IIA General PowerPoint Template - Institute of Internal ... · PDF file1/15/2014 3 TALLAHASSEE...
Transcript of IIA General PowerPoint Template - Institute of Internal ... · PDF file1/15/2014 3 TALLAHASSEE...
1/15/2014
1
TALLAHASSEE CHAPTER
COSO/Internal ControlThe Basics of Internal Auditing
January 23-24, 2014
Flerida Rivera-Alsing
Chief Audit Executive
State Board of Administration of Florida
1
TALLAHASSEE CHAPTER
• Applicable IIA Standard
• Definition of internal control
• Objectives of internal controls
• Types of internal controls
• Benchmarks
• COSO
• Internal control deficiencies
• Limitation of internal controls
Agenda
2
TALLAHASSEE CHAPTER
Applicable IIA Standard
• 2130 – Control
The internal audit activity must assist
the organization in maintaining effective
controls by evaluating their
effectiveness and efficiency and by
promoting continuous improvement.
3
1/15/2014
2
TALLAHASSEE CHAPTER
Applicable IIA Standard
•2130.A1 – The internal audit activity
must evaluate the adequacy and
effectiveness of controls in responding
to risks within the organization’s
governance, operations, and
information systems regarding the:
• Achievement of the organization’s
strategic objectives;
• Reliability and integrity of financial
and operational information;
• Effectiveness and efficiency of
operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations,
policies, procedures, and contracts.
•2130.C1 – Internal auditors must
incorporate knowledge of controls
gained from consulting engagements
into evaluation of the organization’s
control processes.
4
TALLAHASSEE CHAPTER
Definition of Internal Control
• Per The IIA
Control is
“Any action taken by management, the board, and
other parties to manage risk and increase the
likelihood that established objectives and goals
will be achieved. Management plans, organizes,
and directs the performance of sufficient actions
to provide reasonable assurance that objectives
and goals will be achieved.”
5
TALLAHASSEE CHAPTER
Definition of Internal Control
• Per COSO, internal control is“A process, effected by an entity’s board of
directors, management and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives in the
following categories:
• Effectiveness and efficiencies of operations
• Reliability of financial reporting
• Compliance with applicable laws and
regulations”
6
1/15/2014
3
TALLAHASSEE CHAPTER
• Per AICPA (AU Section 325),
“Internal control is a process - effected by
those charged with governance, management
and other personnel - designed to provide
reasonable assurance about the achievement
of the entity's objectives with regard to the
reliability of financial reporting, effectiveness
and efficiency of operations, and compliance
with applicable laws and regulations.”
Definition of Internal Control
7
TALLAHASSEE CHAPTER
Definition of Internal Control
What is your definition of
internal control?
8
TALLAHASSEE CHAPTER
Internal Control Concepts
• Process
• Effected by people
• Reasonable assurance
• Achievement of objectives
9
1/15/2014
4
TALLAHASSEE CHAPTER
Per COSO:
• Effectiveness and efficiencies of
operations
• Reliability of financial reporting
• Compliance with applicable laws
and regulations
Objectives of Internal Controls
10
TALLAHASSEE CHAPTER
Examples of Internal Controls
Think about what you do
At home
Your ATM/Debit card
Your car
Think about what you do at work
11
TALLAHASSEE CHAPTER
• Preventive – attempt to deter or stop an
unwanted outcome before it happens.
Examples: use of passwords, approval
• Detective – attempt to detect errors or
irregularities that may have already occurred.
Examples: reconciliations, monitoring of
actual expenses vs. budget, prior periods,
forecasts
Preventive - Detective
12
1/15/2014
5
TALLAHASSEE CHAPTER
Preventive or Detective?
• Segregation of duties
• Access security
• Physical count
• Authorization
• Review of performance
Preventive - Detective
13
TALLAHASSEE CHAPTER
Which is better preventive
or detective control?
Preventive - Detective
14
TALLAHASSEE CHAPTER
Hard – Soft
Hard Controls
• Formal
• Tangible
• Examples:
Organizational structure
Policies
Procedures
Soft Controls
• Informal
• Intangible
• Examples:
Ethical climate
Integrity
Trust
Competence
15
1/15/2014
6
TALLAHASSEE CHAPTER
• Segregation of duties or ethical
employees?
• Well-written and thorough
policies and procedures or
competent employees?
Hard - Soft
16
TALLAHASSEE CHAPTER
• Manual Controls - manually performed;
Could either:
solely manual where no IT generated
reports are used or
IT-dependent where a system generated
report is used to test a particular control
• Automated Controls - performed entirely by
the computer system
Manual - Automated
17
TALLAHASSEE CHAPTER
Are these manual or automated
controls-
• Review of system logs?
