Highly objective
  • Efficient review of large volumes of data
  • Economical
  • Continuous automated monitoring should be considered
CONDUCTS EVALUATIONS SEPARATE EVALUATIONS ARE PERFORMED PERIODICALLY TO PROVIDE OBJECTIVE FEEDBACK.
Objectively Evaluates
• Generally not ingrained with the business
• Vary in scope and frequency
• Scope determined by which of the three objective categories is being addressed
• Risk ranking and responses taken into consideration
• Single or multiple internal control components can be addressed
• Against backdrop of management's established standards for each component of internal control
CONDUCTS EVALUATIONS MANAGEMENT VARIES THE SCOPE AND FREQUENCY OF SEPARATE EVALUATIONS DEPENDING ON RISK.
Adjusts Scope and Frequency
• Matter of management judgment
• Perceived need for periodic evaluations may indicate opportunity to improve ongoing evaluations
• Occurs at different entity levels
• Scope and nature of operations
• Internal and external changes
• Changes within the baseline internal control components
MONITORING ACTIVITIES
Evaluates and Communicates Deficiencies – Principle No. 17 Points of Focus
The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
• Assesses Results
• Communicates Deficiencies
• Monitors Corrective Actions
EVALUATES & COMMUNICATES DEFICIENCIES MANAGEMENT AND THE BOARD, AS APPROPRIATE, ASSESS RESULTS OF ONGOING AND SEPARATE EVALUATIONS.
Assesses Results
• Threats to the ability of the entity to achieve its objectives
• Opportunities to improve the efficiency of internal controls
• Opportunities to change the internal control system to increase the likelihood that the entity's objectives will be achieved
• Material weaknesses, significant deficiencies, others
• Major non-conformities, minor non-conformities, others
EVALUATES & COMMUNICATES DEFICIENCIES DEFICIENCIES ARE COMMUNICATED TO PARTIES RESPONSIBLE FOR TAKING CORRECTIVE ACTION AND TO SENIOR MANAGEMENT AND THE BOARD OF DIRECTORS, AS APPROPRIATE.
Communicates Deficiencies
• Individual's authority to deal with circumstances that arise
• Oversight activities of superiors
• Management establishes criteria as to what is reported and to whom
• Crosscutting deficiencies are reported to all relevant parties and at a sufficiently high level to drive appropriate action
• Communications to those positioned to take timely corrective actions
• Internal control deficiencies are reported to the parties responsible for taking corrective action and usually one level of management above that person
EVALUATES & COMMUNICATES DEFICIENCIES DEFICIENCIES ARE REPORTED TO SENIOR MANAGEMENT AND TO THE BOARD, AS APPROPRIATE.
Reports Deficiencies to Senior Management and the Board
• Material weaknesses and significant deficiencies
• Major non-conformities
• Deficiencies and minor non-conformities that meet a specified threshold
• Entity-established reporting directives
• Possible external reporting of deficiencies
EVALUATES & COMMUNICATES DEFICIENCIES MANAGEMENT TRACKS WHETHER DEFICIENCIES ARE REMEDIATED ON A TIMELY BASIS.
Monitors Corrective Actions
• Management tracks remediation efforts and whether they are conducted on a timely basis
• New management requirement
• Applies to ONGOING evaluations and SEPARATE evaluations that were not performed by the entity's internal audit activity
IMPACTS
Things alter for the worse spontaneously, if they be not altered for the better designedly. ~Francis Bacon quotegarden.com
IMPACT OF CHANGES
• PRINCIPLES AND POINTS OF FOCUS
  • Need to make sure your audit program covers all 17 principles
  • Documentation may need to be enhanced
  • Easier to see everything is covered
  • Easier to see what is missing
• EMPHASIS
  • Control Environment has 5 of 17 principles
  • Risk Assessment has 4 of 17 principles
  • Over 50% of principles in these components
IMPACT OF CHANGES CONTINUED
• BROADER REPORTING SCOPE
  • Internal Financial Reporting
  • Internal Non-Financial Reporting
  • External Non-Financial Reporting
• OPPORTUNITY TO HIGHLIGHT INTERNAL CONTROL OVER
  • Operations
  • Compliance
COSO EXAMPLES
• The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
• The organization selects and develops general control activities over technology to support the achievement of objectives
• The organization considers the potential for fraud relating to material misstatement of reporting, inadequate safeguarding of assets, and corruption during the assessment of risks to the achievement of objectives
IMPACT OF CHANGES ON INTERNAL AUDITS
• Principles-based approach will allow flexibility to be applied at the entity, operating, and functional levels
• Changes will require review and potential updates to a number of processes, activities, and documentation
• Update allows for integration of both the COSO Enterprise Risk Management (ERM) and Internal Control-Integrated Framework (ICIF) models
• Identifies key attributes for each principle
MONITORING ACTIVITIES INTERNAL AUDIT EVALUATIONS: Objectives and Criteria
OBJECTIVES ASSERTIONS
Determine whether the organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. [Principle No. 16]
16-1 Management includes a balance of ongoing and separate evaluations.
16-2 The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.
16-3 Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.
16-4 Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
16-5 Ongoing evaluations are built into the business processes and adjust to changing conditions.
16-6 Separate evaluations are performed periodically to provide objective feedback.
16-7 Management varies the scope and frequency of separate evaluations depending on risk.
OBJECTIVES ASSERTIONS
Determine whether the organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. [Principle No. 17]
17-1 Management and the board, as appropriate, assess results of ongoing and separate evaluations.
17-2 Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
17-3 Deficiencies are communicated to parties responsible for taking corrective action and to at least one level of management above.
17-4 Management tracks whether deficiencies are remediated on a timely basis.
AUDIT OBJECTIVES: Based on Principles
Principle
• The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. [Principle No. 16]
Objective
• Determine whether the organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Objective
• Determine whether the organization’s ongoing and/or separate evaluations ascertain whether the components of internal control are present and functioning.
CRITERIA: Based on Points of Focus
Attribute
• Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated. [Principle No. 16]
Criterion 16-4
• Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
AUDIT PROCEDURES: Based on Attributes
Attribute
• Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
Criterion 16-4
• Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
Procedure 16-4.P1
• Obtain evaluator’s resume, job history, education, and training history.
Procedure 16-4.P2
• Obtain [insert org. unit] requirements for [insert subject matter] evaluator. Document if requirements differ between ongoing and separate evaluations.
AUDIT PROCEDURES: Based on Points of Focus
Procedure 16-4.P3
• Review job history and evaluate whether the individual has an appropriate level of experience with organizational unit and/or program to understand the [insert subject matter].
Procedure 16-4.P4
• Compare the evaluator’s experience, knowledge, skills, and abilities to the minimum requirements established by the organizational unit.
Procedure 16-4.P5
• If evaluator’s experience did not meet organization’s minimum requirements at hire, determine whether the organization anticipated, documented, and took action to mitigate.
DEFICIENCIES
Figure: a deficiency may relate to any component: Control Environment, Risk Assessment, Control Activity, Information & Communication, Monitoring Activity
RECAP
1. First Quarter 2013
2. Stated Principles (17)
3. Points of Focus (76), formerly 81 Attributes
4. Criteria derived from Points of Focus
5. Internal Audit Activity Impact
6. Scalability of internal controls
7. Natural outcome for laissez-faire internal control maintenance
QUESTION AND DISCUSSION