1/15/2014

1

TALLAHASSEE CHAPTER

COSO/Internal ControlThe Basics of Internal Auditing

January 23-24, 2014

Flerida Rivera-Alsing

Chief Audit Executive

State Board of Administration of Florida

1

TALLAHASSEE CHAPTER

• Applicable IIA Standard

• Definition of internal control

• Objectives of internal controls

• Types of internal controls

• Benchmarks

• COSO

• Internal control deficiencies

• Limitation of internal controls

Agenda

2

TALLAHASSEE CHAPTER

Applicable IIA Standard

• 2130 – Control

The internal audit activity must assist

the organization in maintaining effective

controls by evaluating their

effectiveness and efficiency and by

promoting continuous improvement.

3

1/15/2014

2

TALLAHASSEE CHAPTER

Applicable IIA Standard

•2130.A1 – The internal audit activity

must evaluate the adequacy and

effectiveness of controls in responding

to risks within the organization’s

governance, operations, and

information systems regarding the:

• Achievement of the organization’s

strategic objectives;

• Reliability and integrity of financial

and operational information;

• Effectiveness and efficiency of

operations and programs;

• Safeguarding of assets; and

• Compliance with laws, regulations,

policies, procedures, and contracts.

•2130.C1 – Internal auditors must

incorporate knowledge of controls

gained from consulting engagements

into evaluation of the organization’s

control processes.

4

TALLAHASSEE CHAPTER

Definition of Internal Control

• Per The IIA

Control is

“Any action taken by management, the board, and

other parties to manage risk and increase the

likelihood that established objectives and goals

will be achieved. Management plans, organizes,

and directs the performance of sufficient actions

to provide reasonable assurance that objectives

and goals will be achieved.”

5

TALLAHASSEE CHAPTER

Definition of Internal Control

• Per COSO, internal control is“A process, effected by an entity’s board of

directors, management and other personnel,

designed to provide reasonable assurance

regarding the achievement of objectives in the

following categories:

• Effectiveness and efficiencies of operations

• Reliability of financial reporting

• Compliance with applicable laws and

regulations”

6

1/15/2014

3

TALLAHASSEE CHAPTER

• Per AICPA (AU Section 325),

“Internal control is a process - effected by

those charged with governance, management

and other personnel - designed to provide

reasonable assurance about the achievement

of the entity's objectives with regard to the

reliability of financial reporting, effectiveness

and efficiency of operations, and compliance

with applicable laws and regulations.”

Definition of Internal Control

7

TALLAHASSEE CHAPTER

Definition of Internal Control

What is your definition of

internal control?

8

TALLAHASSEE CHAPTER

Internal Control Concepts

• Process

• Effected by people

• Reasonable assurance

• Achievement of objectives

9

1/15/2014

4

TALLAHASSEE CHAPTER

Per COSO:

• Effectiveness and efficiencies of

operations

• Reliability of financial reporting

• Compliance with applicable laws

and regulations

Objectives of Internal Controls

10

TALLAHASSEE CHAPTER

Examples of Internal Controls

Think about what you do

At home

Your ATM/Debit card

Your car

Think about what you do at work

11

TALLAHASSEE CHAPTER

• Preventive – attempt to deter or stop an

unwanted outcome before it happens.

Examples: use of passwords, approval

• Detective – attempt to detect errors or

irregularities that may have already occurred.

Examples: reconciliations, monitoring of

actual expenses vs. budget, prior periods,

forecasts

Preventive - Detective

12

1/15/2014

5

TALLAHASSEE CHAPTER

Preventive or Detective?

• Segregation of duties

• Access security

• Physical count

• Authorization

• Review of performance

Preventive - Detective

13

TALLAHASSEE CHAPTER

Which is better preventive

or detective control?

Preventive - Detective

14

TALLAHASSEE CHAPTER

Hard – Soft

Hard Controls

• Formal

• Tangible

• Examples:

Organizational structure

Policies

Procedures

Soft Controls

• Informal

• Intangible

• Examples:

Ethical climate

Integrity

Trust

Competence

15

1/15/2014

6

TALLAHASSEE CHAPTER

• Segregation of duties or ethical

employees?

• Well-written and thorough

policies and procedures or

competent employees?

Hard - Soft

16

TALLAHASSEE CHAPTER

• Manual Controls - manually performed;

Could either:

solely manual where no IT generated

reports are used or

IT-dependent where a system generated

report is used to test a particular control

• Automated Controls - performed entirely by

the computer system

Manual - Automated

17

TALLAHASSEE CHAPTER

Are these manual or automated

controls-

• Review of system logs?