• Review of edit check?
Manual - Automated
18
1/15/2014
7
TALLAHASSEE CHAPTER
Benchmarks
Some of the benchmarks/frameworks
available:
• COSO - major accounting and audit
professional organizations
• CoCo - Canadian Institute of Chartered
Accountants
• UK Corporate Governance Code
19
TALLAHASSEE CHAPTER
Why the need for framework?
• Criteria in the framework provide basis
for:
Understanding control in an
organization
Assessment about the effectiveness
of control.
• Provide a standard review process
Benchmarks
20
TALLAHASSEE CHAPTER
COSO
Background:
COSO
AAA AICPA FEI IMA IIA
21
1/15/2014
8
TALLAHASSEE CHAPTER
COSO’s Mission
• “…to provide thought leadership through the
development of comprehensive frameworks
and guidance on enterprise risk
management, internal control and fraud
deterrence designed to improve
organizational performance and governance
and to reduce the extent of fraud in
organizations.”
(www.coso.org/aboutus)
22
TALLAHASSEE CHAPTER
COSO - Components of
Internal Control
23
TALLAHASSEE CHAPTER
COSO – Components and
Principles of Internal Control
Component
Control Environment
Principles
1.Demonstrates commitment to
integrity and ethical values
2.Board exercises oversight
responsibility
3.Establishes structure, authority
and responsibility
4.Demonstrates commitment to
competence
5.Enforces accountability
24
1/15/2014
9
TALLAHASSEE CHAPTER
COSO – Components and
Principles of Internal Control
Component
Risk Assessment
Principles
6.Specifies suitable
objectives
7.Identifies and analyzes risk
8.Assesses fraud risk
9.Identifies and analyzes
significant change
25
TALLAHASSEE CHAPTER
COSO – Components and
Principles of Internal Control
Component
Control Activities
Principles
10. Selects and develops
control activities to
mitigate risks
11. Selects and develops
general controls over
technology
12. Deploys through policies
and procedures
26
TALLAHASSEE CHAPTER
COSO – Components and
Principles of Internal Control
Component
Information and
communication
Principles
13. Obtains, generates, uses
relevant information
14. Communicates internally
15. Communicates externally
27
1/15/2014
10
TALLAHASSEE CHAPTER
COSO – Components and
Principles of Internal Control
Component
Monitoring activities
Principles
16. Selects, develops, performs
ongoing and/or separate
evaluations
17. Evaluates and
communicates deficiencies
timely
28
TALLAHASSEE CHAPTER
“A deficiency in internal control exists
when the design or operation of a control
does not allow management or
employees, in the normal course of
performing their assigned functions, to
prevent, or detect and correct
misstatements on a timely basis.”
(AICPA AU 325)
Internal Control Deficiency
29
TALLAHASSEE CHAPTER
Severity of a control deficiency:Significant deficiency is a deficiency, or a combination of
deficiencies, in internal control over financial reporting, that is less
severe than a material weakness yet important enough to merit
attention by those responsible for oversight of the company's
financial reporting.
Material weakness is a deficiency, or a combination of deficiencies,
in internal control over financial reporting, such that there is a
reasonable possibility that a material misstatement of the
company's annual or interim financial statements will not be
prevented or detected on a timely basis.
(AICPA AU 325)
Internal Control Deficiency
30
1/15/2014
11
TALLAHASSEE CHAPTER
Limitations of Internal Controls
• Human judgment – can be faulty
• Human failure – errors, mistakes,
etc.
• Ability to override internal control
• Cost/benefit constraints
• Obsolescence
31
TALLAHASSEE CHAPTER
E V E R Y O N E
Responsible for Internal
Control
32
TALLAHASSEE CHAPTER
References
The COSO website at www.coso.org
Options available:
• Buy the full 2013 Framework
• Buy the Internal Control Integrated Framework
• Buy the Internal Control – Integrated Framework,
Internal Control over External Financial Reporting
• Buy a complete bundle package: Internal Control –
Integrated Framework and Compendium Bundle
33
1/15/2014
12
TALLAHASSEE CHAPTER
• The IIA – www.theiia.org
• AICPA – www.aicpa.org
• US Government Accountability Office –
www.gao.gov
• OMB Circular A-133
• Sarbanes Oxley Act of 2002
• AICPA AU Section 325
References
34
TALLAHASSEE CHAPTER
Thank you
Flerida Rivera-AlsingChief Audit ExecutiveState Board of Administration of [email protected]
35