• Review of edit check?

Manual - Automated

18

1/15/2014

7

TALLAHASSEE CHAPTER

Benchmarks

Some of the benchmarks/frameworks

available:

• COSO - major accounting and audit

professional organizations

• CoCo - Canadian Institute of Chartered

Accountants

• UK Corporate Governance Code

19

TALLAHASSEE CHAPTER

Why the need for framework?

• Criteria in the framework provide basis

for:

Understanding control in an

organization

Assessment about the effectiveness

of control.

• Provide a standard review process

Benchmarks

20

TALLAHASSEE CHAPTER

COSO

Background:

COSO

AAA AICPA FEI IMA IIA

21

1/15/2014

8

TALLAHASSEE CHAPTER

COSO’s Mission

• “…to provide thought leadership through the

development of comprehensive frameworks

and guidance on enterprise risk

management, internal control and fraud

deterrence designed to improve

organizational performance and governance

and to reduce the extent of fraud in

organizations.”

(www.coso.org/aboutus)

22

TALLAHASSEE CHAPTER

COSO - Components of

Internal Control

23

TALLAHASSEE CHAPTER

COSO – Components and

Principles of Internal Control

Component

Control Environment

Principles

1.Demonstrates commitment to

integrity and ethical values

2.Board exercises oversight

responsibility

3.Establishes structure, authority

and responsibility

4.Demonstrates commitment to

competence

5.Enforces accountability

24

1/15/2014

9

TALLAHASSEE CHAPTER

COSO – Components and

Principles of Internal Control

Component

Risk Assessment

Principles

6.Specifies suitable

objectives

7.Identifies and analyzes risk

8.Assesses fraud risk

9.Identifies and analyzes

significant change

25

TALLAHASSEE CHAPTER

COSO – Components and

Principles of Internal Control

Component

Control Activities

Principles

10. Selects and develops

control activities to

mitigate risks

11. Selects and develops

general controls over

technology

12. Deploys through policies

and procedures

26

TALLAHASSEE CHAPTER

COSO – Components and

Principles of Internal Control

Component

Information and

communication

Principles

13. Obtains, generates, uses

relevant information

14. Communicates internally

15. Communicates externally

27

1/15/2014

10

TALLAHASSEE CHAPTER

COSO – Components and

Principles of Internal Control

Component

Monitoring activities

Principles

16. Selects, develops, performs

ongoing and/or separate

evaluations

17. Evaluates and

communicates deficiencies

timely

28

TALLAHASSEE CHAPTER

“A deficiency in internal control exists

when the design or operation of a control

does not allow management or

employees, in the normal course of

performing their assigned functions, to

prevent, or detect and correct

misstatements on a timely basis.”

(AICPA AU 325)

Internal Control Deficiency

29

TALLAHASSEE CHAPTER

Severity of a control deficiency:Significant deficiency is a deficiency, or a combination of

deficiencies, in internal control over financial reporting, that is less

severe than a material weakness yet important enough to merit

attention by those responsible for oversight of the company's

financial reporting.

Material weakness is a deficiency, or a combination of deficiencies,

in internal control over financial reporting, such that there is a

reasonable possibility that a material misstatement of the

company's annual or interim financial statements will not be

prevented or detected on a timely basis.

(AICPA AU 325)

Internal Control Deficiency

30

1/15/2014

11

TALLAHASSEE CHAPTER

Limitations of Internal Controls

• Human judgment – can be faulty

• Human failure – errors, mistakes,

etc.

• Ability to override internal control

• Cost/benefit constraints

• Obsolescence

31

TALLAHASSEE CHAPTER

E V E R Y O N E

Responsible for Internal

Control

32

TALLAHASSEE CHAPTER

References

The COSO website at www.coso.org

Options available:

• Buy the full 2013 Framework

• Buy the Internal Control Integrated Framework

• Buy the Internal Control – Integrated Framework,

Internal Control over External Financial Reporting

• Buy a complete bundle package: Internal Control –

Integrated Framework and Compendium Bundle

33

1/15/2014

12

TALLAHASSEE CHAPTER

• The IIA – www.theiia.org

• AICPA – www.aicpa.org

• US Government Accountability Office –

www.gao.gov

• OMB Circular A-133

• Sarbanes Oxley Act of 2002

• AICPA AU Section 325

References

34

TALLAHASSEE CHAPTER

Thank you

Flerida Rivera-AlsingChief Audit ExecutiveState Board of Administration of Floridaflerida.rivera-alsing@sbafla.com

35